This guest post is by Karol K of ThemeFuse.
Right now WordPress powers 48 of the top 100 blogs online. More than that, WordPress actually powers 19% of the web as a whole.
Essentially, this is great. Such a strong community of users and developers means that the platform is sure to evolve even further and provide us with lots of cool features that are yet to be developed.
Unfortunately, this creates some dangers as well… Whenever there’s a big number of people trying to make something happen, there’s another group of people trying to take it all down.
The cases where a blog owner loses complete access to their site are not uncommon. Actually, sometimes even whole domains get hijacked, and I honestly have no idea on how that’s done.
But we don’t have to know how hijacking a domain or stealing a blog works to be able to implement some basic security precautions. And that is exactly what this post is about—making your blog secure without playing with source code, understanding things, and stuff.
Typical WordPress security problems
WordPress as a whole (a website management platform) is very well designed. It doesn’t have any preposterous security issues that beginning programmers could exploit. The problems, however, arise when you try to tweak your installation of WordPress by adding new plugins or themes, implementing hacks, or doing anything else that interferes with WordPress.
Of course, this doesn’t mean that you should settle for the default installation, not use any plugins, and only blog using the default theme. What it means is that you simply need to be careful when installing new stuff on your blog, as well as when setting up your blog for the first time.
Let’s start by discussing some of the common security problems you’ll need to handle.
The basics
Excuse me for being obvious, but you really need to start with proper usernames and passwords for your user accounts. Everyone realizes the importance of this, but not as many people implement the best practices.
You must use complex passwords—letters, numbers, special characters, spaces—and usernames that are not obvious. A password of “admin,” for example, is extra-obvious.
For more information on account security, see my recent guest post here on ProBlogger, which explained user accounts and roles, and how to set them up properly.
The name of the next problem in line: shady, untested plugins. WordPress plugins have a fair amount of power over how your WordPress installation works. If a plugin contains some buggy code, it can crash your blog completely. The same goes for code that’s not secure. Finally, if one of your plugins doesn’t implement any security features, it can become the point of entry for malicious bots or direct attacks by hackers.
Remember, the weakest link is where the chain breaks. You only need one low-quality plugin to get into trouble.
The advice I have here is: don’t use any plugin that hasn’t been updated in a while, or hasn’t been officially tested with the newest version of WordPress. Being up to date is always the best precaution. Also, plugins that are more popular are usually more secure as well.
There’s one more big issue we have to in terms of shady code, and that’s WordPress themes. I will say this again—and I’m not sorry for it—free themes are evil.
Well okay, not all of them. There are two kinds of free themes: (1) the good ones, released by quality theme stores as a way of attracting new customers by spreading one or two great free themes, (2) the evil ones made primarily to look great, attract many users, and use the space in the footer for SEO purposes.
These SEO-focused themes often use some strange, encrypted PHP code that can’t be removed, otherwise the theme stops working. This code usually displays search-optimized links (sometimes in an invisible font).
You never, let me repeat, never want to have encrypted code on your site. Even when you get the theme for free in exchange for hosting this encrypted section, it’s not worth it.
If you’re planning to use your WordPress site as the base of your online business then buying a quality theme is a must. If you have a bigger budget, you could even hire a developer to build your theme on top of some popular theme framework.
Since we’ve now covered the basics—user accounts, plugins, and themes—let’s look into some of the things that you can do to actively make your blog more secure.
Steps to better security
First, let’s talk through some of the best practices in terms of security. Then, let me show you some cool security plugins.
Hosting security
Yes, it all starts here. The story is similar to the one about WordPress themes: if you want to have a secure environment, you simply need to invest money. Don’t use free hosting.
Make sure that your web host implements basic security features and that it has good reviews among users (search on forums; Google is likely to display only affiliate reviews, which aren’t always credible).
Secure your own machine first
This is not something that comes to mind immediately when we’re talking WordPress security, is it? But what’s the point of securing your WordPress installation on the host if you have a malicious key-logger installed on your computer that will pick up your password and send it to the attacker?
You always need to start by securing the machine you’re using to connect with your WordPress blog. There are many good antivirus apps available, so I won’t discuss this any further. Just keep in mind that this issue is equally as important as anything else described in this post.
Update, update, update
Update WordPress. Update your plugins. Update your theme. Try to install these updates immediately after the alert apepars in your Dashboard.
Here’s why. Fixes to new bugs and security holes are always a big part of every update. The minute an update gets released, all the changes are announced in the official doc that goes along with the update.
If a hacker wants to attack a site that hasn’t been updated yet, they just have to take a look at the document, do a little research and tackle the holes that the new version fixes.
For example, here’s an excerpt from the information on the newest version of WordPress:
“WordPress 3.3.2 also addresses: Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances, disclosed by Jon Cave of our WordPress core security team, and Adam Backstrom.”
Essentially, such information is a guide for hackers on how to attack outdated sites. So be sure to update everything, without delay.
Back up regularly
No one likes to get hacked, but we can’t assume that it won’t ever happen. You always should have an up-to-date backup of your WordPress site, just in case something goes wrong and you have to restore your blog.
You can do backups manually, or you can sign up to a paid service or simply get a plugin to do this for you (more on this later).
Delete plugins you don’t use
There’s no point in occupying your server’s resources with stuff you don’t use. The same advice applies to themes. Leave just the theme your blog uses, and delete the rest (you can leave the default theme, just in case).
Handy plugins to improve your blog’s security
Everybody loves them some cool plugins, right?! So here’s a list of the ones I recommend you use to make your blog more secure:
- AntiVirus: This plugin protects your blog against exploits, malware, and spam injections. It scans your theme’s files and notifies you if anything suspicious is going on.
- Online Backup for WordPress: This app is the one I use for my backups. You can use a schedule or perform backups by hand, and have them sent to your email address or made downloadable. The plugin backs up the database as well as the file system.
- Secure WordPress: This is where you stop scanning and start acting! This plugin performs a number of security tweaks to your blog. There’s no point in listing them here, so I invite you to check for yourself. Also, you can choose which ones you want to enable and which you don’t need.
- BulletProof Security: The list of things this plugin does is quite impressive. It’s a really serious piece of software. Just to name a few features: protection against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts, one-click htaccess protection, wp-config.php protection, and loads of other tweaks. It’s really worth looking into.
- Hide Login: This plugin has a very simple idea behind it. You can use it to hide your login page. In other words, it creates a custom login URL. It also lets you create a custom admin URL (instead of domain.com/wp-admin), and a custom logout URL.
Other considerations
Content security
Your content is the most valuable asset on your blog. You naturally don’t want it to get stolen by some evil content scrapers and SEO marketers who just want to launch thousands of sites with content from various RSS feeds.
Unfortunately, you can’t protect against this completely. There’s always a danger that someone can steal your content and republish it without attribution. But you can make it just a little harder, or at least let everyone know that your content is protected.
Try checking Copyscape. It’s a service that searches for copies of your content around the internet. If it finds some, you get an alert and some instructions on how to get it taken down. Copyscape offers a couple of different services, so it’s good to pay them a visit and choose one that suits you best.
The just-in-case approach
No matter what you do to protect your blog, something bad is always possible. That’s why you need to have a strategy set in place for the time when something goes wrong, and you need to act fast.
I invite you to check out two of my own: how to restore your blog after a crash, and what to do when you lose access to your blog. And I truly hope that you’ll never have to use either of these guides.
How secure is your blog?
There you have it. I think that’s it when it comes to securing your WordPress site without going into code and implementing various tweaks manually. There’s always a never-ending stream of things you can do, but if you take care of just the ones described here you’ll have a pretty secure blog, and you’ll be ready in case something bad happens.
How diligent are you when it comes to your blog’s security? And what security tweaks would you add to this list?
Karol K. is a 20-something year old web 2.0 entrepreneur from Poland and a writer at ThemeFuse.com, where he shares various WordPress advice. Currently, he’s working on a new e-book titled “WordPress Startup Guide – little known things worth doing when creating a WordPress site.” The e-book launches soon, and now the best part … it’s free. Also, don’t forget to visit ThemeFuse to get your hands on some premium WordPress themes.
Karol
Very important article. I felt the pain 2 months ago when a whole bunch of my sites were hacked and it took me over 2 days, $500 in technical costs and over $1,200 in lost earnings!!
Warning to everyone with income producing websites online….don’t underestimate the importance of securing your websites, follow Karol’s advice above.
Cheers
Phil
Hi Karol, Thanks for sharing the ways to secure WordPress blog, my blog got hacked yesterday but Thank GOD I had a complete backup of my blog. Now I will do all security work for my blog. Thanks for sharing.
Thanks for the tips Karol. I had taken a few basic steps to protect my blog but now I see that there are a lot more things that I can do.
What are your thoughts on ‘Better WP Security’ plugin?
Hi Phil,
As the author of Better WP Security and a big fan of Problogger let me know if there are any questions I can answer on the plugin.
These are some useful tips but I’d rather not install any plugins that delete/modify WordPresses’ core files. The importance of regularly backing up your blog cannot be stressed enough. I do it (automated) twice a day for my upcoming project and for my own blog. Even though I don’t write daily on the latter, I still want to take into account any style changes I’ve made between different posts, if any.
Thanks for the tips. This is really important because we all do not want our blog has security risk. I know that there are people placing encrypted codes in free themes, so it is not a good way to use free themes if we want to have a long term blogging business.
Hi Karol,
Good post. One other area you might want to consider for most bloggers who often practice their craft away from home is to watch the wi-fi they’re connecting to. Most WordPress installations make stealing passwords over public wi-fi ridiculously and can be avoided with free tools such as SecurityKISS.
Hi Chris, No you don’t need to use any wi-fi, There are many WordPress plugins which can help you to secure your WP password. The idea which Karol shared on his post is greatest ways to secure your WordPress password.
What Ehsan suggests has nothing to do with protecting your password during transmission. Using something like SecureKISS can protect it at this point in which it is very vulnerable in many cases. Wi-fi is a huge security risk to many bloggers. I’ve done a good business of fixing sites of owners who don’t understand this.
re: Hosting security
“Don’t use free hosting” , this should be extended to “Avoid unmanaged bulk hosting” if at all possible, as the problem’s are the same. When you see the sub-50$ hosting plans, you’re on the same server as hundreds if not thousands of other users which share the same system. A good host will scan their system for compromised sites, plugins and blogs.
It only takes one of those users getting hacked, using any php cms, for your site to be hacked.
Hi Karol,
Thanks for well organized post and I really learned quite a few new things through the post and I am doing my blogs back up regularly but I thought I am missing one or two things mention in the post and certainly wil work on them to further secure my blog.
Thanks again for sharing!
thanks, i just recovery my hacked sites, glad to see this articles before the next hack
Hi Carol,
Security is my concern and you describe that a lot of work I need to do … Having difficult password sometime can be counter-productive because even myself hard to remember it. If I type and store it some where in usb, I am affraid if I lose it.
I have try “limit login” plugins so far. I just want to ask, as a wordpress blogger should I change my password regularly?
Thanks
Changing your password regularly is definitely good practice, especially if you use the password on multiple sites.
Okto,
I never store my password. I always memorize it and it is complicated but since I log in lots each time I log in it is burned into my memory and fingers!
If you really need to store your password on a use be adjust the password so what you find on the usb will trigger your memory of the original. For example, if your password is ray343joneH you could record 343joneH and just memorize you need to add ray.
Food for thought.
David
The part where you have shared those plugins was very helpful. I like it. Thanks
Thank you so much for sharing this, wordpress has so many security breaches.
Hi Karol,
Thanks for sharing your thoughts about securing your blog. Recently, there were hacking attempts in my blog. Good thing I installed login lockdown, wordpress firewall, and secure wordpress to my blogs. I am using admin as my username and a strong password, a combination of letters, numbers, and characters.
I agree that if you are using an “admin” as username, many hackers will attempt to hack. So I delete my username and replace a strong one.
By the way, your tips are highly appreciated. Those are good advice..
Thanks for this tip….Will use your tips to secure my blog more effectively….
nice tips. all are helping to secure the wordpress blog.
Really good post…
I am also a blogger and I know how difficult it is to recover a hacked blog.
Thanks for sharing cool tips.
I agree a lot regarding free themes. Most free themes out there have encrypted codes or links on the footer that really affect your site’s loading time. If you can’t read codes yourself and not aware of this tactic, you’ll end up sacrificing a great deal on your site’s health. Better get those paid themes or have someone create one for you instead.
– Jules Mariano of Total Bounty
Good post karol.
When a blog gets popular, have a resonable amout of traffic and visitors and started earning you a living, it is in risk. WordPress by default is a very cool and versatile platform. The tips are great but i wanna add another plugin which hides the wp-admin and wp-login.php unless the user is registered or logged in. It is Wp Lockdown. It also change the login url to something you want. Use it with Login lockdown for best security!!
This is a great list of things to do to secure your WordPress site…
I recently had some security problems with my WordPress sites, and ended up doing a lot of research into securing WordPress sites…
I have now written up my experiences in a comprehensive WordPress Security Checklist which can be downloaded for free on http://www.wpsecuritychecklist.com.
My checklist has a few more items and detailed steps for how to get the job done.
Hopefully the checklist can help other people securing their WordPress sites…
I will also try your checklist. Thanks for the info.
I agree it is dangerous. Does anyone know where you can get the plugin which hides the wp-admin and wp-login.php?
This is a really good reminder. Security is such an easy thing to procrastinate for when all of the writing and marketing stuff is caught up. (Yeah right!) It reminds me of the saying “If you don’t have time to do it right when will you have time to do it over?”. I appreciate the kick in the backside!
I’m lucky in that I can afford to use WP Engine’s services (lowest plan to start with), which goes well with the $15/mo plan from VaultPress. I do have the Better WP Security plugin installed on my new blog (not launched yet) and I use other little tweaks and methods to protect my blog, but the best thing any serious blogger could do is go with a good managed WordPress host like WP Engine, and use VaultPress for a real-time backup solution.
Hi Gemma,
Yes, I hear Vaultpress is excellent for constant back up and for $15 a month for peace of mind, you get a great deal.
David
Theses are amazing tips to secure but I always have a feeling that hackers will still be able to hack into the blog even if whatever we’re trying to protect it.
Fabulous post – great up to date info – love the plugin tips!
:)
Great blog that has taken me places other security focused blogs haven’t considered. Theme’s for instance. I’d not considered that risk, although I definitely agree that choosing plugins which are regularly updated and tested on recent versions of WordPress is sound advice. That said, I agree with Feb that an experienced hacker will probably find a door ajar somewhere. Therefore, regular backups must be close to the top of any bloggers/site owners’s housekeeping list.
Many many thanks. I just recovered my hacked site.