This guest post is by Karol K of ThemeFuse.
Right now WordPress powers 48 of the top 100 blogs online. More than that, WordPress actually powers 19% of the web as a whole.
Essentially, this is great. Such a strong community of users and developers means that the platform is sure to evolve even further and provide us with lots of cool features that are yet to be developed.
Unfortunately, this creates some dangers as well… Whenever there’s a big number of people trying to make something happen, there’s another group of people trying to take it all down.
The cases where a blog owner loses complete access to their site are not uncommon. Actually, sometimes even whole domains get hijacked, and I honestly have no idea on how that’s done.
But we don’t have to know how hijacking a domain or stealing a blog works to be able to implement some basic security precautions. And that is exactly what this post is about—making your blog secure without playing with source code, understanding things, and stuff.
Typical WordPress security problems
WordPress as a whole (a website management platform) is very well designed. It doesn’t have any preposterous security issues that beginning programmers could exploit. The problems, however, arise when you try to tweak your installation of WordPress by adding new plugins or themes, implementing hacks, or doing anything else that interferes with WordPress.
Of course, this doesn’t mean that you should settle for the default installation, not use any plugins, and only blog using the default theme. What it means is that you simply need to be careful when installing new stuff on your blog, as well as when setting up your blog for the first time.
Let’s start by discussing some of the common security problems you’ll need to handle.
Excuse me for being obvious, but you really need to start with proper usernames and passwords for your user accounts. Everyone realizes the importance of this, but not as many people implement the best practices.
You must use complex passwords—letters, numbers, special characters, spaces—and usernames that are not obvious. A password of “admin,” for example, is extra-obvious.
For more information on account security, see my recent guest post here on ProBlogger, which explained user accounts and roles, and how to set them up properly.
The name of the next problem in line: shady, untested plugins. WordPress plugins have a fair amount of power over how your WordPress installation works. If a plugin contains some buggy code, it can crash your blog completely. The same goes for code that’s not secure. Finally, if one of your plugins doesn’t implement any security features, it can become the point of entry for malicious bots or direct attacks by hackers.
Remember, the weakest link is where the chain breaks. You only need one low-quality plugin to get into trouble.
The advice I have here is: don’t use any plugin that hasn’t been updated in a while, or hasn’t been officially tested with the newest version of WordPress. Being up to date is always the best precaution. Also, plugins that are more popular are usually more secure as well.
There’s one more big issue we have to in terms of shady code, and that’s WordPress themes. I will say this again—and I’m not sorry for it—free themes are evil.
Well okay, not all of them. There are two kinds of free themes: (1) the good ones, released by quality theme stores as a way of attracting new customers by spreading one or two great free themes, (2) the evil ones made primarily to look great, attract many users, and use the space in the footer for SEO purposes.
These SEO-focused themes often use some strange, encrypted PHP code that can’t be removed, otherwise the theme stops working. This code usually displays search-optimized links (sometimes in an invisible font).
You never, let me repeat, never want to have encrypted code on your site. Even when you get the theme for free in exchange for hosting this encrypted section, it’s not worth it.
If you’re planning to use your WordPress site as the base of your online business then buying a quality theme is a must. If you have a bigger budget, you could even hire a developer to build your theme on top of some popular theme framework.
Since we’ve now covered the basics—user accounts, plugins, and themes—let’s look into some of the things that you can do to actively make your blog more secure.
Steps to better security
First, let’s talk through some of the best practices in terms of security. Then, let me show you some cool security plugins.
Yes, it all starts here. The story is similar to the one about WordPress themes: if you want to have a secure environment, you simply need to invest money. Don’t use free hosting.
Make sure that your web host implements basic security features and that it has good reviews among users (search on forums; Google is likely to display only affiliate reviews, which aren’t always credible).
Secure your own machine first
This is not something that comes to mind immediately when we’re talking WordPress security, is it? But what’s the point of securing your WordPress installation on the host if you have a malicious key-logger installed on your computer that will pick up your password and send it to the attacker?
You always need to start by securing the machine you’re using to connect with your WordPress blog. There are many good antivirus apps available, so I won’t discuss this any further. Just keep in mind that this issue is equally as important as anything else described in this post.
Update, update, update
Update WordPress. Update your plugins. Update your theme. Try to install these updates immediately after the alert apepars in your Dashboard.
Here’s why. Fixes to new bugs and security holes are always a big part of every update. The minute an update gets released, all the changes are announced in the official doc that goes along with the update.
If a hacker wants to attack a site that hasn’t been updated yet, they just have to take a look at the document, do a little research and tackle the holes that the new version fixes.
For example, here’s an excerpt from the information on the newest version of WordPress:
“WordPress 3.3.2 also addresses: Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances, disclosed by Jon Cave of our WordPress core security team, and Adam Backstrom.”
Essentially, such information is a guide for hackers on how to attack outdated sites. So be sure to update everything, without delay.
Back up regularly
No one likes to get hacked, but we can’t assume that it won’t ever happen. You always should have an up-to-date backup of your WordPress site, just in case something goes wrong and you have to restore your blog.
You can do backups manually, or you can sign up to a paid service or simply get a plugin to do this for you (more on this later).
Delete plugins you don’t use
There’s no point in occupying your server’s resources with stuff you don’t use. The same advice applies to themes. Leave just the theme your blog uses, and delete the rest (you can leave the default theme, just in case).
Handy plugins to improve your blog’s security
Everybody loves them some cool plugins, right?! So here’s a list of the ones I recommend you use to make your blog more secure:
- AntiVirus: This plugin protects your blog against exploits, malware, and spam injections. It scans your theme’s files and notifies you if anything suspicious is going on.
- Online Backup for WordPress: This app is the one I use for my backups. You can use a schedule or perform backups by hand, and have them sent to your email address or made downloadable. The plugin backs up the database as well as the file system.
- Secure WordPress: This is where you stop scanning and start acting! This plugin performs a number of security tweaks to your blog. There’s no point in listing them here, so I invite you to check for yourself. Also, you can choose which ones you want to enable and which you don’t need.
- BulletProof Security: The list of things this plugin does is quite impressive. It’s a really serious piece of software. Just to name a few features: protection against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts, one-click htaccess protection, wp-config.php protection, and loads of other tweaks. It’s really worth looking into.
- Hide Login: This plugin has a very simple idea behind it. You can use it to hide your login page. In other words, it creates a custom login URL. It also lets you create a custom admin URL (instead of domain.com/wp-admin), and a custom logout URL.
Your content is the most valuable asset on your blog. You naturally don’t want it to get stolen by some evil content scrapers and SEO marketers who just want to launch thousands of sites with content from various RSS feeds.
Unfortunately, you can’t protect against this completely. There’s always a danger that someone can steal your content and republish it without attribution. But you can make it just a little harder, or at least let everyone know that your content is protected.
Try checking Copyscape. It’s a service that searches for copies of your content around the internet. If it finds some, you get an alert and some instructions on how to get it taken down. Copyscape offers a couple of different services, so it’s good to pay them a visit and choose one that suits you best.
The just-in-case approach
No matter what you do to protect your blog, something bad is always possible. That’s why you need to have a strategy set in place for the time when something goes wrong, and you need to act fast.
I invite you to check out two of my own: how to restore your blog after a crash, and what to do when you lose access to your blog. And I truly hope that you’ll never have to use either of these guides.
How secure is your blog?
There you have it. I think that’s it when it comes to securing your WordPress site without going into code and implementing various tweaks manually. There’s always a never-ending stream of things you can do, but if you take care of just the ones described here you’ll have a pretty secure blog, and you’ll be ready in case something bad happens.
How diligent are you when it comes to your blog’s security? And what security tweaks would you add to this list?
Karol K. is a 20-something year old web 2.0 entrepreneur from Poland and a writer at ThemeFuse.com, where he shares various WordPress advice. Currently, he’s working on a new e-book titled “WordPress Startup Guide – little known things worth doing when creating a WordPress site.” The e-book launches soon, and now the best part … it’s free. Also, don’t forget to visit ThemeFuse to get your hands on some premium WordPress themes.