WordPress Security Overview
Welcome to the WordPress security article. In this article we cover how to keep your WordPress install safe and how to minimize the chance of your website being breached.
Because WordPress is such a popular web application, attackers are constantly looking for weaknesses in its code that would give them access to the core administrator features. When a WordPress site is breached, it is normally for one of the following reasons:
- To Create a Public/Hidden Phishing Site
- To be used as an Email Spam Source
- To Deface your Site
- To steal Member Details (emails, encrypted passwords, etc.)
Now on to the good part: how we can help prevent security breaches.
- Update!
- WordPress releases updates frequently, and a large proportion of them contain security fixes in addition to the usual feature upgrades. It is VERY important that you update WordPress as soon as possible when a new version is available. Keep in mind that WordPress publicly announces the security holes it has patched when a new release goes out, so from that moment a large number of people have the information needed to breach the older versions. Always watch for the update notice that appears on the home screen of the admin dashboard.
- For more detailed information about how and why to update WordPress, please click here.
- Good Passwords
- Another method attackers use when attempting to breach your WordPress install is password cracking. We go into more detail about what this is in the Password article of this series. Password cracking, at its simplest, is trying a large number of passwords until the correct one is found. One of the best defenses against this type of attack is to use strong passwords. For more information about passwords, please click here.
- Extra Password
- Some hosts (including us) allow you to use server-based authentication to reduce the chance of your password being cracked. This works by having two login prompts: one uses .htaccess (HTTP authentication handled by the web server), while the other is the standard WordPress login. You must enter your .htaccess credentials before you even see the WordPress login form, so password-guessing tools never reach it. For information on how to password protect your wp-admin directory, please see the following two links.
- SiteAdmin: /control/siteadmin/siteadmin-how-to-password-protect-directories
- cPanel: /control/cpanel/cpanel-how-to-password-protect-directories
- There are also plugins that let you do this directly from the WordPress admin dashboard. We link to one later in this article.
- Directory Index
- A good way to help protect our files is to disable directory indexing. This means that when someone requests a folder that has no index file, they do not get a listing of the files inside it. Keep in mind, however, that they can still fetch a file directly if they know its full path, so this hides files rather than protecting them. For information on how to disable indexing, please see one of the following two links.
- SiteAdmin: /control/siteadmin/siteadmin-index-manager/
- cPanel: /control/cpanel/cpanel-index-manager/
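The two server-side measures above (a second login prompt in front of wp-admin, and no directory listings) are both plain Apache .htaccess settings. The script below is an added example, not Site5's own code or the control-panel feature it describes: it writes those settings for you, assuming an Apache host that honours .htaccess in the directory (AllowOverride enabled) and that the password file lives at a path you choose outside the web root. The directory and file paths are hypothetical arguments.

```shell
# Added example (not Site5's code). Writes the .htaccess directives that
# (a) put a server-level password prompt in front of a directory and
# (b) turn off directory listings.
# Assumes Apache with AllowOverride enabled for the directory in question.

# Usage: protect_directory <directory> <absolute path to .htpasswd>
# The .htpasswd path should be outside the web root so it is never served.
protect_directory() {
    dir="$1"
    htpasswd_file="$2"
    mkdir -p "$dir"
    cat > "$dir/.htaccess" <<EOF
# Second login prompt: the browser asks for these credentials before
# anything in this directory (e.g. the WordPress login form) is served.
AuthType Basic
AuthName "Restricted Area"
AuthUserFile $htpasswd_file
Require valid-user
EOF
    printf '%s\n' "$dir/.htaccess"
}

# Usage: disable_directory_listing <directory>
# Appends Options -Indexes so a request for a bare folder gets 403
# instead of a file listing. Files are still reachable by exact path.
disable_directory_listing() {
    dir="$1"
    mkdir -p "$dir"
    printf 'Options -Indexes\n' >> "$dir/.htaccess"
    printf '%s\n' "$dir/.htaccess"
}

# Usage: add_htpasswd_user <.htpasswd path> <username>
# htpasswd ships with Apache; -B stores a bcrypt hash, which is slow to
# crack if the file ever leaks. -c creates the file on first use.
add_htpasswd_user() {
    if [ -f "$1" ]; then
        htpasswd -B "$1" "$2"    # prompts for the password
    else
        htpasswd -cB "$1" "$2"
    fi
}
```

A typical run is `protect_directory /home/example/public_html/wp-admin /home/example/.htpasswd`, then `add_htpasswd_user /home/example/.htpasswd admin`, and `disable_directory_listing /home/example/public_html` for the site root (subdirectories inherit the setting). Note that wp-admin/admin-ajax.php is also protected by this rule; plugins that call it for logged-out visitors will need an exception, which is why the control-panel tools linked above are the easier route on a shared host.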
- Themes
- Almost all of us use themes for our WordPress site; they let us customize the way the site looks and feels. Keep in mind, however, that themes can also have security holes caused by bad code. It is important to use a theme written by a professional or experienced developer who knows how to code securely. It is also important to update your theme when a new version is released, just as you update WordPress itself.
- Plugins
- Plugins help us by adding features to WordPress that we may need for a website or project. Like themes, it is very possible that plugins have security holes. Here are a few tips when picking your plugins.
- Active Plugins
- Never use a plugin that has not been updated in a reasonable amount of time. This can indicate that the developer is no longer providing security updates, which in turn leaves your site exposed to any holes found in it later.
- Trusted Sources
- We recommend only using plugins that have been vetted by the WordPress community. Don’t install plugins that have low reviews or bad comments. This could be a sign that the plugin developer does not have a full understanding of good coding habits and/or security.
- Databases
- If you run multiple WordPress sites, it is highly recommended that you use a separate database (and a separate database user) for each one. That way, if someone obtains the database login credentials for one site, they cannot use them to compromise all of your sites.
- Table Prefix
- Avoid using the default wp_ database table prefix. This helps defeat pre-written attacks that assume the default table names. The prefix can be set during the WordPress install process, or changed afterwards by renaming the tables and updating the configuration file. For information on how to change your table prefix, please click here.
- Backup!
- In this day and age, it’s always a good idea to keep regular backups of your site. While we maintain backups here at Site5, it’s also a good idea to run backups yourself as an extra layer of protection.
- SSL/HTTPS
- We cover this topic in more detail in our Password article, but it is worth noting a few things here. HTTPS encrypts traffic sent to and from the server, making it difficult for attackers to intercept your data. If you have a popular website, it is a good idea to purchase an SSL certificate and have it installed on your account, so that nobody can snatch your private data (like passwords) out of the air. For more information, please see our Password article here.
- Logs
- You should check your logs from time to time for large numbers of requests where there shouldn't be any. For example, if one visitor has hit the WordPress login page over 1000 times in the past few minutes, that is a good indication that someone is trying to crack your password. You can then take that visitor's IP address and block it to slow them down. There are plugins that will do this for you automatically, saving you time and headaches.
- For more information on how to access the logs and what you are looking for, please click here.
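As an added example of the log check described above (this is not Site5's own tooling), the script below counts, per client IP, the POST requests to wp-login.php that came back with status 200 in an Apache combined-format access log. On a default WordPress install a failed login re-renders the form with a 200, while a successful login redirects with a 302, so this count is the number of failed attempts. The log lines are constructed sample data, and the threshold is a hypothetical parameter; the helper at the end prints the Apache 2.4 directives needed to block an IP once you have decided to.

```shell
# Added example (not Site5's code). Finds IPs hammering wp-login.php in an
# Apache combined-format access log and emits a block rule for them.

# Writes a constructed sample log to the given path (test data only).
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [19/Oct/2014:16:20:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Oct/2014:16:20:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Oct/2014:16:20:02 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Oct/2014:16:20:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Oct/2014:16:20:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Oct/2014:16:20:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
EOF
}

# Usage: login_flood_ips <access log> <threshold>
# Prints "<failed attempts> <ip>" for every client with more than
# <threshold> failed logins, busiest first. In combined format the
# fields are: $1 client IP, $6 "METHOD (with leading quote), $7 path,
# $9 HTTP status. A 200 on POST /wp-login.php means the form was
# re-served, i.e. the attempt failed; a 302 is a successful login.
login_flood_ips() {
    awk -v limit="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }
    ' "$1" | sort -rn
}

# Usage: deny_ip_rules <ip> [<ip> ...]
# Prints an Apache 2.4 .htaccess block that keeps the site open to
# everyone except the listed addresses.
deny_ip_rules() {
    printf '<RequireAll>\n    Require all granted\n'
    for ip in "$@"; do
        printf '    Require not ip %s\n' "$ip"
    done
    printf '</RequireAll>\n'
}
```

Against a real log you would run something like `login_flood_ips /home/example/logs/access_log 50`, review the output, and append `deny_ip_rules <ip>` to the site's .htaccess for addresses that are clearly automated. Keep the threshold well above what a forgetful legitimate user produces, and remember that an attacker behind a large NAT or a rotating proxy pool will show up as many IPs with small counts, which is where a plugin that rate-limits logins does better than a manual block list.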
- sFTP
- When possible, use sFTP rather than FTP when uploading or changing your files. sFTP encrypts the session, so attackers cannot intercept your credentials or the files you are uploading. For information on how to use sFTP, please click here.
Recommended Plugins
In this section, we will cover plugins that may be helpful for keeping your WordPress site secure.
Please note: We do not offer support (in terms of questions or issues) for these plugins, nor can we guarantee their security. Use them at your own risk.
- Bulletproof Security
- This plugin takes a lot of the grunt work out of .htaccess files. It allows you to add passwords, block non-public folders and much more.
- http://wordpress.org/extend/plugins/bulletproof-security/
- WordPress Firewall
- This is another good plugin that helps prevent common types of attacks.
- http://www.seoegghead.com/software/wordpress-firewall.seo
If you have any recommendations for plugins, please leave a comment on this page.
This concludes our article on WordPress security.
Char October 19, 2014 at 4:22 pm
Hi,
This thread was posted on 12-12-2012.
Is the information and instructions contained herein, updated?
If not, would you please update it for us?
Thanks!
James Davey October 20, 2014 at 6:47 am
Hi Char,
Yes, this information is still accurate :)
Shari Smith May 15, 2015 at 5:30 pm
That SEO plugin is pretty old. Maybe this article needs an update. Security is a huge issue and using updated plugins is part of good security.
James Davey May 18, 2015 at 6:03 am
Hello Shari,
Yes, security is important and keeping plugins updated is a very big part of that. That is actually the first step mentioned in this article. The plugins mentioned here are recommended, but not 100% necessary – you are free to use whichever plugins you like.
Justin Bouchard May 25, 2015 at 11:54 pm
What about Wordfence or iThemes Security? Will any of them conflict with Site5? Are they recommended?
James Davey May 26, 2015 at 5:30 am
Hello Justin,
Both of those should work fine, yes.