WordPress has evolved considerably since its early days as a simple blogging tool. These days you can use WordPress to build some of the most powerful websites with almost unlimited functionality. The main reason WordPress has become so popular is the ease of use it offers. No functionality is too difficult to implement: simply find and install whatever plugin you are looking for (yes, there is a plugin for nearly everything) and you're off. Need to add a shopping cart to your site? No problem! Want to stop spammers from commenting on your site? Done!
As WordPress has grown in popularity, it has no doubt become a favorite target for attackers. Because of this, it is important to take certain precautions to ensure that your site is protected from such attacks. This article is a basic step in the right direction. We will cover recommended techniques to harden your WordPress installation, as well as recommended plugins that help protect against attacks.
First, and most importantly, change your WordPress admin username and password. It is far too common for users installing WordPress to keep the default username/password. We recommend immediately changing the username from 'admin' to something less guessable and personal to you, adding an additional layer of security. As for the password, we recommend a strong one consisting of letters and numbers, mixing in some capital letters and special characters as well.
The next step (and equally important), which cannot be stressed enough, is to make sure your WordPress installation, themes, and plugins are always up to date! This is probably the number one way WordPress sites are hacked: outdated plugins/themes can leave vulnerabilities which attackers use to gain access to your site. Leave only the plugins you are using installed, and remove any plugins that you do not currently need. It is far too easy to forget about a plugin you previously deactivated and leave your site open to attack.
Now that we’ve got the basics covered, let’s move onto the fun stuff.
All in One Security & Firewall – Easily the most popular and most widely used security plugin. This all-in-one package is a must install. With several powerful tweaks, All in One Security & Firewall allows you to easily protect your site against the most common (and less common) known exploits. From basic firewall protection to comment-spam control, brute force attacks and everything in between, this plugin is an absolute necessity:
- Comment spam prevention
- Protect your database prefix
- Advanced Brute Force Protection
- Disable php editing via Dashboard
- Firewall Protection
- Protect core files
- Manually approve registrations
- IP Blacklisting (individual and range)
- IP Whitelisting (individual and range)
- Implement Captcha
- Monitor User account/content for malicious content
- Change your login URL
- Disable WP Meta Information
- File change detection
iThemes Security – iThemes is one of the highest rated security apps currently available for WordPress. They offer both a free version, and a premium (paid) version, but for the purposes of this article, we will be covering the free version. Full of features and ready to help protect you:
- Monitor file changes
- Brute Force Protection
- Hidden admin/login page
- Locking out users who enter their username or password incorrectly too many times
- Logging user actions
- Two-Step Authentication
- Forcing Secure Password Authentication
WordFence – WordFence is next on our list and provides protection similar to iThemes Security while improving on some other aspects. It also comes in a free and a premium version; once again we will cover the features of the free version:
- Malware/Injection/Backdoor Scanning
- Blocks IP Addresses
- Block entire Countries
- Set up customized alerts
Secure Core Files:
wp-config.php – It is important to add additional security to your site by protecting a few core files via your .htaccess file. Place the following at the top of the .htaccess file in the "/home/username/public_html/path-to-wordpress" directory:

```apache
<files wp-config.php>
order allow,deny
deny from all
</files>
```
wp-includes – The next thing we will be securing is the wp-includes directory. Be sure to place the following outside the # BEGIN WordPress and # END WordPress tags of the same .htaccess file we edited above (directly below the previous code will work fine):

```apache
# Block include files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# BEGIN WordPress
```
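To check exactly which request paths the two .htaccess snippets above refuse, here is a small simulator (an added example, not part of the original article and not Apache's own code) that replays the rules in mod_rewrite's order, including the `[S=3]` skip, against constructed sample paths relative to the WordPress root:

```python
import re

# Rules copied from the .htaccess snippet above, in the order mod_rewrite evaluates them.
# Each entry: (pattern, negated, flags). The "-" substitution in the original means
# "leave the URL untouched"; [F] returns 403 Forbidden, [S=n] skips the next n rules.
RULES = [
    (r"^wp-admin/includes/", False, {"F": True}),
    (r"^wp-includes/", True, {"S": 3}),       # "!" prefix: matches when path is NOT under wp-includes/
    (r"^wp-includes/[^/]+\.php$", False, {"F": True}),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, {"F": True}),
    (r"^wp-includes/theme-compat/", False, {"F": True}),
]


def htaccess_decision(path: str) -> int:
    """Return the HTTP status the snippets would produce for a request path relative to
    the WordPress root (no leading slash, as in per-directory .htaccess context with
    RewriteBase /).  403 = blocked, 200 = passed through to normal handling."""
    # <files wp-config.php> ... deny from all </files> matches on the file name
    # in any directory covered by this .htaccess.
    if path.rsplit("/", 1)[-1] == "wp-config.php":
        return 403
    i = 0
    while i < len(RULES):
        pattern, negated, flags = RULES[i]
        matched = re.search(pattern, path) is not None  # patterns are unanchored unless ^ is given
        if negated:
            matched = not matched
        if matched:
            if flags.get("F"):
                return 403          # [F,L]: forbid and stop processing
            i += flags.get("S", 0)  # [S=n]: skip the next n rules
        i += 1
    return 200


# Constructed sample request paths (not from the article); the expected status is noted inline.
SAMPLES = {
    "wp-config.php": 403,                          # core config file
    "wp-admin/includes/file.php": 403,             # admin include requested directly
    "wp-includes/load.php": 403,                   # top-level PHP in wp-includes
    "wp-includes/js/tinymce/langs/en.php": 403,    # TinyMCE language file
    "wp-includes/theme-compat/comments.php": 403,  # theme-compat PHP
    "wp-includes/js/jquery/jquery.js": 200,        # static asset is still served
    "wp-content/plugins/foo/bar.php": 200,         # outside wp-includes: [S=3] skips the three blocks
}

if __name__ == "__main__":
    for p, expected in SAMPLES.items():
        got = htaccess_decision(p)
        print(f"{got} {'OK ' if got == expected else 'BAD'} {p}")
```

The `order allow,deny` / `deny from all` pair is Apache 2.2 syntax; on Apache 2.4 the equivalent inside the `<files>` block is `Require all denied`, so confirm which version your host runs before relying on the first snippet.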
All Host Boogie accounts include a free partner account with CloudFlare, an industry leader in content delivery and site security. CloudFlare has many features that we recommend taking advantage of (and it is enabled by simply clicking through your cPanel). From caching your content on their always-ready network to masking your server's IP address and DNS, CloudFlare adds a very nice touch to all sites, but WordPress sites in particular.
Back up your Site:
Host Boogie takes nightly backups of all hosting accounts on all of our servers. We try to store these backups for as long as possible (typically about 10-14 days before they are overwritten) and have them readily available should disaster strike your website. With that said, we still strongly recommend keeping your own backup of your site. Backups can be taken a number of ways, which we will cover in a later article. If you have any questions regarding backups, please feel free to contact our support department.
As with any site, there is no 100% foolproof method of preventing an attack; however, by following the recommendations outlined in this article your site will be better protected and ready to withstand such attacks.
This concludes our initial security recommendations for WordPress installations.
Get started today at https://hostboogie.com/wordpress
Use coupon code wpsecure for 10% off all plans (excluding Lite)