WordPress Security

Security and encryption are a very hot topic in the news lately. Apple and the FBI, Edward Snowden, Hillary Clinton’s emails, the Sony Pictures hack… the list goes on. Security concerns are at an all-time high, and with WordPress being as massive a platform as it is, it can be an easy target for people looking to take advantage of sites that aren’t locked down.

I’ve written about the importance of strong passwords and my own terrible, no-good, very bad day. Now I make sure I have a very carefully configured version of iThemes Security installed on every site and follow the WordPress Codex security articles to the letter. But what else can we do to help lock down WordPress and make sure our sites aren’t another addition to the statistics? Let’s start by looking at the numbers:

Where Do WordPress Sites Usually Get Hacked?

  • 41% – hosting
  • 29% – theme
  • 22% – plugins
  • 8% – weak passwords

83% of WordPress sites that are hacked (30,000 per day!) are compromised because they have not been updated to the latest version.

Preventing WordPress Security Issues

  • Don’t use the default “admin” account. Additionally, don’t use a login that can be tied to an author on the site. For example, my login name for this site is not astanley or aaronstanley or any variation.
  • Close comments after 30 or 60 days. While this isn’t a failsafe against injection, it will definitely help and has the added bonus of keeping a lot of spam out.
  • Don’t show a login link on the site – some themes have the wp-admin/login link in the footer for easy access. Bots can sniff this right out. If your end user can’t append a simple path like wp-admin to the URL, then that’s a larger issue.
  • Always, always keep WordPress up to date. Those security patches are remarkably important.
  • Report bugs and security issues. This is actually really helpful to core developers and will get you involved in the welcoming WordPress community.
  • Lock down file permissions – whether you do this at the server level or in your FTP client, part of installing WordPress should be reverting permissions and write access back to 666.
  • Use a WordPress security plugin that limits login attempts. Again, I can’t recommend iThemes Security highly enough, but there is also Wordfence and All-In-One, both of which have a strong user base. Whichever you choose, do your research and make sure all of your settings are configured correctly.
  • Consider two-factor authentication.
  • Re-evaluate your web host. Some are better than others when it comes to security, and I’ve found that the ones that make it a priority are also going to offer faster load times.
  • Multiple backups. Your server should be taking daily backups and retaining them for at least 4-7 days, but you should have your theme and database backed up regularly to an external source as well. If you don’t realize there’s been an issue until well after the server’s backup retention window, then you’re in trouble. This is also why many WordPress developers work on their desktop and push live, so there’s always a backup of the theme files ready to go.
  • Check your plugins. Your plugins are a very real potential threat, and one weak version of a new plugin could bring your site down quickly. Make sure you’re using well-reviewed, heavily used, and tested plugins on your site. And make sure you’re reading the changelog before you install an update – if it’s a security patch, install it immediately, but if it’s a new feature, maybe hold back until the reviews and testing come in rather than potentially opening up a vulnerability.
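
A worked example for the “lock down file permissions” item above. This script is added here and is not the post’s own code or anything from WordPress itself. One caveat first: mode 666 is readable and writable by every user on the server, so it is the setting an audit should flag, not the one to revert to. The WordPress hardening guide the post refers to recommends 755 for directories and 644 for files, with wp-config.php tighter still (400 or 440) where the host allows it. The script applies that baseline and then audits the tree for anything still writable by “other”. The directory layout it builds is a constructed miniature of a WordPress install, and the 600 chosen for wp-config.php is this example’s assumption (it keeps the file readable by its owner, which is typically the web server user on shared hosts).

```shell
#!/bin/sh
# Added example (not the post's or WordPress's own code): apply the permission
# baseline from the WordPress hardening guide and audit for world-writable files.
set -eu

# Directories 755, regular files 644, wp-config.php tightened to 600.
# (Assumption: the file's owner is the account the web server runs as.
#  The hardening guide suggests 400/440 where the hosting setup allows it.)
harden_wp_permissions() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
  fi
}

# List every file or directory writable by "other" (the 666/777 class).
# Returns 0 when the tree is clean, 1 when anything was listed.
audit_world_writable() {
  root="$1"
  hits=$(find "$root" -perm -002 -print)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# Check whether one path has exactly the given octal mode (0 = yes, 1 = no).
has_mode() {
  find "$1" -prune -perm "$2" -print | grep -q .
}

# Build a constructed miniature WordPress tree with the 666/777 permissions
# the post describes, so the audit has something to find. Prints its path.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads" "$d/wp-content/themes/demo"
  echo '<?php // placeholder'          > "$d/index.php"
  echo '<?php // placeholder secrets'  > "$d/wp-config.php"
  echo 'constructed upload'            > "$d/wp-content/uploads/secret.txt"
  echo '/* placeholder */'             > "$d/wp-content/themes/demo/style.css"
  chmod 777 "$d/wp-content/uploads"
  chmod 666 "$d/index.php" "$d/wp-config.php" \
            "$d/wp-content/uploads/secret.txt" \
            "$d/wp-content/themes/demo/style.css"
  printf '%s\n' "$d"
}

# Demo run: audit the bad tree, harden it, audit again, clean up.
demo_root=$(make_demo_tree)
echo "Before hardening, world-writable paths under $demo_root:"
audit_world_writable "$demo_root" || true
harden_wp_permissions "$demo_root"
if audit_world_writable "$demo_root"; then
  echo "After hardening: no world-writable paths remain."
fi
rm -rf "$demo_root"
```

Run it against a real install by calling `harden_wp_permissions /path/to/wordpress` followed by `audit_world_writable /path/to/wordpress`; the audit is the part worth putting in a cron job, since a plugin update or a careless FTP client can quietly loosen modes again.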

There are many more ways to tighten up your WordPress security, but hopefully this gets you thinking about how you’re protecting your site. Do your research and protect yourself! Otherwise there is someone out there more than willing to mess things up and ruin your day.
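
To go with the “limit login attempts” item in the list, here is the check a security plugin is doing for you, written out against the web server’s access log. This is an added example, not code from the post or from any of the plugins it names. It relies on one WordPress behaviour: a failed login re-renders the form with a 200 response, while a successful one redirects with 302, so POSTs to wp-login.php answered 200 are a usable (if not perfect) count of failures per source address. The log lines are constructed sample data using documentation IP ranges, and the threshold of 5 is an assumed value.

```shell
#!/bin/sh
# Added example (not the post's own code): count failed wp-login.php POSTs per
# source IP from combined-format access logs and flag sources over a threshold.
set -eu

# Constructed sample log (combined log format, documentation IP ranges).
# 198.51.100.9 hammers the login form; 203.0.113.7 mistypes once then succeeds;
# 192.0.2.44 only views the form. Prints the temp file's path.
make_sample_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
203.0.113.7 - - [10/Mar/2016:08:01:01 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2016:08:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.9"
198.51.100.9 - - [10/Mar/2016:08:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.9"
203.0.113.7 - - [10/Mar/2016:08:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "https://example.invalid/wp-login.php" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2016:08:01:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.9"
192.0.2.44 - - [10/Mar/2016:08:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3390 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2016:08:01:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.9"
203.0.113.7 - - [10/Mar/2016:08:01:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.invalid/wp-login.php" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2016:08:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.9"
198.51.100.9 - - [10/Mar/2016:08:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.9"
EOF
  printf '%s\n' "$f"
}

# Print "count ip" for every source that POSTed to wp-login.php and got a 200
# (the failed-login response), highest count first.
# Combined log fields: $1 ip, $6 "METHOD, $7 path, $9 status.
login_failure_counts() {
  awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Print only the IPs whose failure count reaches the threshold.
# Usage: flag_bruteforce_sources LOGFILE THRESHOLD
flag_bruteforce_sources() {
  login_failure_counts "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Demo run on the constructed log.
log=$(make_sample_log)
echo "Failed wp-login.php POSTs per source:"
login_failure_counts "$log"
echo "Sources at or above 5 failures:"
flag_bruteforce_sources "$log" 5
rm -f "$log"
```

On a live server, point `flag_bruteforce_sources` at the real access log (`/var/log/apache2/access.log` or the nginx equivalent, depending on the host) and feed the result into whatever blocking or alerting you already have; the plugin route does the same thing with less plumbing, but seeing the raw count makes it obvious why a login limit matters.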