WordPress Security: How to Lock Down Your WordPress Site
At the time of writing, the number one suggestion in the Votebox is about online security. How can you keep your site from getting hacked and taken down, or worse, being “injected” with malicious code that might even affect your visitors in a negative way?
If you own many websites, chances are that you’ve had one or several of them compromised at some point and that’s never a pleasant experience.
In this post, we’ll take a look at the exact steps you can take to secure your WordPress websites, as quickly and easily as possible.
If you’ve been lucky enough to never have had any security issues with your website, you might be wondering: “how likely is it that I’ll get hacked?”
Especially if you have smaller sites, it may seem like they wouldn’t make interesting enough targets for hackers, so you don’t really have anything to worry about, right? Wrong, unfortunately. My first ever site that got hacked was on a simple little blog that hadn’t been around for more than a few months and that barely got 40 visitors a day. Not a prominent target by any means.
The first thing you need to understand is that there doesn’t have to be any reason for an attack. You don’t have to have made enemies in hacker-circles, you don’t have to have a big, popular or controversial website. An attack can happen out of the blue, for the simple reason that your site is easy to hack. And that’s the number one rule: the easier it is to hack your site, the more likely it is to happen.
In this post, we’ll look at the two most important factors for securing your WordPress site:
- Backing it up, so that it can easily be restored, in case it does compromised.
- Adding security measures to make it more difficult to hack and therefore less likely to be attacked.
A WordPress site consists of two main components: the database, which stores all your written content and settings and the files on your server, containing all of your images, plugins, themes etc.
Install the WP-DBmanager plugin, which you can set to automatically create backups of your database at specific intervals and email them to you or store them on your server. In addition, you can also use this plugin to restore your database from a backup file.
Here’s a video showing how to use the installation, setup and restoration features in WP-DBmanger:
Files BackupThe easiest backup solutions are those that come with your hosting provider, but depending on your provider they might not offer all the features you'd want. Our recommended hosting provider for getting started is Hostgator. Hostgator provide a weekly automatic backup on all their shared hosting accounts, as long as you have fewer than 100,000 files stored on the server and less than 20GB of space used. If you install multiple WordPress websites on one account, it's likely that you'll exceed the file limit at some point. You'll see something like the following in the sidebar of your cPanel dashboard, when this happens: When you are below the thresholds for files and disk-usage, you'll always have a backup available, but it can be up to a week old and there's only ever one backup stored. It's a good solution, but it's not perfect. You can manually create backups by going to the backup wizard in your cPanel. This will create a file for you to download, in a few easy steps. You can also use this same wizard to restore your files from an existing backup file. Our recommended high-end hosting provider, StormOnDemand, comes with it's own, fully customizable backup solution. Here, you can have daily backups created and you can store them for up to 90 days. The service is pay-by-use and the rates are very low. If you are using a different service or you want to extend the limited backup functionality of a shared hosting account, the SiteAutoBackup service is worth taking a look at. For any cPanel hosting account, you can create automatic, daily backups very easily and you can store them for up to 31 days. The pricing starts at $2/month, so you don't have to break your bank for this added bit of security. With the above, we've made sure that even if you get a WordPress site compromised, you'll never be more than a few clicks away from restoring all your files and data. The next step is to do what we can to ensure that restoring a backup will never even be necessary.
UpdatesSince you're familiar with the Internet, I'm sure you are aware that there are sites and forums/communities on pretty much every topic imaginable. And so there are also sites and communities that are all about documenting and discussing online security flaws and how to exploit them. Someone might read up on such an exploit and then do a quick search to find a site to try it out on. If your site meets the criteria and happens to show up in the search results, that's all it takes for it to become a victim of a hacker attack. The most commonly exploitable issues with WordPress as well as WP plugins are usually addressed with updates and luckily, WordPress makes updating very easy, via dashboard notifications and one-click-updates. Always update to the latest WordPress version and always keep your plugins up to date. If you're running an older version, it will still contain all the bugs that have been fixed in the newer version and some of those bugs might be potential security loopholes. If you run many different WordPress websites, it can be difficult to manage, as you'd need to log in to each dashboard separately, to perform the updates. If you want to make this process easier, take a look at manageWP (hosted service) or WP Mass Updater (Windows desktop software). When installing new plugins for your site, check to see when they've last been updated and whether they've had multiple versions in the past. As a general rule, a plugin that is updated regularly is less likely to be a potential security risk than one that had only one release, years ago and was never updated since.
PasswordsAny and all security measures are futile if someone can simply log in to your site as an administrator or log into your hosting account, with malicious intent. Because of this, it's very important to use real passwords for all of your accounts. If you use passwords like 123456, password, letmein, qwerty, your birth date or anything similar, you're simply asking for trouble. You might think that that goes without saying, but I know that some people are reading this and thinking "how did he know my password?" (here's how). I recommend using LastPass, a free and awesome password management app. Create one truly secure master password for your LastPass account and then have it auto-generate secure passwords for you, for every account you use. The downside to this is that with any password manager, you'll have a single point of failure: if someone gets access to your password manager, they have access to everything. This is still a far smaller risk than using non-secure passwords on your accounts or writing down your passwords to remember them, though. The only alternative I'd recommend would be to use memorizable, secure passwords by stringing together random words and remembering them as visual representations. You'll still need some discipline and a good memory to do this, if you're going to use different passwords for all your critical accounts (as you should). Bottom line: replace all your insecure passwords with secure ones, right now. In addition, also make sure that your admin username is neither "admin" nor the same as your display name. If your username is either of those, that's one less thing a hacker needs to figure out, in order to breach your website. In the WordPress admin menu, go to "Users" -> "Your Profile". Here, you can set a nickname to anything you want and you can set the display name on your site to be your nickname:
Secure FTPFTP clients are extremely useful for managing the files on your server, but on a standard FTP connection, all of the communication between your computer and your server is un-encrypted. This means that, among other things, your username and password is sent in plain text and could, theoretically, be intercepted. The solution is to use an SFTP (secured file transfer protocol) connection. The general procedure is very simple: make sure you have SSH (secure shell) access enabled on your hosting account, set your FTP client to use SFTP and use your main username and password to connect (i.e. the password you use to log in to your cPanel account - logins for individual FTP accounts don't work via SFTP). Here is the same in more detail:
SSH AccessIf you are using Hostgator, log in to you client and billing dashboard and click on the "View Hosting Packages" link in the sidebar menu. Then, click on the "Enable Shell Access" link: If you are using StormOnDemand, SSH is enabled by default. If you're using a different hosting provider and you don't know how to activate SSH access, a look at the knowledge-base or a quick support request should get you sorted.
FileZillaNext, download and install the free FileZilla FTP client (available for Windows, Mac OS and Linux). Launch it and open the site manager (File -> Site Manager).
Use the following settings:
- Set the host to your registered domain for the hosting account, preceeded by "ftp." or enter your server's IP address.
- If you are using Hostgator, enter "2222" as the port. On StormOnDemand, leave this field blank.
- Select the SFTP option for the Protocol drop-down menu.
- Select the logon type "Normal".
- Enter your cPanel username and password.
- Click on connect.