Over the last few months there has been a huge amount of focus on the security of WordPress, as the platform has been specifically targeted by hackers. Having a secure website is important not only for the webmaster or owner but for the users of the site too. Hacked sites are often used to post spam comments on other sites, to deliver a virus or malware that turns visitors’ machines into a spambot, or simply to gather sensitive user information. One of the great things about WordPress is that securing your site is made incredibly easy. Here are a few tips to help secure your website.
1. Keep your blog up to date.
In earlier versions of WordPress it was difficult to upgrade your WordPress install, as this was achieved by copying certain files via FTP. Today it is easier than ever to upgrade, as the CMS now has an automatic installer that makes upgrading as simple as clicking a button. Upgrading also used to be fraught with problems, as many upgrades broke themes or plugins, but now that WordPress is more actively developed this has become less of a problem. If you follow a few easy steps when upgrading then this should be a smooth process. Don’t forget to back up before you upgrade.
So you may be thinking: my site is working, so why should I upgrade? Well, upgrades are not created simply to add shiny new features; they are often issued to fix bugs and to close gaps in security, so upgrading is a necessary step to keep your site secure. Hackers will often target earlier or specific versions of WordPress because of known security flaws in that software.
2. Create a strong password.
As WordPress is a publicly available software package, it is simple to discover where the admin panel is located. So once a hacker knows where to log in, it’s as simple as trying combinations of usernames and passwords. Your username is very simple to find, as it appears on most posts on your site and in the author archives, so the only thing left to guess is the password. A number of years ago guessing every combination of password would have been an enormous task, but it is now much easier with the more powerful machines we have these days.
A computer can try millions of combinations in a matter of minutes, so if you have a common word or phrase as your password then it could be simple to guess. The harder you make your password to discover, the longer it will take to determine the correct one. A few suggestions for a more secure password are to use random sets of words and to add symbols or numbers. It is also a good idea to use a different password for every site you use, because if you reuse a password and it is discovered, then the hacker has access to every site you use. I use a password manager to create a unique password for every site and to store them.
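To put numbers on the argument above, here is an added example (not from the original post) that generates a passphrase in the way suggested, random words plus a digit and a symbol, and estimates how long exhausting the search space would take at one million guesses per second. The short word list, the 20,000-word estimate for "a common English word" and the 7,776-word list size are constructed assumptions for the illustration.

```python
import math
import secrets
import string

# Constructed mini word list for the demo. A real generator should draw from
# a list of thousands of words: the search space grows with the list size.
WORDS = ["copper", "lantern", "river", "puzzle", "orbit", "velvet",
         "marble", "thunder", "cactus", "harbor", "quartz", "pixel"]
SYMBOLS = "!@#$%^&*"


def generate_passphrase(words, count=4, sep="-"):
    """Pick `count` words with a CSPRNG and append a digit and a symbol,
    following the advice of random words plus numbers or symbols."""
    chosen = [secrets.choice(words) for _ in range(count)]
    return sep.join(chosen) + secrets.choice(string.digits) + secrets.choice(SYMBOLS)


def search_space(list_size, count, extra_choices=1):
    """Candidates an attacker who knows the scheme must try at most:
    list_size ** count word combinations times the appended-character choices."""
    return list_size ** count * extra_choices


def entropy_bits(space):
    return math.log2(space)


def years_to_exhaust(space, guesses_per_second):
    """Worst-case time to enumerate the whole space at the given guess rate."""
    return space / guesses_per_second / (365 * 24 * 3600)


def compare(guesses_per_second=1_000_000):
    """One common English word (assumed ~20,000 candidates) versus four words
    from a 7,776-word list plus one digit and one of eight symbols."""
    word = search_space(20_000, 1)
    phrase = search_space(7776, 4, len(string.digits) * len(SYMBOLS))
    return {
        "common_word_bits": round(entropy_bits(word), 1),
        "common_word_seconds": word / guesses_per_second,
        "passphrase_bits": round(entropy_bits(phrase), 1),
        "passphrase_years": round(years_to_exhaust(phrase, guesses_per_second)),
    }
```

At a million guesses per second the single word falls in a fraction of a second, while the four-word passphrase takes on the order of nine thousand years to exhaust.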
3. Limit the number of login attempts allowed.
This next tip follows on from the last point about accessing the admin area. A technique used by many hackers is to run a program that tries millions of combinations of usernames and passwords until a match is found. One way to counter this is to limit the number of login attempts a user is allowed, by using a plugin. If a user can only make a small number of attempts in a fixed period of time, the hacker has to wait between attempts, which slows the attack down considerably: a large number of attempts may now take weeks instead of minutes. This also allows you to monitor attempts so that persistent users can be banned from accessing the admin area.
One of my recommended plugins to achieve this is the Limit Login Attempts plugin, available in the WordPress Plugin Directory.
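As an added illustration of what such a plugin does (example code, not the Limit Login Attempts plugin's own), the limiter below counts failures per client IP in a fixed window, locks the client out once the limit is reached, and bans a client that keeps getting locked out. The thresholds are assumed values for the demo.

```python
import time
from collections import defaultdict


class LoginLimiter:
    """Fixed-window failed-login limiter: after max_attempts failures within
    `window` seconds the client waits `lockout` seconds, and a client locked
    out `lockouts_before_ban` times is banned. Keyed on client IP here."""

    def __init__(self, max_attempts=4, window=1200, lockout=1200,
                 lockouts_before_ban=4, clock=time.time):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.lockouts_before_ban = lockouts_before_ban
        self.clock = clock                      # injectable so tests need not sleep
        self.failures = defaultdict(list)       # ip -> timestamps of recent failures
        self.locked_until = {}                  # ip -> time the lockout expires
        self.lockout_count = defaultdict(int)   # ip -> how often it was locked out
        self.banned = set()

    def is_allowed(self, ip):
        """Call before checking credentials: a locked or banned client is
        refused outright, so it learns nothing about the password."""
        if ip in self.banned:
            return False
        until = self.locked_until.get(ip)
        return until is None or self.clock() >= until

    def record_failure(self, ip):
        """Register a failed login; returns 'ok', 'locked' or 'banned'."""
        now = self.clock()
        recent = [t for t in self.failures[ip] if now - t < self.window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) < self.max_attempts:
            return "ok"
        # Threshold reached inside the window: start a lockout, reset the count
        self.failures[ip] = []
        self.lockout_count[ip] += 1
        if self.lockout_count[ip] >= self.lockouts_before_ban:
            self.banned.add(ip)
            return "banned"
        self.locked_until[ip] = now + self.lockout
        return "locked"

    def record_success(self, ip):
        """A correct login clears the client's failure history (not a ban)."""
        self.failures.pop(ip, None)
        self.locked_until.pop(ip, None)
```

The lockout count is what lets an administrator spot persistent offenders: a client that reaches it repeatedly is exactly the one the post suggests banning.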
4. Delete the admin user.
Earlier versions of WordPress required you, when installing, to create the first user on your site with admin as the username, to make for a simpler install. Now you are prompted to create a custom username, but some people still use the admin username for simplicity. This username has recently been exploited by hackers, as it is a simple username to guess. So, to reiterate point three, a username that is more difficult to guess will make it harder for a malicious user to access your site by simply guessing the login credentials. This is often referred to as security through obscurity.
A recommended technique to counter this is to create two users: the first as a full admin user, used to update the site or plugins and to perform maintenance tasks, and a second with the editor role, which allows content to be published but cannot make major changes to the site. Only the second user will be publicly visible, which limits the damage a malicious user can do if access is gained through this account.
5. Only use trusted themes and plugins.
One of the great features of WordPress is the number of resources that are available to extend the software. There are literally thousands of themes and plugins out there to install from various different sources. Unfortunately some plugins and themes have been released with code added to them so that the site can be exploited, often without the owner knowing. The effects have ranged from adding targeted adverts to a site to deploying a virus to a visitor’s computer.
There are a number of recommended places to get themes and plugins, such as the official WordPress Themes Directory and the WordPress Plugin Directory, or commercial sites such as Themeforest or WooThemes. If you are ever unsure about a theme or plugin, a Google search should show user reviews to help you make your decision, or ask on the WordPress Forums.
I hope these tips help you keep your website secure; applying a few simple rules can greatly decrease the chances of your site being hacked. I don’t think the risk of a site being hacked will ever go away, but if you stay ahead of the game and make the job of a malicious user harder, then a secure site is more than achievable. Please add the tips and tricks that you use in the comments below, and if you need some help then fire away, I’ll try my best to advise.