While WordPress is a great tool for managing and updating your website, it’s also a frequent target for hackers and other users with malicious intent, which makes securing your WordPress installation a top priority. In the event that your site does get hacked, the good folks at Webair are more than happy to assist you with clearing hacked content. In this article, however, we’ll focus on some preventative measures to make sure your site stays safe and sound.
Exploits and Updates
First of all, it’s imperative that you keep your WordPress installation up to date. When the WordPress developers release an updated version, it’s for a good reason: if a certain version of WordPress has a security vulnerability and the software gets updated in response, the fix itself usually tells the world what the vulnerability was, and attackers then go looking for sites that haven’t applied it. This makes older, outdated versions of WordPress more vulnerable to attacks. Luckily, all WordPress versions after 3.7 feature automatic updates, so this shouldn’t be too much of a concern for you.
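The automatic updates mentioned above cover minor and security releases of core by default, not plugins, themes or major core versions. The following must-use plugin is an added example (not code from the article, from Webair or from the WordPress project) showing how to widen that policy with WordPress’s own filters, and how to detect wp-config.php constants that silently switch updating off. The file name, the `wa_` function names and the `example-hand-patched-plugin` slug are assumptions; the filters and constants are standard WordPress.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example, not part of the original article)
 * Save as wp-content/mu-plugins/auto-update-policy.php; must-use plugins load without activation.
 */

// WordPress 3.7+ already installs minor/security core releases on its own. These filters
// extend unattended updating to major core releases, themes and translations as well.
add_filter( 'allow_major_auto_core_updates', '__return_true' );
add_filter( 'auto_update_theme',             '__return_true' );
add_filter( 'auto_update_translation',       '__return_true' );

// Plugins: auto-update everything except the ones you patch by hand (hypothetical slug below).
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $hand_patched = array( 'example-hand-patched-plugin' );
    return in_array( $item->slug, $hand_patched, true ) ? false : true;
}, 10, 2 );

// Hardening constants such as DISALLOW_FILE_MODS also stop security patches from being applied.
// Return the list of constants currently blocking automatic updates so that is never a surprise.
function wa_auto_update_blockers() {
    $blockers = array();
    foreach ( array( 'AUTOMATIC_UPDATER_DISABLED', 'DISALLOW_FILE_MODS' ) as $name ) {
        if ( defined( $name ) && constant( $name ) ) {
            $blockers[] = $name;
        }
    }
    if ( defined( 'WP_AUTO_UPDATE_CORE' ) && false === WP_AUTO_UPDATE_CORE ) {
        $blockers[] = 'WP_AUTO_UPDATE_CORE=false';
    }
    // Updates run from WP-Cron; disabling it is fine only if a system cron job calls wp-cron.php.
    if ( defined( 'DISABLE_WP_CRON' ) && DISABLE_WP_CRON ) {
        $blockers[] = 'DISABLE_WP_CRON (needs a real cron job hitting wp-cron.php)';
    }
    return $blockers;
}

// Show the result to anyone who can update core, right in the dashboard.
add_action( 'admin_notices', function () {
    $blockers = wa_auto_update_blockers();
    if ( $blockers && current_user_can( 'update_core' ) ) {
        echo '<div class="notice notice-warning"><p>Automatic updates are blocked by: '
            . esc_html( implode( ', ', $blockers ) ) . '</p></div>';
    }
} );
```

Major core releases occasionally break older themes, so the `allow_major_auto_core_updates` line is the one to leave out if you have not got a tested backup to fall back on.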
Another important tip concerns your administrator login and password. Never, ever, ever use ‘admin’ as your administrator login; it’s essentially the same as using ‘password’ as your password (which is another thing you should never, ever, ever do). There are a number of automatic password generators online that will help you generate a secure, random password, which, in conjunction with a username that isn’t ‘admin’, will mitigate the vast majority of brute-force attacks on your WordPress installation. It may also benefit you to limit the number of login attempts that can be made over a specific period of time, since this further reduces the chances of a successful brute-force attack on your site. There are multiple ways of doing this, but the easiest method is likely to install a plugin that manages this functionality for you.
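As an added example (not from the article, and not Webair’s or the WordPress project’s code), here is how the no-‘admin’ rule and a login-attempt limit can be implemented directly with WordPress hooks rather than a third-party plugin. The thresholds, the file name and the `wa_` function names are assumptions; `illegal_user_logins`, `wp_login_failed`, `authenticate`, `wp_login`, the transient functions and `wp_generate_password()` are standard WordPress API.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example, not part of the original article)
 * Save as wp-content/mu-plugins/login-limiter.php; must-use plugins load without activation.
 */

// Assumed policy (tune to taste): 5 failures for one IP+username pair within 15 minutes
// locks that pair out for the rest of the window.
const WA_MAX_ATTEMPTS = 5;
const WA_WINDOW       = 15 * MINUTE_IN_SECONDS;   // MINUTE_IN_SECONDS is defined by WordPress core

// Refuse the default account name at user-creation time. Core lower-cases logins before
// comparing, so 'Admin' and 'ADMIN' are rejected too.
add_filter( 'illegal_user_logins', function ( $names ) {
    return array_merge( $names, array( 'admin', 'administrator' ) );
} );

function wa_client_ip() {
    // REMOTE_ADDR is the only address the web server sets itself. X-Forwarded-For is supplied by
    // the client and is only meaningful when a load balancer you control rewrites it; if you sit
    // behind one, read the trusted header here instead.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function wa_attempt_key( $username ) {
    // Keying on IP *and* username means an attacker can only lock out their own address,
    // never the real owner of the account. Hashing keeps the transient name short.
    return 'wa_login_' . md5( wa_client_ip() . '|' . strtolower( (string) $username ) );
}

// Core fires wp_login_failed with the submitted username whenever authentication fails,
// for wp-login.php and xmlrpc.php alike, so both paths are counted.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = wa_attempt_key( $username );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, WA_WINDOW );   // also resets the expiry: the window slides
} );

// Priority 30 deliberately runs after wp_authenticate_username_password (priority 20); an error
// returned earlier would simply be overwritten by that default callback.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === (string) $username ) {
        return $user;
    }
    if ( (int) get_transient( wa_attempt_key( $username ) ) >= WA_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts from your address. Please wait and try again.'
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter so someone who mistyped a few times is not locked out.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( wa_attempt_key( $user_login ) );
}, 10, 1 );

// The password advice from the article, using the generator WordPress itself ships:
// 24 characters from letters, digits and both symbol sets, drawn via wp_rand().
function wa_suggest_password() {
    return wp_generate_password( 24, true, true );
}
```

Transients live in the options table unless a persistent object cache is configured, so on a busy site the counters add a small amount of database traffic; that is the price of not needing any extra infrastructure. A blocked attempt still triggers `wp_login_failed`, which keeps extending the lockout while the attempts continue.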
There are several plugins available (some even endorsed by WordPress) that can help you protect your WordPress site(s). One such plugin is the NinjaFirewall WordPress Edition, which is a fully featured web application firewall. Essentially, this means that the plugin will scan, sanitize and/or reject any request sent to a PHP script on your server. Everything inside the WordPress installation directories is placed under the WAF’s protection, even scripts you may have coded yourself. NinjaFirewall’s WAF will also protect you from malicious code execution, such as that attempted through uploaded PHP or shell scripts. For more information on NinjaFirewall, see the plugin’s page on WordPress.org.
There are a few other general-purpose security tips for WordPress. One is to take backups of your most essential WordPress files, most importantly the configuration and any custom theme folders. Another good idea is to change the WordPress database table prefix to something other than ‘wp_’. This is the default prefix for WordPress, so changing it makes it just that much harder for hackers to gain information about your WordPress setup. It may also be smart to remove any references to your version of WordPress from publicly facing files; this can be done manually by editing the code, or there are a number of plugins out there that can do it for you.
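The last two tips above, hiding the WordPress version and moving away from the ‘wp_’ prefix, worked through as an added example (not from the article, and not Webair’s or the WordPress project’s code). The `wa_` names and the `k7q_` sample prefix are assumptions, and the table list assumes a single-site install; multisite adds tables that would have to be renamed as well. The prefix helper only builds SQL, it never runs it.

```php
<?php
/**
 * Plugin Name: Fingerprint reduction helpers (added example, not part of the original article)
 * Save as wp-content/mu-plugins/fingerprint.php; must-use plugins load without activation.
 */

// 1. Remove the WordPress version from public output.
remove_action( 'wp_head', 'wp_generator' );              // <meta name="generator"> in page <head>
add_filter( 'the_generator', '__return_empty_string' );  // generator element in RSS/Atom feeds

// Core appends ?ver=<version> to its own CSS and JS URLs; strip it from enqueued assets.
$wa_strip_ver = function ( $src ) {
    if ( is_string( $src ) && false !== strpos( $src, 'ver=' ) ) {
        return remove_query_arg( 'ver', $src );
    }
    return $src;
};
add_filter( 'style_loader_src',  $wa_strip_ver, PHP_INT_MAX );
add_filter( 'script_loader_src', $wa_strip_ver, PHP_INT_MAX );

// 2. Build the SQL needed to move a single-site install from one table prefix to another.
//    Editing $table_prefix in wp-config.php alone is not enough: the tables must be renamed,
//    and two tables hold *row values* that embed the prefix. Forgetting those leaves every
//    user without capabilities, i.e. locked out of wp-admin.
function wa_prefix_change_sql( $old, $new ) {
    foreach ( array( $old, $new ) as $prefix ) {
        if ( ! preg_match( '/^[A-Za-z0-9_]+$/', $prefix ) ) {
            throw new InvalidArgumentException( "Prefix '$prefix' must be a plain identifier" );
        }
    }
    $tables = array(
        'commentmeta', 'comments', 'links', 'options', 'postmeta', 'posts',
        'termmeta', 'terms', 'term_relationships', 'term_taxonomy', 'usermeta', 'users',
    );
    $sql = array();
    foreach ( $tables as $table ) {
        $sql[] = "RENAME TABLE `{$old}{$table}` TO `{$new}{$table}`;";
    }
    // Escape '_' so LIKE matches it literally rather than as a single-character wildcard,
    // and use SUBSTRING instead of REPLACE so only the leading prefix is swapped.
    $like  = str_replace( '_', '\\_', $old ) . '%';
    $start = strlen( $old ) + 1;   // MySQL SUBSTRING positions are 1-based
    $sql[] = "UPDATE `{$new}options` SET option_name = CONCAT('{$new}', SUBSTRING(option_name, {$start})) "
           . "WHERE option_name LIKE '{$like}';";   // e.g. wp_user_roles
    $sql[] = "UPDATE `{$new}usermeta` SET meta_key = CONCAT('{$new}', SUBSTRING(meta_key, {$start})) "
           . "WHERE meta_key LIKE '{$like}';";      // e.g. wp_capabilities, wp_user_level
    return $sql;
}

// Usage (from WP-CLI `wp shell`, or a throwaway admin page):
//   echo implode( "\n", wa_prefix_change_sql( 'wp_', 'k7q_' ) );
// Take a database backup, run the printed statements, then set $table_prefix = 'k7q_'; in wp-config.php.
```

Hiding the version string is defence in depth rather than a fix: the version can often still be inferred from readme.html or from which core assets exist, so it complements keeping up to date, it does not replace it. The prefix change is worth doing on a fresh install, where it is a single line in wp-config.php; on an existing site the backup step before running the SQL is not optional.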
However, if you take one thing away from this article, let it be this: educating yourself on this subject will go a very long way towards protecting your sites, WordPress or not. Keeping up with current security threats and the most up-to-date versions of your software takes five or ten minutes, but it could easily save you five or ten hours in troubleshooting later.