Top 10 Steps to Securing Your WordPress Installation!
Open Source is wonderful! The possibilities it provides are truly amazing and there is so much room for customization and addition. Any developer that has played with the WordPress code has found some interesting things he/she could change to their liking, but some have also experienced the flaws. Not everyone looks at open source projects and thinks about sharing, progress and exchanging ideas, instead they see an opportunity to mess with the code and hack other people’s websites. Today, we will look at how one can best secure one’s WordPress Installation and keep their site safe from those who mean it harm.
Step 1: Change File Permissions of WordPress Files and Folders
Using your cPanel file manager or other file manager of choice such FileZila, you can view and change file permissions of entire folders or files. Just right click on the files and folders and make sure you set the CHMOD value to 744 which is probably for the best. This settings gives the owner all rights (read, write and execute) while everyone else can only have the read rights.
If you found that your site’s most important files are having a CHMOD of 777, the you are lucky that someone with knowledge of hacking hasn’t taken advantage of that yet!
Step 2: Don’t Allow Hackers to Find the Admin account
When you install WordPress a super user account called admin is created. Those who find the superuser account and gain access to it will be able to do anything they want! Change the name of this account to something more random and use a password that would be impossible to crack. Something random with a lot of different upper and lower case characters and numbers.
Create a different user account for publishing articles and content and give Editor rights as that will be enough to change all you might need without resorting to the super user admin rights. Change the admin password every now and then, it is a good practice.
Step 3: Use Login Lock Down
Do you know what brute forcing is? The basic concept is that if hackers know a user name they only need a password right? Imagine a text file with over 1 million of possible passwords and program that could try them all out at once! This plugin called Login Lock Down provides you with the security your WP site needs!
After several failed log-ins the plugin will disable the IP address from logging into WordPress for a set amount of time. In the Options Panel you can set how many failed attempts should result in a block and how long that block should last. Really helpful and certainly useful!
Step 4: Choose Strong Passwords
I am not sure how much this needs to be stressed out! Another possible problem is if you have multiple authors on your site and someone hacks one of your editors accounts. This person would be able to cause some serious damage that would take some time to repair, even with all your back-ups.
For this reason, you should send an email to all your staff/authors and have them visit Password Meter and have them make sure their password is strong and safe.
Step 5: Secure WordPress Plugin
There are other plugins that do a similar job, but Secure WordPress is probably one of the best and is worth the installation. This plugin will remove any scattered information that hackers my find and use against you and will also help by blocking out some bad queries providing some basic protection from brute forcing and DoS attacks.
Step 6: Change Default Secret Keys
If you took all the correct steps hackers should have a hard time getting access to most of your files. One tricky thing most people don’t change is their secret keys in the wp-config.php file. The code looks something like this:
define('AUTH_KEY', ''); define('SECURE_AUTH_KEY', ''); define('LOGGED_IN_KEY', ''); define('NONCE_KEY', '');
Step 7: If You Don’t Need It, Don’t Have It
Step 8: Backup Your Data
Step 9: Limiting Access to the Admin Account via the IP Address
AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "WordPress Admin Access Control" AuthType Basic <LIMIT GET> order deny,allow deny from all # Whitelist Your IP address allow from xx.xx.xx.xxx # Whitelist Your Office's IP address allow from xx.xx.xx.xxx </LIMIT>
Step 10: Analyse Your Server Logs!
As you know cPanel and similar services come with a Server Log and you should use to monitor for suspicious activity every day. If you have Google Analytic use that as well and if you ever notice a huge increase in traffic that is full of users who quickly exited your site, then ask yourself if you were targeted by a hacker and check your logs! Do not be passive, monitor your site for suspicious activity.