Step 1 Constantly Update WordPress
WordPress is open source, making it a target for hackers and crooks. Over 60 million sites use WordPress, when WP pumps out an update, the sooner you update your site, the better because when they make a new update they also post the vulnerabilities that they fixed. Also, it doesn’t take long to update your WordPress site, according to WordPress it takes 5 minutes or less to complete.
Step 2 Remove the Admin
Probably, the easiest thing you could do to protect yourself is start off by changing and or removing the admin superuser. Anyone who uses WordPress knows that there is a user called admin with a top-level security clearance, especially hackers. If the username is admin, how hard can it be to crack the password. Create a new administrative account but this time with a different name, and then delete the admin account all together.
Security experts recommend creating an administrative account with a very complex username and password (something like !z8dBerts02*), store it somewhere, and create another account for you to publish content that has your name but does not have Admin powers. The admin account is essentially only needed to manage themes, plugins and other aspects of the site that does not need to be changed at on a daily basis – an editor account would be sufficient.
Step 3 Choose a Strong Password
Regardless of the type of site you are running, you may be at risk for a brute-force attack. In the first step when we deleted the admin username, probably deterred most hackers but there are always those that are very persistent or already know your username. The next step to take is to choose a very difficult password and diverse password. A good way to determine whether or not your password is secure is to enter it into an online password checker like passwordmeter.com or to generate a random password.
Step 4 Secure Your Login Like Google
We prefer to take extra precautions when protecting our site, installing plugins can add an extra layer of security. There are numerous plugins that can handle passwords and login aspects of WordPress. One plugin that we find very useful is Login LockDown; it records the IP address and timestamp of all failed logins in addition to IP blocking after a certain number of failed logins. This plugin is especially helpful when it comes to defending yourself against an attack – most attackers give up on a site if their IP gets banned this is the kind of tech that Google and Facebook uses.
Step 5 Backup
It’s a good practice to backup your site weekly. I recommend Backup Creator, it’s good for all of your WP sites and very simple to install and operate, it even offers and automatic feature. We use this for over 25 sites so it’s good! Check out www.backupcreator.com
Next – Advanced Security Tips
Ok the first 5 steps are pretty simple and just about anybody can do them, the next 5 are advanced and you might need help. Just saying be careful.
Step 6 Hide WordPress Version
Let’s say that you forget to update your WordPress installation, or just don’t have 5 minutes to spare. Your WordPress version gives hackers a good idea of how they can hack your site, especially if it’s out dated.
By default, WordPress displays the version, because they want it for metrics to see how many people are using which version, etc… However, this is like putting up a bright red sign on your site telling hackers what to do.
If you’re using a premium theme, odds are that the developer took the liberty of disabling for you, but it’s always better to be sure. Open your functions.php file and drop in this line of code.
- <?php remove_action(‘wp_head’, ‘wp_generator’); ?>
Step 7 Change File Permissions
It is very important that you have the proper file permissions to ensure your site’s security. I recommend that you restrict your file permissions down to the bare, CHMOD value of 744 which essentially makes it read-only to everyone except you.
Just open your FTP program and right click the folder or file and click on “File Permissions”. If it is 777, you are very lucky that you haven’t already been hacked. You should change the CHMOD value to 744, only giving the “owner” full access.
Step 8 Whitelists?
Whitelists allow you to manage who is able to access certain areas of your website. It’s like having the Death Star protect your admin folder, so that no one, except for you, can access the folder. You can do this using the .htaccess file.
Here are the steps:
Navigate to your /wp-admin/ folder, then check if there is already a .htaccess file, if there isn’t one, just make one. If there is already one there, I suggest making a backup of it before doing any edits. Please make sure you are in the wp-admin folder, and not the root folder.
Paste the following code into the .htaccess file:
- AuthUserFile /dev/null
- AuthGroupFile /dev/null
- AuthName “WordPress Admin Access Control”
- AuthType Basic
- <LIMIT GET>
- order deny,allow
- deny from all
- # Whitelist Your IP address
- allow from xx.xx.xx.xxx
- # Whitelist Your Office’s IP address
- allow from xx.xx.xx.xxx
- # Whitelist Your IP address While Your Traveling (Delete When You Come Back Home)
- allow from xx.xx.xx.xxx
Replace the xx’s with your IP address, which you can find out at WhatsMyIP.org. Now every time you are going to be logging in from some where other than the places you added into your .htaccess file, you have to add the new IP address before you can use it.
9 Hide Your Plugins
Putting a blank index file into your /wp-content/plugins/ folder will hide all of your plugins. Some of you are probably thinking, “Who cares if someone can see my plugins?”. Well, plugins can tell hackers how to hack your site, or at least if it is hackable.
Step 10 Analyze Server Logs
If you are super anal and have a bunch of time on your hands you can check
your server logs and web analytics 3-4 times a day to see if there is any unusual behavior. I don’t recommend this unless you off your OCD meds or maybe you’re in the spy business and want to make sure Jason Bourne isn’t after you.
Step 10.5 Backup Again
I’m including Backup again because it’s a must and it will save hundreds of hours and possibly thousands of dollars too , some and suffering. I know it happen to me and a few of my friends.
And let’s be real, you still haven’t backedup your site. So besides BackupCreator.com you can take advantage of cron jobs, if you’re hosting company provides it, by using this command:
- mysqldump –opt -u $DBUSER -p$DBPASS $DBNAME > backup.sql
- gzip backup.sql
- DATE=`date +%Y%m%d` ; mv backup.sql.gz $DBNAME-backup-$DATE.sql.gz
- echo ‘BLOG BACKUP:Your Backup is attached’ | mutt -a $DBNAME-backup-$DATE.sql.gz $EMAIL -s “MySQL Backup”
- rm $DBNAME-backup-$DATE.sql.gz
Having a backup of your site makes your life easier especially when you need to re-set up your WordPress site or if you want to clone the content for another site.
If you have questions or need help with any of these steps please contact us firstname.lastname@example.org