This Hands-On WordPress article has been extrapolated from the August 11, 2014 WordPress Deep Dive Discussion Meet-up led by Nick Batik
Basic WordPress Site Security Practices
The most effective WordPress security practices don’t change appreciably from one year to the next.
These are ones that even non-programmers can manage on their own, or make sure that their WordPress Developer takes care of as part of normal site maintenance.
As a site owner or manager who is concerned about ‘hardening’ your WordPress site you need to:
- Install each WordPress update as it becomes available.
- Keep the number of plugins on your site to a minimum and ALWAYS delete – not disable – those plugins no longer in use.
- Upgrade those plugins as soon as updates become available.
- Choose difficult passwords and change them regularly.
- Back up your site data daily, weekly or monthly, depending on how often information changes on your site.
- Use .htaccess to protect your WordPress site. If you are not comfortable with code, ask your WP Developer to show you how to do this.
These are a WordPress site owner’s or manager’s ‘tier one’ defense strategies. Once these site ‘hardening’ practices are in place, it is time to look at security plugins to monitor your WordPress core files and traffic.
WordPress Security Plugins
WordPress sites can be an easy target for attacks because of plugin vulnerabilities, weak passwords and obsolete software. iThemes Security (formerly Better WP Security) gives you over 30 ways to secure and protect your WordPress site. iThemes Security works to fix common holes, stop automated attacks and strengthen user credentials. With one-click activation for most features, as well as advanced features for experienced users, iThemes Security can help protect any WordPress site. There is a free and a premium version available. This plugin was developed and is maintained by Chris Wiegman, a member of the Austin WordPress Meet-up organizing team.
Wordfence is a leading cyber security solution for WordPress. They provide a complete anti-virus and firewall package for your WordPress website, including two-factor authentication, a firewall incorporating machine learning and tools to help recover from a hack. Wordfence Security is available free: simply sign into your WordPress website, go to Plugins > Add New and search for ‘wordfence’ without quotes. The premium version includes enterprise WordPress security features like Two Factor Authentication and Country Blocking.
This plugin will block any IP address that tries to flood or spam your website. It will limit the number of login attempts and monitor all live traffic. It is updated and maintained regularly, so you can count on it staying on top of current security issues.
This backup plugin can be used to save your complete installation, including /wp-content/, and push it to an external backup service, like Dropbox, S3, FTP and many more (see list below). With a single backup .zip file you are able to easily restore an installation. Please note: this free version will not be supported as well as the BackWPup Pro version.
There are a number of other free and paid backup plugins out there, and everyone has a favorite – choose one that works for you – but please install and use it on your site.
WordPress Security Services
If you decide that you want to ‘job out’ your site’s security, the number one recommendation would be Sucuri. They provide website monitoring, malware removal and all the related website security services that you would need. Sucuri services include a SiteCheck scanner that automatically scans your website to ensure it is clean of malware, suspicious redirects, iframes, link injections, etc. You can manually set the frequency with which the scanner runs its tests for malware and blacklisting, content changes in the core files, WHOIS changes and DNS changes. In addition to this, the security scanner also ensures that your website is not blacklisted by Google, Norton, PhishTank, Opera, SiteAdvisor, Yandex and, of course, their own Sucuri blacklist. For additional information about Sucuri services and package pricing go to https://sucuri.net.
Controlling Comment SPAM
A check is made that the checkbox has been checked before the comment is submitted, so there’s no chance that a comment will be lost if it’s being submitted by a legitimate human user.
To combat the new ‘learning’ bots, this plugin adds dynamically named fields to the comment form, so each post has a differently named field and value.
You can set the maximum number of comments a user can have in the moderation queue to protect you from comment floods (provided you haven’t approved any of the spammer’s comments before).
Please be aware of these current WordPress security issues
If you’re a WordPress user and you’re running any of these plugins, you’d better update them right away.
All vulnerabilities have been patched in new versions of each plugin. The various vulnerabilities can allow an attacker to use your website for phishing lures, to send SPAM, to make you an unwitting malware host, to infect other sites (on a shared server), and more.
If you’re an admin on a WordPress install, check to see that you have the following current versions of each affected plugin:
WordPress Security Resources For Non-Programmers:
- WordPress Codex: Hardening WordPress
- Locking Down WordPress by CodePoet
- WordPress Security: Cutting Through the BS
- MVIS Security Center (Plugin): Identifies most of the topics described in this guide and provides information on how to lock down WordPress
- wpsecure.net has a few guides on how to lock down WordPress.
- Brad Williams: Lock it Up (Video)
- Official docs on how to password protect directories with an .htaccess file
- Simple tutorial on how to password protect the WordPress admin area and fix the 404 error
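As an added example (not from the meet-up or from any of the resources listed above), this is the kind of .htaccess fragment the last two resources and the ‘Use .htaccess’ practice refer to: HTTP Basic authentication on the wp-admin directory, the ErrorDocument lines that stop the protected area from showing a 404 instead of a password prompt, and the admin-ajax.php exception. It assumes Apache 2.4 syntax and a password file at a placeholder path; Apache 2.2 would use Order/Allow/Satisfy instead of Require all granted.

```apache
# Added example: place this file at /wp-admin/.htaccess (not the site root).
# Assumes Apache 2.4 with mod_authn_file and mod_authz_core enabled, and a
# password file created with the htpasswd tool at the placeholder path below,
# stored outside the web root so it can never be downloaded.
AuthType Basic
AuthName "WordPress administration"
# Placeholder path: change it to where your .htpasswd actually lives.
AuthUserFile /home/example/.htpasswd
Require valid-user

# Serve Apache's built-in 401/403 pages. Without these lines the error
# document request falls through to WordPress's own rewrite rules and the
# visitor sees a 404 instead of the password prompt.
ErrorDocument 401 default
ErrorDocument 403 default

# Themes and plugins call wp-admin/admin-ajax.php from the public front end,
# so it must stay reachable without a password or those features break.
# In Apache 2.4 this more specific Require replaces the directory-wide one.
<Files admin-ajax.php>
    Require all granted
</Files>
```

Test it by loading /wp-admin/ in a private browser window: you should get a browser password prompt, not a 404 page, and the site’s front end should keep working.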