With each passing day, strong security becomes more important. This article explains some ways to keep WordPress secure while improving the overall security of your WordPress-powered site. Most of the tips provided here are practice-based security steps that require no plugins or hacks. The idea here is that you don’t need to make changes to any code, or modify WordPress in any way in order to maintain strong security. These are security steps that most any WordPress user can use to help protect their site and keep WordPress safe and secure.
The motivation for this article is the idea that WordPress itself is secure. When vulnerabilities are discovered, the WordPress team fixes them up and pushes out a new version asap. In my experience, most security issues are introduced by external factors, such as user inexperience, insecure servers, and badly coded third-party plugins and themes. Much of the advice given in this article is aimed at reducing risk by controlling these and other external factors.
Keep in mind that security is not a set-it-and-forget-it kind of thing. There is no such thing as a perfectly secured site. If your site is online, there is risk. Thus, good security is not about trying to eliminate risk, but rather results from reducing risk as much as possible. As stated in the WordPress Codex [1]:
Fundamentally, security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain.
Risk elimination is not a one-size-fits-all, click-a-button-and-done type of affair. Rather, risk reduction happens in layers. Everything counts. From server software to form validation and everything in between, every layer of protection works together toward a site’s overall level of security.
So with that in mind, here are some tips that will help you to keep your WordPress-powered site as secure as possible.
Use SFTP not FTP
If you’re still using regular ol’ FTP, you should switch to SFTP as soon as possible. In a nutshell, FTP sends your credentials and data in clear text, which means your password and connection information are not encrypted [2]. If you are transferring your files via FTP, anyone listening on the network can grab your data and use it to exploit your site. Using SFTP is just like using FTP, but with SFTP all of your credentials and data are encrypted, which protects them from would-be attackers.
Ask your web host if you are unsure about SFTP support — they should be more than happy to help. Likewise with your current FTP setup, check the documentation to see how to change things over to use SFTP as your file-transfer protocol.
This is the same basic idea as using SFTP instead of FTP. If your site is using the HTTP protocol, all transmitted information is sent without encryption. So all comments, logins, purchases, and other transactions are sent and received unencrypted over the network.
This means that an attacker could intercept passwords and other sensitive data in order to exploit your site and its users. This is one reason why Google and other big players are pushing hard for everyone to switch over to HTTPS. With HTTPS, all transmitted data is encrypted, which helps to protect against interception and exploitation.
Of course, switching from HTTP to HTTPS requires more effort than switching from FTP to SFTP. To set up HTTPS for your site, you need an SSL certificate, which must be implemented properly on your server (which can be easier said than done). If you do decide to upgrade to SSL/HTTPS, make sure to do so for all pages on your site, otherwise known as “always-on” SSL.
For help making the transition, check out Chris Coyier’s write up over at CSS-Tricks. After implementing SSL, test your pages for proper functionality and security using an online SSL checker.
Perhaps the most important of all security tips is to host your sites on a secure server. The server is the foundation of your website, so make sure that your web host is reputable and provides stable, secure servers.
Especially with web hosting, you get what you pay for, so avoid “cheap” hosting at all costs. If you can afford it, get anything better than “shared” hosting. Shared hosting means that you are sharing the server space with other users. So if another site on the server is hacked, then all sites on the server may be compromised. Like living in a bad part of town.
Contrast that scenario with dedicated hosting, where the entire server is dedicated to your sites. That enables you to be as secure as you want to be, without worrying about what your neighbors are doing (or not doing). Likewise with VPS hosting, the security of your sites is not dependent on the security of your neighbors.
Some things to look for in a good web host:
- Solid reputation as secure, reliable, supportive, responsive, etc.
- Provides a properly configured server
- Provides current versions of software (Apache/Nginx, PHP, MySQL, etc.)
- Provides reliable methods for backing up and restoring your data
- Happy to discuss all details regarding service, security, features, et al
Unfortunately finding a good web host these days is easier said than done, but it is of critical importance nonetheless. Taking the time to do your own research and find the best possible web host is one of the best security investments that you can make for your site.
Everyone on the Web should be using strong passwords. Unfortunately, there are many folks who have yet to discover the joys of getting hacked. Seriously, people. Tell your friends. Spread the word. Strong passwords are mission-critical. You’ve got to use strong passwords and change them regularly.
One of my pastimes is watching network traffic. One thing I see more of every day is brute-force hacking attempts. And 99% of it is aimed right at your site’s login page. They want in. They want to exploit your site. Fortunately it’s trivial to deny them access: use ultra-strong passwords for everything. That includes not only your WordPress password, but also credentials for things like email, database connections, SFTP, and anything else that requires authentication. As stated in the WP Codex [1]:
Hackers thrive on predictability. They predict that many people’s passwords are in fact ‘password’, or that their username is probably their real name or some default value such as ‘admin’. Be unpredictable.
As a complete bonus, WordPress now features a built-in password-strength meter on every user’s Profile screen. This makes strong passwords a no-brainer for all of your users. Here are some additional tips for rocking strong passwords:
- Keep it long, random, and alphanumeric
- Never share your password with anyone
- If you do let others use your passwords for tech support or whatever, change the passwords afterward
- Use an online password generator to generate strong passwords
And if you want to super-secure the WordPress login page, you can implement two-factor authentication.
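As an added example (not from the original article), here is a small POSIX shell script that generates a strong password locally from /dev/urandom, so the secret never has to be typed into or fetched from an online generator, and applies the same sort of checks a strength meter does. The 16-character minimum and the three required character classes are this example’s own policy, not a WordPress setting.

```shell
#!/bin/sh
# Added example: local password generation and a minimal strength check.
export LC_ALL=C   # keep character ranges such as [a-z] byte-based and predictable

# check_password PW
# Returns 0 when PW is at least 16 characters long and contains lower-case,
# upper-case and numeric characters; otherwise prints the reason and returns 1.
# (Policy values are this example's assumption.)
check_password() {
    pw="$1"
    if [ "${#pw}" -lt 16 ]; then
        echo "too short (${#pw} < 16)"
        return 1
    fi
    case "$pw" in *[a-z]*) ;; *) echo "no lower-case letter"; return 1 ;; esac
    case "$pw" in *[A-Z]*) ;; *) echo "no upper-case letter"; return 1 ;; esac
    case "$pw" in *[0-9]*) ;; *) echo "no digit"; return 1 ;; esac
    echo "ok"
    return 0
}

# gen_password [LEN]
# Draws LEN (default 24, minimum 16) random alphanumeric characters from the
# kernel CSPRNG and retries until the result satisfies check_password, so a
# caller never receives a candidate that happens to miss a character class.
gen_password() {
    len="${1:-24}"
    [ "$len" -ge 16 ] || len=16
    while :; do
        # tr -dc deletes every byte outside the allowed set; head trims to LEN.
        cand=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len")
        if check_password "$cand" >/dev/null; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
}

# Usage: gen_password 32 ; check_password 'SomeCandidatePassword'
```

The generator rejects and redraws candidates rather than patching them up, so every character still comes straight from the random source; the policy function is the piece to extend if you want symbols or a longer minimum.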
This also should be drilled into everyone’s skull at this point: stay current with the latest version of WordPress. Doing so is made dead-simple, with features like one-click and auto-updates — there really is no excuse for lagging behind on the updates. This goes not only for the WordPress core files, but also for all plugins and themes that are installed on your site (whether active or not, it’s always best practice to keep ’em updated).
In addition to keeping all of the software up-to-date, it’s wise to keep an eye on the latest WP development news for important heads up on general security, zero-day threats, and other breaking issues.
Clean Up Rogue Files
Good security involves limiting liability as much as possible. Keeping loose, unused files on your server unnecessarily increases the liability of your site. Take a few moments to examine your directory structure and remove any files that are not required. To give you a better idea, you should remove things like:
- Development-only files (like for testing, version control, etc.)
- Unused (inactive) themes
- Unused (inactive) plugins
- Unused PHP scripts
- Sensitive information and/or notes
- Any other loose files that are not required
If you must keep such files on the server, you should protect them against unwanted access. Here are two alternate .htaccess techniques for securing any file on the server:
RewriteEngine On
RewriteRule ^filename\.ext$ - [F,L]
RedirectMatch 403 ^/filename\.ext$
To use either of these techniques, change the filename to match the name of your file, and ext to match the file extension. Then add to your site’s root .htaccess file and upload to your server. Note the difference in the patterns: inside a .htaccess file, RewriteRule matches against the path relative to that directory (no leading slash), while RedirectMatch matches against the full URL path, so the slash stays. Test by requesting the file in your browser. Using either method should return a “403 – Forbidden” error.
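An added example, not part of the original article: a shell function that walks a WordPress install and lists the kinds of leftovers the list above warns about (editor backups, database dumps, archives, logs, version-control directories), plus a helper that asks WP-CLI for plugins and themes that are installed but inactive. The file-name patterns are this example’s own choice and should be extended for your setup; WP-CLI (`wp`) is assumed to be installed for the second function.

```shell
#!/bin/sh
# Added example: spot loose files that should not live on a production server.

# find_rogue_files DIR
# Prints version-control directories (pruned, so their contents are not listed
# one by one) and files whose names mark them as dev or backup leftovers.
# The pattern list is this example's own assumption, not a WordPress standard.
find_rogue_files() {
    dir="$1"
    find "$dir" \
        \( -type d \( -name .git -o -name .svn -o -name .hg \) -prune -print \) \
        -o \( -type f \( \
                -name '*.bak' -o -name '*.orig' -o -name '*.old' -o -name '*~' \
             -o -name '*.swp' -o -name '*.sql' -o -name '*.sql.gz' \
             -o -name '*.zip' -o -name '*.tar' -o -name '*.tar.gz' -o -name '*.tgz' \
             -o -name '*.log' -o -name '.env' -o -name '.DS_Store' \
             -o -name 'phpinfo.php' \
           \) -print \)
}

# list_inactive_extensions
# Uses WP-CLI (assumed installed; run from the WordPress root) to list plugins
# and themes that are installed but not active, i.e. candidates for removal.
list_inactive_extensions() {
    command -v wp >/dev/null 2>&1 || { echo "wp-cli not found" >&2; return 1; }
    echo "# inactive plugins"
    wp plugin list --status=inactive --field=name
    echo "# inactive themes"
    wp theme list --status=inactive --field=name
}

# Usage: find_rogue_files /var/www/example.com ; list_inactive_extensions
```

Review the output before deleting anything: a `.sql` file inside a plugin may be a legitimate schema it ships with, whereas the same file in the web root is almost always a forgotten dump. Anything you decide to keep should be covered by one of the .htaccess rules above.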
Keep Good Backups
This is another no-brainer for most people, but there are some who have yet to suffer catastrophic data-loss and learn the lesson on their own. Keeping good backups of your site is essential to avoid losing critical data and getting back up to speed if and when something bad happens. And there is a lot of bad that can happen these days. Having a current set of tested, working backups enables you to get back on track without losing any precious data. And always keep multiple copies of your backup files. Remember, good backups are:
- Kept secure
Further, understand that you need to back up not just your database, but your files as well. Basically you need to keep backups that will enable you to reconstruct your entire site to its current state at a moment’s notice. If that sounds like you, then you’re good to go in this department. If not, then you may want to check out some of the useful backup plugins available in the WordPress Plugin Directory.
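An added example, not from the article: shell functions that archive the site’s files with a SHA-256 checksum, dump the database alongside them, and then verify and test-restore the archive, since an untested backup is only a hope. The database function assumes `mysqldump` is installed and that the credentials live in `~/.my.cnf` so they never appear on the command line; directory names and the sample site are constructed for the example.

```shell
#!/bin/sh
# Added example: make, verify and test-restore a WordPress backup.

# backup_site SRC OUTDIR
# Archives the directory SRC into OUTDIR with a UTC timestamp and writes a
# SHA-256 checksum file next to it. Prints the archive path.
backup_site() {
    src="$1"; out="$2"
    stamp=$(date -u +%Y%m%d-%H%M%S)
    archive="$out/site-$stamp.tar.gz"
    mkdir -p "$out"
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
    # Checksum is written relative to OUTDIR so the pair can be moved as a unit.
    ( cd "$out" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
    echo "$archive"
}

# backup_db DBNAME OUTDIR
# Dumps the database next to the file archive. Assumes mysqldump and a
# ~/.my.cnf with [client] user/password, so no credentials are on the CLI.
backup_db() {
    dbname="$1"; out="$2"
    mkdir -p "$out"
    mysqldump --single-transaction "$dbname" \
        | gzip > "$out/db-$(date -u +%Y%m%d-%H%M%S).sql.gz"
}

# verify_backup ARCHIVE
# Recomputes the checksum and reads the archive's table of contents; returns 1
# if either fails, which is how a silently corrupted copy gets noticed.
verify_backup() {
    archive="$1"
    ( cd "$(dirname "$archive")" \
        && sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1 ) || return 1
    tar -tzf "$archive" >/dev/null 2>&1 || return 1
    return 0
}

# restore_backup ARCHIVE DEST
# Extracts into DEST. Run this into a scratch directory periodically to prove
# the restore works before you ever depend on it.
restore_backup() {
    mkdir -p "$2"
    tar -xzf "$1" -C "$2"
}

# Usage:
#   a=$(backup_site /var/www/example.com /backups/example.com)
#   backup_db example_wp /backups/example.com
#   verify_backup "$a" && restore_backup "$a" /tmp/restore-test
```

Keep at least one copy of each archive and its `.sha256` file somewhere other than the web server itself, and treat the backup directory as sensitive: it contains `wp-config.php` with the database credentials.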
Stick with Trusted Sources
This one’s easy. Install only reputable themes and plugins from trusted sources, and stay away from “shared” or “pirated” versions of themes and plugins. It’s just too easy for evildoers to slip bad code into their pirated warez. Sure, on the surface everything may look fine, and the plugin or theme may otherwise function normally. But beneath the hood, malicious code can do bad things without your knowledge. Don’t be a victim. Always get your plugins, themes, and scripts from trusted sources.
Use Quality Plugins
It’s not so much the number of plugins as it is the quality of plugins that you run on your site. When looking for plugins, look for signs of quality, such as:
- Current with latest WordPress
- Positive ratings and feedback
- Signs of active support
- Number of other users
- Updated recently
And so forth. Keeping an eye out for signals of quality and reliability will help you choose the best possible themes and plugins for your site. And that will help keep your site secure.
Know what You’re Doing
This goes not just for using WordPress, but for any online work in general. There’s a lot involved, a lot of moving parts, a lot that can happen. It’s important to educate yourself as much as possible to gain an understanding about how things work, what they do and so forth.
Likewise with WordPress, it’s key to understand how to use and get the most out of the software. Doing so will help you make educated decisions and get the most out of WordPress with the least amount of effort. And of course, understanding is a precursor to good security.
Know where You’re Doing It
I am amazed at how cavalier some people are about working online via any WiFi connection they can find. They just walk into any shop, connect to the local free WiFi and get to work. Why is this a bad idea? Because you never know who is lurking on the same unencrypted network looking for victims.
Never log in, make purchases, or do anything other than browse when working off an unknown or insecure WiFi signal. Otherwise it’s just too easy for attackers to hijack the signal and steal your information. And you would have no idea until it was too late. Unless you’ve taken explicit steps to secure your connection, stick to trusted networks for all work and business related activity.
This concludes the first part of steps to keep your WordPress website secure. We will publish part 2 of the article very soon. Please leave your comments and feedback, as that motivates us to keep writing.