6 Essential Steps for Securing Your WordPress Site
by Adam Green on Mar 19, 2012
With WordPress powering more than 20% of all new websites, it goes without saying that hackers have plenty of opportunities to exploit its vulnerabilities. And since there are steps you can take to protect your site from an attack, it’s time to step up to the plate.
If you’re not already up to speed on WordPress security measures, take note of the following tips. They’re easy to implement, and they could save you — and your site — from a world of trouble.
1. Always update WordPress and your theme.
WordPress often releases updates meant to enhance usability and patch up security problems. You’re notified of these updates specifically because WordPress wants to keep your site safe from harm, so take heed!
And keep an eye out for updates to your WordPress theme. While many creators of free themes rarely release updates and may not offer notifications whenever an update becomes available, the popular paid themes of the world — Thesis and Genesis, in particular — do offer updates and will send you a notification.
2. Back up your database.
Your database is where all the good stuff lives. You know. Stuff like your posts, your pages, your permalink structure — basically all of your content.
In the event that hackers totally obliterate your site, having a recent backup of your database will put you back in business. Thankfully, there are plugins out there that will back up your database automatically. One worth looking at is WordPress Database Backup, which emails you a copy of your database every day.
3. Change your passwords — often.
If you’ve had a WordPress site for the last year or so and are still using the same password, stop what you’re doing and change it now.
Cycling through different passwords on a regular basis helps keep hackers at bay. And if you’re still using simple, letters-only passwords, you’re much more likely to be the victim of a cyber attack than those of us with strong ones.
Make sure your password has numbers. And capital letters. And at least one unusual symbol from the number row of your keyboard. Pick one you’d have trouble naming.
4. Don’t let just anybody register.
For anyone running a community site, it’s important to confirm the identities of all potential users before you let them register. You might do this via email or even through a phone call — anything that will keep your site safe from someone who shouldn’t have his or her own login.
It seems like sites that feature guest contributors frequently allow anyone to fill out a registration form and gain access to the CMS. If you don’t know who these people are, giving them this much access could be very bad. Know your users, and closely monitor their registration.
5. Define privileges for all users.
If you have multiple contributors, take the time to set user privileges accordingly. You never want to hand over access to your index.php file, for instance, to someone who has no idea what it is — even if that person has good intentions.
6. Stop multiple login attempts.
Consider installing a plugin that locks down your login page whenever someone tries to log in more than a set number of times. Login Lockdown is a good one, but there are others.
This will stop anyone who attempts to access your site through brute force (i.e. trying multiple plausible passwords until one of them works). While there’s no 100% guarantee that these measures will protect you from cyber goons, they’ll definitely make your WordPress installation safer.
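To show what a plugin like the one described in step 6 actually does, here is an added example of a minimal must-use plugin (it is not the Login Lockdown plugin the post mentions, and the threshold, window and plugin name are assumptions). It counts failed logins per client IP and username in WordPress transients and refuses further attempts once the threshold is reached, whether or not the password is correct.

```php
<?php
/*
Plugin Name: Example Login Lockout (added example, not the plugin named above)
Description: Counts failed logins per IP+username and blocks after a threshold.
*/

// Policy values are assumptions: lock after 5 failures within a 15-minute window.
define('EXL_MAX_ATTEMPTS', 5);
define('EXL_WINDOW', 15 * MINUTE_IN_SECONDS);

// Transient key derived from client IP and username. REMOTE_ADDR is only the
// real client when WordPress is not behind a proxy; otherwise use the address
// passed on by a trusted reverse proxy instead.
function exl_key($username) {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'exl_' . md5($ip . '|' . strtolower((string) $username));
}

// WordPress fires wp_login_failed after a rejected login; bump the counter.
// While locked, every further attempt also lands here, so the window keeps
// extending as long as the attempts continue.
add_action('wp_login_failed', function ($username) {
    $key   = exl_key($username);
    $fails = (int) get_transient($key);
    set_transient($key, $fails + 1, EXL_WINDOW);
});

// Priority 30 runs after the core username/password check, so returning a
// WP_Error here blocks the login even when the password was right.
add_filter('authenticate', function ($user, $username, $password) {
    if (empty($username)) {
        return $user;
    }
    if ((int) get_transient(exl_key($username)) >= EXL_MAX_ATTEMPTS) {
        // Same message for existing and non-existing users.
        return new WP_Error('exl_locked', 'Too many failed logins. Try again later.');
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for this IP+username pair.
add_action('wp_login', function ($user_login) {
    delete_transient(exl_key($user_login));
});
```

Drop the file into wp-content/mu-plugins/ and it loads on every request without activation; failed attempts are then visible as transients in the options table if you want to audit them.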