6 Essential Steps for Securing Your WordPress Site
by Adam Green on Mar 19, 2012 • 6:12 am
With WordPress powering more than 20% of all new Websites, it goes without saying that hackers have plenty of opportunities to exploit its vulnerabilities. And since there are steps you can take to protect your site from an attack, it’s time to step up to the plate.
If you’re not already up to speed on WordPress security measures, take note of the following tips. They’re easy to implement, and they could save you — and your site — from a world of trouble.
1. Always update WordPress and your theme.
WordPress often releases updates meant to enhance usability and patch up security problems. You’re notified of these updates specifically because WordPress wants to keep your site safe from harm, so take heed!
And keep an eye out for updates to your WordPress theme. While many creators of free themes rarely release updates and may not offer notifications whenever an update becomes available, the popular paid themes of the world — Thesis and Genesis, in particular — do offer updates and will send you a notification.
2. Back up your database.
Your database is where all the good stuff lives. You know. Stuff like your posts, your pages, your permalink structure — basically all of your content.
In the event that hackers totally obliterate your site, having a recent backup of your database will put you back in business. Thankfully, there are plugins out there that will back up your database automatically. One worth looking at is WordPress Database Backup, which emails you a copy of your database every day.
3. Change your passwords — often.
If you’ve had a WordPress site for the last year or so and are still using the same password, stop what you’re doing and change it now.
Cycling through different passwords on a regular basis helps keep hackers at bay. And if you’re still using simple, letters-only passwords, you’re much more likely to be the victim of a cyber attack than those of us with strong ones.
Make sure your password has numbers. And capital letters. And at least one special character from the number row at the top of your keyboard. Pick one you’d have trouble naming out loud.
4. Don’t let just anybody register.
For anyone running a community site, it’s important to confirm the identities of all potential users before you let them register. You might do this via email or even through a phone call — anything that will keep your site safe from someone who shouldn’t have his or her own login.
It seems like sites that feature guest contributors frequently allow anyone to fill out a registration form and gain access to the CMS. If you don’t know who these people are, giving them this much access could be very bad. Know your users, and closely monitor their registration.
5. Define privileges for all users.
If you have multiple contributors, take the time to set user privileges accordingly. You never want to hand over access to your index.php file, for instance, to someone who has no idea what it is — even if that person has good intentions.
6. Stop multiple login attempts.
Consider installing a plugin that locks down your login page whenever someone tries to log in more than a set number of times. Login Lockdown is a good one, but there are others.
This will stop anyone who attempts to access your site through brute force (i.e. trying multiple plausible passwords until one of them works). While there’s no 100% guarantee that these measures will protect you from cyber goons, they’ll definitely make your WordPress installation safer.
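As an added illustration of what a lockout plugin like the one described above does (example code written for this page, not the Login Lockdown plugin’s own source), here is a minimal WordPress plugin that counts failed logins per client address in a transient and refuses further attempts once a limit is hit. The limit, window length and the `slt_` prefix are assumptions; WordPress’s `wp_login_failed`, `authenticate` and `wp_login` hooks and the transient API are real.

```php
<?php
/**
 * Plugin Name: Simple Login Throttle (added example)
 * Counts failed logins per client IP and refuses further attempts
 * for a cooling-off period once the limit is reached.
 */

const SLT_MAX_ATTEMPTS = 5;       // failures allowed per window (assumed value)
const SLT_WINDOW       = 15 * 60; // window and lockout length in seconds (assumed)

// Transient key for this client. REMOTE_ADDR is the TCP peer; behind a
// reverse proxy you would read the proxy's trusted forwarded-for header instead.
function slt_key() {
    return 'slt_' . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
}

// Fires after WordPress rejects a username/password pair. Each failure
// bumps the counter and restarts the expiry, so the window slides.
function slt_record_failure( $username ) {
    $key   = slt_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, SLT_WINDOW );
}
add_action( 'wp_login_failed', 'slt_record_failure' );

// Runs on every login attempt; returning a WP_Error blocks the login
// even when the submitted password is correct, which is the point of a lockout.
function slt_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( slt_key() ) >= SLT_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed logins from your address; try again later.' )
        );
    }
    return $user;
}
// Priority 30 places this after WordPress's own password check (priority 20).
add_filter( 'authenticate', 'slt_check_lockout', 30, 3 );

// A successful login clears the counter for that client.
function slt_clear_on_success( $user_login, $user ) {
    delete_transient( slt_key() );
}
add_action( 'wp_login', 'slt_clear_on_success', 10, 2 );
```

Transients live in the options table (or a persistent object cache if one is configured), so the counter survives across requests; keep in mind that an attacker spread across many addresses is not slowed by a per-IP counter, which is why the password advice in step 3 still matters.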
8 comments
Andreas says:
Mar 19, 2012
Thanks for the Database Backup plugin link. Downloaded & installed. I’ve already lost a year’s worth of travel blogging because of some database corruption, and neither I nor my webhost did any backups…not gonna happen again!
Jim Jenks says:
Mar 23, 2012
This is good thanks. I don’t have much security currently simply because I don’t have much that I need secured, but I know in the next few months I will be needing to take a lot of these steps.
Blog Lady says:
Mar 24, 2012
There are several other ways to boost WordPress security, including:
Change the admin user from the default “admin” to something a hacker wouldn’t guess easily.
Restrict access to system folders such as wp-admin (you put a code in the htaccess file for this) to your own IP address only.
Disable folder viewing so people can’t see your wp folder contents.
Hide the WordPress version you are using by removing the info from the header (also by deleting the readme HTML file in your blog installation).
Daniel at the DailyBlogTips.com has a great AdSense course where he teaches WP security at the start of his lessons. He offers the course like only once a year, it seems.
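Two of the items in the comment above (hiding the WordPress version from the page header and limiting wp-admin to your own address) can be done from a small must-use plugin. This is an added example written for this page, not code from DailyBlogTips or any plugin; the `203.0.113.10` allowlist entry is a constructed placeholder and the `ah_` names are assumptions, while the `wp_generator`, `the_generator`, `admin_init`, `login_init` and `wp_doing_ajax` hooks and functions are WordPress’s own.

```php
<?php
/**
 * Plugin Name: Admin Hardening (added example)
 * Drop into wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Constructed allowlist: replace with the address(es) you administer from.
const AH_ALLOWED_IPS = array( '203.0.113.10' );

// Stop WordPress from printing <meta name="generator" content="WordPress x.y">
// in the <head>, and blank the version string in feeds as well.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Refuse the admin area and the login page to any address not on the list.
function ah_restrict_admin() {
    // admin-ajax.php is also used by the public front end, so leave it alone.
    if ( wp_doing_ajax() ) {
        return;
    }
    // REMOTE_ADDR is the TCP peer; behind a reverse proxy use its trusted header.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if ( ! in_array( $ip, AH_ALLOWED_IPS, true ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'admin_init', 'ah_restrict_admin' );
add_action( 'login_init', 'ah_restrict_admin' );
```

Directory listing is a web-server setting rather than something PHP can switch off; on Apache it is `Options -Indexes` in .htaccess, and the readme.html file the comment mentions simply has to be deleted or denied at the server level.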
Missy says:
Jun 6, 2012
Hi, Blog Lady: (or Daniel)
Do you know if there’s a WordPress plugin that does the items you mention above?
Please advise.
Brian says:
Mar 26, 2012
I’ll go ahead and do #3 now and continue to do so. I’ve failed at being as diligent in that as I should.
As for the database, I think my host does that, but it may be weekly. On some of my sites I should probably do that more often, the plugin sounds like a good choice for that.
I think those are the two tips that affect me the most and that I could do better at. Thanks.
sajith@social media says:
Mar 27, 2012
I never backed up my blog content, since I didn’t know it is an important part of blogging. After reading this I got insight into it. Now I will make backups for both my blogs.
Thanks for the info.
Ayesha says:
Mar 28, 2012
As I’ve faced many problems with security, this post resolves all my problems. These three steps are really very essential.
Andressa says:
May 17, 2012
This is a good post. This post gives truly quality information. I’m definitely going to look into it. Really very useful tips are provided here.
http://www.dedetizador.com