
(Image Credit – ClickonF5)
For the past few months I have been hearing a lot of horror stories about the security compromises that bloggers have to deal with. The open-source nature that has been a boon for WordPress is now being turned against it (for hardcore open-source lovers: I am in favour of open source all the way, and that statement should not be taken as a personal attack). Many blogs that weren't running the latest version of WordPress are now infected with some sort of worm, or a hacker gains access to the web server and misuses your precious resources. In some cases they even harm the website by affecting its search engine rankings.
Cleaning up a WordPress installation that has been compromised by some worm or other is always a nightmare; however, a few precautionary steps will always provide some level of security that keeps "stupid hack scripts" away from your precious blog. Just follow these steps and you won't have to shell out hundreds of dollars to make WordPress secure -
Here are some of the steps that one can take to keep the WordPress installation secure -
1. Keep your blog software up to date – WordPress has been very quick in taking action against security attacks, and it is generally the older versions that become the target. WordPress now has an automatic upgrade feature: with the touch of a button you can upgrade WordPress. You can read more about upgrading WordPress over here.
2. Use a strong password – It's always advisable to use a secure password. A good password is always a combination of alphanumeric characters. I'm sure these 16 Firefox extensions will help you generate a stronger password and keep it safe for you too!
3. Use the secret key feature of WordPress – Some time back I wrote about the use of the secret key feature of WordPress. It's a default feature of WordPress and one should definitely use it. It's certainly not the only solution, but it makes sense to implement it as well. Small precautions like these will only make your WordPress more secure!
4. Set proper file and directory permissions – One of the biggest loopholes starts right here. It's important for every blogger to set the file and directory permissions recommended for WordPress. This way, no unauthorized script will be able to gain access to the folder structure of your web hosting account.
5. The table prefix can be a weak point too – The table prefix is one of the important parts of WordPress' database (in fact, of any database), and it is recommended that you don't use the default prefix, since the default is known to everyone and hackers tend to misuse that information for their evil intentions. I've written a guide on how to change the table prefix that one can follow to strengthen security.
6. You thought only passwords should be secure; what about the username? – I believe these are a few points the WordPress community could address to ensure that bloggers are safe from the moment of installation; I just hope someone works on this point at least. By default, WordPress creates a default user named "admin". Most users keep it the same and, unfortunately, that is exactly what we don't want to do. Here's the post that talks about securing WordPress by not displaying your actual username.
7. Make important folders inaccessible – If you thought that just setting directory permissions was more than enough, I would say it's just not that simple, mate! I would suggest dropping an empty HTML file (make sure it is named index.html) in the wp-content/themes/ and wp-content/plugins/ folders. This way, whenever someone tries to view the contents of those folders, they'll be presented with a blank page and nothing else (note that this only hides the directory listing; the individual files inside remain reachable by their direct URLs). Isn't that a smart move?
8. Keep your own computer free from viruses and malware – Let's say you got a pen drive from your friend to copy some documents, and a while later you realize that your computer is infected because that pen drive was full of viruses. Will you blame your own computer for that mishap? Similarly, if your computer is infected with malware, it can be transferred to the servers while you upload files to your blog. I would suggest using a good anti-virus and anti-malware scanner to avoid that kind of thing.
9. Use SSH instead of FTP – Most FTP clients also support SFTP, a file transfer protocol that runs over SSH and works like FTP. The good thing about this protocol is that it is encrypted, so everything you do on the server is done in a secure environment. Here are some tutorials you can go through to get a better understanding of SSH -
10. Up-to-date server environment – Alright, this is not in your hands but in those of your web host. It's always advisable, when choosing your web host, to confirm which versions of MySQL, Apache and PHP they are using. Match them with the latest versions mentioned on the respective project websites, and if they are outdated, ask the host to update them (very unlikely) or change your web host asap – here's the guide to help you do that quickly.
11. Use robots.txt to keep robots away from important areas – Various important folders, such as wp-content, wp-admin and wp-includes, don't need to be indexed in search engines, so it's better to tell robots not to crawl their content. Keep in mind that robots.txt is only a request honoured by well-behaved crawlers; it is not an access control and does not stop anyone who simply ignores it. Here's a quick tutorial that'll educate you about the use of robots.txt.
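As an added example (not the post's own code), here is a small POSIX shell helper that applies steps 3, 4, 5 and 7 above to a WordPress tree: it sets the recommended directory and file permissions, drops the blank index.html files, and reports whether wp-config.php still carries the default wp_ table prefix or the installer's placeholder secret keys. The script name, the 640 mode chosen for wp-config.php and the exact placeholder string it greps for are assumptions; try it on a copy of your site before running it on the live one.

```shell
#!/bin/sh
# wp_harden.sh (hypothetical name): apply steps 3, 4, 5 and 7 of the post
# to a WordPress install.  Usage: sh wp_harden.sh /path/to/wordpress

# Step 4: directories 755 and files 644, as the WordPress hardening guide
# recommends.  wp-config.php is tightened to 640 here, which assumes the
# PHP process shares the file's group (use 400/440 if your host allows it).
harden_wp_perms() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then chmod 640 "$root/wp-config.php"; fi
}

# Step 7: an empty index.html in themes/ and plugins/ so a request for the
# directory itself shows a blank page instead of a listing.
add_blank_index() {
  root="$1"
  for d in wp-content/themes wp-content/plugins; do
    if [ -d "$root/$d" ] && [ ! -e "$root/$d/index.html" ]; then
      : > "$root/$d/index.html"
    fi
  done
}

# Steps 3 and 5: report whether wp-config.php still has the default table
# prefix or the sample config's placeholder secret keys.  Prints one line
# per finding and returns the number of findings (0 means nothing found).
audit_wp_config() {
  cfg="$1/wp-config.php"
  n=0
  if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg"; then
    echo "default table prefix 'wp_' still in use"
    n=$((n + 1))
  fi
  if grep -q "put your unique phrase here" "$cfg"; then
    echo "secret keys still set to the placeholder 'put your unique phrase here'"
    n=$((n + 1))
  fi
  return "$n"
}

if [ -n "$1" ]; then
  harden_wp_perms "$1"
  add_blank_index "$1"
  audit_wp_config "$1"
fi
```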
Other important reads that’ll enhance your knowledge about WordPress security
- Securing your WordPress install the foolproof way.
- Hardening WordPress.
- 11 ways to secure your WordPress blog.
- WordPress security whitepaper.
- 16 WordPress plugins to secure WordPress.
If you have written articles on WordPress security feel free to share it with us and we’d love to include it on our blog.



Hi Mayank, it's really a very informative article. WordPress security is definitely something that we usually ignore. One never pays attention to it until, someday, the blog is hacked or attacked.
I never thought that a small thing like upgrading WordPress can really make a big difference.
I am so glad I ran into this article, really useful. We all need to keep security tight, allow only reliable sources to come in and keep very important things secured. We should always be careful on the internet.
One thing you might want to do is use a .htaccess file to block access to the wp-admin directory. That should help with some hack attempts.
This is a good article on basic security for slowing down “stupid hack scripts”, as you put it.
Your title, however, is very misleading, as these basic steps are not a "WordPress Security Service for free."
The danger is that people will do these things and think their site is safe, when in fact it is still only partially protected.
Slowing down “stupid hack scripts” used by script-kiddies is about all these tips can do… and that may be okay for casual WP users.
But if you use your site to make money or represent your company, you probably can’t afford the downtime, loss of income, and possible public embarrassment of being hacked. These basics are like turning on your home burglar alarm system but leaving a window open on a floor without a motion detector.
Most of our business comes from repairing hacked WP sites, and almost all of the owners had done some or all of these things.
So please be reasonable with your post titles. We don’t mind getting more work, but it’s not fair to lead someone into a false sense of security.
Hello DK,
Thanks for taking the time to update our readers about this. Well, I surely know that, being a security expert, you are in a better position than me to say that the title is misleading, but think of it from this point of view: for doing the same work, there are "so called" security professionals who'll charge their clients some $400-$500. Now, if a post will save someone 500 dollars, then I don't think this will mislead people.
I think I should include "words of caution" that by no means are these the only solution, just like you've mentioned in the comment. Thanks for making me realize this much... Of course, the idea was not to mislead anyone; I'm sure someone who is making money will just not settle for something like this... they'd consult a security professional.
I agree with both of your points. The two biggest problems we’ve had in this industry are:
1. All the poseurs who read articles such as this and then start selling WordPress security services. We get many jobs from people who got hacked after they’ve paid a “so called” expert lots of money.
2. It seems like most WordPress users who earn income from their sites can’t understand, or don’t want to believe that they need more than just basic protection. Then “after” their site has been attacked by a skilled hacker they call us… whining and sometimes begging to get the mess cleaned up and their site protected right away.
Our company mission is to stop hackers “before” they do damage, and it’s clear this was your goal too. Adding those “words of caution” you mentioned can turn a good post like this into an excellent one.
@DK – Lol! I understand your frustration on both points. I've seen various security experts who claim they can make a site un-hackable and eventually don't do anything more than what's been mentioned in this post, or maybe a couple of things extra... I'll certainly add the words of caution, and all thanks to you for pointing this out.