Protect yourself from predators! They come in all shapes and sizes. Some with big fangs and others with pocket protectors. If your website is built using WordPress, there are some things you NEED to do to make sure it is secure from predators, a.k.a. HACKERS!
se·cu·ri·ty (si-kyoor-i-tee) noun
1. The state of being free from danger or threat.
2. The safety of a state or organization against criminal activity such as terrorism, theft, or espionage.
Simple Solutions to a Secure WordPress
Being hacked is never a good thing. It makes us feel violated. Our life gets hugely interrupted. And, if your website is crucial for your business, it is costing you money.
You cannot completely prevent your website from being hacked, but you can make it more difficult, which sends most opportunistic hackers (and their automated scanners) on to the next victim.
1. Password Security
If you are like most people, you have a single password for all of your online accounts. The same password is used for your Gmail account and for the administrator account on your website, so one leaked password unlocks everything.
Rule Number One: secure your password. Immediately, log into your website, go to Users > Your Profile and change your password. Use something long and complex: numbers, letters and special characters, and at least 12 to 16 characters. A password like abc123 is not nearly as secure as b477m4n* (batman with letters swapped for digits and a symbol), but even that style of substitution is in every cracking wordlist, so treat it as the floor, not the goal. Best of all is a long random password kept in a password manager, and whatever you pick, use it for this site only.
Now. . .
Don’t read another word, until you have made this change. . . . I’ll wait!
2. WordPress is Vulnerable
Let’s be frank. WordPress is an open-source application. Although this is wonderful for many reasons, it also introduces potential problems. The fact that anyone can download the source code means that a non-friendly person, a HACKER, can download the software, explore its code, find vulnerabilities and exploit them. The flip side is that friendly researchers read the same code and report what they find, which is why fixes arrive quickly.
This presents a constant problem, and the WordPress core team (the project is open source, not an Automattic product) continually releases updates that address these issues.
Therefore, update WordPress as quickly as possible. Major releases come out about three times per year, and security and maintenance releases whenever a fix is needed. Keep your install up to date.
This goes for plugins and themes also. In practice an out-of-date plugin or theme is a far more common way in than WordPress core itself, so delete anything you no longer use rather than leaving it installed and unpatched.
3. File Permissions
Most of the directories and files installed with WordPress should be protected by file permissions. By limiting who can read and, above all, who can write to files and directories, you limit potential points of exploitation.
Using an SFTP client (FileZilla supports SFTP; plain FTP sends your login in clear text, so avoid it), you can access your WordPress files. Check the permissions and make sure the directories are set to 755 and the files are set to 644.
These are the recommended permission settings from WordPress and keep non-authorized users out. Two exceptions: wp-config.php should be tighter (600, or 440/400 if the web server runs as a different user than the file owner), and nothing should ever be 777. That is the setting support forums hand out far too freely, and on a shared server it lets any other account write a backdoor into your site.
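A quick way to set those permissions and then audit them from an SSH session, as an added example that is not part of the original post or of WordPress itself. It assumes GNU find and chmod and that PHP runs as the owner of the files (if not, use 640 on wp-config.php and chgrp it to the web server's group); the function names are mine:

```shell
#!/bin/sh
# Added example (not from the post): enforce 755 on directories, 644 on files,
# tighten wp-config.php, then report anything that still deviates.
# Assumes GNU find/chmod and that PHP runs as the file owner (else use 640 + chgrp).

wp_fix_perms() {                 # $1 = WordPress root
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 755 '{}' +
    find "$root" -type f -exec chmod 644 '{}' +
    # owner-only: the DB password and the auth salts live in this file
    if [ -f "$root/wp-config.php" ]; then chmod 600 "$root/wp-config.php"; fi
}

wp_bad_perms() {                 # $1 = WordPress root; prints offenders, nothing if clean
    root="$1"
    {
        find "$root" -perm -o+w -print      # world-writable: anyone on a shared host can plant a backdoor
        find "$root" -type d ! -perm 755 -print
        find "$root" -type f ! -name wp-config.php ! -perm 644 -print
        find "$root" -type f -name wp-config.php ! -perm 600 -print
    } | sort -u
}

# Constructed throwaway tree showing the two classic mistakes (777 uploads, 666 config)
wp_perms_demo() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads"
    printf '<?php // DB_PASSWORD lives here\n' > "$site/wp-config.php"
    printf '<?php\n' > "$site/wp-content/uploads/shell.php"
    chmod 777 "$site/wp-content/uploads"
    chmod 666 "$site/wp-config.php"
    echo "before:"; wp_bad_perms "$site"
    wp_fix_perms "$site"
    echo "after (should be empty):"; wp_bad_perms "$site"
    rm -rf "$site"
}

wp_perms_demo
```

Run wp_bad_perms from cron and mail yourself the output: an empty report is the normal case, and a world-writable file appearing in wp-content/uploads is exactly the kind of change you want to hear about before a scanner finds it. One trade-off to know about: with files at 644 owned by an account other than the one PHP runs as, the dashboard's one-click updates will ask for FTP details instead of writing files directly.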
4. Secure wp-config.php
By default, this file sits in the same directory as the rest of WordPress. WordPress will also look for it one directory up, so you can move it there, and if that directory is outside your web root the file is out of reach of anyone who could trick the server into serving it raw.
This is a critical file because it contains the username and password to your database as well as the security keys and salts used to sign login cookies and keep the site protected.
If wp-config.php is in public_html/wordpress/wp-config.php, move it to public_html/wp-config.php. Note that in this layout public_html is still the web root, so the file is only as safe as the server's PHP handling; the move only truly hides it when the WordPress folder itself is the web root and its parent is not. Either way, keep the .htaccess rule below as well.
You can also add the following to your .htaccess file to add another layer of protection. The files wrapper is what limits the rule to that one file; a bare deny from all would lock out your whole site. (On Apache 2.4 the equivalent directive inside the wrapper is Require all denied.)
[code]# to protect wp-config.php
<files wp-config.php>
deny from all
</files>[/code]
5. Database Security
When WordPress is initially set up, wp_ is the default database prefix. Since this is well known and most users never change it, scripted attacks can hard-code table names like wp_users. Changing the prefix is obscurity rather than a real barrier (an attacker who already has SQL injection can simply list your tables), but it does break the lazy, mass-produced attacks, so it is still worth doing.
Use the WP Prefix Changer to change the prefix. This should only be used on an existing install, and take a backup first, because a half-finished rename leaves the site unable to log anyone in. Use a random string of alphanumeric characters. Because this is not something you need to remember for later use, make it as random as possible.
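If you prefer to change the prefix by hand, or want to see what such a plugin actually has to do, here is an added example (not the plugin's code and not part of the original post) that generates a random prefix and prints the SQL. The function names are mine; it assumes the twelve core tables of a single-site install and plain MySQL syntax. Plugin tables that use the old prefix would need the same RENAME treatment, and the two UPDATE statements are the part hand-edits usually forget: WordPress stores the prefix as data in the roles option and in every user's capability keys, and without them every account loses its role.

```shell
#!/bin/sh
# Added example (not the post's plugin): pick a random prefix and print the SQL
# that a manual prefix change needs. Assumes the 12 core tables of a single-site
# install; plugin tables starting with the old prefix need the same RENAME.

wp_random_prefix() {
    # a letter first, then 5 alphanumerics, e.g. "k3f9q2_". Not a secret, just unguessable.
    a=$(LC_ALL=C tr -dc 'a-z' </dev/urandom | head -c 1)
    b=$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 5)
    printf '%s%s_\n' "$a" "$b"
}

wp_prefix_sql() {                 # $1 = old prefix, $2 = new prefix
    old="$1"; new="$2"
    for t in commentmeta comments links options postmeta posts termmeta terms \
             term_relationships term_taxonomy usermeta users; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done
    # Two places store the prefix as DATA, not as a table name:
    # the roles row in options ...
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    # ... and per-user keys such as wp_capabilities / wp_user_level in usermeta.
    # '_' is a LIKE wildcard, so escape it in the old prefix.
    esc=$(printf '%s' "$old" | sed 's/_/\\_/g')
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$((${#old} + 1))" "$esc"
    printf '%s\n' "-- then set \$table_prefix = '$new'; in wp-config.php"
}

wp_prefix_sql wp_ "$(wp_random_prefix)"
```

Run the output inside a transaction (or at least with the site in maintenance mode), edit wp-config.php last, and log in once before you call it done.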
6. Username Obscurity
The default username on a WordPress install is admin. If you have not created a unique username, then everyone knows half of the login credentials to your site. And if you have not changed your password, they can probably figure out the other half.
Make it more of a challenge.
You cannot change the username from the dashboard once it is created. So, the simplest solution is to create a second user with administrator rights, log in as that user, and delete the admin account, choosing to attribute its posts to the new user when WordPress asks. Treat the new name as public anyway: author archive pages still reveal usernames, so the real protection is the strong password from step 1.
7. Backups are Critical
Making regular backups of your database and your source files is imperative for security. If your site gets hacked and you have a fresh, clean backup, you can restore your site in a matter of minutes and be back up and running in no time. Without a backup, you are at the mercy of your hosting provider, and that is not a good place to be.
I recommend WP-DB Manager to monitor and create regular backups of the database. It is a free plugin and works well for database maintenance and security. You can create scheduled backups and have them emailed off site so you have a copy on your local machine as well as on your server. Bear in mind that a database dump holds every password hash and the contents of private posts, so send it to a mailbox you control and keep the copies that stay on the server outside any web-readable folder.
For more protection, I recommend using BackupBuddy. This is a premium plugin that provides backup of the database and the file system. This plugin enables you to create complete backups and restore when needed. Whatever tool you use, the test that matters is a restore: a backup you have never restored is one you only hope works.
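For a host with shell access, a cron job can do the same job without a plugin. The script below is an added example, not code from either plugin or from WordPress; the function names are mine, and it assumes mysqldump, tar and gzip are installed and that wp-config.php uses the single-quoted define('NAME', 'value') form it ships with. Reading the credentials out of wp-config.php means they are never copied into a second file, and passing the password through the MYSQL_PWD environment variable keeps it out of the process list. Only the parser runs in the demo; wp_backup needs a real database.

```shell
#!/bin/sh
# Added example (not from the post, not either plugin): a cron-able backup that
# takes DB credentials from wp-config.php. Assumes mysqldump, tar and gzip and
# single-quoted define('NAME', 'value') lines in wp-config.php.

wp_config_get() {                 # $1 = path to wp-config.php, $2 = constant name
    sed -n "s/^[[:space:]]*define([[:space:]]*'$2'[[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

wp_backup() {                     # $1 = WordPress root, $2 = destination dir (outside the web root!)
    root="$1"; dest="$2"; cfg="$root/wp-config.php"
    stamp=$(date +%Y%m%d-%H%M%S)
    db=$(wp_config_get "$cfg" DB_NAME); user=$(wp_config_get "$cfg" DB_USER)
    pass=$(wp_config_get "$cfg" DB_PASSWORD); host=$(wp_config_get "$cfg" DB_HOST)
    [ -n "$db" ] && [ -n "$user" ] || { echo "could not read DB settings from $cfg" >&2; return 1; }
    umask 077                     # the archives contain wp-config.php and every password hash
    mkdir -p "$dest"
    # MYSQL_PWD keeps the password out of `ps`; --single-transaction gives a consistent InnoDB snapshot
    MYSQL_PWD="$pass" mysqldump --single-transaction --quick -h "${host:-localhost}" -u "$user" "$db" \
        | gzip > "$dest/db-$stamp.sql.gz"
    tar -czf "$dest/files-$stamp.tar.gz" -C "$(dirname "$root")" "$(basename "$root")"
    echo "$dest/db-$stamp.sql.gz $dest/files-$stamp.tar.gz"
}

# Constructed sample config to show the parser (no database needed for this part)
wp_backup_demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
<?php
define('DB_NAME', 'wp_site');
define( 'DB_USER', 'wp_user' );
define('DB_PASSWORD', 'p@ss word!');
define('DB_HOST', 'localhost');
define('AUTH_KEY', 'not a db setting');
EOF
    for k in DB_NAME DB_USER DB_PASSWORD DB_HOST; do
        echo "$k=$(wp_config_get "$cfg" "$k")"
    done
    rm -f "$cfg"
}

wp_backup_demo
```

Point the destination at a directory the web server cannot serve, and copy the archives off the machine afterwards (rsync or scp to another host is enough); a backup that lives only on the hacked server is part of the loot.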
8. Monitoring Changes
Monitoring changes to your site is a critical step in knowing what to correct if a security breach occurs. If you are hacked, you need to find and clean every file that was touched, not just the obvious one, or the attacker's leftover backdoor lets them walk straight back in.
WordPress File Monitor keeps track of files that have been added, deleted or modified. You then know where the hack occurred and are better able to prevent future events. One caveat: a monitor that runs inside the compromised site can be switched off or handed a fresh baseline by the same attacker, so keep a copy of the file hashes somewhere they cannot reach.
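The same idea with no plugin at all, as an added example (not WordPress File Monitor's code and not part of the original post): hash every file once, keep the manifest off the server, and diff against it from cron. The helper names are mine; it assumes GNU sha256sum and file paths without spaces.

```shell
#!/bin/sh
# Added example (not the plugin the post names): a hash baseline of the whole
# site plus a diff against it. Keep the manifest OUTSIDE the web root (and
# ideally off the server). Assumes GNU sha256sum and paths without spaces.

wp_baseline() {                   # $1 = site root, $2 = manifest to write
    ( cd "$1" && find . -type f -exec sha256sum '{}' + | sort -k 2 ) > "$2"
}

wp_changes() {                    # $1 = site root, $2 = manifest from wp_baseline
    root="$1"; old="$2"; new=$(mktemp)
    wp_baseline "$root" "$new"
    # first file fills old[path]=hash; the fresh manifest is compared against it
    awk 'NR == FNR { old[$2] = $1; next }
         { seen[$2] = 1; if (!($2 in old)) print "added   " $2; else if (old[$2] != $1) print "changed " $2 }
         END { for (p in old) if (!(p in seen)) print "removed " p }' "$old" "$new"
    rm -f "$new"
}

# Constructed demo: baseline a tiny tree, then simulate what a compromise looks like
wp_monitor_demo() {
    site=$(mktemp -d); manifest=$(mktemp)
    mkdir -p "$site/wp-content/plugins/hello"
    echo '<?php // index' > "$site/index.php"
    echo '<?php // plugin' > "$site/wp-content/plugins/hello/hello.php"
    wp_baseline "$site" "$manifest"
    echo 'injected' >> "$site/index.php"                     # modified core file
    echo 'planted'  >  "$site/wp-content/uploads.php"        # new PHP file in a content dir
    rm "$site/wp-content/plugins/hello/hello.php"            # removed
    wp_changes "$site" "$manifest"
    rm -rf "$site" "$manifest"
}

wp_monitor_demo
```

Re-run wp_baseline only right after you have updated WordPress or a plugin yourself; every other report of "changed" or "added" is something to look at, and a new .php file under wp-content/uploads is almost never legitimate.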
You Can’t Be Perfect
There is no such thing as perfect security for a website, just ask Bank of America and the Department of Defense. Being hacked is part of the risk we take by being on the web. It is fairly unregulated and open to all comers. Our best option is to prepare for an attack and be ready to respond immediately.
If you would like added security and support for your website, be sure to check out our maintenance and support services. We can provide various levels of support for your website.