Keeping Your WordPress Site Secure
Part 1 of 2.
More and more of our customers are opting to use WordPress to build and maintain their websites. WordPress is an excellent Content Management System (CMS), and it now powers approximately 20% of all websites.
That popularity makes WordPress sites a favourite target for hackers and spammers: a weakness found in one install can be tried against millions of others. The platform itself is mature and well maintained, but there are steps every site owner should take to protect their own installation. Some are common sense, and some involve adding plugins to your website.
While the following recommendations largely apply to any CMS platform, such as Joomla and Drupal, the examples here focus on the Web's number one CMS, WordPress.
1. Change Your Admin Username
Until quite recently, the administrator account created when you install WordPress was called "admin" by default, and most developers left it that way. This does half of an attacker's work for them: the username is already known, so only the password has to be guessed. If the admin account is compromised, the attacker can upload any content they choose, delete any files they wish, and so on. Renaming the account is only a first step, though: WordPress author archive links (for example /?author=1) can still reveal the login name of the first user, so the strong password in the next section is what really matters.
If you have an existing WordPress site whose administrator is still called "admin", change it before reading any further! WordPress does not let you rename a user from the dashboard, so do it in three steps: create a new user with the Administrator role and a non-obvious name, log in as that new user, then delete the old "admin" account, choosing the option to attribute all of its content to the new account.
2. Use and Enforce Strong Passwords
By default, when creating a WordPress installation, our implementation of the Softaculous installer will require a password strength rating of 75 or more. This is for the safety of your website. A strong password should be at least 8 characters long, and preferably much longer; length adds more strength than any other single change. It should contain a mixture of upper and lower case letters, numbers and symbols. A password should never be a dictionary word or contain any part of the domain name, since those are the first guesses an attacker tries.
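The Softaculous rating only applies to the password chosen at install time. The following is an added example, not code from the original article, from Softaculous or from WordPress itself, showing how the same rules can be enforced on every later password change through two WordPress hooks. The plugin name, the function names, the 12-character minimum and the error text are assumptions made for this example; drop the file into wp-content/mu-plugins/ to activate it.

```php
<?php
/*
Plugin Name: Example Password Policy
Description: Added example (not part of the original article or of Softaculous).
             Rejects weak passwords on profile updates and password resets.
*/

// Policy threshold: an assumption chosen for this example, not from the article.
const EXAMPLE_MIN_PASSWORD_LENGTH = 12;

// Returns the list of reasons a password fails the policy (empty list = acceptable).
function example_password_problems($password, $site_host) {
    $problems = array();

    if (strlen($password) < EXAMPLE_MIN_PASSWORD_LENGTH) {
        $problems[] = 'shorter than ' . EXAMPLE_MIN_PASSWORD_LENGTH . ' characters';
    }
    if (!preg_match('/[a-z]/', $password))         { $problems[] = 'no lower-case letter'; }
    if (!preg_match('/[A-Z]/', $password))         { $problems[] = 'no upper-case letter'; }
    if (!preg_match('/[0-9]/', $password))         { $problems[] = 'no digit'; }
    if (!preg_match('/[^A-Za-z0-9]/', $password))  { $problems[] = 'no symbol'; }

    // Reject any label of the site's own domain ("example" from example.com),
    // compared case-insensitively; attackers try those before anything else.
    // A dictionary or breached-password list check would be added the same way.
    foreach (explode('.', strtolower($site_host)) as $label) {
        if (strlen($label) >= 3 && stripos($password, $label) !== false) {
            $problems[] = 'contains part of the domain name';
            break;
        }
    }
    return $problems;
}

// Shared handler: pass1 is the form field WordPress uses for a new password.
function example_enforce_password_policy($errors) {
    if (empty($_POST['pass1'])) {
        return; // the password is not being changed in this request
    }
    $host     = wp_parse_url(home_url(), PHP_URL_HOST);
    $problems = example_password_problems(wp_unslash($_POST['pass1']), $host);
    if ($problems) {
        $errors->add('example_weak_password',
            '<strong>Error:</strong> Password rejected: ' . esc_html(implode(', ', $problems)) . '.');
    }
}

// Fires when a profile is saved in the dashboard (own profile or another user's).
add_action('user_profile_update_errors', 'example_enforce_password_policy', 10, 1);
// Fires when a new password is set through the "lost password" reset form.
add_action('validate_password_reset', 'example_enforce_password_policy', 10, 1);
```

Because the check runs server-side in the same WP_Error object WordPress already uses, the rejected password is reported on the form like any other validation error, and disabling the browser's strength meter does not bypass it.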
3. Keep WordPress Automatically Updated.
When installing WordPress through Softaculous, you will see an Advanced Options section further down the page. Click it and you will see:
- Auto Upgrade
- Auto Upgrade WordPress Plugins
- Auto Upgrade WordPress Themes
You should select all three of these options, and also tick the box to install the Limit Login Attempts plugin. You can also configure an existing website to update its core software, plugins and themes automatically; the WordPress.org Codex has a good guide on how to do this.
A large team of people work on WordPress, and new releases are published frequently. Minor releases in particular usually patch security vulnerabilities that have been found in the code that runs WordPress, and once a patch is out the flaw is public knowledge, so a site that lags behind is exposed to attacks that are already known.
The Limit Login Attempts plugin helps protect against brute-force attacks, in which an attacker points a program at the login page and tries thousands of username and password combinations. After a set number of failed attempts the plugin locks the offending IP address out for a period of time, which turns a fast automated guessing run into something impractically slow.
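For an existing site that was not installed with the three Auto Upgrade boxes ticked, the same result can be had with a short must-use plugin. This is an added example, not code from the original article or from Softaculous; the plugin name and the file location are assumptions, and the three filter names are WordPress's own.

```php
<?php
/*
Plugin Name: Example Auto Updates
Description: Added example (not from the original article): the three Softaculous
             "Auto Upgrade" options, turned on by hand for an existing site.
             Save as wp-content/mu-plugins/example-auto-updates.php (assumed path).
*/

// Core: a default install already applies minor (security and maintenance)
// releases by itself; this also allows major releases. It is equivalent to
// define('WP_AUTO_UPDATE_CORE', true); in wp-config.php.
add_filter('allow_major_auto_core_updates', '__return_true');

// Plugins and themes are NOT auto-updated by default. Returning true from these
// filters answers "yes" for every installed plugin and theme.
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme',  '__return_true');

// Background updates only run if nothing else has switched them off. Two
// wp-config.php constants do exactly that, so fail loudly rather than silently:
if ((defined('AUTOMATIC_UPDATER_DISABLED') && AUTOMATIC_UPDATER_DISABLED)
    || (defined('DISALLOW_FILE_MODS') && DISALLOW_FILE_MODS)) {
    add_action('admin_notices', function () {
        echo '<div class="notice notice-error"><p>'
           . 'Automatic updates are disabled by AUTOMATIC_UPDATER_DISABLED or DISALLOW_FILE_MODS in wp-config.php.'
           . '</p></div>';
    });
}
```

Updates are applied by WP-Cron, which on most hosting runs on the next page visit, and only when WordPress can write to its own files directly rather than over FTP. Keep a current backup: with every plugin updating itself there is no staging step, so a broken plugin release reaches the live site.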
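To make concrete what a lockout plugin does, here is an added example of the same mechanism written as a must-use plugin against WordPress's own login hooks. It is not the Limit Login Attempts plugin's code and not code from the original article; the plugin name, the function names, the limit of 5 failures and the 15-minute lockout are assumptions chosen for the example.

```php
<?php
/*
Plugin Name: Example Login Throttle
Description: Added example (not the Limit Login Attempts plugin): lock an IP
             address out after repeated failed logins.
*/

// Thresholds are assumptions for this example, not values from the article.
const EXAMPLE_MAX_FAILURES    = 5;    // failed attempts allowed before lockout
const EXAMPLE_LOCKOUT_SECONDS = 900;  // lockout length: 15 minutes

function example_client_ip() {
    // REMOTE_ADDR is the only address the web server itself fills in.
    // X-Forwarded-For is attacker-controlled unless a trusted proxy sets it,
    // so it is deliberately not consulted here.
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_transient_key($ip) {
    return 'example_login_fail_' . md5($ip);
}

// Count every failed login; fires for a wrong username as well as a wrong password.
// The transient expires on its own, so the counter resets after the lockout period.
add_action('wp_login_failed', function ($username) {
    $key      = example_transient_key(example_client_ip());
    $failures = (int) get_transient($key);
    set_transient($key, $failures + 1, EXAMPLE_LOCKOUT_SECONDS);
});

// Once locked out, refuse the login even if the password is now correct.
// Priority 30 runs after WordPress's own password check (priority 20), so a
// correct guess during the lockout cannot replace our error with a WP_User.
add_filter('authenticate', function ($user, $username, $password) {
    if (empty($username) && empty($password)) {
        return $user; // the login form was only displayed, not submitted
    }
    $failures = (int) get_transient(example_transient_key(example_client_ip()));
    if ($failures >= EXAMPLE_MAX_FAILURES) {
        return new WP_Error('too_many_attempts',
            __('Too many failed login attempts from your address. Try again later.'));
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(example_transient_key(example_client_ip()));
}, 10, 2);
```

Two caveats apply to any IP-based lockout, this one and the plugin alike: everyone behind the same office or carrier NAT shares one counter, so a legitimate colleague can be locked out by an attacker on the same address, and an attacker with many addresses simply spreads the attempts out. It raises the cost of guessing; the strong password is still what stops it.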
4. Use an SSL (Secure Sockets Layer) Certificate.
More sites are now moving to use SSL for all of their connections. If you've visited Google, Facebook or Twitter lately, these sites all use https:// as the connection protocol instead of http://. When using https://, you will see a padlock icon (green in many browsers) in the location bar, indicating that your connection to the site is encrypted and that the certificate was issued for the site you asked for; it says nothing about whether the site's content is trustworthy. If your website asks users to log in, register an account or provide contact information, you need an SSL certificate; without one those details, and your own administrator password, cross the network in plain text.
An SSL certificate allows your website's visitors to connect using https:// without receiving a browser warning. Certificates are available from Register4Less, starting at $12.95/year.
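Installing the certificate makes https:// available; it does not make WordPress use it. The following added example, which is not code from the original article, redirects every plain-http request to https from a must-use plugin. The plugin name and file location are assumptions; FORCE_SSL_ADMIN, is_ssl() and the hooks are WordPress's own.

```php
<?php
/*
Plugin Name: Example Force HTTPS
Description: Added example (not from the original article). With a certificate
             installed, send every plain-http visitor to the https version.
*/

// Pair this with the following line in wp-config.php, which keeps the login page
// and the dashboard on https so the administrator password and the
// authentication cookies are never sent in the clear:
//     define('FORCE_SSL_ADMIN', true);

add_action('init', function () {
    if (is_ssl() || (defined('WP_CLI') && WP_CLI)) {
        return; // already encrypted, or running from the command line
    }

    // Build the target from the configured home URL, NOT from the Host header:
    // the client controls that header and could turn this into an open redirect.
    $host = wp_parse_url(home_url(), PHP_URL_HOST);
    if (!$host) {
        return;
    }
    $target = 'https://' . $host . $_SERVER['REQUEST_URI'];

    // 301: browsers and search engines remember that the site lives on https.
    wp_redirect($target, 301);
    exit;
}, 1);

// If TLS is terminated by a proxy or CDN in front of the server, PHP sees plain
// http and is_ssl() is false, which would make the redirect above loop forever.
// Only in that setup, and only if the proxy strips the header from clients, map
// its forwarded scheme onto the variable is_ssl() reads. Uncomment to use:
//
// if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
//     $_SERVER['HTTPS'] = 'on';
// }
```

Also set the WordPress Address and Site Address under Settings, General to the https:// form, otherwise pages will still embed http:// links to their own scripts and images and browsers will show a mixed-content warning instead of the padlock.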
5. Use SSL when Publishing with FTPS
When the FTP protocol was designed, eavesdropping on the network was not a concern, so it sends your username, password and file contents in plain text. Today, sending data over a public network without encryption is considered very risky: anyone on the path between you and the server can read your login or alter what you publish.
Having an SSL certificate on your website protects your visitors, but it does nothing for the FTP connection you use to publish content; that connection needs its own protection. Connect using FTP over TLS (FTPS) instead of plain FTP by selecting the "Require explicit FTP over TLS" or "Require implicit FTP over TLS" option in your FTP program. Explicit FTPS upgrades the normal port 21 connection to TLS before your login is sent; implicit FTPS uses a separate port, 990, that is encrypted from the start. Either way, choose the "Require" setting rather than "Use if available", so the client refuses to fall back to plain text if the server does not offer encryption.
The second instalment of this article will be published next Monday.