June 30 2014
Security

WordPress Security 101 - All you need to know

Posted Monday June 30th 2014

WordPress is one of the world’s most popular Content Management Systems (CMS) largely because it is so easy to install, customise, and get your website online, but one does not simply ‘run’ WordPress. As it is so widely used, it’s an easy target for hackers looking to cause trouble or maliciously gain access to your data, so it’s paramount that you take the necessary steps to secure your website and your data and maintain maximum WordPress security.

Keep WordPress Updated

Keeping your WordPress up to date is the single most important thing when running this platform, or any CMS for that matter. Every 1-2 months, you will typically find a core WordPress update to apply that addresses security vulnerabilities, so you must keep on top of this.

If you opt to install WordPress on your VentraIP service using Softaculous or Installatron, be sure to enable the automatic update function, as this will take care of this matter for you.

The easiest way to keep all your plugins updated while mitigating the risk of an update breaking your website is to opt for managed WordPress hosting. This is hosting with additional features for WordPress websites, including the ability to auto-update plugins: the system first checks each update to ensure it does not create any issues on the website before applying it. Visit our WP hosting page to learn more about VentraIP Australia’s WordPress hosting.

Plugins

Plugins are a particularly vulnerable part of any WordPress installation, in many ways. Firstly, not all plugins are legitimate. Google your plugins before installing them to confirm that they are legitimate, still in active development, and have no known vulnerabilities. Installing a plugin that isn’t trusted could leave you exposed to malicious developers with ulterior motives.

As with your core WordPress installation, you absolutely must keep all of your plugins up to date; an out of date plugin is another vulnerability.

Finally, if you’ve installed many plugins in the past that you no longer need, uninstall them. If you’re not using the plugin(s), you have an additional unnecessary point of weakness there, so uninstall it.

Themes

These function the same as plugins. Only install trusted themes, always keep them up to date, and when you no longer need old ones, make sure they are removed.

Admin accounts – username and password

The default username for the WordPress primary administrator user is ‘admin’; don’t keep this as is. Always change your administrator username to something else. This makes it harder for attackers to guess your administrator username, making it more difficult to brute force your WordPress login.

In addition to your administrator username, it’s important to choose the passwords you use carefully; this means using combinations of upper and lowercase characters, numbers, and, if possible, symbols. Always use passwords longer than 8 characters and, if possible, change them every few months. Never store your passwords in plain text anywhere and never share them with untrusted people, particularly via email or IM.

Lastly, be sure to change your password every few months.

Limit access to your WordPress Admin login

Your WordPress admin area (wp-admin) will often be targeted by automated bots trying to hack their way in, so it’s a good idea to lock it off. If you haven’t installed a WordPress admin lockdown plugin, try adding the following to your .htaccess:

<IfModule mod_rewrite.c>
RewriteEngine on
# Match the login page and anything under wp-admin. The trailing (.*) also
# catches /wp-admin/ and /wp-admin/index.php, which a bare "wp-admin$" would miss.
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(.*)$
# Leave admin-ajax.php reachable: many themes and plugins call it for ordinary visitors.
RewriteCond %{REQUEST_URI} !admin-ajax\.php
# Allow only your own address(es): one RewriteCond line per IP, dots escaped.
# If your address changes you will be locked out too; edit this file via File Manager or FTP.
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.xxx$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.xxx$
RewriteRule ^(.*)$ - [F,L]
</IfModule>

In this example, change “123.123.123.xxx” to your own IP address(es), one RewriteCond line per address, so that access to wp-admin is locked down to just your location(s).

Log admin logins

Using a WordPress plugin such as Simple Login Log, you can have every login event emailed to you, a simple way to keep a check on what’s happening.
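The same check can be made without a plugin from your site’s raw access log, which records every wp-login.php attempt. This is an added example, not code from the article or from the Simple Login Log plugin; the log lines are constructed samples and the threshold of 2 failures is an assumption. It relies on WordPress answering a failed login with a 200 (form re-rendered) and a successful one with a 302 redirect.

```shell
#!/bin/sh
# Constructed sample lines in Apache combined log format (not real traffic).
# A failed WordPress login re-renders the form with status 200; a successful
# one redirects with 302.
SAMPLE_LOG='203.0.113.5 - - [30/Jun/2014:10:00:01 +1000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Jun/2014:10:00:02 +1000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Jun/2014:10:00:03 +1000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Jun/2014:10:00:04 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Jun/2014:10:05:00 +1000] "GET /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Jun/2014:10:05:09 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [30/Jun/2014:10:06:00 +1000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"'

# Read an access log on stdin and print "count ip" for every client with more
# than $1 failed wp-login.php POSTs. Fields: $1 client IP, $6 the method with
# its opening quote, $7 the request path, $9 the status code.
failed_wp_logins_over() {
    awk -v threshold="$1" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] > threshold) print fails[ip], ip }
    '
}

# With the sample above this prints: 3 203.0.113.5
printf '%s\n' "$SAMPLE_LOG" | failed_wp_logins_over 2
```

Pipe your real access log into failed_wp_logins_over instead of the sample to see which addresses are hammering your login page; those are candidates for the .htaccess block above.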

Appropriate File Permissions

This is a bit of an advanced one, but definitely important. Don’t have any files or folders chmodded to 777 permissions. If you’re unsure what this means, you can run the Permissions Fixer within your VIPControl. Furthermore, set your WordPress config file (wp-config.php), or your Joomla config file (configuration.php), to a chmod of 600 so that it cannot be read by other users; apply this same rule to other CMSs as well. You can set the chmod on your configuration file using cPanel’s File Manager or FTP.

Moving your wp-config.php out of reach

wp-config.php, as above, is where your WordPress configuration data is stored. By default, WordPress will look for this file within its installation directory and then one directory above it. If you have installed WordPress to /home/yourusername/public_html as your primary website, move your wp-config.php into your /home/yourusername folder; this keeps it out of reach of most.
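This added POSIX shell script (not from the article or from VentraIP’s Permissions Fixer) checks a document root for both problems from the last two sections: world-writable files or folders, and a wp-config.php that other accounts can read, looking for the file in the install directory and then one level above it, exactly where WordPress looks. The demo layout it builds is a constructed placeholder, as is the /home/yourusername/public_html path.

```shell
#!/bin/sh
# Audit a WordPress document root for the two problems described above:
# anything world-writable (777-style) and a wp-config.php readable by other
# accounts on the server. wp-config.php is looked for where WordPress itself
# looks: the install directory first, then one directory above it.
# Prints each finding; returns 0 when clean, 1 otherwise.
wp_perm_audit() {
    root="$1"
    status=0

    # -perm -002: the "other" write bit is set (catches 777, 666, 757, ...).
    world_writable=$(find "$root" -perm -002 -print)
    if [ -n "$world_writable" ]; then
        printf 'world-writable (fix with chmod 755 for dirs, 644 for files):\n%s\n' "$world_writable"
        status=1
    fi

    if [ -f "$root/wp-config.php" ]; then
        cfg="$root/wp-config.php"
    elif [ -f "$root/../wp-config.php" ]; then
        cfg="$root/../wp-config.php"
    else
        echo "wp-config.php not found in $root or its parent directory"
        return 1
    fi

    # Columns 5-10 of 'ls -ld' are the group and other permission bits; any r, w
    # or x there means the file is not 600. 600 is right when PHP runs as your
    # own account user, as on cPanel/suPHP hosts.
    case "$(ls -ld "$cfg" | cut -c5-10)" in
        *[rwx]*) echo "$cfg is readable by other users; chmod 600 it"; status=1 ;;
    esac
    return "$status"
}

# Demo on a constructed layout (not a real site) so the script runs anywhere:
# a 777 uploads directory and a 644 wp-config.php, both of which it should flag.
# On a real host you would run: wp_perm_audit /home/yourusername/public_html
demo_base=$(mktemp -d)
mkdir -p "$demo_base/public_html/wp-content/uploads"
chmod 755 "$demo_base/public_html" "$demo_base/public_html/wp-content"
chmod 777 "$demo_base/public_html/wp-content/uploads"
: > "$demo_base/public_html/wp-config.php"
chmod 644 "$demo_base/public_html/wp-config.php"
wp_perm_audit "$demo_base/public_html" || echo "audit reported problems (expected for the demo)"
rm -rf "$demo_base"
```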

Backups

Taking backups doesn’t stop you from being hacked, but it provides you with a fallback if you do. If you are hacked, for whatever reason, a backup allows you to restore your website to a functional state before the hack – it is then absolutely critical that you then identify how you were hacked in the first place and then patch it to avoid a repeat.

So with this in mind, you need to ensure you regularly take your own backups; don’t just rely on the automated web server ones. By taking your own periodic backups and storing them on your own computer, you’re giving yourself peace of mind that you have your data secure for disaster recovery. Always take backups!

The final word

These are just some of the ways you can secure your WordPress setup, and many of these tips apply to other CMS platforms too, but this by no means covers all of your options. If you’re serious about security, and we hope you are, we encourage you to apply each of these recommendations and seek out additional measures, such as keeping your own computer secure.

Angelo is the co-CEO and one of VentraIP Australia's co-founders. His passion for the industry is only rivalled by his d...