June 30 2014

Security - Wordpress 101

Posted Monday June 30th 2014

WordPress is one of the world’s most popular Content Management Systems (CMS), largely because it is so easy to install, customise and get your website online; but one does not simply ‘run’ WordPress. Because it is so widely used, it’s an easy target for hackers looking to cause trouble or maliciously gain access to your data, so it’s paramount that you take the necessary steps to secure your website and your data.

Keep WordPress Updated

Keeping your WordPress up to date is the single most important thing when running this platform, or any CMS for that matter. Every 1-2 months you will typically find there is a core WordPress update to apply which addresses security vulnerabilities, so it is critical that you keep on top of this.

If you opt to install WordPress on your VentraIP service using Softaculous or Installatron, be sure to enable the automatic update function as this will take care of this matter for you.


Plugins

Plugins are a particularly vulnerable part of any WordPress installation in many ways. Firstly, not all plugins are legitimate; make sure that you Google your plugins before installing them to identify whether they are legitimate, still in active development and have no known vulnerabilities. Installing a plugin which isn’t trusted could lead to you being impacted by malicious developers who have ulterior motives.

As with your core WordPress installation, you absolutely must keep all of your plugins up to date; an out of date plugin is another vulnerability.

Finally, if you’ve installed a number of plugins in the past which you no longer need, uninstall them. If you’re not using a plugin then it is an additional, unnecessary point of weakness, so just uninstall it.


Themes

Themes function exactly the same as plugins. Only install trusted themes, always keep them up to date, and when you no longer need old ones make sure they are removed.

Admin accounts – username and password

The default username for WordPress’ primary administrator user is ‘admin’; don’t keep this as is. Always change your administrator username to something else. This simply makes it harder for hackers to guess your administrator username, making it more difficult to brute force your WordPress.

In addition to your administrator username, it’s important to choose the passwords you use carefully; this means using combinations of upper and lowercase characters, numbers and if possible, symbols. Always use passwords longer than 8 characters and if possible, change them every few months. Never store your passwords in plain text anywhere and never share them with untrusted people, particularly via email or IM.

Lastly, be sure to change your password every few months.

Limit access to your WordPress Admin login

Your WordPress admin area (wp-admin) will often be targeted by automated bots trying to hack their way in, so it’s a good idea to lock it off. If you haven’t installed a WordPress admin lockdown plugin, try setting up the following in your .htaccess:

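<IfModule mod_rewrite.c>
RewriteEngine on
# Match requests for the login page or the admin directory
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# Placeholder addresses (documentation ranges): replace with your own IP address(es)
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.20$
# Every other address receives 403 Forbidden
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

In this example you will change the placeholder addresses 203.0.113.10 and 198.51.100.20 to match your IP address(es), locking down access to wp-admin to just your location(s).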

Log admin logins

Using a WordPress plugin such as Simple Login Log, you can be alerted to all login events via email. A simple way to keep a check on what’s happening.

Appropriate File Permissions

This is a bit of an advanced one, but definitely important. Don’t leave any of your files or folders chmodded to 777; if you’re unsure what this means, you can simply run the Permissions Fixer within your VIPControl. Furthermore, ensure you set your WordPress config file (wp-config.php) or your Joomla config file (configuration.php) to a chmod of 600 (read and write for the owner only) to avoid it being read – apply this same rule to other CMSs as well. You can set the chmod on your configuration file using cPanel’s File Manager or FTP.

Moving your wp-config.php out of reach

wp-config.php, as above, is where your WordPress configuration data is stored. By default WordPress will actually look within its installation directory and one directory above it for this file. If you have installed your WordPress to /home/youruser/public_html as your primary website, move your wp-config.php into your /home/youruser folder; this places it outside the web-accessible directory and keeps it out of reach of most.
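The two checks from the file permissions and wp-config.php sections above (no 777 modes, and wp-config.php at 600 in the install directory or one level up), as an added shell example that is not part of the original article. The function names, the finding labels and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for mode-777 entries and a readable wp-config.php.

# Prints one line per finding. Returns 0 when clean, 1 when anything was found.
audit_wp_perms() {
    root=$1
    # Files or directories with mode exactly 777. Symlinks always report 777, so skip them.
    report=$(find "$root" ! -type l -perm 0777 -print | sed 's/^/MODE-777 /')
    # WordPress reads wp-config.php from its install directory or the one above it.
    cfg=
    for candidate in "$root/wp-config.php" "$root/../wp-config.php"; do
        if [ -z "$cfg" ] && [ -f "$candidate" ]; then cfg=$candidate; fi
    done
    if [ -z "$cfg" ]; then
        report=$(printf '%s\nCONFIG-MISSING no wp-config.php in %s or its parent' "$report" "$root")
    elif [ -n "$(find "$cfg" -prune ! -perm 0600 -print)" ]; then
        report=$(printf '%s\nCONFIG-MODE %s is not 600' "$report" "$cfg")
    fi
    report=$(printf '%s\n' "$report" | sed '/^$/d')
    if [ -z "$report" ]; then return 0; fi
    printf '%s\n' "$report"
    return 1
}

# Constructed sample tree (not a real site): one 777 directory, one 777 file,
# and wp-config.php moved one level above the web root but left at mode 644.
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/public_html/wp-content/uploads"
    : > "$base/public_html/index.php"
    : > "$base/public_html/wp-content/uploads/cache.php"
    : > "$base/wp-config.php"
    chmod 755 "$base/public_html" "$base/public_html/wp-content"
    chmod 644 "$base/public_html/index.php" "$base/wp-config.php"
    chmod 777 "$base/public_html/wp-content/uploads" "$base/public_html/wp-content/uploads/cache.php"
    printf '%s\n' "$base"
}

# Audit the directory given as $1, or the constructed sample when none is given.
if [ "$#" -gt 0 ]; then
    audit_wp_perms "$1"
else
    sample=$(make_sample_tree)
    audit_wp_perms "$sample/public_html" || echo "findings listed above"
    rm -rf "$sample"
fi
```

Run it with your install directory as the only argument, for example /home/youruser/public_html; an exit status of 1 means at least one finding was printed.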


Backups

Taking backups doesn’t stop you being hacked, but it provides you with a fallback if you are. If you are hacked, for whatever reason, a backup allows you to restore your website to a functional state from before the hack – it is then absolutely critical that you identify how you were hacked in the first place and patch it, to avoid a repeat.

So with this in mind, you need to ensure you regularly take your own backups; don’t just rely on the automated webserver ones. By taking your own periodic backups and storing them on your own computer, you’re giving yourself peace of mind that you have your data secure for disaster recovery. Always take backups!

The final word

These are just some of the ways you can secure your WordPress setup, and many of these tips can be applied to many other CMS platforms, but this by no means covers all of your options. If you’re serious about security, and we hope you are, we encourage you to apply each of these recommendations and seek out additional options such as keeping your own computer secure.

Angelo is the co-CEO and one of VentraIP Australia's co-founders. His passion for the industry is only rivalled by his d...