How to secure your WordPress site

Overview
This guide provides 12 methods of reducing your WordPress site’s vulnerability to attackers. While no security can claim perfection, these methods can mitigate many common threats to your site.

Rationale

The popularity of WordPress makes it a high-priority target for hackers. The default WordPress settings are inadequate for protection, but it is a relatively simple matter to implement effective safeguards. Though security can never be perfect, this guide can help prevent the most common vulnerabilities and exploits. Prevention is the most effective medicine, and as your site rises in popularity, it will also become more visible to potential attackers.

Essential security measures

This section provides eight critical safeguards for any WordPress site. Ignore these at your own peril.

Monitor patch releases and apply them immediately

As with all Internet-facing software, you must run the latest version of WordPress to maintain a secure environment. Upgrades provide new features, bug fixes, and critical security updates designed to address the latest exploits and attacks. If you ignore or postpone these patches, you compromise your security and endanger your data. WordPress applies automatic incremental updates for minor security releases in versions after 3.7, but you will still need to update manually for major feature releases. You can find more information on updating WordPress at their website.

Remove unused plug-ins and themes

Plug-ins and themes offer convenience and aesthetics in exchange for increased vulnerability. Every plug-in and theme on your site is another potential risk; therefore, removing unnecessary ones increases security. Even if inactive, a forgotten theme or plug-in can provide an attacker with another gateway to your site.

Implement and maintain a strong password policy

A password policy states requirements for passwords. A strong password follows the conventions outlined in our article, How to create a strong password.

Consider using the Nexcess Secure Password Generator to help generate a secure custom password. For assistance, refer to How to use the Nexcess Secure Password Generator.

Hide the wp-config.php file

Your wp-config.php file contains extremely sensitive information, including your database connection details. WordPress allows you to move your wp-config.php file one directory above your webroot so it is hidden from the public. Even if your permissions are set incorrectly or your version of WordPress suffers from an unpublished exploit, your wp-config.php file is then not accessible in a browser and your database information is safe.

For example, the path, /domain.com/public_html/wp-config.php would become /domain.com/wp-config.php.

Remove "admin" user

Hackers use programs specifically designed to guess massive numbers of usernames and passwords until one combination successfully logs in, otherwise known as a brute-force attack. These programs start with common login credentials, and "admin" is at the top of the username list. Remove the "admin" username and switch to a unique one to help prevent these types of attacks.

Set proper file permissions

Permissions can often lead to security concerns if set incorrectly. If a directory is set to 777, then anyone, anywhere, can read, write, and execute any file within that directory. This is hardly advisable. The proper and safest permissions for most environments are 755 for directories and 644 for files to prevent anonymous users from making changes to your site. You can view a detailed breakdown of the numeric value permission system here.
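The 755/644 scheme described above, as an added example that is not part of the original article: a POSIX shell audit that counts directories and files deviating from those modes and a fixer that resets them. The install root is passed as an argument; the demo tree is constructed in a temporary directory and contains the 777/666 cases the text warns against.

```shell
#!/bin/sh
# Added example (not from the article): audit and repair the 755/644 scheme.
# Assumes the WordPress install root is given as the first argument.

# Print the number of directories not set to 755 plus files not set to 644.
wp_perm_audit() {
  root="$1"
  dirs=$(find "$root" -type d ! -perm 755 | wc -l)
  files=$(find "$root" -type f ! -perm 644 | wc -l)
  echo $((dirs + files))
}

# Reset every directory to 755 and every file to 644 under the tree.
wp_perm_fix() {
  root="$1"
  find "$root" -type d ! -perm 755 -exec chmod 755 {} +
  find "$root" -type f ! -perm 644 -exec chmod 644 {} +
}

# Constructed demo tree (not a real install): one world-writable directory
# and one world-writable file. Prints "<offenders before> <offenders after>".
wp_perm_demo() {
  demo=$(mktemp -d)
  mkdir -p "$demo/wp-content/uploads"
  chmod 755 "$demo" "$demo/wp-content"     # explicit, so umask does not matter
  chmod 777 "$demo/wp-content/uploads"     # the "anyone can write" case
  printf '<?php\n' > "$demo/index.php"
  chmod 666 "$demo/index.php"
  before=$(wp_perm_audit "$demo")
  wp_perm_fix "$demo"
  after=$(wp_perm_audit "$demo")
  rm -rf "$demo"
  echo "$before $after"
}
```

Run `wp_perm_audit /path/to/site` first to see how many entries would change before calling `wp_perm_fix`.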

Perform regular malware scans on your PC

Your PC can compromise your site if it is infected with malware. For example, attackers may gain access to your FTP account, infect the site files stored on your PC, and then wait for you to upload them to your site, giving them access. If you use a PC to work on your blog, then your other security measures are irrelevant if and when hackers infiltrate that PC.

Perform regular backups

Even if your hosting company already does so, create your own backups and update them on a regular schedule. Some "sleeper" malware will lie dormant for months or years in an attempt to "outlive" the available backups. Having a deep history of backups will allow you to return to a clean version of your site without relying on your host's backup policies.

Additional security measures

This section highlights three additional security measures for your WordPress site. If you have a popular site or just want more safeguards, consider applying any or all of these recommendations.

Use two-factor authentication

Two-factor authentication adds an extra layer of security to your administrator panel login. Many exploits aim to gain access to the administrator panel and thereby full control of the site. This measure addresses password-related WordPress security risks. Duo Security offers a cloud-based option for applying two-factor authentication to your WordPress site, so there is no need to install additional software.

Prevent search engines from indexing your admin login page

This is easy, effective, and prevents anyone from finding a direct link to your login page by simply searching for your site. To prevent search engines from indexing your admin login page, add the following line to your robots.txt file:

Disallow: */wp-admin/

Hide your wp-plugins directory

Hackers have a multitude of ways to expose your site's list of installed plug-ins, which they will then use to search for exploits. In addition to removing unused plug-ins, you can hide your wp-plugins directory to keep such information private. To do so, place a blank index.html file within your wp-plugins directory, and anyone attempting to view that directory in a web browser will instead see a blank page.
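The three "hiding" measures in this guide (wp-config.php above the webroot, the robots.txt Disallow line, and the blank index.html in the plug-ins directory), checked together in one added POSIX shell audit that is not part of the original article. The site root, webroot and plug-ins directory paths are assumptions passed as arguments; the demo layout is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the article). Arguments: site root (the directory
# above the webroot), the webroot, and the plug-ins directory. All assumed.

# Print one line per failed check; the return value is the number of failures.
wp_hide_audit() {
  site="$1"; webroot="$2"; plugins="$3"; failures=0
  # wp-config.php should live one level above the webroot, not inside it
  if [ -f "$webroot/wp-config.php" ] || [ ! -f "$site/wp-config.php" ]; then
    echo "wp-config.php is not located above the webroot"
    failures=$((failures + 1))
  fi
  # robots.txt should carry a Disallow line for wp-admin. This only asks
  # well-behaved crawlers not to index the page; it does not block access.
  if ! grep -q 'Disallow: .*wp-admin/' "$webroot/robots.txt" 2>/dev/null; then
    echo "robots.txt does not disallow /wp-admin/"
    failures=$((failures + 1))
  fi
  # a blank index.html stops browsers from listing the installed plug-ins
  if [ ! -f "$plugins/index.html" ]; then
    echo "no index.html in plug-ins directory"
    failures=$((failures + 1))
  fi
  return "$failures"
}

# Constructed demo: an unhardened layout, then the same layout after applying
# the three measures. Prints "<failures before> <failures after>".
wp_hide_demo() {
  d=$(mktemp -d)
  webroot="$d/public_html"; plugins="$webroot/wp-plugins"
  mkdir -p "$plugins"
  printf '<?php\n' > "$webroot/wp-config.php"      # default location
  before=0; wp_hide_audit "$d" "$webroot" "$plugins" >/dev/null || before=$?
  mv "$webroot/wp-config.php" "$d/wp-config.php"   # move above the webroot
  printf 'User-agent: *\nDisallow: */wp-admin/\n' > "$webroot/robots.txt"
  : > "$plugins/index.html"                        # blank index file
  after=0; wp_hide_audit "$d" "$webroot" "$plugins" >/dev/null || after=$?
  rm -rf "$d"
  echo "$before $after"
}
```

A Disallow line only takes effect under a User-agent record, which is why the demo's robots.txt starts with `User-agent: *`.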
