12 Essential WordPress Security Tips

In light of the recent XSS security flaw, here are some tips and tricks for WordPress security.

1. Updating

Always keep your WordPress installation, themes and plugins updated. An out-of-date WordPress installation is a vulnerable one: new versions of WordPress are released regularly with security and bug fixes, and once a fix is public the flaw it closes is public too, so keep your installation up to date!

2. Passwords

One of the most fundamental areas of any kind of online security, and one that is easily overlooked, is passwords. Always use strong passwords: long, randomly generated, and mixing uppercase and lowercase letters, numbers and symbols, e.g. dr7wrAPh (and preferably a good deal longer than that example, since length is what makes a password expensive to guess). A password manager will generate and remember such passwords for you.

A simple-to-guess password means attackers can log in and create their own admin accounts. From there they can do as they please: install malware, post spam, or simply take your site down.

WordPress.com has a great article on selecting strong passwords; check it out.
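
As an added illustration of what "strong" means in practice (this code is not from the original article or from WordPress), the script below estimates the brute-force entropy of a password from the character classes it uses and generates one from the operating system's CSPRNG. The 80-bit threshold, the character-class rules and the 20-character default are this example's own choices, not anything the article specifies.

```python
"""Added example, not from the original article: estimate how much brute-force
work a password represents and generate one that clears a sensible bar.

The entropy figure assumes the attacker knows which character classes are in
use and tries every combination. Dictionary and leaked-password attacks do far
better than that against human-chosen passwords, so the number is an upper
bound on the attacker's effort, never a guarantee."""
import math
import secrets
import string

POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation)


def charset_size(password: str) -> int:
    """Size of the combined pools whose characters appear in the password."""
    return sum(len(pool) for pool in POOLS if any(c in pool for c in password))


def entropy_bits(password: str) -> float:
    """Brute-force entropy in bits: log2(pool_size ** length)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def is_strong(password: str, min_bits: float = 80.0) -> bool:
    """Mixed case plus digits, as the article asks, and enough length that
    the whole search space is out of reach (80 bits is an arbitrary but
    conservative bar chosen for this example)."""
    classes = [any(c in pool for c in password) for pool in POOLS[:3]]
    return all(classes) and entropy_bits(password) >= min_bits


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG that is guaranteed to pass is_strong().
    13 is the shortest length at which 94 symbols can reach 80 bits."""
    if length < 13:
        raise ValueError("length must be at least 13 to reach 80 bits")
    alphabet = "".join(POOLS)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_strong(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("password", "dr7wrAPh", generate_password()):
        print(f"{pw!r}: {entropy_bits(pw):5.1f} bits  strong={is_strong(pw)}")
```

Run it and the article's own example, dr7wrAPh, comes out at under 48 bits: mixed case and a digit help, but eight characters is simply too short, which is why the generator defaults to twenty.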

4. Themes and Plugins

Remove the default WordPress themes if they are not being used, and delete (rather than merely deactivate) any plugin you are not using: a deactivated plugin's files are still on disk and can still be requested directly by an attacker. Always keep themes and plugins updated. Always. This is just as important as keeping the WordPress core updated, because plugins and themes are where most WordPress vulnerabilities are found.

5. Backup

Keeping a backup of your site means you will always have a recent snapshot of your installation should anything go wrong, which includes being able to restore a clean copy after a compromise. Store backups somewhere other than the web server itself, and test that a restore actually works before you need it.

There are many very reliable plugins currently available, including VaultPress, Snapshot Pro and BackupBuddy.

Check out this article, which compares the top 7 backup plugins available for WordPress.

6. Brute Force Attacks

A WordPress site is usually easy to identify, and once an attacker knows a site runs WordPress they also know the default login URL (wp-login.php). From there they may make brute-force attempts at logging in.

There is an excellent plugin, Limit Login Attempts, which can be used to limit the number of failed login attempts from a single IP address. Bear in mind that a per-IP limit only slows down an attacker working from one address; a distributed attack spread across many addresses still gets its guesses in, which is why strong passwords (tip 2) remain the real defence.
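
To see what a brute-force attempt looks like from the server side, here is an added example, not from the original article or from the Limit Login Attempts plugin, that reads access log lines in the Apache/nginx combined format, counts failed POSTs to the login endpoints per client address inside a sliding window, and reports the addresses that crossed a threshold. The log lines are constructed for the example (documentation IP ranges, made-up timestamps), the threshold and window are arbitrary choices, and it goes one step beyond the text by also counting xmlrpc.php, which accepts WordPress credentials as well.

```python
"""Added example, not from the original article or the Limit Login Attempts
plugin: find login brute-forcing in a web server access log (Apache/nginx
combined format) and produce a list of addresses to block.

Going slightly beyond the text, xmlrpc.php is counted too: it accepts
WordPress credentials just like wp-login.php and is a common brute-force
target precisely because login-limiting plugins often ignore it."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample log (not real traffic): 203.0.113.9 hammers wp-login.php,
# 198.51.100.77 uses xmlrpc.php, and 198.51.100.20 is a real user who mistypes
# the password once and then logs in (the 302 redirect to the dashboard).
SAMPLE_LOG = """\
198.51.100.20 - - [10/May/2015:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2901
203.0.113.9 - - [10/May/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3125
203.0.113.9 - - [10/May/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3125
198.51.100.20 - - [10/May/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3125
203.0.113.9 - - [10/May/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3125
203.0.113.9 - - [10/May/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3125
198.51.100.77 - - [10/May/2015:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 411
203.0.113.9 - - [10/May/2015:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3125
198.51.100.20 - - [10/May/2015:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.77 - - [10/May/2015:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 411
203.0.113.9 - - [10/May/2015:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3125
198.51.100.77 - - [10/May/2015:10:00:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 411
203.0.113.9 - - [10/May/2015:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3125
198.51.100.77 - - [10/May/2015:10:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 411
this line is corrupt and must be skipped, not crash the parser
203.0.113.9 - - [10/May/2015:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3125
198.51.100.77 - - [10/May/2015:10:00:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 411
203.0.113.9 - - [10/May/2015:10:00:13 +0000] "POST /wp-login.php?redirect_to=/wp-admin/ HTTP/1.1" 200 3125
"""


def parse_line(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
    }


def is_failed_login(ev):
    """wp-login.php re-renders the form (200) on a bad password and redirects
    (302) on a good one. xmlrpc.php answers 200 either way, so every POST
    there is treated as an attempt."""
    if ev["method"] != "POST" or ev["path"] not in LOGIN_PATHS:
        return False
    return ev["path"] == "/xmlrpc.php" or ev["status"] != 302


def find_brute_forcers(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: peak number of failed logins inside any `window`} for
    every address that reached `max_failures` within that time."""
    events = [e for e in map(parse_line, lines) if e and is_failed_login(e)]
    events.sort(key=lambda e: e["time"])
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    flagged = {}
    for ev in events:
        q = recent[ev["ip"]]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, n in find_brute_forcers(SAMPLE_LOG.splitlines()).items():
        print(f"block {ip}: {n} failed logins")
```

On the sample log this flags the two attacking addresses and leaves the legitimate user alone, because a single typo followed by a successful redirect never reaches the threshold. In production the same logic runs continuously in a tool such as fail2ban; this script is the one-shot version for checking a log by hand.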

7. Change the Default "admin" Username

If you leave the default "admin" username in place, an attacker already knows half of your credentials and only has to guess your password to gain access to the admin area of your site.

Here is a lengthy, very in-depth article on how to change your WordPress admin name.

8. Use SSL

By using HTTPS you add an additional layer of protection. With plain HTTP, your password and any confidential information submitted in forms are sent as plain text and can be read by anyone on the network path, for example on shared Wi-Fi. Once you have a certificate installed, set FORCE_SSL_ADMIN to true in wp-config.php so that the login page and the dashboard are always served over HTTPS. SSL certificates are available from us here.

9. Change the Database Table Prefix

A default WordPress installation uses the table prefix wp_, so the table names are the same for millions of sites worldwide and canned attack tools simply assume them. Changing the prefix breaks those assumptions, but be realistic about what it buys you: an attacker with an SQL injection can read the real table names from information_schema, so treat this as a minor hardening step rather than a barrier. Some plugins are available to make the change easier:

All In One WP Security & Firewall

BulletProof Security

A word of caution! Always back up your site before making any major change like this, and check that you can still log in afterwards: the prefix is also stored inside the database (in the user_roles option and in user capability metadata), and if those are not updated along with the table names every user loses their role.
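
What the plugins actually have to do under the hood, as an added example that is not from the original article or from either plugin named above: the script generates the SQL to rename the tables and to fix the two places WordPress stores the prefix inside the data, and rewrites the $table_prefix line in wp-config.php. It assumes a single-site install on MySQL/MariaDB with default backslash escaping in LIKE patterns, and the new prefix k3x_ is just a made-up value.

```python
"""Added example, not from the original article or from either plugin it
names: produce the SQL statements and the wp-config.php edit needed to move a
single-site WordPress database from one table prefix to another. Run the SQL
in a client of your choice after taking the backup the article insists on;
this script deliberately does not connect to the database itself."""
import re

# Core single-site tables. Plugin tables are discovered with
# SHOW TABLES LIKE 'wp\_%' in practice and passed in via `tables`.
CORE_TABLES = ("commentmeta", "comments", "links", "options", "postmeta",
               "posts", "termmeta", "terms", "term_relationships",
               "term_taxonomy", "usermeta", "users")

PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")   # what wp-config.php allows
CONFIG_RE = re.compile(r"""(\$table_prefix\s*=\s*)(['"])([A-Za-z0-9_]*)\2""")


def like_escape(value):
    """Escape '%' and '_' (both wildcards) for use in a MySQL LIKE pattern."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def migration_sql(old, new, tables=CORE_TABLES):
    """SQL to rename the tables and then fix the prefix WordPress stores in data.

    Only the <prefix>user_roles option carries the prefix, so it is matched
    exactly; a LIKE on the options table would also catch unrelated options
    such as wp_page_for_privacy_policy. In usermeta every key that starts with
    the prefix (capabilities, user_level, user-settings, ...) must change."""
    if not (PREFIX_RE.match(old) and PREFIX_RE.match(new)):
        raise ValueError("prefixes may contain only letters, digits and underscores")
    if old == new:
        raise ValueError("old and new prefix are identical")
    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]
    stmts.append(
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';")
    # CONCAT/SUBSTRING strips exactly the leading prefix; REPLACE would also
    # hit a prefix-like substring anywhere else in the key.
    stmts.append(
        f"UPDATE `{new}usermeta` "
        f"SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {len(old) + 1})) "
        f"WHERE meta_key LIKE '{like_escape(old)}%';")
    return stmts


def update_wp_config(config_text, old, new):
    """Rewrite the $table_prefix assignment, refusing to touch a file whose
    current prefix is not the one the SQL was generated for."""
    def replace(m):
        if m.group(3) != old:
            raise ValueError(f"wp-config.php has prefix {m.group(3)!r}, expected {old!r}")
        return f"{m.group(1)}{m.group(2)}{new}{m.group(2)}"
    text, count = CONFIG_RE.subn(replace, config_text)
    if count != 1:
        raise ValueError("expected exactly one $table_prefix assignment")
    return text


if __name__ == "__main__":
    print("\n".join(migration_sql("wp_", "k3x_")))
    print(update_wp_config("$table_prefix = 'wp_';\n", "wp_", "k3x_"))
```

Run the statements in one session with the site in maintenance mode, then apply the config change and log in again. If you skip the two UPDATE statements WordPress still loads, but every account, including yours, has no role any more, which is the failure the caution above warns about.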

10. Protect wp-content with .htaccess

The wp-content/uploads directory holds everything uploaded through the media library, and nothing in it should ever need to run as PHP. If an attacker manages to get a .php file in there, for instance through a plugin with a weak upload check, they can request it directly and run code as your web server. Stop that by placing a .htaccess file in wp-content/uploads that refuses web requests for .php files. Apply it to the uploads directory rather than to the whole of wp-content: themes and plugins contain PHP files that are sometimes requested directly and would stop working. Note that .htaccess only takes effect on Apache with AllowOverride enabled; nginx ignores it and needs an equivalent location rule.

Here is a sample .htaccess file (Apache 2.2 syntax; on Apache 2.4 use "Require all denied" in place of the Order and Deny lines):

<FilesMatch "\.php$">
    Order Deny,Allow
    Deny from all
</FilesMatch>

To check that it works, place a harmless test.php in the directory and request it in a browser: you should get a 403 Forbidden rather than the script's output. Delete the test file afterwards.

11. Remove Unused Accounts

Remove any unused user accounts. Such accounts may have weak passwords that nobody is watching, and they are an easy target for attackers. Review the list of users periodically and give the accounts that remain the lowest role that still lets them do their job.

12. Use mod_security

ModSecurity (mod_security) is a web application firewall module for Apache that inspects every request against a rule set before it reaches WordPress; the OWASP Core Rule Set is the usual starting point. It is a fantastic tool in the fight against attackers, but it can be rather complex to set up, and a badly tuned rule set will block legitimate requests, so run it in detection-only mode first and review what it would have blocked. Once it is in place your WordPress site will be considerably better protected.

A comprehensive article on setting up mod_security is available here.