Worried about WordPress security?
You must be if you’re really serious about your business.
If Chris Brogan found the process of restoring a hacked website really painful, surely it will be a nightmare for you and me.
It’s always better to be safe than sorry.
To help you to keep your WordPress secure, I asked the following question from WordPress gurus.
Q: What is your best tip to secure a WordPress website or blog?
Don’t just read the answers, implement the tips right away.
#1 Jesse Petersen
Jesse is a Preferred Genesis WP developer, husband, foster dad, and all-around geek. Quality + Integrity.
Secure the database several ways:
- make it accessible by only one username
- use a 15-20 character password and use it only for that install
- change the table names to not be wp_
- move the database-related content of the wp-config.php file to an off-the-Web folder (above www or html folders) on your server like so:
- o <?php
- o include(‘/home/userdir/sample-config.php’);
- o define(‘WPLANG’, ”);
- o /** Absolute path to the WordPress directory. */
- o if ( !defined(‘ABSPATH’) )
- define(‘ABSPATH’, dirname(__FILE__) . ‘/’);
- o /** Sets up WordPress vars and included files. */
- o require_once(ABSPATH . ‘wp-settings.php’);
- the best tip, though, is to migrate to a managed WP host, such as WP Engine, who handles all of the security via firewalls and proper techniques.
#2 Mark Forrester
Mark is the proud co-founder of WooThemes working most days from their headquarters heading up the product design & development and working closely with fellow co-founder Adii Pienaar on business strategy, marketing, and day-to-day administration.
Constant vigilance. Be sure of what code is on your website – choose the plugins you use on your website carefully. Register with a service like VaultPress or WP File Monitor which keep track of changes to your WordPress core files.
#3 Coen Jacobs
Coen is a web developer currently working for WooThemes on the WooCommerce plugin. He has worked at various internet agencies and development gigs before and is now making eCommerce and WordPress love each other. Most of his time he can be found in The Netherlands, but likes to travel and visit fellow geeks all over the world and speaking at conferences. If you can’t find him, try the local Starbucks or read his blog.
Security and hosting go hand in hand. I see it every day at my work on the WooCommerce plugin. People are still using cheap web hosting when it comes to a website that they hope will make money some day. Please invest in a more stable web host that is there to support you when you need them most.
Also, a good thing to invest in is a backup strategy, or maybe something advanced as VaultPress.
To keep your website secure from the ground up, always check the plugins and theme that you are using. You will not be the first (and unfortunately not the last either) to use a plugin that has a massive security hole in it.
It is best to use plugins and themes from trusted authors, or at least have a good look at reviews and Google the name of the plugin and see if anything weird comes up. Another benefit of the big WordPress community is that we like to write about bad plugins and themes, so check that first.
#4 Jared Atchison
Jared is a WordPress consultant, Genesis developer, Texas A&M graduate, and proud Texan.
He has been using WordPress for over 5 years and specialize in the Genesis Framework. He works with clients of all sizes – from WordPress VIP customers to small businesses and individuals.
It’s hard to really nail down good security practices in a few sentences. I usually refer people (and clients) to http://www.slideshare.net/armeda/wordcamp-chicago-2011-wordpress-end-user-security-dre-armeda as Dre does a great job hitting all the essentials in that presentation.
However, to try to answer your question:
Securing your WordPress site isn’t a difficult task and there are a few key things that can be done that give great results. Do not use an ‘admin’ user account, don’t let any admin users use weak or simple passwords, keep all plugins/themes/WordPress up-to-date, and lastly don’t get plugin happy. All plugins are not created equal. Before you install a plugin check and see if it is from a reputable author, check the plugin rating and when it was last updated, and lastly look and see if the plugin has outstanding support requests. If all those things check out, then the plugin is typically well written and safe to use.
#5 Jason Manheim
Jason design and develop WordPress solutions for businesses on the web at Designpx, drink green at HGD, and am interested in almost anything pertaining to health, fitness, tech, and learning/improving in general.
In my experience you really only have two options: Let VaultPress and Sucuri handle your security and backups or go with a dedicated WordPress hosting company like WP Engine or Page.ly. I push my clients to go with the latter but if they insist on sticking with cheap hosting, the former is a must.
#6 Adrian Spiac
Adrian is the co-founder of Cozmoslabs.com, a platform powering WordPress Solutions for Developers. You can follow him on Twitter.
Always use strong passwords
It may seem pretty obvious, but people keep procrastinating on this one.
Having a strong password is probably the most powerful security tip, and maybe the easiest to implement. It diminishes significantly the chances of your website being hacked.
A good password rule when setting WordPress passwords is either use the password generator, or manually enter a password at least 10 characters long combining letters and numbers, lowercase and uppercase.
Also try not to use the same password for multiple sites you own. This way you just increase the chances of a disaster striking.
#7 Rachel Gogos
Rachel is the Chief Digital Strategist at www.brandiD.com Making the Web More Personal – that’s their mantra at brandiD.com. They offer Personal branding, digital marketing, WordPress design & dev.
Essentially, there is no one best tip–its more about keeping on top of maintenance and monitoring for the long term. You’d want to be following all the guidelines here:
http://codex.wordpress.org/Hardening_WordPress
The most common hacks I see come from: using plugins that are no longer supported/haven’t been updated; not updating the WordPress core in a timely manner; and using insecure/easy passwords. But everything in the codex link above is important.
Your Turn
Did you find the answers helpful to handle your WordPress security ? Please leave a comment below to let me know.