Security for Your WordPress Website
When it comes to website platforms, WordPress is arguably the best– now powering over 20% of the world’s websites. It has one major downfall- hacking. With some nimble measures, hackers can be kept off your website, but unprotected sites are like a sitting duck.
WordPress is open-source, so its functionality is extendable with software add-ons written and maintained by other parties. Poor choice of username/ password, themes and plugins that aren’t updated to the latest versions, and lack of other security measures in some WordPress installations give hackers an embossed invitation that says “please hack me”!
After learning the hard way a few times, I have come up with a system that has yet to be beaten. That’s not to say I won’t get hacked again- whereas security measures are an necessary precaution, they don’t guarantee success. Security is never 100%- but we can do our best to get close. The key concept is to think of your website as a potential target that can be either seen as large or very small to a hacker who is out looking for poorly protected websites.
Why do they do it? It is hard to conceive of a reason someone in the Ukraine (for example) would want to inject code into your holistic bath products website that renders porn advertisements, or lots of great information about hotels in Miami. They are very poor to start off with. Someone pays them to do this- mainly because the links they hide on your website give their site a quick SEO boost.
Here are some easy steps to follow to secure your site.
- Before you do ANYTHING, make a backup of your site files and your database. If you don’t know how to do this, it’s easy. Just highlight all the wordpress files in your cpanel file manger or FTP program, and compress them into a .zip file to be downloaded or stored in another file on your server. This is super important, because sites can “break” when updates are made to previously infected files (you may not know). With backups of the files and database, you can always restore the website if it breaks.
- Install the free Wordfence Plugin and then go to the Options panel under Wordfence in the WordPress dashboard left- sided navigation. Scroll down and adjust some settings. First, make sure your alerts are all selected and your email is correct to receive updates when a potential hack happens, so you can fix it before it does any damage. Under the Scans to Include heading, check the boxes for Scan theme files against repository versions for changes and Scan plugin files against repository versions for changes.
- Scroll down to Login Security Options and change the value of 20 in the Lock out after how many login failures and Lock out after how many password failures field to 5. Set Count failures over what time period to 1 hour. Set Amount of time a user is locked out to 1 day. Scroll to the bottom and click save changes.
- Click on the Scan subheading under Wordfence on your dashboard sidebar navigation. Click Start a Wordfence Scan. Kick back with a beverage.
- When the scan is complete, look at the list of new issues. If it’s all plugin and theme updates, or small changes in readme.txt files, not to worry, your site is probably clean. If you have suspected malicious files, select and delete them.
- Go to your plugins and update them all one by one.
- On your FTP program or file manager, delete all the themes that you aren’t using. Update your current theme to it’s latest version.
- Go to your users panel and update all the passwords. The latest version of WordPress comes with an insanely good password generator, no one will ever hack these babies. It’s great if you don’t have usernames like “admin” or the name of your business as well, if you want to change this after installation, you will need to delete and re- create the user.
- You may want to take the additional measure of setting the file permissions on your server to keep anyone from writing to them, altering the file with malicious code. Here are recommendations from the WordPress codex:
- The root WordPress directory: all files should be writable only by your user account, except
.htaccessif you want WordPress to automatically generate rewrite rules for you.
- The WordPress administration area: all files should be writable only by your user account.
- The bulk of WordPress application logic: all files should be writable only by your user account.
- User-supplied content: intended to be writable by your user account and the web server process.
/wp-content/you will find:
- Theme files. If you want to use the built-in theme editor, all files need to be writable by the web server process. If you do not want to use the built-in theme editor, all files can be writable only by your user account.
- Plugin files: all files should be writable only by your user account.
If you find you want more detailed technical information, or want to get into advanced aspects of website security such as managing error logs, the WordPress codex is a great resource.
Of course, Holistic Web Design is happy to provide help if needed- if so please contact us and we will lock down your precious intellectual property for you.