Making Your WordPress Site More Secure

Home >> Blogging >> WordPress Security Tips

securing wordpressI love, love, love WordPress and think it's a great website creation option, but I hate how vulnerable it is to being hacked.

Without getting too technical, WordPress is written in PHP which makes it easier for hackers to find exploits.

So if they somehow figure out your login credentials or gain access to a certain file on your server, they can do some major damage.

How Hackers & Spambots Kept Killing My Websites

What a lot of you may not realize is hackers don't just ruin your site by cracking your credentials and deleting or replacing your content with their own.

They can also cause your site to become unresponsive (inaccessible to visitors) because the repeated hack attempts can overwhelm the server.

So if your site is sluggish or even down, it could be due to a repeated hack attempt from a script that is sucking your site's bandwidth.

That is the problem I have been plagued with. The issue got so bad, my dedicated server was going down almost daily.

But I finally got a handle on this and will talk more about what I did to remedy the issue in a bit.

"My Site's Not Popular Enough To Be Hacked."

You may not be concerned about getting hacked because you think your site is pretty unknown relative to others.

Think again.

Hackers don't discriminate. In fact, most people who told me their sites were hacked, didn't have popular sites at all.

Granted, popularity puts you at a greater risk, but hackers also look at exploits in popular scripts (plugins, etc.) Then they look for sites that use that script and target them.

So whether your site is popular or not, you are always at risk if you use WordPress or any PHP script.

WordPress Security Infographic

If you're a visual person, check out this simple infographic I created below that provides some quick tips for protecting your site.

Yes, I'm really getting into the world of infographic creation, so I thought I'd hone my skills by adding more images to my content.

Below the graphic, I will discuss some of these tips in more details...

WordPress Security The Next Web website Symantec.com

I Bet You Have Most Tips Covered

Don't let this info overwhelm you. You may not have to perform all these tasks, and you probably have some of them taken care of anyway.

For example, the "admin" username is no longer the default when you install WordPress so you probably don't even use that.

If you do, create a brand new username under Users >> Add New from your WordPress dashboard.

Assign the new user the Administrator role.

Once you do this you can delete your "admin" username and re-assign all your posts to the new username.

The reason you don't want to use "admin" is hackers know a lot of older blogs use this username for their login (when it was the default), so they run scripts that attempt to guess the password for that account.

If you happen to use that username and they crack your password, you're in trouble. Now the hacker will have administrative access to your site and can do God-knows-what.

The Limit Login Attempts plugin will actually show you how many times bots or users have tried to login and what username they've tried. You can even configure it to block an IP after a certain amount of attempts.

I discuss this plugin and how to set it up in the video below...

Plugins can help, but you should really try to address hackers at the hosting level and utilize some of the tips below like CloudFlare, firewalls, etc. Also, blocking IPs may help some, but most hackers user proxies so they have access to tons of IP addresses. Once you block one IP, they simply use another.

Backing Up Your Site

There are many plugins available to ensure your site is always backed up, but probably the one I hear the most good things about is Backup Buddy.

There are also tons of free ones too. A quick Google search will reveal several of them.

WP Better Security is another popular plugin that will improve the overall security of your site and back up your database regularly.backup website

You can also back up your site manually if you'd rather not use plugins.

Just remember there are two parts to a WordPress site...

1) The theme folder/files (controls your design and layout)

2) The database (posts, pages and comments)

You can back up your theme files by FTP-ing up to your website and downloading the entire theme folder. (You can also do this from your hosting account's file manager).

Your theme folder is located at...

/wp-content/themes/your-theme-name

Download your database from your WordPress dashboard by going to Tools >> Export. This will download all your posts, pages and comments to your computer.

If you want to do a FULL database backup (the best kind of backup), login to your hosting account and go to myphpadmin (under Databases) and "Export" your blog's database.

CloudFlare

Remember when I mentioned I finally resolved my "unresponsive" problem from bots attacking my server? Well, CloudFlare was the solution.

I was a bit skeptical about installing Cloudflare because you have to change your domain's nameservers.

Honestly, that part scared me. I felt like I was giving up control of my own website by pointing my domain to a service that was not hosting my site.

But to put it in simple terms, the reason you have to do that is CloudFlare acts as a bodyguard.bodyguard

So imagine a "bad" visitor trying to access your site. If CloudFlare sees they fit the profile of a malicious visitor, they will block them before they can even get to your server.

So if they pass the test and are considered a "safe" visitor, the CloudFlare "bouncer" gives them the OK and they pass onto your server/site.

If they don't, they will not even be able to access your website.

This process is seemless and not detected by a normal web surfer.

Without CloudFlare, the visitor may not be able to crack into your site but they can keep trying. With CloudFlare, they are blocked before they can even reach your server -- saving you tons of bandwidth.

Their service is free, but they also have paid options. But to be honest, the free service will be fine for 98% of sites.

You can also see how much "bad" traffic CloudFlare is blocking at any given time. Check out this graph for napturallycurly.com's reports.

cloudflare

Almost a quarter of the traffic logged was from "bad" visitors (illustrated by the color red). Green represents "good" traffic and purple is from search engine bots/crawlers.

The "bad" traffic is typically from bots trying to register or login to my WordPress admin panel and forum.

So, in addition to attempted hacks to my 2 Create a Website blog, bots were also killing my server trying to register and/or hack into my forum on this site as well.

Now you can see why I was having so much server instability. Bots were accessing my site with thousands of connections at once and overwhelmed my server.

Now, many of these visitors aren't even making it to my server. It's been almost 3 weeks since I setup CloudFlare, and so far my server performance has been greatly improved!

So unlike plugins that try to remedy the issue once a hacker is already on the premises, CloudFlare keeps them from even getting to the front door.

TIP: When you sign up, you are given the choice of Low, Medium or High levels of security protection. Start with Low and work your way up if needed. And remember, you can ALWAYS turn the service off at any time.

OSE Firewall

A lot of WordPress users use the OSE Firewall to block bad visitors, but you don't necessarily need this plugin.

Talk to your host and sometimes they can install a firewall for you at the hosting level. Plus, if you go with CloudFlare, you may not need it.

Don't try to install too many things at once. Start with one item at a time and monitor the results.

Keep Plugins and WordPress Up to Date

This is EXTREMELY important. When you see the notifications of an update for a theme or plugin when you login to WordPress, upgrade them as soon as you can.

Sometimes theme and plugin developers discover security exploits so you want to patch them up with an upgrade.

This is another reason I don't like installing too many plugins. They are often exploited by hackers and not all developers keep their code updated.

I have become a plugin minimalist. I think using too many can pose more of a security threat and some of them can slow down your site's loading time.

Password Protecting The wp-admin Folder

password protectWhy would you want to do this?

Because it will add another layer of security to a location that hackers love to crack into.

There are plugins that will add additional security to the wp-admin folder, but as I mentioned above, you should try to use as few plugins as possible.

Plus, plugins often conflict with one another and cause parts of your site to break and other instability issues.

If you are going to password protect the wp-admin folder, it's best to do it manually.

Here is an excellent tutorial provided by InMotionHosting.com.

If setup successfully, you will now have to enter two passwords to get into your login area of WordPress.

The Bottom Line

I know this is a ton of information to absorb, but it's worth taking the time to ensure you've protected your site.

Granted, nothing is 100% fool-proof, but if you take many of the steps above, you will greatly enhance the security of your WordPress site.

In my opinion, the most important action items are...

1) Consider CloudFlare since they block bad traffic before even reaching your server.

2) Always keep WordPress and plugins up to date and try to minimize your use of plugins.

3) Use passwords that contain lowercase, caps, numbers and symbols.

4) Talk to your host about installing a Firewall before using a plugin. Many of the major hosting companies may already have something in place.

Check out more WordPress tips here.

If you liked this, please share. Thanks!