I’ve never had a bad experience with WordPress security, blog I built for Amazon affiliates. The blog has good number of visitors and generating decent amount of money. But suddenly, one day, the blog is hacked. Worse, I was out of town for a week and had no access to my website when it was successfully attacked by hackers. As a result, the blog is experiencing a significant drop in SERP and traffic loss. If you’ve experienced the same thing, you know how it feels—you get all cranky.
According to monthly data available up to January 2014, there are between 100 and 200 attempts to log into the ssiddique.info website without authorization every day. Average efforts made by hackers to get into this website employ the brute-force technique. At this time, the website may well be one of the targets of the hackers. Then, how to secure your WordPress blog?
Maintaining the security of a WordPress blog is viewed from two sides, namely, the security of the server, and achieving wordpress security at maximum level. Blog ssiddique.info currently uses a Virtual Private Server (VPS), so I have to optimize my own security server. In contrast to a WordPress blog on shared hosting, it is quite simple to optimize the script.
Oh yes, it was my special time to hire someone to optimize my VPS security, because to work this one, is very vital and should be done by a competent person. In this article, I specifically discuss security optimization of WP blog from WordPress script side.
WordPress Security: How to Secure your Blog from Hackers
1. Full Backup of WordPress Blog Files
Before doing anything else, the first step is to do a full backup of all your blog files. This is necessary, especially if there is an error in setting up the security of your blog. You can do a full backup of files through cPanel.
2. Use a Strong Password
This step is actually the most convenient, so easy that people often forget to do it. Create a strong password to log into WP admin and cPanel of your blog. Some people may not want to bother creating strong passwords for their blog, but you will feel very dizzy if your blog is hacked by someone because it did not have a strong password.
If you are wondering how to create strong passwords, please read my article “Tips to Make Passwords Stronger.” But please do not use a password that is in the article, as many people may have read it.
When you install WordPress on your hosting account, by default your administrator username will be “admin.” This is not a unique admin name because it is easily guessed by the hacker. If you are already using the username admin while installing WordPress, I suggest that you replace admin with a unique name. This can be done by adding a new admin user:
- b. Once you create a new admin user, please log out of your dashboard. Then log into the dashboard again with the new user.
- c. Click the “Users” – “All Users”, the old user please click EDIT, then change his role to “no role for this site”. Then click SAVE. (Credit to klikhost.com)
On your dashboard, click on the “Users” – “Add New”. Use a combination of uppercase letters, lowercase letters, and numbers in a username and password, each at least 8 characters.
4. Install WordPress Security Plugins
WordPress itself has many security features built in. But, of course, any website that uses WordPress script requires its own security settings. Well, for that we need to install the following plugins:
A. Better WP Security
This plugin helps protect your WordPress installation from attackers. Strengthening standard WordPress security by hiding vital areas of your site, and protecting critical files from unauthorized access through htaccess, it prevents brute-force login attempts, detects attack attempts, and much more.
Update: I have not used the Better WP Security (renamed to iTheme Security) plugin for the latest updates released by the developer because of my server problem.
B. Bulletproof Security
Bulletproof Security protects your website from XSS, RFI, CRLF, CSRF, Base64, and Code Injection, including SQL Injection, hacking attempts. This plugin protects wp-config.php, bb-config.php, php.ini, php5.ini, install.php, readme.html, and other files with .htaccess security protection.
C. Login LockDown
This plugin adds some extra security to WordPress by restricting the number of failed logins and blocking the ability to log in for a range of IPs if the number of failed logins exceeds the number you set.
D. WordPress Firewall
This plugin will block requests that seem suspicious to WordPress. Setting this plugin is very easy, in fact it left the defaults alone and plugin is working properly.
5. Change Permission to Files in cPanel
The next step is to change the permission to some files in the cPanel of your WordPress blog. These include
. Htacces> change permission into 0404 wp-config.php> change permission into 0400 index.php> change permission into 0400 wp-blog-header.php> change permission into 0400 wp-admin> change permission into 0705 wp-includes> change permission into 0705 wp-content> change permission into 0705 wp-content/bps-backup> change permission into 0755
6. Perform Regular Update on WordPress and Plugins
WordPress always does an update every time there is a bug in their script. This information update can take a look through our blog WordPress dashboard. So also with plugins. Most WordPress plugins now support automatic updates to optimize the plugins. You have to be careful on a plugin that was never updated.
Some people may not want to update their script WordPress and plugins for fear of something going wrong at the time of the update. But it will surely be more painful if your blog was hacked because the script did not update your WordPress blog. So come, choose.
7. Buy a Reliable and specialized WordPress Hosting
As I mentioned at the beginning, our WordPress blog security also depends on the server side. Because my blog uses a VPS, I also have to pay attention to the security server. I am currently using a VPS from Bluehost and the good thing is that the package I bought comes with security features.
In contrast, if you are using shared hosting, you just focus on the security of its side script WordPress. If you want to use shared hosting, you should choose a quality hosting with a good level of security.
The above are a few steps to improve the security of your WordPress blog. I am not saying that by doing so your WordPress blog will be 100% safe. But at least it will help ensure that your WordPress blog is much safer than before.
Follow Best Practices to Achieve high level of WordPress Security
Secure your Local Protection for better wordpress security
1. You must maintain a clean PC or laptop . With automatic updates turned on in case of Windows.
2. Always login with a user having no administrator privileges .
3. Use antivirus and firewall software and set it to automatically updated daily.
4. If you can virtualize a system do it, it works better. This reduces the risk of infecting and corrupting the files. Use VirtualBox.
5. Protects your browser. For Firefox, you can use the noscript extension . To store passwords, use a reliable password manager like KeePass or LastPass . For e-mails, try encrypting mails with a free application like Enigmail and PGP.
6. Scan your system for malware and viruses. List of free apps for these tasks ( MalwareBytes , CleanUp, Argente Utilities, Combofix , CCleaner, Avira Free, AVG Free, DefenseWall, ZoneAlarm).
7. Use a backup program to backup all your files, either through a NAS or synchronizing with a virtual hard drive in the cloud ( DropBox , SugarSync, JustCloud , myMA, Box.net, Amazon S3).
Maintain local PC Security
9 Host your domain with a secure and reliable hosting company, that take necessary security measures frequently and keep its system upgrade all the time. Some of the features we should look before buying hosting plan are frequent system upgrades, installation of security modules , antivirus and firewall – Mod_Security, APF, CSF, Suhosin , mod_evasive, Qmail, SpamAssassin, DrWeb, rkhunter, spamhaus blacklist update type, DDoS protection.
If it’s a VPS, or a dedicated cloud with unmanaged plan, you must take responsibility for this or outsource it to someone you trust. Once installed everything correctly, no need to check every day. But it is recommended that you should check all the components are working properly every month, it not at least quarterly.
10. Always connects to the panel of your hosting or file system via SSH and SFTP respectively. reviews the panel version and if it is outdated, ask the support for their reasons of not getting a update (they are sometimes incompatibilities with apache, php, cache systems .. but most of the time they just forget or by accident).
11. Avoid shared hosting or ecommerce projects for important websites and if you can not afford it, at least purchase a dedicated IP for your blog. Remember that if a neighbor of yours IP is banned by Google or it is going to effect your website.
12. Use monitoring tools to monitor your server state. Some famous services are Pingdom, UptimeRobot or Ping Monitor. They usually send you alert message if there is any problem with your server, or if they find any downtime on your server. You can check your error log for any downtime or any other server specific problem.
13. Download WordPress from the official site. So you can enlist databases, users and passwords manually (long, complicated, and prevents non-user ‘admin’) using wp-admin/install.php. Avoid installing any plugins that you come across. There are handful of WordPress plugins that could fulfill all requirements.
14. Edit. Htaccess, wp-config and wp-admin assigning them at least CHMOD 644. make sure to delete wp-install.
15. Shields and WP. Htaccess with security policies, and adds the 5G Blacklist 2012 of Perishable Press(you can do with some free plugins). You can also edit the robots.txt file to block some crawlers and bots, but is ineffective.
16. Remember that the standard permissions for wordpress are: folders (755) and files (644) . Some folder as wp-uploads or cache may require up to 775 or 777 on some servers (Talk to your administrators to solve this).
17. You can move the wp-config.php and wp-content folder where wordpress is hosted and prevent exploits.
Server Setup for WordPress for Best Security
18. always update to the latest version of WordPress and all plugins that require it. Make a copy of the database and the content before your perform upgrade, as there may be incompatibilities with plugins and themes. To monitor your sites, it is recommended to install WP Remote .
19. Don’t let plugin to modify the permissions. (Some will warn you such as W3 Total Cache). Tip: Install Wordfence, WP Security Scan, Ultimate Security Check, or WP Exploit Scanner File Monitor so that you can monitor it and fix vulnerabilities that may cause these actions. Some of them allow you to modify parameters such as: Hide wp version, change the prefix of the database, hide the debug mode, etc .
20. Shields the wp-admin folder , or if you can force authentication using SSL .
21. Install plugins security authentication. If your blog is multi author, remember to assign roles to each of them (there are several plugins that automate the process).
22. Better to use BulletProof Security, WP Firewall 2 to Ask Apache . Besides the login, create files htaccess. which is necessary to protect the best known attacks (antiflood, hotlinking, cross-script, sql injection …).
23. If you want to optimize the performance and security of WordPress (spam filtering, SQL injection bots, etc.) install Cloudflare .
Avoid WordPress security vulnerabilities – sql injection – Spam Comments
24. Install antispam plugins and reduce consumption by unnecessary cpu php query (Suggested: akismet + API Key, spam free, bad behavior or + http:BL Key Block Bad Queries ).
25. Install User Spam Remover when you detect a high activity of spam on my blog (if you have installed akismat or any of the one mentioned in point 24, you may not need it). WP-Spam Free is also an alternative to prevent undesirable comments .
26. If you have contact forms add captcha plugin to your contact form.Tip: Really Simple Captcha, NuCaptcha, SI Captcha are some of the good examples of captcha plugin.
27. formulas If you want to avoid backlinking , you can remove the “website” field in the comment form and disable trackbacks or pingbacks.
28. Use alternatives outsourcing comments services like IntenseDebate or Disqus Comments (you will greatly reduce the queries to the database and filter out spammers).
Database Protection and Backup Policy
29. Make backup of your blog at least 1 time a week but if you can do it daily , leaving the last 3 copies you have made recently. Always keep backup copies on your local system, in cloud such as dropbox and on your server. Never keep backup copy in same folder where you have installed your wordpress. Try to keep at least two different locations for your copies. It is better to do it automatically from your hosting panel with plugins.
You can also use wordpress plugin to send you the backup every day in your email. It is also faster way because you can restore your website using the backup copy, very easily. WP-DB Manager, WP-DB Backup, Backwpup or Xcloner are some best backup plugins for your wordpress.
Most of these allow save and restore database, locally and on other sites like Amazon S3 or Dropbox . They are also able to be activated by Cron to help you schedule your time to create a backup. In addition to the 2 mentioned, you can use free services Cloud Storage like SugarSync, SkyDrive, Box.net and myMA .
Content Protection and Copyright
30. Use services like Plagium, or DocCop Copyscape to discover stolen or plagiarized content and take appropriate steps to sort it out.
31. Contact the webmaster first and explain him everything. If you don’t get any response from him, use google webmaster tools to contact google about it.
System Audits to find WordPress security vulnerabilities
33 Use authoring software for scanning current bugs and vulnerabilities: GFI LanGuard or Nessus .
34. Performs hacking test for wordpress locally, using tools such as Nikto or Metaesploit .
35. If you are an advanced user and you have your own server , you can try the sql injection or new techniques to crack WordPress program using Havij ITSEC Team .
36. Consultation provided on official WordPress page to stay updated minimally once a month. While new versions will appear on the dashboard, the patches often take days to emerge as a public download, so that your wordpress is vulnerable during this time. Schedule a weekly alarm to check for available updates.