WordPress is a free, open-source tool for building dynamic websites. It was originally developed as blogging software, but it has since become one of the most widely used blogging platforms and content management systems on the Internet, which makes it a favourite target for attackers.

WordPress' popularity makes sites built on it a regular target of brute-force login attempts and of attacks on other vulnerabilities. Compromised WordPress installations are also commonly used to attack other sites, for example as part of DDoS botnets. These attacks are automated across all hosting platforms and look for sites that use default usernames, weak passwords and outdated WordPress installations.

Most site owners do not even realise that a successful attack has taken place until it is too late and they have already lost visitors and search engine rankings.

While WordPress ships with security measures out of the box, there are a few basic things you should be doing to keep your customers, team and data safe in those worst-case scenarios.

Here, I’ve compiled five steps to WordPress security that you should know about. Continue reading to learn what they are.

1. Choose a reliable hosting provider

The first and foremost step you take should be choosing a reputable, reliable host that makes site security one of their top priorities. Ideally, you should seek out managed WordPress hosting from a company that clearly states what they do to make your safety and security a priority. Look for features like:

    1. Up-to-date server software
    2. Attack monitoring and prevention (using industry leading tools and implementing viable security policies)
    3. Continuous review and patching of security threats such as bugs in older WordPress versions, exploitable plugins, etc.
    4. Ability to isolate infections so that a compromised WordPress installation or malware cannot spread to other sites on the same server

2. Check and adjust the permissions on your WordPress directories

A stolen password or a plugin exploit can give an attacker a way to write files into your WordPress directories, for example a PHP backdoor dropped into wp-content/uploads. Limiting write access on these directories keeps them out, or at least reduces the damage they can do. The account PHP runs as (the web server user) does not need write access to the core directories; only the account you upload with (your FTP or, better, SFTP user, since plain FTP sends credentials in clear text) should be able to write to the following folders:

The root directory (except .htaccess, which has to stay writable by the web server if a plugin manages your redirects or WordPress writes your permalink rules)
wp-admin
wp-includes
wp-content

For example, avoid configuring directories with 777 permissions (readable, writable and executable by everyone). Use 755 or 750 instead, as WordPress.org recommends. While you're at it, set files to 644 or 640 and wp-config.php to 600. With 600, only the owning user can read wp-config.php, so PHP must run as that user (as it does on most managed hosts and on per-user PHP-FPM setups); if the web server runs as a different account, use 640 with that account's group instead, and reload the site afterwards to confirm it still works. Keep in mind that this trades convenience for safety: media uploads need the web server to write to wp-content/uploads, and automatic core updates need it to write to the WordPress files themselves, so tighten only what your workflow allows.
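As an added example (not from the original post, and not WordPress's own tooling), here is a small Python script that audits a WordPress tree for the classic mistakes and applies the modes above. It assumes the files are owned by the account you run it as (your upload account) and therefore only changes modes, never ownership. The demo tree it builds when run without a path is constructed sample data, not a real site.

```python
import os
import stat
import tempfile

# Added example, not code from the original post or from WordPress itself.
# Target modes follow the text: 755 for directories, 644 for files, 600 for
# wp-config.php. Symlinks are skipped so a planted link cannot redirect the
# chmod to something outside the tree.
DIR_MODE = 0o755
FILE_MODE = 0o644
CONFIG_MODE = 0o600


def mode_of(path):
    """Permission bits of path as an octal string, e.g. '644'."""
    return oct(stat.S_IMODE(os.lstat(path).st_mode))[2:]


def audit_tree(root):
    """Return (path, problem, mode) for every entry that is writable by
    everyone (the 777/666 mistake) and for a wp-config.php anyone can read."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        paths = [dirpath] if dirpath == root else []
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
        for path in paths:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                findings.append((path, "world-writable", oct(mode)[2:]))
            if path == os.path.join(root, "wp-config.php") and mode & stat.S_IROTH:
                findings.append((path, "wp-config.php readable by everyone", oct(mode)[2:]))
    return findings


def harden_tree(root):
    """Apply DIR_MODE/FILE_MODE/CONFIG_MODE below root and return how many
    entries were changed. Ownership is left alone on purpose."""
    changed = 0
    for dirpath, dirnames, filenames in os.walk(root):
        wanted = [(dirpath, DIR_MODE)]
        for name in filenames:
            is_config = dirpath == root and name == "wp-config.php"
            wanted.append((os.path.join(dirpath, name), CONFIG_MODE if is_config else FILE_MODE))
        for path, mode in wanted:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if stat.S_IMODE(st.st_mode) != mode:
                os.chmod(path, mode)
                changed += 1
    return changed


def build_demo_tree():
    """Constructed sample: a throwaway tree with the usual mistakes in it."""
    root = tempfile.mkdtemp(prefix="wpdemo-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    for rel in ("index.php", "wp-config.php", os.path.join("wp-content", "uploads", "photo.jpg")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php // placeholder\n")
    os.chmod(uploads, 0o777)                                  # "just make uploads writable"
    os.chmod(os.path.join(uploads, "photo.jpg"), 0o666)       # file created by a sloppy FTP client
    os.chmod(os.path.join(root, "wp-config.php"), 0o644)      # database password readable by all
    os.chmod(os.path.join(root, "index.php"), 0o644)
    return root


if __name__ == "__main__":
    import sys
    args = sys.argv[1:]
    fix = "--fix" in args
    paths = [a for a in args if a != "--fix"]
    target = paths[0] if paths else build_demo_tree()
    for path, problem, mode in audit_tree(target):
        print(f"{mode}  {problem}: {path}")
    if fix or not paths:
        print(f"changed {harden_tree(target)} entries; remaining problems: {len(audit_tree(target))}")
```

Run it as `python harden.py /var/www/html` to get a report, and add `--fix` to apply the modes; without arguments it builds the demo tree and fixes that.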

3. Block Search Engine Spiders from Indexing the Admin Section
Search engine spiders crawl the entire blog and index every page unless you tell them otherwise. You should exclude the admin section from crawlers: there is nothing in it worth indexing, and its URLs are better kept out of search results. The easiest way to keep crawlers out of the admin directory is to create a robots.txt file in your site's root directory with rules like the following:

#
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*

A few caveats. robots.txt is advisory: well-behaved crawlers honour it, but it does nothing to stop an attacker, and because the file is public it also advertises the paths you list (the WordPress paths are well known anyway). The * and $ wildcards are extensions supported by Google and Bing rather than part of the original standard, so other crawlers may ignore those lines. Disallowing wp-includes and wp-content/themes blocks the CSS and JavaScript that Google fetches to render your pages, which Google explicitly asks you not to do; if search ranking matters to you, leave those two lines out. Finally, keep wp-admin/admin-ajax.php allowed, as WordPress's own built-in robots.txt does, because plugins and themes call it from public pages.
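As an added example (not from the original post and not WordPress code), here is a small robots.txt matcher in Python that applies the rules Google and Bing use: the longest matching pattern wins, Allow wins a tie, "*" is a wildcard and "$" anchors the end of the path. It lets you check what a rule set does to the URLs you care about before you publish it. The embedded rule set is the one from the post, with the Allow line for admin-ajax.php that WordPress's own built-in robots.txt carries; it is a constructed sample, not fetched from a live site, and user-agent selection is simplified to an exact token match.

```python
import re

# Added example, not code from the original post or from WordPress.
# Constructed sample rule set (the post's rules plus the admin-ajax.php Allow).
ROBOTS_TXT = """\
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*
"""


def parse_rules(text, agent="*"):
    """Return the [(allow, pattern)] list of the group naming `agent`, falling
    back to the "*" group. Other lines (Sitemap, Crawl-delay, comments) are
    ignored. A User-agent line that follows rule lines starts a new group."""
    groups, agents, rules, in_rules = [], [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if in_rules:
                groups.append((agents, rules))
                agents, rules, in_rules = [], [], False
            agents.append(value.lower())
        elif key in ("allow", "disallow") and agents:
            rules.append((key == "allow", value))
            in_rules = True
    if agents:
        groups.append((agents, rules))
    agent = agent.lower()
    for names, group_rules in groups:
        if agent in names:
            return group_rules
    for names, group_rules in groups:
        if "*" in names:
            return group_rules
    return []


def _pattern_to_regex(pattern):
    """Translate a robots.txt path pattern: "*" matches anything, a trailing
    "$" anchors the end, everything else is a literal prefix."""
    anchored = pattern.endswith("$")
    if anchored:
        pattern = pattern[:-1]
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + ("$" if anchored else ""))


def can_fetch(rules, path):
    """Decide whether a URL path (starting with "/") may be crawled: the
    longest matching pattern decides, and Allow wins when lengths tie."""
    best = None                                   # (pattern length, allow)
    for allow, pattern in rules:
        if not pattern:                           # "Disallow:" with no value means allow all
            continue
        if _pattern_to_regex(pattern).match(path):
            candidate = (len(pattern), allow)
            if best is None or candidate[0] > best[0] or (candidate[0] == best[0] and allow):
                best = candidate
    return True if best is None else best[1]


if __name__ == "__main__":
    rules = parse_rules(ROBOTS_TXT)
    for url in ("/", "/wp-admin/", "/wp-admin/admin-ajax.php",
                "/wp-content/themes/twentytwenty/style.css", "/2019/05/hello-world/feed/"):
        print("allow " if can_fetch(rules, url) else "block ", url)
```

The theme stylesheet case is the one to watch: the post's rule set blocks it, which is exactly the CSS-blocking problem described above.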

4. Restrict access to the admin area by IP address

An even stronger measure is to block everyone except yourself from reaching the admin area. You can do this with a WordPress plugin such as Wordfence Security, which can restrict access to the WordPress admin to your own IP address. Alternatively, power users can do it in the web server's configuration: for nginx, in the site's server block (on Debian and Ubuntu usually a file under /etc/nginx/sites-available/); for Apache, in the .htaccess file inside the wp-admin folder of the installation. Two details matter here. The login form itself is wp-login.php in the site root, not inside wp-admin, so restrict that file as well, and keep wp-admin/admin-ajax.php reachable, since plugins and themes call it from the public front end. This approach also only works well if you have a fixed IP address (or a VPN that gives you one), and if the site sits behind a CDN or reverse proxy the web server sees the proxy's address rather than yours unless you configure it to read the real client address from the proxy's headers.
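As an added example (not from the original post), here is the nginx version of that restriction. It goes inside the site's server block ahead of the generic PHP location; 203.0.113.10 is a placeholder from the documentation address range and the fastcgi lines assume the Debian/Ubuntu PHP-FPM layout, so replace both with your own address and your existing PHP settings.

```nginx
# Added example, not from the original post. Place inside server { } for the
# site, before the generic "location ~ \.php$" block. 203.0.113.10 is a
# placeholder: use your own static address (add your IPv6 address too if you
# have one). The fastcgi settings assume the Debian PHP-FPM layout; copy
# whatever your existing PHP location uses instead.

# The login form lives at /wp-login.php in the site root, not under /wp-admin/,
# so restricting only the directory would leave password guessing wide open.
location = /wp-login.php {
    allow 203.0.113.10;
    deny  all;
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}

# Themes and plugins call admin-ajax.php from public pages, so it must stay
# reachable for everyone. An exact match takes priority over the prefix below.
location = /wp-admin/admin-ajax.php {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}

# Everything else under /wp-admin/ is for your address only. The nested PHP
# location inherits the allow/deny rules, so PHP files are covered as well.
location ^~ /wp-admin/ {
    allow 203.0.113.10;
    deny  all;
    index index.php;
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Check the configuration with `nginx -t`, reload, and confirm from another address (a phone off Wi-Fi works) that /wp-login.php and /wp-admin/ return 403 while the public pages still load. If the site sits behind a CDN or reverse proxy, nginx's real IP module (`set_real_ip_from` and `real_ip_header`) is what makes `allow` and `deny` see the visitor's address instead of the proxy's. The Apache 2.4 equivalent is `Require ip 203.0.113.10` inside a `<Files wp-login.php>` block in the root .htaccess and in wp-admin/.htaccess, with a `<Files admin-ajax.php>` block containing `Require all granted` as the exception.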

5. Limit Login Attempts With a Plugin

The Limit Login Attempts plugin reduces the chance of a successful brute-force attack by blocking access to the login page after a series of incorrect login attempts from the same address. You can decide how many attempts to allow before the plugin locks the client out and how long the lockout lasts. Per-address lockouts are a speed bump rather than a wall: a distributed attack spreads its guesses across many addresses, and users behind the same NAT or proxy share one address and therefore one lockout. Combine the plugin with strong, unique passwords and, where you can, two-factor authentication.
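To show what such a lockout actually does, here is an added Python model of it; it is not the plugin's own code, the numbers are illustrative, and the event list is constructed sample data rather than real log entries. Time is passed in explicitly so the policy can be exercised without waiting for a real lockout to expire.

```python
import collections

# Added example, not the Limit Login Attempts plugin's code: a minimal
# per-client lockout with the same shape. After max_failures failed logins
# inside window_seconds the client is refused for lockout_seconds, and the
# password is not even checked while the lock is in force. Timestamps are
# plain seconds supplied by the caller.


class LoginThrottle:
    def __init__(self, max_failures=4, window_seconds=1200, lockout_seconds=1200):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = collections.defaultdict(collections.deque)  # client -> failure times
        self._locked_until = {}                                        # client -> unlock time

    def is_locked(self, client, now):
        until = self._locked_until.get(client)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[client]          # the lock has expired
        return False

    def _prune(self, client, now):
        q = self._failures[client]
        while q and now - q[0] > self.window:   # failures older than the window no longer count
            q.popleft()

    def attempts_left(self, client, now):
        self._prune(client, now)
        return max(0, self.max_failures - len(self._failures[client]))

    def attempt(self, client, verify, now):
        """Process one login attempt. `verify` is the real password check and
        is only called when the client is not locked out. Returns 'locked',
        'ok' or 'failed'."""
        if self.is_locked(client, now):
            return "locked"
        if verify():
            self._failures.pop(client, None)    # a good login resets the counter
            return "ok"
        self._prune(client, now)
        q = self._failures[client]
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[client] = now + self.lockout
            q.clear()
            return "locked"
        return "failed"


class CountingVerifier:
    """Stand-in for the real password check that records how often it ran."""

    def __init__(self, result):
        self.result, self.calls = result, 0

    def __call__(self):
        self.calls += 1
        return self.result


# Constructed sample: an attacker guessing from 198.51.100.7 while a legitimate
# user logs in from 203.0.113.5. Tuples are (seconds, client, password correct).
DEMO_EVENTS = [
    (0,    "198.51.100.7", False),
    (10,   "198.51.100.7", False),
    (20,   "198.51.100.7", False),
    (30,   "198.51.100.7", False),   # fourth failure trips the lock
    (40,   "198.51.100.7", True),    # even the right password is refused now
    (45,   "203.0.113.5",  True),    # other clients are unaffected
    (1230, "198.51.100.7", True),    # lock expired, login works again
]


def replay(events, throttle=None):
    """Feed the events through a throttle and return the outcome of each."""
    throttle = throttle or LoginThrottle()
    return [throttle.attempt(client, CountingVerifier(ok), now) for now, client, ok in events]


if __name__ == "__main__":
    for (now, client, ok), outcome in zip(DEMO_EVENTS, replay(DEMO_EVENTS)):
        print(f"t={now:5d} {client:14s} correct={ok!s:5s} -> {outcome}")
```

The lock-before-verify order is the part worth copying: while a client is locked out, the password is not checked at all, so the lockout also removes the timing and error-message differences an attacker could otherwise use to keep guessing.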

Final Words
Prevention is better than cure.
How secure is your WordPress blog? If you have a tip or a piece of code you would like to contribute, use the comment box. Or start a chat with our support team to find out how we can optimise your WordPress speed and security today!