Exploited WordPress installations are one of the most common security issues that we see. This is not to say WordPress is an insecure application, or any more or less secure than another CMS (that would be a whole debate on its own); however, given the popularity of WordPress, it is undeniably a common target.
In this post, I’m going to go through some basic security steps that you can take to keep your WordPress secure.
How To Keep Your WordPress Hosting Secure
By no means is this an exhaustive list, and it is not meant to be a tutorial, but it is a good starting point and gives you scope to learn and explore more about the steps mentioned here.
1. Limit Access
You should only give access to those who absolutely need it. Disable user registration if you do not need it, and delete the default admin account, replacing it with a differently named administrator user. Avoid typical administrator usernames such as ‘admin’. Restrict access to the login page to a small set of IP addresses, and it’s a good idea to do this at the server level using .htaccess (InnoHosting customers can contact InnoHosting support for assistance with setting up the .htaccess). Make sure you use a long, complex password that you change regularly. One major benefit of the .htaccess restriction is that too many incorrect login attempts result in the server automatically blacklisting the IP address in the server firewall, preventing a brute-force attempt.
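As an added illustration (not from the original post), here is what such a server-level allow-list looks like for Apache 2.4; the IP addresses are placeholders and the host must permit these directives in .htaccess (AllowOverride).

```apache
# Added example, not part of the original post. Restricts the WordPress login
# page and dashboard to an allow-list of addresses (placeholders below: replace
# with your own office/VPN addresses). Apache 2.4 syntax (mod_authz_core).
# Everyone else receives a 403; brute-force IP blacklisting is a separate
# server firewall feature and is not provided by this file alone.

# --- Document root .htaccess: protect wp-login.php ---
<Files "wp-login.php">
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</Files>

# --- wp-admin/.htaccess: protect the whole dashboard directory ---
Require ip 203.0.113.10
Require ip 198.51.100.0/24

# admin-ajax.php is commonly called by public front-end features of themes
# and plugins; this later <Files> section overrides the directory rule for
# that one file. Remove it if your site has no such front-end dependency.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Test from an address outside the list before relying on it: wp-login.php and the dashboard should return 403, while the public site and admin-ajax.php remain reachable.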
2. Keep it up to date
Keeping WordPress up to date is an obvious precaution you should take, but the same goes for everything else you have installed in WordPress, including the plugins and themes that you use.
3. Keep it relevant
Only use the plugins you absolutely need. Plugins you installed just to test, and even themes that you no longer need, should be completely removed.
4. Use correct file permissions
Not every file needs write access, and be careful not to give a whole directory indiscriminate write access either. Ensure that only the files that need write access have it; that certainly doesn’t mean giving everything 777 permissions.
5. Consider using security plugins
Plugins such as Lockdown WP-Admin and Better WP Security (now known as iThemes Security) can greatly enhance your security. Don’t overdo it with security plugins; keep it relevant and install only what is necessary.
6. Stay up to date with the latest vulnerabilities
Visit http://www.cvedetails.com to keep on top of the latest security announcements and make sure you take regular preventative action.
7. Follow the security hardening steps to secure your WordPress at http://codex.wordpress.org/Hardening_WordPress
One more point which is often overlooked: keep your own workstation secure! This aspect is overlooked so commonly that it is becoming a growing problem. We recommend the following security tools to keep your workstation secure:
1. ESET Smart Security
We Like: small footprint, lightweight, and a great crowd-sourced process monitor
2. Hitman Pro
We Like: Often finds malware that other programs sometimes miss
We Like: Keeps your connections secure especially over public unencrypted WiFi connections
activGuard Web Security
InnoHosting activGuard already provides significant security enhancements to your WordPress. It runs on the web server level and analyses the behavior of your visitors. XSS & SQL Injection attempts are automatically thwarted, ‘just-in-time’ patching ensures your WordPress is patched on the fly without modifying any files. activGuard is non-intrusive and doesn’t affect the normal functioning of your WordPress. activGuard is only available to InnoHosting customers and is included for free with all our hosting plans.
Remember that security is not a one-off task but a continuous process that should never be neglected. While we do everything we can to ensure the tools we deploy keep your web applications secure, lack of user effort remains a credible attack vector and one of the weakest points in security. It may seem like a lot of work now, but if you make it a routine process and do it regularly, it will save you a huge amount of time compared with cleaning up after your WordPress has been exploited.