This week there’s been a lot of buzz around WordPress security and botnet site attacks. Truth is, these types of issues have been around a long time and simply changing the default admin account and your password isn’t enough to keep you secure.
WordPress, while easy to install and use, is NOT set it and forget it. You must be vigilant and keep it up to date. While no solution is 100% foolproof, taking a few precautions will go a long way towards protecting your online business.
The Basics
1. If you only do one thing, do this – invest in Sucuri.net. For less than $10 a month, you can have a yearly subscription to this service that scans AND cleans your site if malware or other security issues arise. With your subscription, you also get a great WordPress plugin that provides 1 click options to “harden” a number of default security issues.
2. Delete the default admin account – Whenever I set up a site, I always use a custom unique username INSTEAD of “admin”.
3. Use a strong password – I like to use a password generator to create unique passwords for every site and account. Change your passwords on a regular basis. Using admin123 or some variant? CHANGE THIS IMMEDIATELY.
4. Don’t reuse your passwords for multiple accounts.
5. Don’t email your passwords – share passwords with a system like LastPass.
6. Back up and update your site on a regular basis (I like to use a great plugin called BackupBuddy and I store backups locally and in a cloud service such as Dropbox). You can also invest in a monthly service such as VaultPress.
7. Make sure the computer you’re working on is free from viruses! Sites have been known to be compromised because the PC/Mac used to edit them carried a virus that uploaded itself via FTP.
8. Use a specialty WordPress host such as ZippyKid or WP Engine – I’m also a huge fan of MediaTemple.net. If it’s in the budget, get a dedicated server (a number of issues can arise when using cheap shared hosting).
9. Add your site to Google Webmaster Tools – you’ll get notified if Google spots malware on your site.
10. Not running a membership site? Turn off “anyone can register” under general settings.
Plugins
Plugins extend the core functionality of WordPress – however, not all plugins are created (or coded) equally. Before you install ANYTHING onto your site, take a few minutes to review and evaluate it.
1. Review the plugin first in the WordPress repository – plugins MUST be tested before they are included in this directory.
2. Evaluate why you need the plugin – are you just installing plugins willy-nilly, or does each one serve a specific purpose?
3. Questions I ask BEFORE I install a new plugin:
• When was the last time the plugin was updated (Longer than 3 months? I’d be wary)
• Are there multiple outstanding issues in the support threads?
• Is the developer active on the support forums? (If not, take heed)
• How many people have downloaded the plugin? (100? or 100,000? – More downloads typically implies a well-supported and working plugin)
4. Delete (don’t just deactivate) any plugins you aren’t using (even deactivated plugins can cause issues)
5. Install the Sucuri plugin and perform 1-click hardening on your site
WordPress Themes
1. Use a solid framework such as Genesis that is regularly updated – while it can be tempting to use a “pretty” theme made by a one-off designer, in a year or two it is likely that there will be no support – and there’s no guarantee that free or low-cost themes are free from malware or suspect code.
2. Update your theme framework AND WordPress when prompted
3. DELETE any themes you are not using (often people like to “test” different themes and then leave them in the themes folder, or some hosts have themes pre-installed). Often these “test” themes don’t get updated, leaving your site vulnerable to attack.
Other Notes
(This part is a bit more techy – if you’re not sure about these terms or how to do this, I recommend consulting a tech person to do it for you – the Sucuri plugin mentioned above addresses a few of these issues)
1. Add random secret keys/salts to the wp-config.php file
2. Use dynamically generated strong DB (database) usernames and passwords
3. Lock down your .htaccess file to allow only certain IP addresses to make modifications
4. Editing your site? Use SFTP instead of FTP
5. Need to modify folder permissions? Don’t set file permissions to 777
6. Other recommended plugins to use
Bad Behavior – Denies automated spambots access
Akismet – Spam blocker
Login Lockdown or Limit Login attempts – Limits number of login attempts by IP
Exploit scanner – manually scans your site for possible exploits
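The following POSIX sh script is an added example, not code from the original post or from Sucuri: it checks three of the items above (placeholder keys/salts in wp-config.php, world-writable 777 permissions) and writes an .htaccess fragment that limits wp-login.php to a list of IP addresses. It assumes a standard layout with wp-config.php in the site root, the placeholder text that ships in wp-config-sample.php, and Apache 2.4 “Require ip” syntax; the demo tree it builds when run without arguments is constructed, not a real site.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress install
# for unset secret keys/salts and 777 permissions, reset permissions to
# the usual 755/644 defaults, and emit an IP-limited .htaccess fragment.
# Assumes wp-config.php sits in the install root and Apache 2.4.

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"
PLACEHOLDER='put your unique phrase here'   # as shipped in wp-config-sample.php

# Return 0 when all eight keys are defined and none is the placeholder,
# 1 when a key is missing or unchanged, 2 when the file does not exist.
check_salts() {
    cfg="$1"
    [ -f "$cfg" ] || return 2
    if grep -q "$PLACEHOLDER" "$cfg"; then
        return 1
    fi
    for key in $WP_KEYS; do
        grep -q "define( *'$key'" "$cfg" || return 1
    done
    return 0
}

# Print every world-writable path below $1 (777 or any o+w bit).
# Return 1 if any were found, 0 if the tree is clean.
find_world_writable() {
    found=$(find "$1" ! -type l -perm -0002 2>/dev/null)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# Reset to the WordPress defaults: directories 755, files 644.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} + &&
    find "$1" -type f -exec chmod 644 {} +
}

# Write an Apache 2.4 fragment that allows wp-login.php only from the
# given addresses or CIDR ranges. Usage: write_login_htaccess FILE IP [IP ...]
# Several "Require ip" lines at one level are OR-ed by Apache; a client
# matching none of them receives 403.
write_login_htaccess() {
    out="$1"; shift
    {
        echo '<Files "wp-login.php">'
        for ip in "$@"; do
            echo "    Require ip $ip"
        done
        echo '</Files>'
    } > "$out"
}

# Run the checks against one install root; return 1 if anything needs work.
audit_wordpress() {
    root="$1"; rc=0
    if check_salts "$root/wp-config.php"; then
        echo "OK   wp-config.php: all eight keys/salts set"
    else
        echo "WARN wp-config.php: key missing or still '$PLACEHOLDER'"; rc=1
    fi
    if find_world_writable "$root" >/dev/null; then
        echo "OK   no world-writable paths under $root"
    else
        echo "WARN world-writable paths under $root (fix_permissions resets them)"; rc=1
    fi
    return $rc
}

# Constructed demo tree (not a real site): one placeholder key and a 777
# uploads directory, audited before and after the fixes are applied.
demo_audit() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    chmod 777 "$d/wp-content/uploads"
    printf "define( 'AUTH_KEY', '%s' );\n" "$PLACEHOLDER" > "$d/wp-config.php"
    echo "--- before"; audit_wordpress "$d" || true
    # Real keys come from https://api.wordpress.org/secret-key/1.1/salt/ ;
    # the values below are constructed for the demo only.
    for key in $WP_KEYS; do
        printf "define( '%s', 'constructed-demo-value-%s' );\n" "$key" "$key"
    done > "$d/wp-config.php"
    fix_permissions "$d"
    write_login_htaccess "$d/.htaccess" 203.0.113.10 198.51.100.0/24
    echo "--- after"; audit_wordpress "$d"
    rm -rf "$d"
}

if [ $# -gt 0 ]; then audit_wordpress "$1"; else demo_audit; fi
```

Run it as `sh wp_audit.sh /path/to/site` to audit a real install, or with no arguments to see the constructed before/after demo. The .htaccess fragment goes in the site root next to the existing WordPress rules; the IP addresses in the demo are documentation ranges and should be replaced with your own.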
Other General Security Precautions
1. Using gmail? Add two-step authentication to your account
2. Don’t store passwords in your email account
3. Don’t edit your site on an open wireless network
While this post doesn’t fully cover all aspects of what you can do to lock down your site, staying on top of the latest info will go a long way to protect your site investment.
Michael says
This is another great article! So glad I discovered you. My WP site has been acting very wonky lately with posts not “sticking” to my blog page and updates to headers/banners not showing up on browsers until a day or two have passed. I’ve been concerned that in some way my account has been hacked.
I have a quick question for you. I’d like to follow your advice to delete the automatically generated “admin” account, but I’m afraid that if I do this I then won’t be left with a way to access my wordpress dashboard. Should I set up another account first and then delete the admin account? Will I lose the work that I’ve done to date under my admin account?
minima says
Hi Michael –
You’ve got it exactly – if you’re concerned that you might have malware on your site, you can use Sucuri’s free scanner here – http://sucuri.net/.
To make a new administrator account, login as usual, then add a new user with a strong username and password and assign that user the administrator role (It is critical that you assign the role correctly). Then log out and log back in using the new account and delete the original “admin” account. Make sure that you reassign the work to the new admin before you delete the original admin account (you get this option when you delete a user) and you won’t lose any work.
Michael says
Thank you! So very helpful! (And I downloaded the sucuri software this morning–thanks for the link!)
minima says
Best of luck!
Sondra says
Wow, Michelle, once again an outstanding post brimming with extremely useful information.
I recently moved to a dedicated, managed server with GoDaddy – I know, I know, but I’ve been with them since they were an upstart and I can’t seem to part with them. The managed server is very expensive, $159 a month, but well worth the sense of relief it feels to have 24/7 access to real geeks, not call center rookies reading off a script, and scheduled security updates, lickety-split speeds on a WordPress site that you just can’t get with shared hosting.
These security suggestions are really useful for any WordPress DIYer. Thanks for the great work, again!
minima says
Sondra – I think you made a wise investment! When it’s in the budget, I always recommend upgrading the server.