This week there’s been a lot of buzz around WordPress security and botnet site attacks. Truth is, these types of issues have been around a long time and simply changing the default admin account and your password isn’t enough to keep you secure.
WordPress, while easy to install and use, is NOT a set-it-and-forget-it platform. You must be vigilant and keep it up to date. While no solution is 100% foolproof, taking a few precautions will go a long way towards protecting your online business.
1. If you only do one thing, do this – invest in Sucuri.net. For less than $10 a month (billed yearly) you get a service that scans your site AND cleans it if malware or other security issues turn up. With your subscription, you also get a great WordPress plugin that provides 1-click options to “harden” a number of default security weaknesses.
2. Delete the default admin account – Whenever I set up a site, I always use a custom, unique username INSTEAD of “admin”. On an existing site, create a new administrator account with a unique name, log in as that user, then delete “admin” and attribute its posts to the new account when WordPress asks. The botnets in the news guess the username “admin” first, so simply not having it removes half of what they need.
3. Use a strong password – I like to use a password generator to create unique passwords for every site and account. Change your passwords on a regular basis. Using admin123 or some variant? CHANGE THIS IMMEDIATELY.
4. Don’t reuse your passwords for multiple accounts.
5. Don’t email your passwords – share them with a password manager such as LastPass.
6. Back up and update your site on a regular basis.
(I like to use a great plugin called BackupBuddy and I store backups locally and in a cloud service such as Dropbox; a backup that only lives on the web server goes down with the server.) You can also invest in a monthly service such as VaultPress.
7. Make sure the computer you’re working on is free from viruses! Sites have been compromised because the PC/Mac used to manage them was infected and the malware harvested the saved FTP credentials, then used them to upload its own files to the site.
8. Use a specialty WordPress host such as ZippyKid or WP Engine – I’m also a huge fan of MediaTemple.net. If in the budget, get a dedicated server (on cheap, poorly isolated shared hosting a compromise of a neighbouring site on the same server can spill over into yours).
9. Add your site to Google Webmaster Tools – you’ll get notified if Google spots malware on your site.
10. Not running a membership site? Turn off “Anyone can register” under Settings > General.
Plugins extend the core functionality of WordPress – however, not all plugins are created (or coded) equally. Before you install ANYTHING onto your site, take a few minutes to review and evaluate it.
1. Review the plugin first in the WordPress.org repository – plugins are reviewed before they are accepted into this directory (note that the review happens at submission; later updates are not re-reviewed, which is why the questions below still matter).
2. Evaluate why you need the plugin – are you installing plugins willy-nilly, or does each one serve a specific purpose?
3. Questions I ask BEFORE I install a new plugin:
• When was the last time the plugin was updated (Longer than 3 months? I’d be wary)
• Are there multiple outstanding issues in the support threads?
• Is the developer active on the support forums? (If not, take heed)
• How many people have downloaded the plugin? (100? or 100,000? – More downloads typically suggests a well-supported and working plugin)
4. Delete (don’t just deactivate) any plugins you aren’t using – a deactivated plugin’s files stay on the server and can still be requested directly, so a vulnerability in them is still exploitable.
5. Install the Sucuri plugin and perform 1-click hardening on your site
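The checklist above, as a script. This is an added example, not code from the original post or from WordPress.org. The field names (`last_updated`, `tested`, `downloaded`, `support_threads`, `support_threads_resolved`) are those returned by the WordPress.org plugin information API at `api.wordpress.org/plugins/info/1.2/` (`action=plugin_information`); the sample record is constructed and the thresholds are assumptions in the spirit of the post. The “is the developer active on the forums?” question has no API field and still needs a manual look.

```python
"""Vet a WordPress.org plugin against the checklist above.

Added example, not code from the original post or from WordPress.org. Field
names follow the plugin information API (api.wordpress.org/plugins/info/1.2/,
action=plugin_information); the record below is constructed, not fetched, and
the thresholds are assumptions in the spirit of the post.
"""
import json
import urllib.request
from datetime import date

API = ("https://api.wordpress.org/plugins/info/1.2/"
       "?action=plugin_information&request[slug]={slug}")

# Thresholds (assumptions): the post calls a plugin untouched for 3+ months suspect.
STALE_AFTER_DAYS = 90
LOW_DOWNLOADS = 10_000
MAX_UNRESOLVED_RATIO = 0.5

# Constructed sample in the shape of an API response; every value is invented.
SAMPLE_PLUGIN_JSON = """{
  "name": "Example Gallery",
  "slug": "example-gallery",
  "version": "1.4.2",
  "last_updated": "2012-11-03 9:12pm GMT",
  "tested": "3.4.2",
  "downloaded": 1843,
  "support_threads": 14,
  "support_threads_resolved": 2
}"""


def fetch_plugin(slug):
    """Live lookup (needs network); the offline demo below does not call it."""
    with urllib.request.urlopen(API.format(slug=slug), timeout=10) as resp:
        return json.load(resp)


def parse_last_updated(value):
    # The API returns strings like "2013-04-10 7:44pm GMT"; the date part is enough.
    return date.fromisoformat(value.split(" ")[0])


def major_minor(version):
    # "3.5.1" -> (3, 5): compare the WordPress release line, not the patch level.
    parts = [int(p) for p in version.split(".")[:2]]
    return tuple(parts + [0] * (2 - len(parts)))


def vet_plugin(record, today_iso, wp_version):
    """Return the warnings a plugin earns; an empty list means it passed every check."""
    warnings = []
    age = (date.fromisoformat(today_iso) - parse_last_updated(record["last_updated"])).days
    if age > STALE_AFTER_DAYS:
        warnings.append(f"last updated {age} days ago")
    if major_minor(record["tested"]) < major_minor(wp_version):
        warnings.append(f"only tested up to WordPress {record['tested']}")
    threads = record.get("support_threads", 0)
    unresolved = threads - record.get("support_threads_resolved", 0)
    if threads and unresolved / threads > MAX_UNRESOLVED_RATIO:
        warnings.append(f"{unresolved} of {threads} support threads unresolved")
    downloads = record.get("downloaded", 0)
    if downloads < LOW_DOWNLOADS:
        warnings.append(f"only {downloads} downloads")
    return warnings


def vet_sample(today_iso="2013-04-15", wp_version="3.5.1"):
    """Run the checklist over the constructed record as of the given date."""
    return vet_plugin(json.loads(SAMPLE_PLUGIN_JSON), today_iso, wp_version)


if __name__ == "__main__":
    for warning in vet_sample():
        print("WARN:", warning)
```

Point `vet_plugin` at the output of `fetch_plugin("some-slug")` to check a real plugin; anything that comes back with one or more warnings deserves the extra scrutiny the post describes before it goes anywhere near a production site.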
1. Use a solid framework such as Genesis that is regularly updated – while it can be tempting to use a “pretty” theme made by a one-off designer, in a year or two it is likely that there will be no support, and there’s no guarantee that free or low-cost themes are free from malware or suspect code.
2. Update your theme framework AND WordPress when prompted.
3. DELETE any themes you are not using (people often like to “test” different themes and then leave them in the themes folder, and some hosts have themes pre-installed). These “test” themes don’t get updated, and their files remain reachable on the server, leaving your site vulnerable to attack.
(This part is a bit more techy – if you’re not sure about these terms or how to do this, I recommend consulting a tech person to do it for you. The Sucuri plugin mentioned above addresses a few of these issues.)
1. Add random secret keys/salts to the wp-config.php file. Changing them also invalidates every existing login cookie, which is exactly what you want after a compromise.
2. Use strong, randomly generated database (DB) usernames and passwords – not “wordpress”, “wp” or “root”.
3. Use your .htaccess file to restrict /wp-admin and wp-login.php to known IP addresses (only practical if the IPs you work from are static).
4. Editing your site? Use SFTP instead of FTP – FTP sends your username and password in clear text.
5. Need to modify folder permissions? Don’t set file permissions to 777. The usual WordPress baseline is 755 for directories and 644 for files; if a folder such as uploads needs to be writable, fix the ownership so the web server user owns it rather than opening it to everyone.
6. Other plugins worth installing:
Bad Behavior – Denies automated spambots access
Akismet – Spam blocker
Login Lockdown or Limit Login Attempts – Limits the number of login attempts per IP, which blunts exactly the password-guessing botnets mentioned at the top
Exploit Scanner – Searches your files and database for traces of suspicious code (it reports, it does not clean)
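Items 1, 2 and 5 of the techy list, worked through in one script: fresh wp-config.php salts, random DB credentials, and a scan that finds and fixes world-writable (777) paths in a WordPress tree. This is an added example, not code from the original post or from WordPress. The eight constant names are the ones wp-config.php actually defines; 755/644 is the usual WordPress baseline, and 600 for wp-config.php is this example’s own choice. The sample tree it builds is constructed for the demonstration.

```python
"""Generate wp-config.php salts and DB credentials, then find and fix the 777
permissions the post warns against.

Added example, not code from the original post or from WordPress. The eight
constant names are the ones wp-config.php really defines; 755/644 is the usual
WordPress baseline and 600 for wp-config.php is this example's choice.
"""
import os
import secrets
import stat
import string
import tempfile

SALT_CONSTANTS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                  "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Printable ASCII minus the single quote and backslash, so a value can sit
# inside a PHP single-quoted string without escaping.
SALT_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.<>?/|~"
DIR_MODE, FILE_MODE, CONFIG_MODE = 0o755, 0o644, 0o600


def random_secret(length=64):
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def wp_config_salts():
    """The eight define() lines to paste into wp-config.php, each a fresh 64-char key."""
    return "\n".join(f"define('{name}', '{random_secret()}');" for name in SALT_CONSTANTS)


def db_credentials(prefix="wp"):
    """A random DB user (not 'wordpress' or 'root') and a 32-char password.
    Old MySQL caps user names at 16 characters, so the suffix is kept short."""
    user = f"{prefix}_{secrets.token_hex(6)}"   # e.g. wp_3f9a1c0be7d2 (15 chars)
    return user, random_secret(32)


def world_writable(root):
    """Paths under root that any user on the box may write to (777 is the usual culprit)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)


def fix_permissions(root, apply=False):
    """Plan (and with apply=True, perform) the chmods that bring a tree to 755 for
    directories, 644 for files and 600 for wp-config.php. Returns (path, old, new)
    for every entry that differs; symlinks are left alone."""
    changes = []
    for dirpath, dirnames, filenames in os.walk(root):
        wanted = [(d, DIR_MODE) for d in dirnames]
        wanted += [(f, CONFIG_MODE if f == "wp-config.php" else FILE_MODE) for f in filenames]
        for name, target in wanted:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            current = stat.S_IMODE(st.st_mode)
            if current != target:
                changes.append((path, oct(current), oct(target)))
                if apply:
                    os.chmod(path, target)
    return sorted(changes)


def make_sample_tree():
    """Constructed WordPress-like tree containing the mistakes the post warns about."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(os.path.dirname(uploads), 0o755)
    os.chmod(uploads, 0o777)                      # the classic "just make it work" fix
    for name, mode in (("index.php", 0o644), ("wp-config.php", 0o666)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php // placeholder\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    print(wp_config_salts())
    print("DB user/password:", *db_credentials())
    root = make_sample_tree()
    print("world-writable before:", world_writable(root))
    for path, old, new in fix_permissions(root, apply=True):
        print(f"chmod {new[2:]} {path}  (was {old[2:]})")
    print("world-writable after:", world_writable(root))
```

Run `fix_permissions(root)` without `apply=True` first and read the plan: on a real install you want to confirm that the uploads directory is owned by the web server user (so it stays writable through ownership, not through 777) before tightening it.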
Other General Security Precautions
1. Using Gmail? Turn on two-step verification for your account – your email resets every other password you own.
2. Don’t store passwords in your email account.
3. Don’t edit your site on an open wireless network (at least not without a VPN, and only over SFTP and HTTPS).
While this post doesn’t fully cover all aspects of what you can do to lock down your site, staying on top of the latest info will go a long way to protect your site investment.