Making your Wordpress Site more secure

20th August 2013

Following on from a previous Blog where we looked at how Web Sites are compromised using FTP an increasingly common trick, we're going to look at Wordpress web sites and how you can reduce the chance of your site being compromised.

For those who don't know, Wordpress is a very common Web Site CMS and Blog tool - although it was primarily developed for blogging, it is increasingly used to build whole web sites, especially if they'll want a blog feature in any case. We provide Wordpress on our Linux Essentials and Linux Xi Web Hosting Plans and the number of customers using this package continues to skyrocket each month.

Unfortunately so too do the number of customers who get compromised when using Wordpress - so what can be done about it? We already provide and deploy a number of systems and tools to prevent many of the more common exploits, but we can't do everything - much of the issue with tools like Wordpress is within the control of you as Web Site Developers - so here are our top recommendations:

1. Update your Wordpress ALWAYS

There are regular updates released for the core Wordpress software - these almost always are addressing potential security concerns, so it's vital to keep yourself up to date. You can do this either using the Control Panel for your Linux Web Hosting account, or within Wordpress (where you'll be prompted on the Dashboard if an update is available). This bit many people do, but the next step many forget:

2. Update the Plugin's, Themes and Extras

These are often overlooked but they're possibly even more important as there are literally hundreds if not thousands of themes, plugin's and updates you can add - each of these has the potential to be vulnerable to attack. So update them - you'll find the dashboard menu in Wordpress shows that there are updates available, so go ahead and apply them. You can check your themes are good by using plugin's such as Theme-Check:
http://wordpress.org/plugins/theme-check/

3. Don't use a ridiculously easy password

If the password for your site is "password" or some variation, your name, the site name, or anything vaguely obvious, change it, NOW. And use long passwords, complex passwords are always better - use symbols like # and *, use UPPER and lower case letters, and numbers. It's better to write it down somewhere at home or work than to use something so obvious anyone on the internet can guess it. This is something we make a fuss about every day and customers still think isn't important, but this isn't a Wordpress thing - you should ALWAYS use good passwords - the longer and more complex the better. If your password is dictionary word based, it'll be exploited in no time. Make sure if you have multiple users they ALSO have STRONG passwords.

4. Consider using the "All In One WP Security & Firewall" plugin

Among it's many many features, this plugin scans your Wordpress site against the published, public version and alerts you if something seems amiss. It can also scan your site for obvious vulnerabilities, so we strongly recommend you install and use it. Find out more here:
http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

5. Make the default "admin" account something else - rename it

This is technically classed as "security through obscurity" - but in fact it is a simple way to help reduce the "low hanging fruit" approach to wordpress - by renaming this account there's a little extra work to be done before compromising the password, so it can help. If your site is a bit more tricky than the next site, attackers often move on (and automated tools don't work so well). Don't think that by doing this though you've magically solved the problem - far from it.

6. Check that FTP Security

Customers still use FTP routinely and it's still the most common way of uploading. However it sends passwords in plain text and is quite vulnerable. There are also numerous ways to get your FTP details (see our Analysis of an FTP Attack Blog) - so please make sure that if you are using FTP you use a Secure Password, and change it regularly.

7. Get your Site Scanned Regularly for Vulnerabilities

Companies like Securi offer excellent tools for scanning for common attacks - Securi has a free basic scanner that can help you identify if you're compromised, but also offer Paid services that will help you regularly and automatically scan your site to check it's clean. Check out Securi's scanner here:
http://sitecheck.sucuri.net/scanner/

8. Prevent "Spam Comments"

Use tools and plugin's like Akismet helps ensure that people can't publish spammy comments to your site that contain various links to other sites - the type that send you to online "pharmacies" and the like - it saves you time in moderating comments too. Check out the plugin here:
http://akismet.com/

9. Install the Limit Logins Plugin

Another plugin that will help you reduce the ease with which your site can be attacked is the Limit Login Attempts Plugin - you can use it to stop the default behaviour of Wordpress that allows unlimited attempts at logging in - blocking those who login too often with wrong details and preventing further attacks to compromise the passwords. Have a look here:
https://wordpress.org/extend/plugins/limit-login-attempts/

10. First install of Wordpress? Use a different database prefix

if you're deploying a fresh install of Wordpress, consider using a different prefix for the database than the default "wp_" - it's again a bit of security through obscurity but it can help reduce the ease with which your account can be compromised.

Other things you REALLY should be doing:

1. Backup your Wordpress site - REGULARLY - there are tools BUILT IN for this or you can use excellent tools like BackupBuddy

2. Backup your Databases too - REGULARLY - if you're using tools like BackupBuddy this is sorted.

3. Backup your Linux Hosting Account too - REGULARLY - your Control Panel has options for this

4. Don't use or leave enabled TEST accounts or those with WEAK passwords on the site.

5. Deploy Wordpress from your Linux Control Panel - never elsewhere for a trusted version

6. Change your Control Panel Passwords regularly to keep your Hosting Account secure

7. Avoid using the same password for the Control Panel as Wordpress - or anything else either!

8. Make sure your computer has Anti-Virus - many attacks start by getting the details from your computer - and yes this includes Macs - it's not good enough to say "Hey I use a Mac, they don't get viruses" - they do, and increasingly so.

If you think your site has been compromised, our Support Team can help you check for sure - please note that this is not included in your Hosting Package charges, so you may be charged for our help and assistance - using the tips above should help you reduce the chance of needing our assistance.

Making your Wordpress Site more secure

1. Update your Wordpress ALWAYS

2. Update the Plugin's, Themes and Extras

3. Don't use a ridiculously easy password

4. Consider using the "All In One WP Security & Firewall" plugin

5. Make the default "admin" account something else - rename it

6. Check that FTP Security

7. Get your Site Scanned Regularly for Vulnerabilities

8. Prevent "Spam Comments"

9. Install the Limit Logins Plugin

10. First install of Wordpress? Use a different database prefix

Other things you REALLY should be doing:

<< Back to the Blog

Popular VPWSYS Services:

Making your Wordpress Site more secure

1. Update your Wordpress ALWAYS

2. Update the Plugin's, Themes and Extras

3. Don't use a ridiculously easy password

4. Consider using the "All In One WP Security & Firewall" plugin

5. Make the default "admin" account something else - rename it

6. Check that FTP Security

7. Get your Site Scanned Regularly for Vulnerabilities

8. Prevent "Spam Comments"

9. Install the Limit Logins Plugin

10. First install of Wordpress? Use a different database prefix

Other things you REALLY should be doing:

<< Back to the Blog

IT Survey & Challenge Quiz!

Popular VPWSYS Services: