
WordPress – How can I make it more secure?


WordPress is great at what it does, but don't use it unless you are prepared to maintain it. If you are going for a WordPress site then do factor in the costs, both financial and in your time, for site maintenance. It is one of the most popular and flexible Content Management Systems (CMS) today, but this also brings with it a lot of unwanted attention.

To help, here are some pointers to get you on your way; this is by no means a comprehensive list.


Build:

Do you need a WordPress site? Will you need to add or change content on a regular basis, have multiple users, provide discussions etc., or do you just want a website that will remain pretty much static apart from the odd update of information? If it's the latter you are looking for then take a look at our Web Presence Builder http://www.myhost.ie/website-builder/


Themes:

Avoid free themes from unknown sources, and research them. Many free themes come with malicious code hidden in them. If you are looking for a free theme, stick to themes available from wordpress.org. While free might sound good now, think about how it will be maintained and updated as WordPress updates. Themes must remain compatible with WordPress as new versions are released, which means they must be actively maintained. Can you depend on a free theme for this?


Plugins:

Research the plugins you decide to use with your install. Check for issues on forums etc. Again, source reputable plugins that have good support, as these also have to be maintained to stay compatible with new WordPress releases.

The basic WordPress core install is secure; vulnerabilities creep in through the use of badly maintained themes and plugins.


Logins:

Do not use the 'admin' login. Most hackers try to get your password by brute-forcing the admin username. If you have already installed your website and you chose "admin" as your username, don't worry about it; there's still a way to change it. Register another user and then give that user admin permissions. Then log in with that new username and delete the old "admin" user.

Review and install one of the following plugins:

http://wordpress.org/plugins/login-security-solution/

http://wordpress.org/plugins/limit-login-attempts/

or the more comprehensive:

http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/


Passwords:

Use complex passwords; a mix of capitals, lower-case, digits and symbols is best. You would be amazed at the number of people that still use password1 as a password.

Password Examples:

  Terrible        OK                 Good
  password        Brian1968!         M"N(Ndzm@5Bh>Q5
  admin           GriffinB68$        5!#4bbS9[@nfLv]
  brian           *brian68griffin    (*Hv3Zvq6r#}KJS
  briangriffin    BrianG6819         x3ZG87}4~5?E:m,

Use a password repository (password manager) to manage your passwords:

https://www.dashlane.com/

http://keepass.info/


Backups:

Use a backup system while developing your site; this has the advantage that if you break it, you can always roll it back. Remember to test that it works, and keep testing it on a regular basis.

Suggestions on backup plugins would be:

http://wordpress.org/plugins/ready-backup/

http://wordpress.org/plugins/updraftplus/

On a regular basis take a backup of the files and the databases from the host server; this can be invaluable in the case of a catastrophic failure on the site. FTP down the files, export the database, and store both on long-term storage. Date your backups!


Updates:

Updates are continuously being released for the WordPress core, and these can result in your theme and plugins requiring updates. ALWAYS research the compatibility of updates and themes with each other and with new versions of WordPress before applying updates. If WordPress is updated to version 7, check that your theme and plugins are compatible with that version and update them if necessary.


Security:

Security on websites is an ever growing issue. WordPress's popularity has caused it, its themes and its plugins to be scrutinised by hackers for security holes. We won't cover this issue in depth, as there have been books written on the subject, but here are some pointers:


Create Custom Secret Keys for Your wp-config.php File

All of the confidential details for your WordPress site are stored in wp-config.php in your WordPress root directory. Secret keys are one of the bits of information stored in that file, so make sure you change the default secret keys to something else. Use this link to generate values for you:

https://api.wordpress.org/secret-key/1.1/salt/
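An added example (not code from the original post or from WordPress itself): the Python below generates replacement values in the define() format wp-config.php uses, and audits an existing wp-config.php for keys still set to the sample file's placeholder, too short, or reused. The key names and the "put your unique phrase here" placeholder are those shipped in wp-config-sample.php; the config fragment being audited is constructed for the example.

```python
import re
import secrets
import string

# The eight keys and salts WordPress reads from wp-config.php.
WP_KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Placeholder value shipped in wp-config-sample.php.
DEFAULT_PLACEHOLDER = "put your unique phrase here"
# Printable ASCII minus quote and backslash, so a value is safe inside PHP single quotes.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation if c not in "'\\")
# Constructed wp-config.php fragment still at the sample defaults (not from a real site).
SAMPLE_CONFIG = "\n".join(f"define('{n}', '{DEFAULT_PLACEHOLDER}');" for n in WP_KEY_NAMES)

def generate_secret(length=64):
    """Return one random secret using the OS CSPRNG (the salt API also returns 64 characters)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def render_defines():
    """Emit fresh define() lines ready to paste over the old block in wp-config.php."""
    return "\n".join(f"define('{name}', '{generate_secret()}');" for name in WP_KEY_NAMES)

# Matches define('NAME', 'value'); allowing escaped characters inside the value.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)")

def audit_wp_config(text, min_length=32):
    """Return a list of problems with the keys/salts in a wp-config.php; empty means OK."""
    found = {m.group(1): m.group(2) for m in DEFINE_RE.finditer(text) if m.group(1) in WP_KEY_NAMES}
    problems = []
    for name in WP_KEY_NAMES:
        if name not in found:
            problems.append(f"{name} is missing")
        elif found[name] == DEFAULT_PLACEHOLDER:
            problems.append(f"{name} still has the default placeholder")
        elif len(found[name]) < min_length:
            problems.append(f"{name} is shorter than {min_length} characters")
    # Every key and salt should be unique; a shared value weakens all of them at once.
    if len(found) != len(set(found.values())):
        problems.append("two or more keys share the same value")
    return problems
```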


Change the Database Prefix

A lot of the basic setup for WordPress is the same across many sites, especially if you use a one-step install wizard through your web host. This is very convenient, but common setup values such as your database prefix are known to hackers as a result. If you don't change the database prefix, the table names of your site's database are easily known to the person who is trying to hack your site.

Protect the wp-config file

The wp-config.php file contains all the confidential details of your site. An easy way to protect this file is to place the following code in the .htaccess file on your server:

    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>

Limit The Number of Failed Login Attempts

Useful in case someone is trying to guess your password manually or using a bot (automated script). Also known as a brute-force attack, these are automated attacks that hit a site's login page repeatedly with words from a pre-defined list (dictionary) in order to 'guess' the password. This is the most common attack on WordPress sites that we see. It can result in a high load on the server on which the site is hosted, which results in us banning access to the wp-login.php file.

There are many plugins available to prevent brute force attacks e.g. http://wordpress.org/plugins/limit-login-attempts/

A more comprehensive security plugin would be http://wordpress.org/plugins/wordfence/
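As an added example (not code from the original post or from the plugins named above), this Python script shows how the brute-force pattern described in the Logins section and here can be spotted in an Apache access log before the server load becomes a problem. The log lines are constructed for the example, and the detection heuristic assumes a default wp-login.php, which answers a failed login POST with 200 (re-rendered form) and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Constructed sample log (documentation IP ranges, not real traffic): one client hammering the
# login form and one legitimate user who mistypes once and then logs in.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:46 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2023:13:55:50 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:52 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2023:13:55:58 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:59 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "python-requests/2.31"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not in combined format; skip rather than crash on odd lines
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop query string, e.g. ?action=lostpassword
        "status": int(m.group("status")),
    }

def find_brute_force(lines, window_seconds=60, threshold=5):
    """Return {ip: peak failed logins seen inside one window} for IPs reaching the threshold.
    Lines are expected in chronological order, as a live access log is."""
    recent = defaultdict(deque)  # per-IP timestamps of failed POSTs within the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        # Heuristic: a failed login is a POST to wp-login.php answered with 200 (form re-shown).
        if rec is None or rec["method"] != "POST" or rec["path"] != "/wp-login.php" or rec["status"] != 200:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # expire attempts older than the sliding window
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged
```

A flagged address is a candidate for a temporary block at the firewall or in .htaccess, which is what the limit-login plugins above automate inside WordPress itself.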

Disable xmlrpc.php

There's a vulnerability in WordPress's XML-RPC implementation that permits trackback spam, even when you disable trackbacks. The only way to prevent this spam is to disable XML-RPC entirely. Some people have suggested renaming or deleting the xmlrpc.php file, which may be an option if using trackbacks is not essential to your site.

Trackbacks can be disabled using the following plugin: http://wordpress.org/plugins/prevent-xmlrpc/


Malware Protection:

Keep up to date on security issues: http://code.tutsplus.com/categories/security and http://blog.sucuri.net/

We are happy to be partnered with a company we believe to be one of those at the forefront of website protection services, sucuri.net.

Currently we offer two main security services from them: malware monitoring and removal, and CloudProxy.


Malware monitoring and removal:

Your site is scanned every 3 hours. If malware is detected you are notified and the malware is removed, and if your site has been blacklisted because of it they will assist in removing your site from the blacklists. http://www.myhost.ie/hosting/malware-removal/


CloudProxy:

In short, it protects your website from attacks, malware and the dangers of getting blacklisted. It also supports any type of platform, from WordPress, Joomla and vBulletin to Magento, ASP.net and even custom designs. It uses a proprietary approach to application profiling, malicious URL filtering, and anomaly detection on all traffic. All logs are maintained within the Sucuri infrastructure and monitored by our security operations team.

This service provides:

  • Website Firewall (WAF)

  • Detect, Filter and Block Attacks

  • DDOS and Brute force protection

  • Intrusion Prevention System (IPS)

  • Prevent malware and blacklisting

If your website is your business then this is what you need to protect your interests. It can also alleviate the need to perform updates regularly, as it can virtually update your content management system for you. There is more information here: http://www.myhost.ie/hosting/malware-removal/#firewall


Quick Check List:


What happens if you don't?

Your site WILL be compromised, it WILL get blacklisted, it WILL lose its SEO standing, and if it causes an issue on the server then it WILL be suspended.


How can we be so sure?

Because hacking websites is a business, and an ever growing one. Redirecting your site's visitors, gathering your visitors' information, using your site to attack another, and sending illegal spam are just some examples of what compromised sites are used for.

This article is about WordPress in particular but the ethos can be applied to other CMS systems like Joomla, Drupal etc. We hope to do another post about Joomla in the near future with information targeted at hardening a Joomla install.


Hopefully this will help protect your site and give you some helpful pointers on working with WordPress. As I say, this is by no means a comprehensive article on securing your site, but it's a start.


We also find that many people are building websites based on WordPress that really don't need a CMS behind them. The popularity of WordPress urges beginners to use it to develop their site, when many would prefer a static site that they update once a year (if even), so do consider your requirements. An alternative would be a non-CMS solution like http://www.myhost.ie/website-builder/ if all that is required is a static site that needs little to no maintenance.

About the author


Dave_W

I break things.... A LOT!