Of the content management systems currently available, WordPress is the most popular: it has a user-friendly interface, is easy to install, and has an active development community producing quality themes, plugins, and support answers. What may not be known to everyone is that the popular CMS options, while generally very secure, are often the most targeted by attackers since the code is open source.
And if you’re thinking it won’t happen to me, trust me, it can. Security is an important concern for anyone running a database-driven website, because there are unscrupulous lurkers (often using bots) looking for exploitable weaknesses. If you’ve ever come across a website with pharmaceutical ads randomly inserted into otherwise legitimate pages, you’ve likely found a site that has suffered from a SQL injection.
The WordPress website stresses the need to install the latest version of WordPress so that you have the newest security patches and fixes. This is good advice, though in some cases the theme used for your site may not migrate cleanly to a new WP version. Moreover, many of the themes, plugins, and widgets used in WordPress are version-specific, so with every upgrade there is the potential that some functionality may stop working.
General Advice:
- Back-up your database routinely once a month, or more frequently if you’ve made significant changes or are running an online store.
- Keep a list of all the plugins that you used for your WP site. For example, your SEO, security, email, cache management, and image/gallery plugin, etc. This will make it easier to locate them if you need to reinstall.
- Install the latest version of WP and of your plugins, but always back up your site first. If your site breaks in some way you can “google” for the answer to resolve it, or just revert to your previous site version and hold off on that update.
- Use a good security plugin. When you’re choosing a plugin you’ll see the number of downloads, its rating, and the last-updated date. These are good indicators of which plugin is considered the best. Our current favorites are iThemes Security and Wordfence.
- Change the wp-admin path. Many of the better security plugins will allow you to rename the login URL, which will keep bots from finding your login path.
- Limit the number of login attempts before a user is locked out. If you’ve changed the login path you won’t strictly need this, but for a community site you’ll want to keep the URL as-is, since visitors need to be able to log in and recover their passwords.
- Disable front-end user registration. Unless you have a community site, there’s no real reason to allow someone to log in as a subscriber; well, unless you restrict commenting to subscribers. I have seen many instances where a hacker will create a subscriber account in an attempt to find exploits.
- Use a password generator that includes lower and uppercase characters, numbers, and symbols.
- Ensure that your file permissions are set correctly. Some folders need to be executable for everyone, yet many do not.
- Utilize your .htaccess and robots.txt file to block bad bots and restrict private directory access.
- Use secure FTP (SFTP encryption) for file transfer.
- Don’t use your hosting webmail unless you’re very careful. There are numerous malware attacks delivered through email, and all it takes is for you to open an infected document or a hacker’s link for your hosting server to become infected. As a rule, always mouse over a link to check the URL path before you open it. Or better yet, don’t open it unless you are confident of the source.
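The file-permission point above is easy to get wrong by hand, so here is an added example (not from the original post) that resets a WordPress tree to the commonly recommended baseline and reports anything still writable by group or others. The document root path, the function names and the baseline modes (755 for directories, 644 for files, 600 for wp-config.php) are assumptions; adjust them to what your host requires.

```shell
#!/bin/sh
# Added example, not the original post's code. Resets WordPress permissions
# to a conservative baseline. The path argument is an assumption; run it as
# the user that owns the WordPress files.

harden_wp_perms() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }

    # Directories: owner rwx, everyone else r-x. The execute bit on a
    # directory only allows traversal; it does not let others write.
    find "$root" -type d -exec chmod 755 {} +

    # Files: owner rw, everyone else read-only. PHP files are read by the
    # web server, not executed as programs, so no execute bit is needed.
    find "$root" -type f -exec chmod 644 {} +

    # wp-config.php holds the database credentials and salts: owner only.
    [ -f "$root/wp-config.php" ] && chmod 600 "$root/wp-config.php"
    return 0
}

# Report mode: list anything writable by group (020) or others (002).
# After hardening this should print nothing; output later on is a sign
# of a sloppy upload, a misbehaving plugin or a compromised host.
list_world_writable() {
    find "$1" \( -perm -002 -o -perm -020 \) 2>/dev/null
}

# Usage (example path): harden_wp_perms /var/www/html && list_world_writable /var/www/html
```

Run the report function on a schedule (for example from cron) and treat any output as something to investigate, since a plugin that silently loosens permissions is as much a problem as one that was never hardened.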
If you need additional help there are lots of resources online; I would start with the links below.
- https://www.wpbeginner.com/wordpress-security/
- https://wordpress.org/about/security/
- https://wordpress.org/support/article/hardening-wordpress/
Additional Option:
A good suggestion, one that my development partner frequently uses, is to install WordPress in a separate directory. When you download the WP install files you end up with a .zip file. Unzip it, and you have a folder called “wordpress”. One option is to upload the contents of that folder straight to the root directory of your web server and start the installation process. We suggest a different approach. Instead, rename that folder to something obscure, like “pizza”, and upload the whole folder to the root directory of your site. But of course you don’t want the site’s URL to be https://mydomain.com/pizza/. Of course not … that would be crazy. To let WordPress control the root of your site, just move the index.php file and the .htaccess file from the “pizza” folder back to the root directory. Then open the index.php file and change this: require('./wp-blog-header.php');
..to this: require('./pizza/wp-blog-header.php');
You’ll now have to log in at https://mydomain.com/pizza/wp-admin/, but WordPress will be in control of the root just as if that were its actual location. Once you have installed WordPress and logged in to the Admin area, go to Settings > General and ensure that the WordPress address (URL) points to https://mydomain.com/pizza/ and the Blog address (URL) points to https://www.mydomain.com. Of course, when choosing the name of your installation directory, you should use your own crazy word.
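The relocation steps above, carried out as one script, as an added example that is not part of the original post. It assumes the unzipped archive sits in the document root as a folder named “wordpress”, and it accepts whatever obscure name you choose in place of “pizza”. Recent WordPress releases write the bootstrap line in index.php as require __DIR__ . '/wp-blog-header.php'; rather than the older require('./wp-blog-header.php'); form quoted in the post, so the script rewrites either one.

```shell
#!/bin/sh
# Added example, not the original post's code. Moves a freshly unzipped
# WordPress tree into an obscurely named subdirectory and leaves the site
# root under WordPress control. Both arguments are assumptions:
#   $1 = web server document root (e.g. /var/www/html)
#   $2 = obscure directory name (e.g. pizza)

relocate_wp() {
    docroot="$1"
    subdir="$2"
    [ -d "$docroot/wordpress" ] || {
        echo "expected $docroot/wordpress from the unzipped archive" >&2
        return 1
    }

    # 1. Rename the unzipped "wordpress" folder to the obscure name.
    mv "$docroot/wordpress" "$docroot/$subdir"

    # 2. Move the front controller back to the root. .htaccess only exists
    #    once pretty permalinks have been saved, so it is optional here.
    mv "$docroot/$subdir/index.php" "$docroot/index.php"
    [ -f "$docroot/$subdir/.htaccess" ] && mv "$docroot/$subdir/.htaccess" "$docroot/.htaccess"

    # 3. Point the root index.php at the relocated bootstrap file.
    #    Handles both the current __DIR__ form and the older './' form.
    sed -i.bak \
        -e "s#__DIR__ \. '/wp-blog-header\.php'#__DIR__ . '/$subdir/wp-blog-header.php'#" \
        -e "s#'\./wp-blog-header\.php'#'./$subdir/wp-blog-header.php'#" \
        "$docroot/index.php" && rm -f "$docroot/index.php.bak"
    return 0
}

# Sanity check: does the root index.php reference the relocated bootstrap?
# Returns 0 when it does, non-zero otherwise.
wp_root_points_to() {
    grep -q "/$2/wp-blog-header.php" "$1/index.php"
}

# Usage (example values):
#   relocate_wp /var/www/html pizza && wp_root_points_to /var/www/html pizza && echo "ok"
```

After running it, finish the install at https://mydomain.com/pizza/wp-admin/ and set the two URLs under Settings > General as described above; the sanity-check function is a quick way to confirm the edit survived a later core update that may have overwritten index.php.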
Why go through these extra steps just to install WordPress? The benefits are two-fold:
1. Security through misdirection. Any hacker bots scanning and probing your site looking for possible WordPress exploits probably won’t even be able to find your WordPress files.
2. It keeps your root directory clean. Nothing worse than a messy root directory. Except for maybe a hacked site.
One More Thing!
We suggest leaving the default admin account active, but removing its privileges. That way you can keep the hacker-kiddies guessing, but even if they do break in, they get nothing. The would-be hacker can still attempt to log in, but they’ll never get anywhere.