Worried about security for your WordPress-based website? You should be. Due to its popularity and ease of installation, WordPress sites are hacked more often than sites on any other platform. There’s a reason for this. But that doesn’t mean you have to give hackers one. Here are ten things you can do right now to make your WordPress-driven site a bit more hack-resistant.
- Be sure WordPress itself is updated to the latest version. There should be no excuse for this since you can update WordPress from within the WP Dashboard (back up your database first of course).
- Be sure your plugins are updated. Again, this can be done from within the WP Dashboard.
- Be sure your theme is updated (unless you are using a completely one-of-a-kind, hand-rolled custom theme).
- If something prevents you from using the latest version of WordPress, you should stop WP from broadcasting the WP version your site is using. It’s done with a very simple piece of code in your functions.php file (see below).
- Back up your database regularly (and TEST that backup to be sure it’s functional). You can use one of several plugins — we recommend either BackUpWordPress or WP DB Backup — to back up your database from within the WP dashboard and have a copy of the SQL dump sent to the email address of your choice or have it downloaded to your hard drive. You can also schedule periodic backups with either of these plugins.
- Do not use the default admin account. In all “brute force” hacking attempts, admin is the User ID hackers will target. Don’t let them have it.
- Set file permissions correctly on key files and folders. You should only allow your .htaccess file to be writeable while you are setting or changing permalinks. Otherwise, that file should be set to 444. Most files should be set to 644. Most folders should be set to 755.
- Use secure FTP (SFTP) to access your files.
- Clean out your site’s user base. Delete unused users and review each user’s level to be sure they are not granted any more rights than they need to accomplish their tasks.
- Delete unused plugins and themes. Just because you aren’t using them doesn’t mean they can’t be a backdoor for some hacker.
Removing Version Information From Older WordPress Installs
Here is the code that you should place in your functions.php file to disable version reporting. Use this only if you cannot upgrade to the latest WP version.
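The snippet the article refers to is not reproduced in this copy of the page. The following is an added example, not the author’s own code, that removes the WordPress version from the three places core normally publishes it: the generator meta tag in the page head, the generator element in RSS/Atom feeds, and the `?ver=` query string on core stylesheets and scripts. The function name `example_strip_core_version_query` is an assumed name; the WordPress hooks and helpers it uses (`wp_generator`, `the_generator`, `style_loader_src`, `script_loader_src`, `remove_query_arg`) are real core APIs.

```php
<?php
/*
 * Added example for the "remove version information" step. Place in the
 * active theme's functions.php (or a small must-use plugin). This is a
 * stopgap for an install that cannot be upgraded; staying current is the fix.
 */

// 1. <meta name="generator" content="WordPress x.y"> in the HTML <head>.
remove_action( 'wp_head', 'wp_generator' );

// 2. The <generator> element in RSS/Atom feeds passes through the
//    the_generator filter; return an empty string instead of the version.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Core stylesheets and scripts are enqueued with ?ver=<WordPress version>.
//    Strip that argument only when it equals the core version, so plugins'
//    own cache-busting version strings are left intact.
function example_strip_core_version_query( $src ) {
    $query = parse_url( $src, PHP_URL_QUERY );
    if ( ! $query ) {
        return $src;
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
// Late priority so the filter runs after other plugins have adjusted the URL.
add_filter( 'style_loader_src',  'example_strip_core_version_query', 9999 );
add_filter( 'script_loader_src', 'example_strip_core_version_query', 9999 );
```

Note that the readme.html file in the WordPress root also states the installed version, so remove it or block access to it as well; hiding the version only reduces casual fingerprinting and does nothing to close the underlying holes in an old release.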
Joni Mueller has been designing web sites for hire since 2003, when she first blew up her web host’s server by insisting on running Greymatter. Since then, Joni has designed for Blogger and Movable Type, TextPattern, WordPress and CMS Made Simple. She lives with her cat and shoe collection in a bucolic old section of Houston called Idylwood. For some strange reason, Joni likes to refer to herself in the third person. When she’s not working on web design, she’s ordering lawyers around. And blogging about it. Or both.