WordPress is used by over 25% of the world’s websites. With that much popularity, it is no wonder that it is a prime target for attack, whether to steal data, to use the compromised site to affect other systems, or simply to deface your website. WordPress security is therefore more important than ever.
WordPress Security – Basics
- Keep your WordPress installation and plugins up to date.
- Remove plugins you are not using.
- Make sure your hosting provider keeps their underlying software up to date.
- Use two-factor authentication for any administrator accounts.
- Have up-to-date backups (off-site).
- Use a security plugin.
WordPress Security – Not So Basics
Besides the basics, there are more advanced settings that you or your hosting provider can solidify.
- Make sure file permissions are correct for your website. Some WordPress security plugin tools will check this for you (e.g., iThemes Security Pro). Directories should be 755 and most files 644. Your .htaccess and wp-config.php files should be read-only for your web server user (444). The .htaccess file needs 644 during initial configuration; once configuration is complete, reduce it to 444 (read-only). On Red Hat/CentOS the web server user is apache by default.
- Change the default admin login page. Instead of the default site.com/wp-admin, use www.site.com/mylogin or any other name you like. This can be configured at the web server level or handled by some WordPress security plugins. Changing the default slug makes it harder for unauthorized people to find your admin login page.
- Filter long URL requests. Some common exploits compromise systems by sending long URL strings containing bad characters. Filtering them on the initial request helps reduce the risk of these attacks.
- Don’t let PHP files execute from your wp-content/uploads directory.
- Have your web hosting provider implement ModSecurity rules, if they are able, to block repeated attempts to log in to your WordPress site, and schedule regular malware scans. You’ll want to block repeated failed login attempts with the same username, as well as hosts that keep probing your site for non-existent files.
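As an added example that is not part of the original article, the following POSIX sh script audits a WordPress tree against the permission scheme from the file-permission item above (directories 755, regular files 644, wp-config.php and .htaccess at 444) and can apply it. The function names are my own; it assumes a POSIX find with -perm and that the web root is passed as the first argument.

```shell
#!/bin/sh
# Added example, not the article's own code: audit a WordPress tree against the
# scheme described above (directories 755, regular files 644, wp-config.php and
# .htaccess reduced to 444 once configuration is complete).
# Usage: sh wp_perm_audit.sh /var/www/html

# Print every path whose mode deviates from the scheme, one per line,
# prefixed with the mode it should have.
wp_perm_deviations() {
    root="$1"
    [ -d "$root" ] || return 2
    # Directories must be exactly 755.
    find "$root" -type d ! -perm 755 -exec printf '755 %s\n' {} \;
    # Sensitive files must be exactly 444 (read-only for the web server user).
    find "$root" -type f \( -name wp-config.php -o -name .htaccess \) \
        ! -perm 444 -exec printf '444 %s\n' {} \;
    # Every other regular file must be exactly 644.
    find "$root" -type f ! -name wp-config.php ! -name .htaccess \
        ! -perm 644 -exec printf '644 %s\n' {} \;
}

# Number of deviating paths; always exits 0 so it is safe under set -e.
wp_perm_count() {
    wp_perm_deviations "$1" | wc -l | tr -d ' '
}

# Human-readable report; returns 0 when the tree is clean, 1 otherwise.
wp_perm_audit() {
    out=$(wp_perm_deviations "$1")
    if [ -z "$out" ]; then
        echo "OK: $1 matches the expected permission scheme"
        return 0
    fi
    echo "Deviations (expected mode, path):"
    echo "$out"
    return 1
}

# Apply the scheme to every deviating path. Run as the file owner (or root);
# ownership is left untouched. Paths containing newlines are not handled.
wp_perm_fix() {
    wp_perm_deviations "$1" | while read -r mode path; do
        chmod "$mode" "$path"
    done
}

[ "$#" -gt 0 ] && wp_perm_audit "$1"
```

Run the audit first and review its output before calling wp_perm_fix, since a host that runs PHP as a different user than the file owner may need a different scheme.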
At a minimum, make sure you do the WordPress Security Basics listed above. This alone helps reduce your risk and keep your website safe. Nothing is impenetrable and no one can guarantee your site won’t be hacked, but by working down this checklist you greatly reduce your risk and keep your site up and running.
Contact us if you have any questions about this article, checking the security of your website, or need managed web hosting.