WordPress is by far the most popular CMS on the internet for blogging, not only for a friendly user but for attackers and hacking attempts. WordPress is always upgrading and improving thanks to their team of developers and community which makes it easier to detect any bug or error on it.
We know that if you run a WordPress site, you care about protection (which involves your data and your customer's and visitor's data). Here is a summary of the practices you can apply to your WordPress site in order to make it safer. Remember that these actions don't guarantee a 100% protection against hacking attempts, but will protect you for the majority of the attacks.
Protect your WordPress Admin Area
WordPress admin area must not be where everybody logins and modify anything that they want. What you should do is restrict the access to the people who really needs it. If your site is not for front-end creation, your visitors or customers should not be able to access your /wp-admin folder. You can add add these lines to the .htaccess file in your WordPress admin folder replacing xx.xxx.xxx.xxx with your IP address.
order deny,allow Deny from all Allow from xx.xxx.xxx.xxx
Don't use admin username
People often forget changing their username "admin" to a complex or safer one. As admin username is very popular attackers often make brute force attacks to your admin login and others attack simply by naming your username differently. If you're installing a new WordPress site, you will be asked for username during the WordPress installation process.
Remove WordPress Header
WordPress can add a lot of stuff in your header for various services, this will remove everything, but take care, it also removes some functionality ( for instance if someone is looking for your RSS feed). If you want to keep some just comment the line out.
1 // remove junk from head 2 remove_action('wp_head', 'feed_links', 2); 3 remove_action('wp_head', 'feed_links_extra', 3); 4 remove_action('wp_head', 'rsd_link'); 5 remove_action('wp_head', 'wlwmanifest_link'); 6 remove_action('wp_head', 'index_rel_link'); 7 remove_action('wp_head', 'parent_post_rel_link', 10, 0); 8 remove_action('wp_head', 'start_post_rel_link', 10, 0); 9 remove_action('wp_head', 'adjacent_posts_rel_link_wp_head', 10, 0); 10 remove_action('wp_head', 'wp_generator'); 11 remove_action('wp_head', 'wp_shortlink_wp_head', 10, 0); 12 remove_action('wp_head', 'noindex', 1);
Monitoring your files for changes
When an attack happens, it always leave traces. Either on the logs or on the file system (new files, modified files, etc). If you are using OSSEC for example, it will monitor your files and alert you when they change.
Schedule Local Backups
Regular backups are a must and having tiered backups is even better. That means backing up the WordPress database and also your server disk. There are several backup plugins and services that will back your data up, wordpress or server side its very important to have at least 1 backup monthly.
Wordfence plugin is a complete Anti-Virus and Firewall for your WordPress. It not only protects your site from many possible attacks but also keeps you off Google’s SEO blacklist, repairs hacked files, even if you don’t have backups. It also includes some features like login brute force protection, hiding your WordPress version number, blocking fake google crawlers and many other security elements. Remember Wordfence offer the free and the paid version for enterprises.
Akismet is a really good plugin which checks your comments against the Akismet Web service to see if they look like spam or not and lets you review the spam it catches under your blog's "Comments" admin screen.
Login Lockdown checks for a specific ip which is trying to login to your site but it never happens. It will block that IP after a certain number of attempts and will disable any request of it for a certain amount of time.
Currently, the plugin defaults to a 1-hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.
Protect your computer from Virus/Malware
Protecting your computer from malware or virus is not hard. Remember that WordPress allows you to upload any file or plugins, thats why any file that you want to upload, must be clean in order to maintain your wordpress folder free from virus and malware.
Here are some actions you may need to take in order to do it:
- Install an antivirus program
- Use a firewall
- Use a pop-up blocker with your browser
- Keep your computer updated
- Don't open email attachments unless you're expecting them
WordPress & Plugin Up-to-date
It is really important to keep your WordPress version up to date since there are always vulnerabilites which can be hard to exploit but you need to get them fixed ASAP. Remember that if you are going to update your WordPress to the latest version you must check your plugins and compatibility with all your setup.
Use Strong Passwords
You will be surprised that most of the people who own a blog site or any website often set "password" or "123456" as their personal account passwords. Its not hard to guess what will happen to their site with those passwords. We recommend using complete phrases instead of words and numbers.
There are lots of things that you can implement in your WordPress or even in your server besides of just these ones, remember these tips will add more security to your site and defend it for you.
If you encounter any problem setting any of these solutions, here in ClickIT we can help you to set all of these items and even more security items for your WordPress! Contact us".