Every day, some scary report about a major site being hacked or a sensitive database being compromised hits the web … and freaks everyone out.
Last week, in preparation for an interview about my work at Copyblogger’s managed WordPress hosting division, I chicken-scratched a top 10 list of tips for keeping your WordPress website(s) secure.
It’s worth your time to look over this list of security tips, and to take the few simple actions to implement them. How secure is your website?
Let’s go over the basics right now …
Why take WordPress security so seriously?
Why all the security talk? Because staying vigilant about security is an ongoing responsibility for any WordPress site owner.
In fact, it’s an ongoing responsibility for everyone online, whether you’re using WordPress or not.
So we’ll continue to discuss it here as much, if not more so, than performance. Hey, sub-second load times are great, but not if you’re hosting hidden links to Viagra sites or Google is flagging your site as malware-infected.
I know that security can sometimes be a nebulous, obtuse topic. If you don’t have a technical background, the risks and the necessary safeguards can be difficult to comprehend.
You’re not alone.
When I first launched Midwest Sports Fans some four years ago, I couldn’t have told you the difference between DDOS and Mike Doss. I was among the ranks of those who used the same password for my MSF admin login as for my Gmail account … and my bank account … and, you get the idea.
Over time, I learned the importance of taking security seriously. Some of the lessons weren’t pleasant. But they provided me with the knowledge to be able to educate you on simple steps you can take right now to make your site safer.
As you read this list, consider it less a “top 10 list” and more of a checklist. If you come across one, two, or ten of these that you cannot mentally check off as being part of your current security arsenal, stop reading and go implement it.
Let this motivate you: we see between 50,000-180,000 unauthorized login attempts every single day at the sites we host. The vast majority of these are hackers using brute force techniques to get into websites and wreak havoc. It is possible, perhaps even probable, that a hacker halfway across the globe is trying to hack into your site at this very moment …
… I hope your password isn’t password123.
And now, on to the most important top 10 list you’ll read all week:
1. Maintain strong passwords
Let’s kick off the list with the easiest step you can implement immediately. Hopefully you already have.
If not, do not procrastinate on this one.
I’ve linked to this post before, and I’ll link to it again: “Password Protection: How to Create Strong Passwords” from PCMag. I used a number of the tips listed in that post to completely overhaul my personal password strategy.
Take this seriously.
Excuses like, “But I want one password for all of my sites so that I won’t forget!” or “My (generic) password is good enough, and what are the odds that someone is really going to try to hack me?” are not acceptable.
If you aren’t using a password that’s at least ten characters, with numbers and letters, capitals and lowercase … you’re doing it wrong. Do it right. Especially this one.
2. Always keep up with updates
WordPress updates are not just released for the Google News search results. They are released to fix bugs, introduce new features, or, most importantly, to patch security holes.
Will WordPress (or any software program, for that matter) always be one step ahead of the hackers? Of course not. Quite the contrary. For the most part, as with performance-enhancing drug testing in sports, software is always going to be one step behind the hackers. That’s just how it goes; it’s the world we live in.
But when major security holes are known — and patches are available — there is no excuse not to implement them. Thus, there is no excuse not to keep up with WordPress updates. The same goes for plugins and themes.
I know that many of you feel trepidation when it comes to updating WordPress, afraid that it might break your theme or disrupt a plugin’s functionality. My response to this is simple: if you’re afraid of it, then you need to re-evaluate your theme and plugin strategy. Your theme will certainly get disrupted when a hacker injects half a page of nasty encrypted code into it.
One of the benefits of investing in a WordPress theme framework like Genesis is that our StudioPress division will have the Genesis Framework updated damn near instantaneously when a WordPress update is released. In fact, there’s a good chance they had input in the WordPress update itself! So, you never have to worry about your theme breaking.
As for plugins, this is why vetting plugins is so important. If a plugin isn’t updated regularly, or you’re not paying for support, then you should be afraid of it possibly breaking with a WordPress update. Thus, you might want to rethink using it at all.
3. Protect your WordPress admin access
Should you change the name of the default “admin” user that every WordPress installation starts out with? Sure, you can. It certainly isn’t going to hurt.
Just know that it isn’t the pinnacle of security measures. Hackers can find usernames fairly easily from blog posts or elsewhere.
More important than disguising the specific admin username is to make sure that every username of your site with administrator access is protected by a strong password. (Yes, I’m referring you back to #1 in this list.)
And, if you really want to protect your site, go the extra step of requiring a Yubikey to log in. That way, even if someone does have the password to a username with administrator access, he or she cannot log in without physically possessing the Yubikey (which is easily used via simple USB insertion when it’s login time).
And no, it’s not a hassle. It’s peace of mind.
4. Guard against brute force attacks
Remember the stat I cited above? It’s worth citing again: we see between 50K and 180K failed login attempts a day on the sites we host. The site you’re reading right now (Copyblogger in case you’re somehow reading a scraper site) sees 275 unauthorized login attempts … every hour.
Before you pass out at the magnitude of that number, know that you’re far from powerless against these nameless, faceless hack attempts.
First, your web host should be helping to protect you from brute force attacks. We do. We regularly monitor where failed login attempts are coming from and then lock out the offending IP addresses.
Second, make sure you’ve checked off tips 1, 2, and 3 above.
Third, there are programs that can be installed (such as Limit Login Attempts) that will make it much more difficult for brute force techniques to work.
5. Monitor for malware …
It’s imperative that you have some kind of system in place to constantly monitor your site for malware.
How you monitor is vitally important. Choose a method that can actually dive into your file structure and detect deep breaches, rather than one that just shows you where you’re vulnerable.
6. … Then do something about malware!
Monitoring for malware is not a solution in and of itself. The solution is what happens once malware is detected.
If you are not a Synthesis customer, the Sucuri team is a great one for you to partner with because they’ll not only scan for malware, they’ll help you clean it up once it’s detected.
And if you are a Synthesis customer, you already know that we’ll take on the job of cleaning and repairing your site should anything bad happen to it.
A couple of the oft-overlooked “true costs” of WordPress ownership are those associated with downtime due to security issues and cleaning up those issues. This is part of the value proposition that should be rolled into your managed hosting provider’s offering.
7. Choose the right web host
I’ve already told you about the server-side scanning and malware cleanup guarantee that we give all of our customers. And that’s far from the only reason why our WordPress hosting is a great choice for the security-conscious WordPress user. Just saying.
One major security risk is being on a shared server. Think of it this way: take the security risks inherent in your own WordPress installation, then multiply it by the number of sites on the server. And if you go with generic hosting, chances are you’re going to be lumped in with hundreds and hundreds of other websites.
Your own VPS may not be the right option for you. It may be too expensive, or your traffic may not necessitate it. That’s fine. But if you’re going to be on a shared server, make sure it’s shared with just a small number of sites (our shared servers have no more than 10 sites) on a hosting stack that has proven safeguards in place to protect it.
Also, find a host that doesn’t get complacent about security.
Anyone who would claim to “have security figured out” has no clue. Online security is constantly changing. Web hosting companies need to constantly evolve with that changing landscape, and the threats that come with it. Make sure whoever you trust your website to operates with this mentality.
8. Clean your site like you clean your kitchen
Did you know that your WordPress installation could easily have ticking time bombs sitting on it that you’re not aware of?
If you have old themes and plugins that you’re not using anymore, especially if they haven’t been updated, you can basically just go ahead and start the countdown to your next security breach. A messy site also makes it much more difficult for security professionals to operate should your site be compromised.
You wouldn’t leave dirty dishes and silverware sitting in stale water for three days in your sink, would you? Of course not. It would be a breeding ground for filth and muck.
So clean up and organize your file structure like you would your kitchen. It will keep you safe in more ways than one.
If you’re asking, “Where do I begin?” Start at the root. Compare your file list to that of the default WordPress core. A few extra files, like your favicon? OK. Two times as many files, including PowerPoint presentations for work? Time to do some dishes …
9. Control sensitive information
And when you are doing that cleanup of your file structure, check to make sure you are not leaving bits of valuable information available for all the world to see.
For example, the readme.html file by default will say what version of WordPress you’re running. If you’re running an older version of WordPress with a known security hole, hackers will find you.
Similarly, look into your phpinfo.php or i.php files. They’ll tell a hacker everything about your setup and serve as a “road map to the house” before they even break in.
And leaving .sql database backup files is a big no-no. If a hacker can download your entire database they’ll have every username and encrypted password you’ve ever used at their disposal.
While your website host should be scanning for items like this, why leave anything to chance? You wouldn’t walk out your front door without pants on (at least I’d hope not!) … so don’t run your website that way.
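As an added example (not the article's code) that covers tips 8 and 9 together: it lists root-level files that are not part of the WordPress core, and flags the disclosure and backup files named above anywhere in the tree. The core file set here is an illustrative assumption, so build the real one from a clean download of the version you run; the archive suffixes beyond .sql are also assumed, and the site root it audits is constructed sample data.

```python
import tempfile
from pathlib import Path

# Assumed core listing: in practice, generate this set from a fresh download of the
# same WordPress version you run. These are illustrative entries, not the full list.
CORE_FILES = {"index.php", "wp-config-sample.php", "wp-login.php", "wp-settings.php",
              "xmlrpc.php", "license.txt", "readme.html"}
ALLOWED_EXTRAS = {"wp-config.php", ".htaccess", "favicon.ico"}  # expected per-site additions

# Names the article calls out as disclosing too much, plus (assumed) common backup suffixes.
SENSITIVE_NAMES = {"readme.html", "phpinfo.php", "i.php"}
SENSITIVE_SUFFIXES = (".sql", ".sql.gz", ".zip", ".tar.gz")

def audit_site_root(root):
    """Return (unexpected, sensitive).

    unexpected: files at the document root that are neither core nor allowed extras
    sensitive:  files at any depth whose name or suffix matches the lists above
    """
    root = Path(root)
    unexpected = sorted(p.name for p in root.iterdir()
                        if p.is_file() and p.name not in CORE_FILES | ALLOWED_EXTRAS)
    sensitive = sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                       if p.is_file() and (p.name in SENSITIVE_NAMES
                                           or p.name.endswith(SENSITIVE_SUFFIXES)))
    return unexpected, sensitive

def build_demo_root():
    """Construct a throwaway site root with a few leftovers (sample data, not a real site)."""
    root = Path(tempfile.mkdtemp())
    for name in ["index.php", "wp-login.php", "readme.html", "favicon.ico",
                 "phpinfo.php", "quarterly-review.pptx", "backup-2013-04.sql"]:
        (root / name).write_text("placeholder\n")
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    (uploads / "site.sql.gz").write_bytes(b"\x1f\x8b")  # fake gzip header, not a real dump
    return root

if __name__ == "__main__":
    unexpected, sensitive = audit_site_root(build_demo_root())
    print("not in core:", unexpected)
    print("disclosing/backup files:", sensitive)
```

readme.html is reported even though it is a core file, which is the point of tip 9: being part of the default install does not mean it should stay readable on a live site.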
10. Stay vigilant
This one is pretty easy to explain. Just stay on top of what’s going on out there.
You don’t need to understand the intricacies of a DDOS attack or churn out a blog post about GoDaddy getting taken down. But when an issue like the TimThumb fiasco rears its ugly head, are you aware of it? Early detection is the best prevention.
You should be with a managed WordPress host who has your back, but it never hurts to have your own too.
Follow Twitter accounts like Sucuri’s or ours, where we’ll update you when we hear of relevant security issues affecting the web. And just keep your eyes peeled. Don’t think that security issues are only affecting those other sites. They could just as easily be affecting yours.
Respect thine enemy, as they say.
Over to you …
Most importantly, we need to respect the critical nature of taking website security seriously.
The ten steps above are not the only security safeguards you should be considering, but they are a well-rounded start, especially for those who may have trouble implementing the basics.
Take action on these tips and you’ll have the essential WordPress security measures in place.
Any other WordPress security tips out there? Drop them in the comments below …