WordPress is a free and open source content management system that allows website owners to easily and quickly create great looking websites. Although this system started mainly as a blogging platform for individuals, it quickly grew to support large corporate websites. A couple of examples of popular websites that use WordPress are CNN and TechCrunch. According to the WordPress statistics site, this CMS is now being used on close to 65 million websites.

Needless to say, with a piece of software this popular, there are bound to be people looking for ways to break into your website through security holes. We often get asked the best way to secure a WordPress installation. Here is our recommendation on a great place to start to make sure your WordPress website is safe.

Security starts with your computer

The most common reason that a WordPress website gets hacked or defaced is compromised passwords, usually as a result of malware or viruses on a user's computer. Most free FTP clients, such as FileZilla, store your passwords in plaintext and do not use any sort of encryption. This means that if you have a piece of malware or spyware on your computer, it can read the list of usernames, passwords and hosts that you have saved in your FTP program.

Make sure that you have an up-to-date Anti-Virus and Anti-Spyware program and that you are routinely scanning and checking your computer.

Keep your Installation up to date

WordPress releases new versions of its software fairly regularly and it is very important that you stay on top of the updates and keep your system at the latest version. These updates are released for a reason, normally security issues found in the previous versions, and you are putting your website at risk if you choose not to update.

It is also very important to keep all of your plugins and themes up to date. In a recent TimThumb exploit found by Mark Maunder, hundreds of thousands of websites were compromised due to out of date plugins and themes that used an old version of the popular TimThumb image resizer.

Protect your Admin area

Protecting your admin area is also very important to ensure no one has the chance to brute force your installation or spy on your password attempts. There are two great ways to do this. Firstly, make sure that you log in to your admin area (the /wp-admin/ folder) using SSL (https://) instead of standard http. This will ensure that your username and password are encrypted when sent to the server.

Another thing you should consider doing is blocking all IPs except your own within a .htaccess file. Although this may be a little inconvenient at times, it will go a long way in making sure no one can access your WordPress installation except you. Enter the following lines of code into your .htaccess file within your /wp-admin/ folder:

# Basic-auth realm placeholders from the original snippet; the IP restriction is done by the directives below
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName GetOut
AuthType Basic
# Apache 2.2-style access control (on Apache 2.4 this syntax requires mod_access_compat)
order deny,allow
deny from all
# whitelist IP address
allow from x.x.x.x

Replace the x.x.x.x with your IP address. You can add multiple IP addresses if you commonly access your website from multiple locations such as home and at the office. It is important to note that if your IP address changes or if you want to access your website from a different location, you will need to update your .htaccess file beforehand.

Check File Permissions

Another reason that websites get defaced is incorrect file permissions. Commonly, a user will have multiple files and directories that are readable and writable by anyone (chmod 777). Although some applications may require this setup, it is best to avoid it wherever possible.

It is possible that if an attacker gained access through another website on the same server, they could also deface your website if you have improper permissions set.
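The two checks above (an IP-restricted /wp-admin/ and no world-writable files or directories) can be verified on the server with the following script. This is an added example, not part of the original article; the function names, the example path, and the 644/755 permission targets it suggests are assumptions.

```shell
# Added example (not from the article): audit a WordPress document root for
# the two problems described above: world-writable files/directories (e.g.
# chmod 777) and a /wp-admin/.htaccess that does not restrict access by IP.
# Usage: sh wp_audit.sh /path/to/wordpress   (path is an assumption)

# Print every world-writable file or directory under $1, one per line.
# "-perm -002" is the POSIX spelling of "others have write permission".
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 2>/dev/null | sort
}

# Succeed (return 0) only if $1/wp-admin/.htaccess denies everyone by default
# and allows at least one explicit IPv4 address, as in the snippet above.
check_admin_htaccess() {
    ht="$1/wp-admin/.htaccess"
    [ -f "$ht" ] || return 1
    grep -qi '^[[:space:]]*deny from all' "$ht" || return 1
    grep -Eqi '^[[:space:]]*allow from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' "$ht"
}

# Run both checks; return 0 when nothing needs fixing, 1 otherwise.
wp_audit() {
    root="$1"
    rc=0
    ww=$(find_world_writable "$root")
    if [ -n "$ww" ]; then
        # 644 for files and 755 for directories are common targets (assumed here).
        echo "World-writable entries (use chmod 644 for files, 755 for directories):"
        echo "$ww"
        rc=1
    fi
    if ! check_admin_htaccess "$root"; then
        echo "wp-admin/.htaccess is missing or does not restrict access to specific IPs"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "No issues found under $root"
    fi
    return "$rc"
}

# Only run when a path is given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    wp_audit "$1"
fi
```

The script only reports; apply the chmod changes yourself after confirming a plugin does not genuinely need the writable directory.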

Be Prepared for the Worst

Sometimes, no matter how hard you try to protect your website and beef up your security, hacks do happen. It is your responsibility to have a local backup of your files and databases. You can do this quickly and easily through the Plesk backup manager, or with a variety of WordPress backup plugins. If you suspect that you have been hacked, simply get in touch with our support department and we’ll be happy to assess the situation for you.