While some WordPress designers don’t give a second thought to the security of sites they design, others turn to a variety of plugins they hope will keep hackers at bay. Others, as you’ll see, have taken a more fundamental approach to security concerns.
The world’s most popular content management system and a mainstay for businesses, WordPress and its sites are a popular target of hackers. The Flashback botnet attack that has infected more than 700,000 Macs, for instance, has now been traced to hacked and malware-rigged WordPress blogs.
So with the security of client websites at risk and a designer’s credibility lost as easily as a hacker can populate a site with links about erectile dysfunction, here are 10 WordPress security basics.
Keep the WordPress core up to date
While the folks at WordPress do a great job of identifying and patching security vulnerabilities, those efforts don’t do any good if updates aren’t installed. With an estimated 70% of malware attacks the result of running outdated software, there’s no excuse for not taking advantage of WordPress’s one-click automatic update feature.
Keep themes and plugins up to date
The principle of “if it ain’t broke, don’t fix it” may work in some endeavors, but not to maintain a website. Just as an out-of-date core is prone to hacking, so too are outdated themes and plugins.
Remove disabled plugins and inactive themes
Just because a plugin or theme is inactive doesn’t lessen its vulnerability to attack as proved in an August 2011 attack that targeted the TimThumb script included in various WordPress themes and plugins. Although affected plugins and themes were disabled, the script remained on the site waiting to be scanned as the point of attack for hackers.
Replace the default admin user
By using WordPress’s default “admin” username, a site is automatically 50% easier to hack since it’s the presumptive username with which hackers start their efforts. To replace it, simply create a new username with administrative authority, log out and then back in using the new name. Then delete the “admin” username.
Use a secure password and keep your password secure
If you guessed that 2011’s most stolen password was “password,” you’d be right. But even more complex word-based passwords aren’t safe from dictionary attacks and other hacker tools. Security experts recommend passwords of at least 8 characters long that include a combination of uppercase and lowercase letters, numbers, and keyboard symbols. Passwords shouldn’t contain complete words nor your real name, username or company name.
Using passphrases as passwords is one way to protect a password and still remember it. “2beeRknot2be!” is one such example. In addition, use common sense to protect passwords by not sharing them, not keeping them on your computer (KeePass or LastPass are two password management tools) and routinely changing them.
Use a different table prefix
Not a step for beginners, changing the default prefix of WordPress tables from the standard “wp” can help protect a site from attack since any scripted attack on WordPress sites presumes that standard prefix. Changing the prefix during a fresh install of WordPress is easy by simply opening the wp_config.php file prior to the installation and changing the value of “$table_prefix = ‘wp_’;” from “wp_” to any other value.
If WordPress is already installed, you’ll need to rename the tables by opening the database with phpMyAdmin, selecting a table and then selecting “Operations” in the top right of the window. Next change the value in the “Rename table to” field to reflect the new prefix. Then edit the wp_config.php file as already described.
Remove version information
Information that identifies the author and WordPress version is contained in the source code of pages and can help hackers determine which sites are using vulnerable versions of WordPress and plugins. Removing version information is as simple as adding the following line to the functions.php file:
Use trusted plugins
If you’re a designer who grabs the first plugin that does what you want, you may be leaving your sites open to attack. Poorly coded plugins can provide an open door for attack. Research the plugins you use and read the reviews. Look at the plugins you already use to see if there are more popular, highly rated plugins that are also more trusted.
Use a good host
Since any structure is only as strong as its foundation, one of the most fundamental steps in a secure WordPress site is selecting a highly rated host that has a good track record and is proactive about addressing security concerns. Do your homework by asking providers what their security measures are and determine how good of a job they are doing in keeping their servers updated.
Keep your computer secure
Finally, make sure to keep your computer’s OS and software up to date by installing updates and security patches as they are issued. Install a good anti-virus program that will not only protect your computer from viruses but detect malware. Be sure firewalls are and practice safe browsing by staying away from sites that give any cause for suspicion.