In Articles, Tips | Sep 16, 2009
Valuable Tips for Locking Down Your WordPress Website
There are a variety of Content Management Systems (CMS) that can fulfill many of your site's needs; however, WordPress is usually recommended as the leading publishing platform. With popularity comes exposure: WordPress sites are constantly probed by hackers, spammers, and other mal-intentioned Internet users trying to compromise the security of your WordPress environment.
Below we've compiled a few valuable tips for locking down your WordPress website, each of which adds another layer of security to your site.
Update WordPress
It might seem basic and obvious, but a surprising number of WordPress users forget to update their site. If an update is available and you are especially security-conscious, don't upgrade to the next big release the moment it ships. Have a little patience, wait for the first bug-fix releases to arrive, and then install. This will save you a lot of headaches, since you would otherwise be left dealing with the release's flaws yourself before they have been found and fixed on a large scale.
Truthfully speaking, you are taking unnecessary risks by not updating, so if your WordPress installation is at least two versions old, update it as soon as possible. According to WordPress, it takes only about 5 minutes.
Back-Up Your MySQL Database on a Regular Basis
Backing up your site files and database should be at the top of your list. Remember to back up your MySQL database regularly by exporting it as a .sql file and storing it in a safe location. Since it is easy to forget to do this by hand, it is much easier to automate the task.
Download and use the plugin called WordPress Database Backup to automate your backups. This plugin lets you schedule backups at hourly, daily, weekly, and monthly intervals. There are many other database backup tools as well; it is worth exploring them and choosing one based on overall performance and effectiveness.
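If you would rather not depend on a plugin, the same automation can be done with a small cron job around mysqldump. The script below is an added example and is not code from the article or from the WordPress Database Backup plugin; it assumes MySQL credentials are kept in ~/.my.cnf (so no password appears on the command line), and the database name, backup directory and retention count are placeholders passed as arguments.

```shell
#!/bin/sh
# Added example: nightly MySQL dump of a WordPress database with simple rotation.
# Assumptions (not from the article): credentials in ~/.my.cnf, mysqldump and gzip installed.
set -eu

# Build a dated file name so dumps sort chronologically by name.
backup_filename() {
    # $1 = database name, $2 = date stamp (YYYYMMDD-HHMM)
    printf '%s-%s.sql.gz\n' "$1" "$2"
}

# Remove all but the newest $2 dumps in directory $1 (newest first after sort -r).
prune_backups() {
    dir=$1
    keep=$2
    ls -1 "$dir"/*.sql.gz 2>/dev/null | sort -r | tail -n +"$((keep + 1))" | while IFS= read -r old; do
        rm -f -- "$old"
    done
}

# Dump the database to a compressed, owner-only readable file. --single-transaction
# gives a consistent snapshot of InnoDB tables without locking the live site.
dump_database() {
    dbname=$1
    outdir=${2:?backup directory required}
    stamp=$(date +%Y%m%d-%H%M)
    target="$outdir/$(backup_filename "$dbname" "$stamp")"
    mysqldump --single-transaction --quick "$dbname" | gzip -9 > "$target.tmp"
    mv "$target.tmp" "$target"      # only rename once the dump completed
    chmod 600 "$target"             # the dump contains password hashes and private content
    printf '%s\n' "$target"
}

# Usage: wp-db-backup.sh <dbname> <backup-dir> [keep]
# Cron example, nightly at 02:30 keeping two weeks of dumps (placeholder values):
#   30 2 * * * /usr/local/bin/wp-db-backup.sh wp_blog /var/backups/wp 14
if [ "${1:-}" != "" ]; then
    dump_database "$1" "$2"
    prune_backups "$2" "${3:-14}"
fi
```

Keep the backup directory outside the web root, and copy the dumps off the server as well; a backup that lives only on the compromised host is lost with it.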
Using a Strong Password
Using a password that is merely easy to remember, with no complexity at all, is one of the main reasons WordPress sites get hijacked. A complex password is probably one of the easiest and most overlooked preventative steps you can take towards improving the security of your WordPress install. There are several tools that gauge the complexity of a password, one of them being Microsoft's free web-based tool, Password Checker.
The Security & Integrity of Your wp-admin Folder
There is no question that the wp-admin folder is a key component of your WordPress install. This folder contains all of the design and functionality for the administration side of your site. If the security of the files in this folder were compromised for any reason, a great deal of damage could be done to your WordPress installation, and to your domain.
You can prevent a breach of the wp-admin folder by limiting the IP addresses that can access it via an .htaccess file (for Apache web servers). Start by creating a new blank document in any text or source-code editor and save it with the name .htaccess, containing:
Order Deny,Allow
Deny from all
# Replace the placeholder below with your own IP address (Apache only accepts comments on a line of their own)
Allow from 203.0.113.5
Finish by saving the file and placing it inside your wp-admin folder. This tightens the security of your wp-admin folder and, with it, the integrity of your site.
Secure Connections to Your WordPress Admin Pages
Another way to lock down your site is to log into the WordPress admin panel only over encrypted SSL connections. If your host doesn't include an SSL certificate with your plan, one is well worth the investment. Once you have SSL, run your admin sessions over https:// instead of http:// by forcing SSL on admin-related pages and functions.
To do this, open your wp-config.php file and insert the following line:
// Force SSL for the whole admin area; place this above the line that requires wp-settings.php
define('FORCE_SSL_ADMIN', true);
Hiding Your Current WordPress Version
Many WordPress themes display the current WordPress version in the page source. Making this information public makes it easy for attackers to look up known vulnerabilities specific to that version. To remove it, open your theme's header.php file, search for the line of code that looks similar to the following code block, and remove it:

Using SFTP instead of FTP
Contrary to what many believe, FTP isn't as secure as you may think. When you use an FTP application to connect to your site, you send your password in plain, readable text every single time you log in. If an attacker wanted to 'listen in' and intercept that information, it would not be a far-fetched task for them to succeed.
You can fix this issue by using the Secure File Transfer Protocol (SFTP) instead of FTP whenever you access your site. It is simpler to use than FTP, and a few web hosts have it turned on by default (2Eleven). If your host does not provide it by default, all you have to do is ask your hosting company which port number to use for SFTP, then change the settings in your FTP application.
15 Comments
Sep 16, 2009
Great suggestions, I didn’t even think about going into the admin with SSL.
Sep 17, 2009
Wow, this is all great to know, thanks so much! I especially appreciate the info on how to secure the wp_admin folder. This post will definitely help countless others out there!
Sep 17, 2009
Thanks =) love the htaccess idea ^_^
Sep 17, 2009
All very good suggestions except for “Hiding Your Current WordPress Version” That code is no longer in the header.php. It is within wp-includes/version.php.
Sep 18, 2009
Or of course just add to your functions.php file to remove the version number. More on my blog about this – http://www.petercolesdc.com/wordpress-ugly-wphead-pretty-face/
Sep 18, 2009
Re: Using SFTP instead of FTP
Are you talking about SFTP (http://en.wikipedia.org/wiki/Sftp) or FTPS (http://en.wikipedia.org/wiki/Ftps). There’s a bit of a difference and although a lot of modern FTP clients support SFTP (secure file transfer via SSH) as well as regular FTP and FTPS (FTP with SSL) I don’t think it is as trivial as “ask your hosting company which port number to use in order for the SFTP to take effect”.
Sep 23, 2009
The SFTP is something new I learned.
And above all, choose a good webhost. Which really means don’t go for the cheapest.
At the OS level, you need a good system admin (apart from having good practices above)
Oct 2, 2009
Hey great guide. I’ll definitely be referring back to this to keep my site safe.
Dec 16, 2009
Hi, I found your web site when I was searching Google for web sites related to this content. I must tell you, your site is good. I like the theme too, it's pleasing. I don't have the time now to fully read your web site but I have bookmarked it and I also signed up for your RSS feed. I will be back in a night or two. Thanks for an informative blog.