This is a beginner-level tutorial on WordPress security. I marked it as beginner level because the security concerns in this tutorial should be priorities from day one of your WordPress experience. It is easier to implement security measures on a fresh new blog than it is to add them later. Whatever the case, they need to be added for your site’s secure future. If you have yet to tighten down your site’s security, read on and do it right away before you lose it all!
To follow along in this tutorial, you are expected to know the basics of the WordPress admin dashboard and of server administration, and a decent understanding of the WordPress infrastructure is always helpful as well. Since this is a beginner’s tutorial on WordPress security, don’t worry too much about the prerequisites; I will try to explain everything in detail, so you should be able to perform the tips in this tutorial regardless of your experience level.
Backing up Your Data
To avoid mishaps, let’s make backing up both your entire WordPress site and its database our number one lesson on security. “That’s not security,” some of you may be thinking. Well, it is in a way, because if any of your security measures, or the lack of them, cause you to lose data, then you will be happy to have a backup copy just in case.
For backing up your site and database, I recommend using the Backup Buddy plugin. I have used it several times and it is very easy to use and does a great job for a little price if any. To learn more about Backup Buddy, read my review about the plugin HERE
Keeping WordPress up to date is also a very important security issue. With each new release of WordPress, there are tons of new security fixes implemented, and the only way to get them efficiently is to update your installation of WordPress each time you are notified to do so. How do you know if it is time to update your version of WordPress? It is simple. Just log in to your WordPress admin and look for a notice at the top of the page as in the following image:
Notice how the image above mentions that a new version of WordPress is available. When you see this, be sure to back up your entire site and database before clicking on the link to update. You should do this each time a new version comes out to get all the new features and security fixes available through the new version of WordPress.
Make Sure Your Server is Secured!
As soon as possible after installing WordPress on any server, make sure it is secured. To do so, make sure that directories are not readable through a web browser. This can be done by including a blank index.html file in any folders that do not already have one. Another approach to securing your directories from public view is to locate your site’s robots.txt file and add the following line of code to it that will secure any folders with wp- in the name. Keep in mind that robots.txt only asks search engine crawlers not to index those paths; it does not stop anyone from requesting them directly, so use it alongside the index files and file permissions, not instead of them. Of course, if you have any other folders in your public root folder, make sure you add something for them too.
Another thing you should do is make sure that the owner of any folders in the public HTML folder is the user you set up for web services and that both folders and files have reasonable security permissions in place. Look for any with 777 permissions and lessen the permissions to at least make the files no longer writable by the public. You can use the chown and chmod command line commands to change ownership and privileges respectively. If you don’t know what you are doing, learn first, because some of the files and folders may need special permissions in order for WordPress to function properly.
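Before changing anything with chown or chmod, it helps to list what actually needs attention. The script below is an added example, not part of the original tutorial: it only reads the file system, and the document root path, the web user name and the treatment of index.php as equivalent to index.html are assumptions.

```shell
#!/bin/sh
# Added example: read-only audit of a WordPress document root.
# ROOT and OWNER are values you supply; nothing is modified.

# Files and directories that anyone on the system can write to
# (covers 777 as well as 666, 757, ...). Symlinks are skipped because
# their own mode bits are always reported as 777 and mean nothing.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Anything not owned by the expected web-services user (name or numeric id).
wrong_owner() {
    find "$1" ! -type l ! -user "$2" -print
}

# Directories with no index.html or index.php, i.e. the ones a browser
# could list if the web server has directory listing enabled.
dirs_without_index() {
    find "$1" -type d -print | while IFS= read -r d; do
        [ -e "$d/index.html" ] || [ -e "$d/index.php" ] || printf '%s\n' "$d"
    done
}

audit_wp() {
    echo "== world-writable =="
    world_writable "$1"
    echo "== not owned by $2 =="
    wrong_owner "$1" "$2"
    echo "== directories without an index file =="
    dirs_without_index "$1"
}

# Example invocation (path and user are placeholders):
#   sh audit.sh /var/www/html www-data
if [ "$#" -eq 2 ]; then
    audit_wp "$1" "$2"
fi
```

Review each reported path before tightening it, since some WordPress folders, such as the uploads folder, must stay writable by the web-services user.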
After reading this beginner’s tutorial on WordPress security measures, you should have at least the most important security practices at hand. Security is a constantly changing technology that needs constant attention. How much time and effort you spend on securing your WordPress website depends on the nature of your website. If you have sensitive information and user data on your site, then the security measures mentioned here are only a start. Some sites will require a lot more than what was presented to you in this tutorial. On the other hand, if you just have a personal blog, then doing the steps here may be all you need. Just remember to do them often enough to keep everything up to date and you will be fine. Happy blogging!