Twenty Two percent of active domains on the web use WordPress, that’s near 1 in every 4 websites. WordPress is the most popular content management system (CMS) in the world because it’s intuitive, easy to use, and you can literally set it up and start building a website in just minutes. Anything that’s popular or mainstream has the potential to be exploited. Since WordPress has the largest footprint, it’s the biggest target for hackers. If you own a WordPress website, you owe it to yourself to learn about basic security and hardening if you value your online presence. Websites serve one basic purpose in nearly all cases: to directly or indirectly make money. If your website was hacked or infected with malware, your website could be defaced, broken and taken down, or your traffic could be hijacked.
You may think you have to be a web design expert, or some coding techno genius to better secure and lock down your website – but that’s really not the case. Much like car maintenance, a tiny bit of knowledge and understanding can go a really long way.
Who Breaks Into Websites?
Websites get broken into all the time. I have personally fixed hundreds of infected and hacked WordPress websites, and one thing I hear over and over again from clients is “how do I protect myself from the hackers”? My response is always the same – hackers don’t break into your website, scripts and bots do. In the third quarter of 2012 hacking attempts exceeded one billion. There aren’t enough hackers worldwide to make that many hack attempts in a quarter – even working 24 hours a day.
There are however, enough scripts in the wild – and Internet bots. Hackers write scripts and bots to automate the task of breaking into websites. Often these scripts are distributed via compromised PC’s infected with Trojans, malware, spyware, etc. Once multiple computers are infected in the wild, they form a Zombie network, or botnet. These networks then collectively seek out servers and websites with vulnerabilities they can use break in. The bulk of these scripts are created by hackers in Chinese and or Russian block countries.
Why Do They Want Your Website?
The next thing I’m usually asked is “what do they want with my website, what’s in it for them?”. There was a time when most website hacks were merely to deface the website with some kind of message. Over the last year, nearly every hacked WordPress website I’ve fixed was completely functional – and in most cases you couldn’t even tell it had been hacked (unless you knew where to look). While the intent of hacks in general varies (Facebook, Twitter, Hotmail), in most cases WordPress websites are hacked to hijack traffic and / or Google rankings for the purposes of spam. They want to hijack your website authority and page rankings so they can redirect and promote drugs, gambling, and adult web sites.
WordPress Security Anyone Can Do
A little preventative maintenance goes a long way. Many times security goes out the window until something bad happens. Read my now infamous tutorial How to fix a hacked blog to see what’s involved in fixing a WP website after it’s been compromised. It’s not pretty, and you have to be fairly technical to fix it on your own.
What I’m going to discuss today are easy to use and simple to follow techniques for securing and hardening your WordPress website on your own.
If you were out in public using an ATM, and someone was right beside you watching you key in your PIN number – you would most likely be concerned (as well as aware someone was spying on you). People are trying to watch you login to your website all the time too (you just don’t know it).
At minimum, with a home WiFi network – you should have a secured password and potentially some encryption. But if you’re on public WiFi and connecting to wp-admin or FTP for your WordPress website – the connection is most times not secure. This would include connections in airports, hotels, Starbucks, etc.
Rules for engagement:
- try not to connect to your wp-admin unless you’re using something like one time password
- use SFTP (secure FTP) all the time, whether home or away
- use HTTPS secure login only when connecting to your web hosting control panel (home or away)
- reset passwords when you return home from using public WiFi
Use a Strong Password: Most people use a password that is easily cracked, such as their date of birth, or a simple word. Most people use the exact same password for all of their online accounts. Both are really bad practices. Visit StrongPasswordGenerator.com to find out what a strong password really is. Usually it’s one you can’t remember.
One thing that surprises me are systems that force you to choose a password between 8 and 12 characters. The most secure passwords are 15 characters or more. Believe it or not a password like reallylongpasswordIcantremember is MUCH more secure than [email protected]!#8aJ8[ is.
The main point here is to use a lengthy and more secure password, AND to change your password every 30 days or so. Most people “set and forget” their wp-admin passwords. You should do the same for your web hosting and email passwords.
Who Has Access?
How many accounts are in your website? How many of those accounts are admin accounts? Have you removed access for those that no longer need it? Do a little audit and review who has access to your website.
You might be better off with some tools to help you manage the accounts within your website.
WP Last Login is a plugin you can use to show the last login of all users as a column in the user table.
The WP-Activity plugin allows you to display user activity on the front and / or backend – and has an option for IP blacklisting.
If you want higher login security, try WP Login Security 2. It requires users to whitelist their IP address to verify they are who they say they are.
If you’re feeling really paranoid, you could even enable Duo Two Factor Authentication. This allows you to login, verify the login using an app on your cell phone (that’s the ‘two factor’ part) for an additional layer of security. I can personally attest this method works quite well, having used it on multiple projects.
Limit Users to “Need to Know”
Many websites give admin access to anyone who needs to login to the backend. WordPress has great default roles out of the box, like subscriber, author, and editor, in addition to admin. You can worry about WordPress default roles and capabilities here.
If needed you can extend these roles, or even create new roles specific to your needs. Plugins like Capability manager enhanced, Role Scoper, or User Role Editor make this pretty easy. You can usually find plugins for specific things as well, like allowing the user to choose their own roles at registration from a dropdown list.
Making sure that all users only have access to the capabilities they need makes your website more secure.
Scan Your Own Website
It never hurts to scan your own website for malware and infected code. There are several free online scanners that can do this in just a minute. Check out the Sucuri SiteCheck Malware Scanner (free), as well as the Quttera Scan for Malware (also free). Both services check for known malware and code infections (from the outside), as well as a cursory check to see if you’re listed on any blacklists. Both services have a free WP plugin you can install and use as well.
If you want something that’s a little more automated, a plugin like AntiVirus can do a daily scan of your website, and notify you via email of changes or suspected problems.
Setup All-In-One WordPress Security
There are multiple “all-in-one” security plugins for WordPress. Most are easy to install and configure, and have dozens of options. In most cases, you should pick and install one (at a time). If you don’t like it – deactivate, uninstall, and choose another. Having more than one all-in-one plugin installed at once isn’t a good idea.
Also, you may not know what all the options mean – and trying them out you might accidentally lock yourself out of your own website. Don’t panic if you do – just delete the plugin in FTP from the /wp-content/plugins folder and try again. Most plugins tell you to backup your website and database before configuring any options (which is a good idea).
Every security plugin works differently – please realize your mileage may vary. First I’ll give you two popular options to consider:
Both are well reviewed and have hundreds of thousands of downloads.
The all inclusive WP security plugin I personally use and recommend is Better WP Security. They claim to be the #1 WordPress Security plugin. I don’t know how you prove that, but it’s worked well for me in all my client sites for the last few years.
- Backup: it has the ability to backup and email your database before you begin configuring anything
- Logging: it tracks 404 errors, bad logins, lockouts, file changes, and more (when configured)
- Footprint: it can remove the WordPress version and generator info from your theme code
- Admin: can rename your account from (the obvious) “admin” to whatever you want, and can renumber the admin account from user #1 to another number
- DB Prefix: it can rename the default wp_ database prefix on the fly
- wp-content: you can change the wp-content path to something else
- Errors: remove wp-admin login error messages altogether
- Updates: remove update notifications from users that don’t need to see them
- Ban: ban bots and known bad hosts
- Passwords: setup strong password enforcement for all accounts
- Detect: detect and block attacks
There are all kinds of other features as well. Besides the features, another reason I have used this plugin for so long is that it’s constantly being developed – and new updates come out all the time. It’s very popular, and the developers take great care of it.
Every webhost has some kind of backup, and normally that’s not something you even think of (unless you’ve had to use it). Many (if not most) webhosts have a clause in their TOS (terms of service) stating they are “not responsible for your data”. The bulk of the time there is only a single backup copy at any given time (taken every day or once a week), and some charge a fee for any backup restore.
For most people a web site is an investment over time. The information is usually used to generate sales and leads of some kind. If your website was lost tomorrow you probably couldn’t even calculate the monetary damages in terms of lost revenue and reputation. Odds are you probably couldn’t put a price on time invested – and may not even have a way to restore all your incremental changes from your own records.
You have insurance on your house, car, health, life, and usually your business. One thing nobody seems to have insurance on is their website. At the Enterprise level, corporations call this “disaster recovery”. They put a disaster recovery plan in place to mitigate a loss of data for web applications – and they even test it multiple times per year to ensure everything is backed up, working properly, and if they had to do a restore it would work.
Believe it or not, it’s not that hard to do the same for yourself (without a whole lot of tech know-how). What you want is “off-site versioned backup”. Think of this as an online safety deposit box that stores your website files and database. It stores a new version every day (for the amount of days you specify), and then you can restore your website to any point in time (within the amount of days you have saved).
Storing copies of your website “offsite” means storing them away from your webhost. If your webhost has a data center problem, security breach, hardware failure, or you just want to move – all your data is stored independent from them, ready to be restored at any point in time from the versions you have.
This may all sound a bit techie, but you can buy a simple plugin called Backup Buddy that takes care of it all for you. It can store copies of your website offsite in the cloud (Amazon S3), email, dropbox, Rackspace cloud, or even FTP on another server.
Another option (the one I personally use) is the Manage WP service. ManageWP is a web service that allows you to manage multiple WordPress websites from one dashboard. It also has options to backup all your files and database to the Amazon S3 Cloud, dropbox, email, FTP, and more. You can clone, migrate, or restore a complete website in just one click.
If you choose one of these options, your “disaster recovery plan” isn’t complete until you actually restore your website from the most recent backup (to make sure everything works).
WordPress is a very mature CMS out of the box with some pretty good built in security. What we didn’t mention (yet) was the common sense baseline approach – be sure to keep your WordPress core, theme, and plugins all up to date. Remove any themes or plugins your not using, minimize who you grant admin access too, and consider using one or more techniques we talked about in this article to give you an extra layer of hardened protection. Having multiple backups to restore from and a tested plan will also protect your website from being lost in the event of a disaster.
You have insurance for everything else in your life – shouldn’t your website be just as important?