Last week one of my readers asked a very good question:
“Is there anything in particular you recommend to secure a WordPress website? In talking to a tech at my hosting provider, he recommended adding a security plugin. Is that something you recommend? Should I worry about security?”
WordPress security can be a deep and technical topic. Just take a look at the explanation on WordPress.org – Hardening WordPress.
So I thought I would put together a short-list of the basics of WordPress security – the essentials that you need to know about to protect your website.
How Do WordPress Sites Get Hacked?
The most common attacks against a WordPress blog usually fall into 2 categories:
- Attacking specific vulnerabilities in older versions of WordPress or WordPress Plug-ins.
- Attempting to gain access to your blog by using “brute-force” password guessing.
OK, so if that is the case, what can you do to protect your site against those types of attacks as much as possible?
How To Avoid Getting Hacked
Here are the most important basic things to do to secure your WordPress blog/website – no matter which theme you use:
1. Use a good hosting provider
One who is familiar with and supports WordPress. I recommend BlueHost. I’ve noticed a huge variation across different hosting providers in how they handle WordPress installations and file level permissions. BlueHost has always been reliable and secure for me.
2. Keep WordPress up-to-date
WordPress does a good job of identifying issues and updating their code quickly. They will notify you in the Admin Dashboard when new versions are released. Make sure you keep your installation up-to-date.
WordPress update notification in the dashboard
3. Be careful which plugins you install
Only use plugins from the WordPress Plugin directory that have a lot of good ratings and are supported by the author. And keep them up-to-date as well. You will get notifications in the WordPress dashboard when there are updates for the plugins you have installed. Keep your use of plugins to a minimum to simplify updates and reduce the chance of vulnerabilities.
WordPress plugin update notifications in the dashboard
5. Make sure you change the default admin user ID
Create a new administrator account and delete the old “admin” one. When you delete the old account, make sure to “attribute all posts and pages” to your new user ID so you don’t lose your content.
Make sure to attribute your posts to the new user id
6. Back up your WordPress database
Use a plugin like WP-DB-Backup to back up your WordPress database automatically. That way, if you do get hacked, you can restore your site. You can find more WordPress backup options here.
These steps are just the bare minimum – the essentials. If you want to dig into the technical details I’ve added some links to advanced resources below.
Advanced Precautions
There are plugins that help you lock down your WordPress installation and scan for issues. Here are a few:
- Login Lockdown Plugin allows you to limit login attempts to your blog.
- WP Security Scan scans your WordPress installation for common vulnerabilities and provides recommendations on how to fix them.
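To show what a login-attempt limiter like the one described above actually does against the “brute-force” password guessing mentioned earlier, here is a small must-use plugin written for this article. It is an added illustration, not the code of Login Lockdown or of any published plugin, and the limits (5 failures per client address, 15-minute cooling-off period) and the `ex_login_` names are assumptions chosen for the example. Save it as a file in `wp-content/mu-plugins/` and WordPress loads it automatically.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter
 * Description: Illustration for this article, not a published plugin. Counts failed
 *              logins per client address and refuses further attempts for a
 *              cooling-off period. Install under wp-content/mu-plugins/.
 */

// Assumed tuning values: 5 failures within 15 minutes blocks the client for 15 minutes.
define('EX_LOGIN_MAX_FAILURES', 5);
define('EX_LOGIN_WINDOW_SECONDS', 15 * 60);

// Transient name derived from the client address the web server reported.
// Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy, so configure the server
// to restore the real client address first or every visitor shares one counter.
function ex_login_client_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'ex_login_fail_' . md5($ip);
}

// Runs after WordPress's own username/password check (priority 20), so a client
// that is over the limit is refused even if it finally guessed the right password.
function ex_login_check_limit($user, $username, $password) {
    $failures = (int) get_transient(ex_login_client_key());
    if ($failures >= EX_LOGIN_MAX_FAILURES) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}
add_filter('authenticate', 'ex_login_check_limit', 30, 3);

// Count each failure. The transient's expiry gives us the rolling time window:
// once no failure has been seen for the window, the counter disappears by itself.
function ex_login_record_failure($username) {
    $key      = ex_login_client_key();
    $failures = (int) get_transient($key);
    set_transient($key, $failures + 1, EX_LOGIN_WINDOW_SECONDS);
}
add_action('wp_login_failed', 'ex_login_record_failure');

// A successful login clears the counter so a legitimate user who mistyped
// a password twice is not penalised on the next visit.
function ex_login_clear_failures($user_login, $user) {
    delete_transient(ex_login_client_key());
}
add_action('wp_login', 'ex_login_clear_failures', 10, 2);
```

The generic error message is deliberate: telling the visitor whether the username exists, or how many attempts remain, helps a guessing tool more than it helps your readers. Counting by client address is coarse (an office behind one address shares a counter, and an attacker with many addresses spreads attempts across them), so treat a limiter as one layer on top of strong, unique passwords and the plugin-update habit described above, not as a replacement for them. Failed attempts that hit the limit are also worth keeping an eye on in your web server logs, because a sudden rise in them is usually the first sign that your site is being targeted.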
You can also consider using WordPress security keys, as described in this post on WP Beginner.
This presentation also goes into some more advanced topics on WordPress Security – How to Protect WordPress.
Discuss!
What are you doing to keep your WordPress blog or website secure? Do you have any questions about it? Let’s discuss it in the comments below!
WordPress is a great tool, but like anything can have vulnerabilities. Though blogging is a huge part of online marketing, some people are still hesitant to put their information on the web. Thanks for sharing these tips to help keep your blog secure.
My pleasure Nick. Nice to hear from you.
An ounce of prevention …is worth a pound of cure.
Thanks for the insight on this post. I have several clients that have been very sloppy with their maintenance and password security. Because of this, one of them was recently hacked and called me in a panic because their site was being re-directed.
Several hours and phone calls later, he was back in business (with a big lesson learned by the client).
Believe me, adding a few plug-ins and regular upkeep (the prevention part) to keep your site safe will save you many, many hours of frustration (the cure part) if you need to un-hack your site.
Thanks for the post, Don.
I just learned about the security keys and have implemented them on my blog. I have noticed quite a bit more spam comments than normal.
What do you recommend for spam comments?
Thanks for the article Don. Always a pleasure.
Hi Scott,
I use either Akismet (which requires a WordPress API key) or the WP Captcha Free plugin which doesn’t require one. I also require moderation of comments before they go live. Both work pretty well for me.
Don,
Thanks for the article; very timely I must say.
I kept putting off adding some of the very security measures you mentioned in your post; much to my dismay (and considerable anguish) my site was recently hacked, literally costing me over a thousand dollars to recoup the lost time and money I could have been making.
Like Nick and Eric mentioned, WordPress is a great tool, but laziness and lack of proper security can cost dearly! I won’t be making that mistake again.
By the way, what chat service/plugin is in use on Expand2web’s site? I’m looking into online chat and would like to research this one.
Thanks.
Hi Reggie,
Wow that’s quite a story. I’m sorry your site was hacked and I’m glad you’ve got it sorted out now. The live chat plugin I’m using in the sidebar is just Google Talk’s chat. You can get it here.
Hi Don
WordPress security is something to take seriously.
When I first set up my site I started to hear about hacked sites so I stopped writing posts and set up a few security measures.
This post is a fantastic summary of what every WordPress user should be doing.
Nice one Don.
Hi Don,
I had already put all your regular suggestions to use and feel great to have them in place. However, I was just wondering yesterday if there were any other steps that I might want to consider, and what hits my inbox today? Your post with advanced strategies.
Thanks bunches,
Jenn
A great primer, Don, for all of us struggling to bring our WordPress websites up to speed!
Hey Don,
I’ve been wondering about this, even worrying, ’cause I’ve heard about security issues regarding WordPress, primarily because these blogs are high targets for hackers… so, thanks a lot for this informative article!
Hi Don
Might pay to install the WordPress Firewall plugin by SEO Eggheads – don’t ask me what it does technically but it’s one of the plugins that John Hoff recommends in his WordPress security eBook.
Don – this is great info to have. We just started using WordPress for our business blog since Google changed its crawling methods.
Thanks for sharing this information.
I use some of them, but will add more. To make sure I can sleep at night.
Install the wp-security-scan plugin and perform a regular scan of your blog settings for any security loopholes. This plugin can also help you to change your database prefix from wp_ to a custom prefix.
Good post about WP security, really, I thank you more.
An awesome plugin and tutorial.
Thanks a lot, man.
Continue to keep up sharing informative blog. I really enjoyed reading this.