
Sep 19

Keep Your WordPress Site Secure

Cyber Attack

This is the 4th post in a series about WordPress security. If you’re the type that likes to start at the beginning, you can pick up on the full series here. If you’re the sort that likes to jump in with both feet, keep reading about how to keep your WordPress site secure.

1. Choose the Correct WordPress Hosting Solution

There is no one-size-fits-all “best” hosting solution. Choosing a WordPress hosting vendor means picking the solution that works best for you. If you prefer a hands-on hosting solution, you need a provider with a strong security team that can support your questions (and problems) as needed. You may also want the provider to have relationships with web security specialists that you can hire if you need them.

If you never want to worry about WordPress security, consider using the simpler WordPress.com hosting solution. You’ll have far less flexibility but the maintenance is taken care of for you.

2. Monitor Your Website

There are a few free, simple things you can do to monitor your website to be sure it is up and clean. I’m recommending three tools: Pingdom, Google Webmaster Tools and the Wordfence WordPress plugin. Some of these tools may be a bit duplicative, but there’s no cost, so no worries.

Pingdom

Pingdom is a free service that monitors your site and sends you an email notification if your site goes down. It also provides a weekly report of your overall site uptime. If I had gotten this notification I would have caught the problem sooner.

Pingdom's 7 day report

Google Webmaster Tools

This recommendation comes from a commenter on this blog. Bhavesh Desai recommended using Google Webmaster Tools to clean my infected site. As you can see below, Google didn’t detect my infection.

Google Webmaster Tools didn't sense an attack

HOWEVER, Google Webmaster Tools did have concrete evidence of the outage, and if I had set up the email notifications to be more inclusive, I would have been emailed an outage notification.

Set your notifications to be "All Issues"

Google's outage notification

Wordfence

Wordfence is probably the best tool for monitoring your site and protecting it from attack. I only became aware of this WordPress plugin through writing about my site issues and I’m thankful that a previous commenter recommended it to me. The features you get from the free version are very impressive.

Wordfence free features:

  • Realtime security scans
  • Scanning of core WordPress and theme files
  • File repair
  • Malware scanning
  • Backdoor scanning

Congratulations, no problems found. Music to my ears!

If you want scheduled, frequent scans and premium support, you can upgrade to the premium version for $39/year.

3. Monthly Maintenance Plan

Before the hack I was taking a monthly backup of my WordPress database and saving it in the cloud. Dreamhost provides infrequent backups, but I want to have my own monthly backup that I can rely on. Backing up your WordPress database is pretty straightforward once you figure out the command. Here’s a resource on it. It’s pretty techie, but once you figure it out you can save the command and run it quickly.
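As an added example (not the post’s own script or the resource it links), here is a POSIX shell script that reads the database credentials from wp-config.php and takes a dated, compressed dump of the WordPress database. It assumes mysqldump and gzip are installed and that wp-config.php uses the standard define( 'DB_NAME', '...' ) lines; the file and backup directory paths are placeholders.

```shell
#!/bin/sh
# Monthly WordPress database backup (added example, not from the original post).
# Assumes: mysqldump and gzip on PATH; standard define('KEY', 'value') lines in
# wp-config.php; values that contain no quote characters.
set -eu

# Extract the value of define( 'KEY', 'value' ) from wp-config.php.
wp_config_value() {
  config="$1"
  key="$2"
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]${key}['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"][[:space:]]*);.*/\1/p" "$config" | head -n 1
}

# Dump file name: <backup_dir>/<db_name>-YYYY-MM-DD.sql.gz (date defaults to today).
backup_filename() {
  backup_dir="$1"
  db_name="$2"
  stamp="${3:-$(date +%F)}"
  printf '%s/%s-%s.sql.gz\n' "$backup_dir" "$db_name" "$stamp"
}

# Dump the database. The password is passed via MYSQL_PWD rather than on the
# command line so it does not show up in `ps` output or shell history.
backup_wp_db() {
  config="$1"
  backup_dir="$2"
  db_name=$(wp_config_value "$config" DB_NAME)
  db_user=$(wp_config_value "$config" DB_USER)
  db_host=$(wp_config_value "$config" DB_HOST)
  out=$(backup_filename "$backup_dir" "$db_name")
  mkdir -p "$backup_dir"
  MYSQL_PWD=$(wp_config_value "$config" DB_PASSWORD) \
    mysqldump --host="$db_host" --user="$db_user" --single-transaction "$db_name" \
    | gzip -9 > "$out"
  gzip -t "$out"    # verify the archive is complete and not truncated
  chmod 600 "$out"  # the dump holds password hashes and user data: owner-only
  echo "$out"
}

# Example call (placeholder paths):
#   backup_wp_db /var/www/html/wp-config.php "$HOME/wp-backups"
```

Keep the backup directory outside the web root so the dump is never served by the web server, and copy the dated file off the host (the post’s cloud storage) afterwards.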

To keep my site secure, this is my new routine:

  1. Back up the WordPress database as described above – monthly
  2. Review and upgrade WordPress, themes and any plugins – weekly
  3. Run a Wordfence scan – weekly
  4. Check the Pingdom report – weekly

Now if you want to upgrade WordPress core files automatically, you can modify your wp-config.php file to allow for auto upgrades. I went with the “minor” setting, which means minor updates are applied automatically, but I will do major upgrades manually; they are pretty infrequent anyway.

// In wp-config.php. 'minor' is a string and must be quoted: a bare minor is an
// undefined PHP constant (a notice on older PHP, a fatal error on PHP 8).
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

If you have other tips for keeping WordPress secure, put them in the comments below…

Photo credit: Flickr

  • monica blake

    I don’t think that Pingdom is the best and it is not exactly free as the best option you get only when you pay for it and the price is not cheap. I use the software Anturis to monitor everything that happens with my site and I think that Anturis is much better than Pingdom, although it is less branded.

  • Hi @disqus_is7we6VHp5:disqus
    Thanks for your advice. I only use Pingdom to monitor one site so I haven’t experienced any cost. I activated Monitor in Jetpack and that’s been working well, providing “site down” notifications via email. I’m curious as to what features you get in Anturis that you like?