This is the last post in the series on WordPress security. In previous posts I’ve covered how to diagnose an attack, how to clean up your WordPress site and how to keep your site secure. After my site was hacked, I reached out to my network of techie friends to see if anyone had recommendations on WordPress security. Luckily Jim Spencer of JBS Partners answered my call. JBS Partners is a full service WordPress design and development company and Jim has helped numerous clients get their site back online after a security breach. I’m very thankful to have Jim lending his expertise in this guest post.
Keeping WordPress secure requires some initial effort and then ongoing maintenance, but it is not harder than teaching a Corgi to ride a pogo stick.
Here is where to start:
Managed WordPress hosting is becoming a popular hosting option and typically includes the following advantages over a garden variety shared hosting account:
- Security monitoring
- Automatic updates for WordPress
- Free clean up after getting hacked (which rarely if ever happens)
- Support from staff who know WordPress
- CDN (content delivery network) to speed up your site
- Staging or development server
- Secure backups stored separately from your site files.
Expect to pay between $30 and $100 or more per month for this kind of managed service. If your budget or requirements can’t support Managed WordPress hosting, ensure that your host is keeping the operating system, web server, database and other fundamental software up to date and has proven backup systems in place.
Once your site is installed, create a new user for day-to-day writing. Anyone who will primarily be authoring rather than administering, including the site owner, should have that account’s role set to “author”. Use this account for publishing.
Then create a new user with “admin” privileges but with a unique name, one that is not “admin” and is not your name. Using “admin” as the username hands an attacker one of the two pieces needed to log in to your site; the same is true of your name. Once the new account is created and tested, delete the original “admin” account.
Your password must be unique – that means not used anywhere else in the universe. It should be long, meaning more than 8 characters, and it should be complex, mixing letters, numbers and other characters.
Using RoboForm, LastPass or 1Password will allow you to use very complex passwords without having to remember them all. There are also articles explaining various systems for creating and remembering passwords, whether keyboard or keyword based; it is worth the effort.
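As an added illustration (not code from the post), here is a small Python policy check for the three properties above, plus a generator that draws a conforming password from the operating system’s CSPRNG. The symbol set and the default length of 20 are assumptions for the example; uniqueness across sites is exactly what a password manager is for and cannot be checked locally.

```python
import secrets
import string

# Character classes the post asks for: letters, numbers and other characters.
# The symbol list below is an assumption for this example.
LETTERS = string.ascii_letters
DIGITS = string.digits
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def meets_policy(password, min_length=9):
    """True if the password is longer than 8 characters and contains at least
    one letter, one digit and one symbol. Uniqueness across sites cannot be
    checked here; the password manager is what enforces that."""
    return (
        len(password) >= min_length
        and any(c in LETTERS for c in password)
        and any(c in DIGITS for c in password)
        and any(c in SYMBOLS for c in password)
    )


def generate_password(length=20):
    """Draw from the CSPRNG until a candidate satisfies the policy; rejection
    sampling keeps every conforming password equally likely."""
    if length < 9:
        raise ValueError("length must be greater than 8")
    alphabet = LETTERS + DIGITS + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    print(generate_password(24))
```

Paste the generated value straight into the password manager rather than into a note; the manager, not your memory, is the place it lives.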
Unless you rent a bare metal server, all hosts tell you that they provide backups. Unfortunately, far too many are not able to provide the restoration of files that you need after being hacked. Find out how often your site is being backed up. Know the day and time that backups occur.
The more frequent the backups and the longer they are stored the better. In some cases a compromise is not noticed visually for a long time, sometimes longer than the backup retention period, at which point every stored backup already contains the problem. To combat this issue of not noticing, start monitoring your site.
Set up more than one type of site monitoring to be notified immediately of changes to your site. There are paid and free services including Pingdom, UpTimeRobot and ChangeDetection. Each offers different monitoring, notification and API usage options. Pricing ranges from free to enterprise pricing.
You want to know that the site is up, but also that the text is readable. Why? In some cases I have seen a site return a Server Response Code 200 (the typical uptime monitoring test), but the home page was showing a long technical coding error message and no content. Testing for both the server status and specific words on the home page avoids this false positive.
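The status-plus-content check described above, written out as an added Python example (not code from the post or from any of the services named). The expected words, the forbidden words and the URL are constructed values for the example; the forbidden-words list is an addition that catches the “200 but showing a PHP error” case without the owner having to guess every phrase that could go missing.

```python
import urllib.error
import urllib.request

# Constructed settings for this example: words that must appear on a healthy
# home page (pick the site title, tagline or a menu label), and text that
# should never appear (a PHP fatal error is typical WordPress failure output).
EXPECTED_WORDS = ("Example Site", "Recent Posts")
FORBIDDEN_WORDS = ("Fatal error", "Parse error")


def evaluate_response(status, body, expected_words=EXPECTED_WORDS,
                      forbidden_words=FORBIDDEN_WORDS):
    """Return (healthy, reason) for one fetched home page.

    A page is healthy only if the status is 200, no forbidden text is
    present and every expected word is present; checking content as well
    as status is what catches the '200 but showing an error' false positive.
    """
    if status != 200:
        return False, f"status {status}"
    lowered = body.lower()
    for word in forbidden_words:
        if word.lower() in lowered:
            return False, f"error text found: {word}"
    missing = [w for w in expected_words if w.lower() not in lowered]
    if missing:
        return False, "missing words: " + ", ".join(missing)
    return True, "ok"


def check_site(url, expected_words=EXPECTED_WORDS,
               forbidden_words=FORBIDDEN_WORDS, timeout=15):
    """Fetch url and evaluate it; any network failure counts as unhealthy."""
    request = urllib.request.Request(url, headers={"User-Agent": "site-check/1.0"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
            return evaluate_response(resp.status, body, expected_words, forbidden_words)
    except urllib.error.HTTPError as err:        # 4xx/5xx raise before we see resp
        return False, f"status {err.code}"
    except (urllib.error.URLError, OSError) as err:   # DNS, TLS, timeout, refused
        return False, f"unreachable: {err}"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "https://example.com/"  # placeholder URL
    healthy, reason = check_site(target)
    print("OK" if healthy else "ALERT", reason)
    sys.exit(0 if healthy else 1)
```

Run it from cron on a machine other than the web server and alert on a non-zero exit; the separate host matters because a monitor running on a compromised server cannot be trusted to report honestly.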
In addition there are plugins like https://wordpress.org/plugins/wordpress-file-monitor-plus/ that will send you an email every day listing every file in WordPress that was modified that day. Some changes are normal and you will get into the rhythm of seeing what is normal and what requires further investigation.
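To show what such a daily file report is doing underneath, here is an added Python example (my own, not the plugin’s code) that hashes every file under the web root, stores the result as a manifest, and on the next run reports which files were added, removed or modified. The directory layout in the demo is a constructed stand-in for a real install, and the manifest file should live outside the web root so it is neither served to visitors nor picked up by the scan.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root, ignore_prefixes=()):
    """Map each regular file under root (relative POSIX path) to its SHA-256.

    ignore_prefixes lists relative paths to skip, e.g. a cache directory
    whose churn you have decided is normal; leave it empty to see everything.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel.startswith(prefix) for prefix in ignore_prefixes):
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
        manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(old, new):
    """Classify changes between two manifests; sorted lists keep reports stable."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def run_scan(root, manifest_file, ignore_prefixes=()):
    """One daily run: compare against the stored manifest, then replace it.

    Keep manifest_file outside the web root so it is neither served nor
    included in its own scan.
    """
    manifest_path = Path(manifest_file)
    old = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    new = build_manifest(root, ignore_prefixes)
    manifest_path.write_text(json.dumps(new, indent=2, sort_keys=True))
    return diff_manifests(old, new)


def demo():
    """Constructed sample site in a temp dir: two scans around a set of edits."""
    work = Path(tempfile.mkdtemp())
    site, manifest = work / "site", work / "manifest.json"
    (site / "wp-content" / "plugins").mkdir(parents=True)
    (site / "index.php").write_text("<?php // constructed placeholder\n")
    (site / "wp-content" / "plugins" / "hello.php").write_text("<?php // v1\n")
    first = run_scan(site, manifest)           # first run: everything is 'added'
    (site / "wp-content" / "plugins" / "hello.php").write_text("<?php // v2\n")
    (site / "wp-content" / "dropped.php").write_text("<?php // new file\n")
    (site / "index.php").unlink()
    second = run_scan(site, manifest)          # second run: one of each kind
    return first, second


if __name__ == "__main__":
    first_report, second_report = demo()
    print("first scan :", first_report)
    print("second scan:", second_report)
```

The interesting lines in a real report are new PHP files in places that should only hold uploads or cached assets, and modifications to core or plugin files on a day when nothing was updated; an update day produces a long but explainable list.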
5 - WordPress Security Plugins
Plugins are the go-to tools in WordPress for adding functionality. The official WordPress repository has over 33,000 plugins available for all kinds of useful purposes. As with other aspects of a site, if you don’t understand what the plugin does or how to correctly configure it you are entering a danger zone.
I have seen clients get locked out of their own sites over and over due to the settings of their security plugins. I have read about Google being banned from a site due to misconfigured security plugins. This was discovered through Google Webmaster Tools. So, study up on the settings or hire help.
Here are a few categories to organize your thoughts on security plugins.
- Defense and modification
There are hundreds of WordPress security related plugins. Be selective in only choosing what you are comfortable configuring. Some plugins listed below are single purpose while others are more like “Swiss Army knife” plugins.
- WordFence – 2,825,000 downloads – https://wordpress.org/plugins/wordfence/
- iThemes Security – 2,971,000 downloads – https://wordpress.org/plugins/better-wp-security/
- Sucuri – 410,000 downloads – https://wordpress.org/plugins/sucuri-scanner/
- WordPress Simple Firewall – 78,000 downloads – http://wordpress.org/plugins/wp-simple-firewall/
The possibilities for further hardening a WordPress installation are extensive. Consider two-factor authentication, custom login links, limiting access by IP address, resetting permissions on files, using SSL and more if you are technically advanced and have additional requirements.
The fact that all of these plugins and modifications can be made does not imply that WordPress is insecure. These are additional steps available when circumstances justify them. There is no doubt a point of diminishing returns once you have the basics covered.
If you approach security through the five themes covered above, you can come home, check your website and smile.
- Choose a premium managed hosting provider and keep all of your code up to date
- Use complex usernames and passwords
- Backups – verify and know the schedule and retention policy
- Monitor, monitor, monitor
- Selectively install and configure security plugins you understand
Written by Jim Spencer
Jim is located in the Boston area where he manages two companies focused on helping clients strategically manage the inception, hosting, maintenance, marketing and migration of websites on WordPress.
Photo credit: MorgueFile