WordPress Security I

During the last few weeks there has been a very large scale botnet attack on WordPress sites targeting the admin user account. Because of this I have removed all instances of the admin user name from login credentials and will be implementing further security enhancements, as the rise in WordPress popularity is likely to encourage more of these sorts of attacks in the future. Towards this end, I have created a series of tutorials which I hope will help to explain some of the steps necessary to protect WordPress based sites from hacking. This is the first of three posts in the series. I hope you like…

When you build a website using WordPress, security is not a one-size-fits-all situation and there is no perfectly secure WordPress environment. There are, however, a number of easy to maintain, practical steps you can take to ensure that your WordPress installation is secure and your data is protected. For this tutorial, I'm going to assume you are not hosting the site internally and have chosen a good quality ISP. If your ISP is not very good, or you are hosting on a home or business machine, I suggest you consider changing to a reputable hosting company immediately. Maintaining security on a WordPress web site is a relatively simple task; maintaining security on a server accessible to the public is a full time job, and is simply too costly and demanding to be practical for most small to medium sized businesses.

Step #1 Do not host your site internally. Host your site with an established Web Hosting Company, whose job it is to maintain their servers 24/7.

Look for the following features in your ISP: daily, weekly, and monthly backups; dedicated hosting plans; 24/7 technical support; technical phone lines that answer the phone within 2-3 minutes, speak English and actually know what they are talking about. I can't emphasize this enough, so call your prospective ISP a couple of times during the day and once or twice at 2-3 in the morning. If they answer and the technicians actually appear to know their stuff, then they are a good candidate for hosting your site.

Personally, I recommend Bluehost to most of my clients, but Hostgator, Inmotion, and Site5 are excellent too. For even higher tier hosting solutions I recommend Synthesis and WordPress Engine. Beyond this we are looking at more serious offerings such as Rackspace and cloud based AWS solutions, which is well above anything you would be likely to require for a simple WordPress site.

When choosing a hosting plan, choose the plan that best meets your hosting needs as they are today and in the near future: not three to five years from now, but where you realistically expect to be in the next year or so. If bandwidth is an issue, choose something with adequate headroom, and do your homework: if you're planning on emailing 50,000 clients every other day, make sure they can handle it. Next, and this is most important, don't use a shared hosting plan. The reason is that even if your ISP is running the latest and greatest, most secure, stable version of your server software, you're still just as vulnerable as the least secure site on your shared server, and if you're not personally controlling those sites then you can't ensure your website is adequately protected.

Step #2 Do not use a shared hosting plan (unless you are personally maintaining all the accounts on it.) If you are on a shared server, your website can be compromised even if you have taken all precautions against it.

Next, passwords… As absurd as it may seem, one of the most common ways of breaking into web sites is to brute force your way in by simply guessing the password. Here is a list of the ten most popular passwords, and if you use anything that looks even remotely like this I recommend you change it immediately.

    1. 123456
    2. password
    3. 123456789
    4. welcome
    5. ninja
    6. abc123
    7. qwerty
    8. 12345678
    9. princess
    10. sunshine

Step #3 Use a well designed password at least 12 characters in length, consisting of capital and lower case letters, numbers, and symbols. It should never be an actual word, saying or name.

Furthermore, remove all standard user names, specifically admin, if you have an older WordPress installation. Here is a link to a WordPress Password Generator that you may find useful for your sites and that will encourage people to choose more secure passwords.
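As an added example (not code from the original post or from WordPress itself), here are the Step #3 password rules, the ten-password list above, and the admin user name check expressed as a single policy check. The reserved user name set and the sample credentials are constructed for illustration; the minimum length and character classes are taken from Step #3.

```python
import re
import string

# The ten passwords listed in the post, used here as a constructed blocklist.
COMMON_PASSWORDS = {
    "123456", "password", "123456789", "welcome", "ninja",
    "abc123", "qwerty", "12345678", "princess", "sunshine",
}

# Default user names the post says to remove; "admin" is the one it names.
RESERVED_USERNAMES = {"admin"}

MIN_LENGTH = 12  # Step #3: at least 12 characters


def check_password(password: str, username: str = "") -> list[str]:
    """Return the Step #3 rules the password violates (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    # Strip digits and symbols so "Password123!" is still caught as "password".
    core = re.sub(r"[^A-Za-z]", "", password).lower()
    if password.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("based on a commonly used password")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    return problems


def check_username(username: str) -> list[str]:
    """Flag default account names that the post recommends removing."""
    if username.lower() in RESERVED_USERNAMES:
        return ["reserved default user name"]
    return []


if __name__ == "__main__":
    # Constructed sample accounts: one that fails every rule, one that passes.
    for user, pw in [("admin", "Password123!"), ("editor_jane", "k7$Vq!mZ2pLw@r9")]:
        print(user, check_username(user), pw, check_password(pw, user))
```

Passing this check is a floor, not a guarantee: it enforces the post's stated rules and blocks the listed passwords, but it cannot judge whether a passing string is unique to this site.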

Next, make sure your site is running the latest updates; this includes your plugins, WordPress itself and your theme. Remember not all updates are equal. Major security holes should take priority over all other projects, especially if there is an exploit being heavily leveraged in the wild.

Step #4 Keep your WordPress installation up to date: plugins, drop-ins and theme.

Congratulations, for 90% of you the above 4 steps are all you have to do. For those looking to "really" lock down WordPress, tomorrow's article will describe how to harden WordPress so it's even better defended. It's going to be really dry though, so I'm still debating if I will email it. Let me know if you think you would be interested in finding out more about securing WordPress through a structured containment policy with secured file permissions, server-side password protection, renaming administration and .htaccess.