Improve and Increase your WordPress Security

by Brittany Horton on September 12, 2011

The world of the internet is never 100% safe. Have you ever wondered what would happen if your site got hacked? Not only does it cause errors on your page for your users and make them distrust you, but it also causes the spiders used by search engines to distrust you because of the hacked content and code.

So, what do you do?

WordPress developers have done a great job to add security improvements to each and every release of their program, but hackers still can find holes. You need to follow these steps to improve and increase your WordPress security.

1. Choose a good hosting company. First, make sure that you choose a good hosting company to host your WordPress blog or website. We have always chosen to trust the Rackspace Cloud; they have fast and secure servers that we have always been able to rely on. Learn more about why we trust them in our IT tale.


2. Choose a good theme that has kept security in mind. We have discussed the advantages of a theme framework before, and security is one of those reasons. If you purchase or use a professional theme that follows security standards, then you are automatically increasing your WordPress security. If you do not have a professional theme or framework, make sure to follow the other steps below to keep your WordPress blog or website safe.

3. Always keep up to date with the latest WordPress version. Each time WordPress comes out with a new release, it is not only for new features and upgrades; it is also for patching security problems or bugs that have been found. When you see the small yellow bar across the top of your dashboard letting you know that an upgrade is available, make sure that you upgrade. Click on the WordPress version link to see the changelog, or click on “Please update now” to begin your upgrade. Make sure to back up your files and database before upgrading to a new WordPress release. In most cases you will not have issues upgrading, but in some cases a plugin or theme may not work properly with the newer version. If you do not see this warning, or have hidden it, but know that you need to upgrade, you can go to the “Updates” tab under “Dashboard” in the WordPress menu.

4. Create a good password. When you set up your WordPress blog or website, you have to choose a username and password for your account. Make sure that neither of these is easily guessed or found using spiders. When you are choosing a password, use a mix of capital and lower case letters, numbers, and special characters, and avoid any word or phrase that could easily be guessed. You also, of course, want to follow the password guidelines provided by WordPress.

5. Do not use the default “admin” username. When you created your blog, you may have kept the default username of “admin.” If you used a one-click install provided by your hosting company, you were most likely assigned the username admin. This username is not safe: since it is the default, hackers already know it, and knowing your username gives them a head start and makes it easier for your site to be hacked. Because WordPress will not let you edit an existing user’s username, the best way we found to change it is to create a new user (WordPress will not let you use the same email address, so first change the email address on the default admin user to a test address). Create a new user with a custom username, give them administrator abilities, and then go back in and delete the admin user. Make sure to record this new username and your good password from the previous step.

6. Keep your plugins up to date. Just as with WordPress releases, you want to keep the plugins you have installed up to date. Plugins can also introduce security holes, and plugin developers plug holes and bugs as they are found and provide upgrades. Again, make sure to back up your files and database before updating a plugin. If you run into any issues, like the WordPress white screen of death, we have some troubleshooting tips here.

7. Delete any unused plugins. Not only do you want to update plugins as updates become available, you also want to delete any plugins you are not using. Unused plugins that are left installed can leave holes in your WordPress install open. Deleting them ensures that those files and programs can no longer be used to reach your site.

8. Backup your database and files. This is not only important for several of our other tips, it is also a tip in itself. Keeping your files and database backed up is a huge security advantage. If anything happens to your WordPress install, you want a recent backup to revert to, and that includes security issues like being hacked. If your site gets hacked, you can revert to your latest backup and hopefully not lose much, or any, data. We have run into this before with content management systems similar to WordPress: the site stopped working properly, and we found that it had been hacked. In that case we had recently made a backup that we knew was clean, so we were able to revert to it and restore the site to its normal state. WordPress also lists some things you should do if you find that your site or blog has been hacked. We recommend a backup schedule that matches how often you post: if you post only a few times a week, you probably only need weekly backups; if you post a few times a day, schedule daily backups. Check out this recent post on backing up your WordPress for some more tips.

WordPress Security Keys in wp-config.php


9. Fill in the security keys in wp-config.php. When you first installed WordPress, the installer walked you through setting up your wp-config.php file. If you did not set the security keys near the bottom of this file, do so now. To edit this file, download it with an FTP client (we suggest FileZilla), open it in any text editor, save your changes, and upload it to replace the old wp-config.php. The file is located in your root directory, the same location where you find the wp-admin, wp-content, and wp-includes folders. Don’t know what to fill in for those keys? WordPress helps you figure that one out too. You do not have to remember these keys; they simply make your site harder to hack and crack by adding random elements to your password.
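As an added example (not from the original post), here is the security-key block as it ships in WordPress’s wp-config-sample.php, beside a filled-in version. The filled-in values are constructed for illustration and must not be copied; WordPress uses these eight values to salt its login cookies and nonces, so changing them signs every user out.

```php
<?php
// wp-config.php excerpt (added example, not from the original post).
// A real file contains exactly ONE of the two blocks below.

// WEAK: the placeholder block exactly as shipped in wp-config-sample.php.
// If your wp-config.php still looks like this, the keys were never set.
// (Commented out here so the two blocks do not redefine each other.)
// define('AUTH_KEY',         'put your unique phrase here');
// define('SECURE_AUTH_KEY',  'put your unique phrase here');
// define('LOGGED_IN_KEY',    'put your unique phrase here');
// define('NONCE_KEY',        'put your unique phrase here');
// define('AUTH_SALT',        'put your unique phrase here');
// define('SECURE_AUTH_SALT', 'put your unique phrase here');
// define('LOGGED_IN_SALT',   'put your unique phrase here');
// define('NONCE_SALT',       'put your unique phrase here');

// FIXED: eight distinct, long random strings. Generate your own set at
// https://api.wordpress.org/secret-key/1.1/salt/ and paste its output
// here. The values below are constructed samples for illustration only;
// never reuse them on a real site.
define('AUTH_KEY',         'h7$Kq9!pL2@wM4&zV6*nB8^cX1(rT3)yU5-jE0+gA2=sD4[fG6]kI8{oP1}lZ3|mW5');
define('SECURE_AUTH_KEY',  'R4%tY7#uI0&oP3*aS6!dF9@gH2^jK5(lZ8)xC1-vB4+nM7=qW0[eR3]tY6{uI9}oP2');
define('LOGGED_IN_KEY',    'm2@nB5#vC8$xZ1%lK4^jH7&gF0*dS3(aP6)oI9-uY2+tR5=eW8[qQ1]zX4{cV7}bN0');
define('NONCE_KEY',        'Z9!xC2@vB5#nM8$aS1%dF4^gH7&jK0*lQ3(wE6)rT9-yU2+iO5=pA8[sD1]fG4{hJ7}');
define('AUTH_SALT',        'k3&lP6*oI9!uY2@tR5#eW8$qA1%sD4^fG7(hJ0)zX3-cV6+bN9=mQ2[wE5]rT8{yU1}');
define('SECURE_AUTH_SALT', 'U7(iO0)pA3-sD6+fG9=hJ2[kL5]zX8{cV1}bN4|mQ7!wE0@rT3#yU6$iO9%pA2^sD5');
define('LOGGED_IN_SALT',   'e5)rT8-yU1+iO4=pA7[sD0]fG3{hJ6}kL9|zX2!cV5@bN8#mQ1$wE4%rT7^yU0&iO3');
define('NONCE_SALT',       'x1-cV4+bN7=mQ0[wE3]rT6{yU9}iO2|pA5!sD8@fG1#hJ4$kL7%zX0^cV3&bN6*mQ9');
```

If you later suspect a compromise, regenerating these eight values is a quick way to invalidate every existing session without touching user passwords.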

10. Install BulletProof Security by AIT Pro. The BulletProof Security plugin by AIT Pro walks you through creating, securing, and backing up your .htaccess files to increase the security of your blog. The .htaccess file on your blog is a very vulnerable file, and this plugin helps protect your site from hacking attempts. Along with its .htaccess features, it scans your site for other security vulnerabilities, checks for use of the admin username, removes the WordPress version you are using so that it is harder for hackers to know which one you run, and provides a status page so you can see your security stats in one location.

So, now that you have these ten steps you can take to increase your security, you had better get started! Don’t be too overwhelmed: each step should only take a few moments, and once they are completed you should only have to make updates and upgrades once or twice a month. Do you have any suggestions you follow to keep your blog secure? If so, please list them in the comments below!
