How Secure Are Your WordPress Sites?
After 3 frantic days without sleep my site is back online and hack free. On reflection I have made mistakes as my site was simply open to hacks. In this article I’m going to cover what steps you can take to make your site more secure so you don’t experience what I have been through.
Hide WordPress Version Details
Firstly, make sure all of your WordPress sites are using the latest version of WordPress. I made the big mistake of not updating to the latest version, as my custom theme was not compatible with version 3 of WordPress. To be honest, this was a stupid mistake. WordPress frequently releases updates which fix security issues, and ready-made attack tools for old WordPress versions can be downloaded freely, so an out-of-date install can be attacked within minutes. If any of your sites are using an old version of WordPress, you have a higher risk of being hacked.
Related to this, don't advertise which version of WordPress you are using. A default WordPress install reveals the version in the page source, as below.
Change the meta name so it looks something like the example below.
Change WordPress SQL Table Prefix
I would say that perhaps 99.99% of WordPress installs use the wp_ SQL table prefix. This again is a mistake. Simply changing the prefix to something else means that many of the current automated hacks, which assume the wp_ prefix, will not be able to attack your site.
Move The WP-Admin Folder
Again, most WordPress installations have the admin folder in the standard position. Simply moving this folder to another location will make your site more secure.
File Permissions
Think about the file permissions of your site; otherwise you are in effect giving the whole world access to hack your site. Use the settings as below.
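The version tag, table prefix and file permission checks above can be scripted so you can audit every install the same way. The following is an added example, not code from the original post; it assumes you have a copy of the page's <head>, the text of wp-config.php and the document root on disk, and uses constructed sample inputs in place of a real site.

```python
import os
import re
import stat
import tempfile
from typing import List, Optional

# Constructed sample inputs: a page <head> and a wp-config.php fragment from a stock install.
SAMPLE_HTML = '<head><meta name="generator" content="WordPress 2.9.2" /></head>'
SAMPLE_WP_CONFIG = "<?php\n$table_prefix = 'wp_';\n"

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress[^"]*"', re.I)
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]")

def leaks_version(html: str) -> bool:
    """True if the page advertises its WordPress version in the generator meta tag."""
    return GENERATOR_RE.search(html) is not None

def table_prefix(wp_config: str) -> Optional[str]:
    """Return the $table_prefix value from wp-config.php source, or None if not set."""
    match = PREFIX_RE.search(wp_config)
    return match.group(1) if match else None

def world_writable(docroot: str) -> List[str]:
    """Relative paths under docroot whose mode grants write access to 'other' (o+w)."""
    found = []
    for root, dirs, files in os.walk(docroot):
        for name in dirs + files:
            path = os.path.join(root, name)
            if os.lstat(path).st_mode & stat.S_IWOTH:
                found.append(os.path.relpath(path, docroot))
    return sorted(found)

def audit(html: str, wp_config: str, docroot: str) -> List[str]:
    """Collect findings for three of the checks the post recommends."""
    findings = []
    if leaks_version(html):
        findings.append("version advertised in generator meta tag")
    if table_prefix(wp_config) == "wp_":
        findings.append("default wp_ table prefix in wp-config.php")
    findings += [f"world-writable: {p}" for p in world_writable(docroot)]
    return findings

def audit_sample() -> List[str]:
    """Run audit() against a constructed docroot containing one world-writable file."""
    docroot = tempfile.mkdtemp()
    cfg = os.path.join(docroot, "wp-config.php")
    with open(cfg, "w") as fh:
        fh.write(SAMPLE_WP_CONFIG)
    os.chmod(cfg, 0o666)  # deliberately too permissive, so the audit should flag it
    return audit(SAMPLE_HTML, SAMPLE_WP_CONFIG, docroot)
```

A clean install should return an empty list from audit(); each finding maps to one of the sections above.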
Common WordPress Themes
Be very careful with common WordPress themes that are used on thousands of sites. For example, it would be easy to release a free theme with a security hole and then attack everyone who uses it. If you are using a well-known theme, then at least rename the theme folder and change the theme meta name.
Common WordPress Plug-ins
Again, popular plug-ins have been subjected to hacks. Use as few plug-ins as possible and try to install them under a folder name other than the default plug-in folder. Also, where possible, remove meta names and similar identifying details.
Administrator Login Details
Don't use simply "admin" as your main administrator login. Also use a strong password to resist brute-force attacks; there are many apps available online to generate secure passwords.
Backups
Make sure you have, at the very least, a weekly backup of your SQL database plus a full database export using the WordPress Tools option. Also make sure you have a copy of all custom theme files.
At the end of the day, no site is ever going to be 100% secure. There is, though, no doubt that if you break away from a standard WordPress install, you are going to reduce the chances of being hacked.
I will say that having one of my best earning sites hacked has been a wakeup call. Perhaps now the time has come for me to develop my own CMS so I can vastly reduce worries of future hacks.
In the next post I will talk about how to spot WordPress hacks. Remember, not all attacks will take your site offline!