WordPress is one of the most popular content management systems (CMSs) available, partly because it’s easy to use and there is a tremendous amount of support. To get the inside scoop on securing WordPress I contacted my colleague Brandon Zundel, a programmer and WordPress expert. According to Brandon, “Hacks vary. Sometimes they’re blatantly obvious. Sometimes they’re easy to clean up; other times not.”
He said, “One of the things that amazes me is people rely way too much on firewalls and scan tools. Scan tools are great and they will get 90% of the infection but if you miss one back door, the hackers will be coming back. The only real way to clean out the hack is to hire a developer like myself or someone who knows PHP to go through every file to find the malicious code and files and get rid of it.”
1. The whole point is not to get hacked in the first place. The host isn’t necessarily the problem; it’s how your site is protected. Brandon’s recommendation for hosting is Liquidweb, and some major reasons for that are uptime and support. With Liquidweb, if he runs into trouble he can get someone on the phone or live chat within two minutes, no matter the time of day.
Ed Note: Another option is Siteground, which has been given a strong recommendation by popular blogger Jon Morrow.
2. Once you choose a host and install WordPress, back up the database and the files and do that daily.
3. Store the backup in the cloud. Do not store it on the server. Brandon recommends Google Drive for backups. If a hacker gets onto the site, they will mess around with the WordPress files and other files on the server, and they will corrupt any backups stored there.
4. To back up your files, a good, free plugin is UpdraftPlus. It will upload the files wherever you want, such as Amazon, Google Drive, etc. It can also send them by FTP, email the files to you, etc.
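Steps 2 through 4 boil down to one daily job: archive the files and a database dump, verify the copy, and keep it off the server. The script below is an added example written for this article; it is not UpdraftPlus code or anything from Brandon. It bundles a site directory and a dump file into a timestamped tar.gz, writes a SHA-256 sidecar so the copy can be verified after it has been moved off the box, and prunes old archives from the local staging directory. The paths, the retention count and the `demo()` site tree are assumptions; the database dump is a constructed stand-in, where a real job would run `mysqldump` first, and the upload to Google Drive or another off-server location is left to whatever tool you use for that.

```python
"""Minimal daily WordPress backup job (added example, not the plugin's code)."""
import hashlib
import tarfile
import tempfile
from pathlib import Path

RETENTION = 7  # assumed: keep a week of daily archives in local staging


def sha256_of(path):
    """Stream a file through SHA-256 so large archives don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(site_dir, db_dump, staging, stamp):
    """Bundle site files + DB dump into staging/wp-backup-<stamp>.tar.gz and
    write a .sha256 sidecar beside it. Returns the archive path."""
    staging.mkdir(parents=True, exist_ok=True)
    archive = staging / f"wp-backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")   # wp-content, wp-config.php, ...
        tar.add(db_dump, arcname="db.sql")  # output of mysqldump
    sidecar = archive.with_name(archive.name + ".sha256")
    sidecar.write_text(f"{sha256_of(archive)}  {archive.name}\n")
    return archive


def verify_backup(archive):
    """Re-hash the archive against its sidecar and confirm it unpacks with both
    halves present. Run this on the OFF-server copy, not only where it was made."""
    sidecar = archive.with_name(archive.name + ".sha256")
    expected = sidecar.read_text().split()[0]
    if sha256_of(archive) != expected:
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            names = set(tar.getnames())
    except (tarfile.TarError, OSError):
        return False
    return "db.sql" in names and any(n.startswith("site/") for n in names)


def prune_old(staging, keep=RETENTION):
    """Delete all but the newest `keep` archives (and their sidecars).
    Timestamps in the name sort lexicographically. Returns the names removed."""
    archives = sorted(staging.glob("wp-backup-*.tar.gz"))
    doomed = archives[:-keep] if keep else archives
    removed = []
    for old in doomed:
        old.with_name(old.name + ".sha256").unlink(missing_ok=True)
        old.unlink()
        removed.append(old.name)
    return removed


def demo(tmp=None):
    """Dry run over a constructed site tree: three 'daily' backups, one verified,
    one tampered with, then pruned to the two newest."""
    tmp = Path(tmp or tempfile.mkdtemp())
    site = tmp / "public_html"
    (site / "wp-content" / "uploads").mkdir(parents=True)
    (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp'); // constructed\n")
    (site / "wp-content" / "uploads" / "a.txt").write_text("constructed upload\n")
    dump = tmp / "db.sql"
    dump.write_text("-- constructed stand-in for mysqldump output\nCREATE TABLE wp_posts (ID int);\n")
    staging = tmp / "backups"
    for day in (1, 2, 3):
        make_backup(site, dump, staging, f"2024010{day}-020000")
    archives = sorted(staging.glob("wp-backup-*.tar.gz"))
    verified = verify_backup(archives[-1])
    with open(archives[0], "ab") as f:       # simulate a corrupted/altered copy
        f.write(b"junk")
    tamper_detected = not verify_backup(archives[0])
    removed = prune_old(staging, keep=2)
    return {
        "verified": verified,
        "tamper_detected": tamper_detected,
        "removed": removed,
        "remaining": sorted(p.name for p in staging.glob("wp-backup-*.tar.gz")),
    }


if __name__ == "__main__":
    print(demo())
```

The sidecar hash is the part people skip: a backup that was never verified after upload is a guess, not a backup. Schedule the job with cron and test a restore of the off-server copy now and then, not only when you need it.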
One thing to realize is it’s very rare for the database to get corrupted by a hack. It’s usually just the files. Most hackers want your server’s resources to hack more sites or they want to send spam email. They don’t want or care about your site.
When you install a WordPress site, you need to take away the low-hanging fruit. It’s important to realize there’s no way you’re going to stop a determined hacker. If a hacker has a vendetta against you and personally wants to break your site, there isn’t a plugin you can buy that will stop them.
5. Hackers are going through thousands of sites and if you make it a little bit hard for them, then most of them give up. After backing up your site the next thing is to secure your admins. Don’t use anything obvious in the user name. Examples are “admin,” or any part of your site name. Other obvious names are “root,” “administrator,” “webmaster,” etc. Note that a brute force attack is used to hack your user name and it’s all automated.
Ed Note: I use LastPass for my password security. I’ve set it to 20 characters, alphanumeric and special characters.
6. You need to keep WordPress and all of your plugins up to date. If you don’t update them, you will get hacked. 85% of the hacks are due to XSS vulnerabilities within the plugins. This also underscores the reason why you back up your installation. If you install a new plugin and something breaks, you can revert to a previous installation.
7. Install Wordfence. If a hacker gets in, one of the first things they will do is to modify your files and Wordfence will detect that immediately. It checks your files every day so you’ll know within 20 hours if you’ve been hacked. It will also check for files that seem malicious. You need to add your email address so you get alerts.
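What Wordfence does on its daily pass is a file-integrity check: hash every file, compare against a known-good baseline, and look at what changed. The script below is an added example written for this article to show that mechanism; it is not Wordfence code. It builds a SHA-256 manifest of a site directory, reports files that were added, removed or modified against a saved baseline, and applies two cheap heuristics to the changed files: PHP under `wp-content/uploads/` (which should only ever hold media) and a few well-known obfuscated-`eval` markers. The directory layout, the marker list and the `demo()` changes are assumptions and constructed data.

```python
"""File-integrity scan for a WordPress tree (added example, not Wordfence's code)."""
import hashlib
import tempfile
from pathlib import Path

# Illustrative markers only; a real scanner uses a maintained signature set.
SUSPICIOUS_MARKERS = (b"eval(base64_decode(", b"eval(gzinflate(", b"eval(str_rot13(")
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".php7")


def file_hash(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """{relative POSIX path: sha256} for every regular file under root.
    Save the baseline OFF the server; an intruder who can edit files can edit it."""
    return {
        p.relative_to(root).as_posix(): file_hash(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(baseline, current):
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def looks_malicious(root, relpath):
    """Heuristics for a changed file: executable code in uploads, or obfuscated eval."""
    p = root / relpath
    if relpath.startswith("wp-content/uploads/") and p.suffix.lower() in PHP_SUFFIXES:
        return True
    if p.suffix.lower() in PHP_SUFFIXES:
        data = p.read_bytes()
        return any(marker in data for marker in SUSPICIOUS_MARKERS)
    return False


def scan(root, baseline):
    """One daily pass: diff against baseline, then flag suspicious additions/changes."""
    report = diff_manifest(baseline, build_manifest(root))
    changed = report["added"] + report["modified"]
    report["suspicious"] = sorted(rp for rp in changed if looks_malicious(root, rp))
    return report


def demo(tmp=None):
    """Constructed site tree; 'day 0' baseline, then simulated tampering."""
    root = Path(tmp or tempfile.mkdtemp()) / "public_html"
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8 constructed image")
    baseline = build_manifest(root)
    # Simulated changes an integrity check should surface (constructed, inert):
    (root / "index.php").write_text(
        "<?php eval(base64_decode('Y29uc3RydWN0ZWQ='));\nrequire 'wp-blog-header.php';\n"
    )
    (root / "wp-content" / "uploads" / "shell.php").write_text("<?php echo 'constructed';\n")
    (root / "wp-content" / "uploads" / "photo.jpg").unlink()
    return scan(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Two things worth keeping from this: the baseline must live somewhere the web server cannot write, or a compromise can rewrite it along with the files; and a diff is only useful if someone reads it, which is why the alert email address in Wordfence matters.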
8. The other part of WordPress security is monitoring. You need to pay attention to the emails that you get, because if someone is being persistent, you need to know you need to lock things down better. It’s important to go beyond the basic settings with the plugins for extra security. As an example, scanning against the repository is not a default option so that needs to be enabled.
There are many settings within Wordfence and time needs to be taken to understand them. Within the options section, a good option to enable is “Block IPs who send POST requests with blank User-Agent and Referer.” This blocks bots that are trying to post data to your site.
9. Install iThemes Security (formerly Better WP Security). It is the real backbone here. The number one thing that iThemes does is make it easy to hide your back end. If you use the hide back end feature, instead of your site being yoursite.com/wp-admin, you make it something completely custom, related to your site.
For example, BrandonZundel.com/archerypro. No one would ever guess that, right? If hackers try to access the default address, they will get a 404 error. This would lead to about 90% of hackers giving up on your site.
When you launch iThemes you are presented with a setup pane that they recommend you work through first. Initially, you also want to allow the software to write to your wp-config.php and .htaccess files. After that, go back to the settings tab, uncheck that write-access box, and save again. This ensures the code you need is in there to protect your site.
Other settings: whitelist your own IP, enable 404 detection, and enable HackRepair.com’s blacklist feature. This adds a list of known bots and bad IPs to your .htaccess and blocks them.
If you need to use outside API’s to access your site, the user agent option might need to be turned off, depending on your setup. You want to enable their brute force protection. Enter your email and get a free API key. If hackers try to log in more than 5-10 times with the invalid user or password, the software will lock them out. You can change the defaults and ban them if necessary.
Also enable “Immediately ban a host that attempts to login using the ‘admin’ username.” If they try to log in with “admin,” you know they’re a hacker. All of these features are free. It’s necessary to take the time to learn all of these steps.
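The monitoring and lockout rules in steps 5, 8 and 9 (automated password guessing against wp-login.php, POSTs with a blank User-Agent and Referer, lock a host after 5-10 failures) are all visible in the web server’s access log, and the analyzer below is an added example written for this article to show that logic; it is not Wordfence or iThemes code, which hook into WordPress itself. It parses Apache combined-format lines, counts failed login POSTs per IP and lists the hosts over the lockout threshold, and separately flags POSTs that carry no User-Agent and no Referer. The log lines are constructed, using the documentation address ranges; the threshold of 5 is the low end of the page’s range; and because the posted username is not in an access log, the “admin” username rule is left to the plugin, which sees the login form data.

```python
"""Detect login brute force and blank-agent POSTs in Apache combined logs
(added example, not plugin code)."""
import re
from collections import defaultdict

LOCKOUT_THRESHOLD = 5  # assumed: low end of the 5-10 failures the plugin allows

# Apache "combined" LogFormat: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_failed_login(rec):
    """WordPress answers a failed login with 200 (re-rendered form) and a
    successful one with a 302 redirect into wp-admin."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.endswith("/wp-login.php") and rec["status"] == "200"


def is_blank_agent_post(rec):
    """Apache logs an empty header as '-', so treat both '' and '-' as blank."""
    blank = ("", "-")
    return rec["method"] == "POST" and rec["ua"] in blank and rec["referer"] in blank


def analyze(lines, threshold=LOCKOUT_THRESHOLD):
    failures = defaultdict(int)
    blank_posts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a real job would count these too
        if is_failed_login(rec):
            failures[rec["ip"]] += 1
        if is_blank_agent_post(rec):
            blank_posts.append((rec["ip"], rec["path"]))
    return {
        "failures": dict(failures),
        "lock": sorted(ip for ip, n in failures.items() if n >= threshold),
        "blank_agent_posts": blank_posts,
    }


def constructed_log():
    """Constructed sample: one host guessing passwords, one legitimate user who
    mistypes once then succeeds, one bot posting with no headers."""
    ts = "[10/Jan/2024:02:14:%02d +0000]"
    ref = '"https://example.com/wp-login.php" "Mozilla/5.0 (constructed)"'
    lines = [
        f'203.0.113.7 - - {ts % i} "POST /wp-login.php HTTP/1.1" 200 3425 {ref}'
        for i in range(6)
    ]
    lines += [
        f'198.51.100.20 - - {ts % 30} "POST /wp-login.php HTTP/1.1" 200 3425 {ref}',
        f'198.51.100.20 - - {ts % 41} "POST /wp-login.php HTTP/1.1" 302 0 {ref}',
        f'192.0.2.33 - - {ts % 50} "POST /wp-comments-post.php HTTP/1.1" 200 412 "-" "-"',
        "this line is garbage and is skipped",
    ]
    return lines


if __name__ == "__main__":
    print(analyze(constructed_log()))
```

Run over a real log it answers the question step 8 asks you to keep asking: is someone being persistent? A host that crosses the threshold is what the plugin’s lockout is for; a steady trickle of blank-header POSTs is what the Wordfence option in step 8 blocks.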
Brandon can take care of all of this for you and save you the time and energy, which may well be worth it if you’re not technically inclined.
If you have shared hosting and you have multiple WordPress installations, you need to enable this protection on all of your sites.
10. Use SFTP (Secure File Transfer Protocol). SFTP encrypts your password and other data while being transmitted from your computer to your website. This prevents the data from being accessed by an attacker.