How to keep your WordPress Installation secure

September 1, 2015

Securing your WordPress installation should be one of your very first priorities. Even if you think your website could not possibly be of interest to hackers, the sad reality is that many of them will count it as a success just breaking into a website, any website. Legions of bots crawl around the Internet checking for vulnerable installations. If they find one and hackers manage to break in, the amount of damage inflicted can vary from a harmless front page hacking announcement, to embedding your pages with malicious scripts that infect your visitors’ computers or redirect them to illegal sites.

The first line of defense starts at your very own computer. If hackers have made it into your computer and are collecting passwords and other information, they will keep breaking into your website using your own credentials. You must make sure the computers you use are not infected with spyware, malware, or viruses. No amount of security in your WordPress installation or on your web server will make any difference if there is a keylogger installed on your computer that keeps sending out your usernames and passwords to hackers.

You must always keep your computer’s operating system and the software that runs on it up to date to be protected as much as possible from the latest security vulnerabilities. This is especially important for your web browser. Always try to avoid visiting untrusted sites, but if you need to visit any, a good security measure is to turn off JavaScript, Flash and Java in your browser.

All of the above are preventive measures that you should implement by yourself, as they require working on your own computers. If you feel overwhelmed by the technical aspects involved, seek the help of a more knowledgeable person whom you trust completely; don’t leave that important part of security in the hands of untrusted contractors.

The second thing to check for is vulnerabilities within your WordPress installation itself. Since WordPress became widely known it has attracted a lot of attention from hackers. WordPress today is the most popular Open Source CMS, currently powering about 25% of all websites on the Internet, and is constantly on the radar of hackers trying to harness its reach for malicious purposes.

The core files of WordPress are updated regularly to address performance and security issues, as well as to implement new features. Those updates are applied to your installation automatically in the background since WordPress 3.7 (October 24, 2013), but you still need to keep your plugins and Themes up to date manually. Failure to do so could lead to your site being hacked by any of the numerous exploits freely available in the wild.

However, if your WordPress site is hosted at RackNine you can have all your WordPress plugins and Themes automatically backed up and updated as new versions become available. That way you never need to worry about your site being vulnerable to the latest attacks. That said, automatic updates of plugins and Themes might not be advisable for large websites that use a large number of plugins, especially commercial ones. Most commercial plugins need to be updated by downloading them first from the developers’ site using a licence, meaning they cannot be updated automatically, and in some cases they could cause incompatibilities with the rest of the installation.
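WordPress itself exposes the same switch that a managed host flips: since 3.7 the background updater asks the `auto_update_plugin` and `auto_update_theme` filters whether each item may be updated without a human clicking the button. The must-use plugin below is an added example (not code from RackNine or from WordPress) that opts every plugin and theme into background updates except for a denylist of licensed, vendor-downloaded plugins, which is exactly the commercial-plugin caveat above. The plugin slugs in the denylist are placeholders you would replace with your own.

```php
<?php
/**
 * Plugin Name: Background updates for plugins and themes (example)
 * Description: Opts plugins and themes into WordPress background updates,
 *              except for licensed plugins that must be updated by hand.
 *              Save as wp-content/mu-plugins/example-auto-updates.php
 *              (must-use plugins load on every request and cannot be
 *              deactivated from the dashboard).
 */

/**
 * Plugins that are downloaded from the vendor with a licence key, so a
 * background update would either fail or could break the install.
 * Hypothetical slugs: replace them with the directory names of the
 * commercial plugins actually installed on your site.
 *
 * @return string[]
 */
function example_manual_update_plugins() {
    return array(
        'example-commercial-seo',   // placeholder slug
        'example-premium-forms',    // placeholder slug
    );
}

/**
 * Decide whether one plugin may be updated in the background.
 *
 * WordPress calls this for every plugin that has an update available.
 *
 * @param bool|null $update Decision so far (null means "not decided").
 * @param object    $item   Update item; $item->slug is the plugin directory.
 * @return bool
 */
function example_auto_update_plugin( $update, $item ) {
    if ( isset( $item->slug )
        && in_array( $item->slug, example_manual_update_plugins(), true ) ) {
        return false; // licensed plugin: leave it to a manual update
    }
    return true; // everything from the wordpress.org repository updates itself
}
add_filter( 'auto_update_plugin', 'example_auto_update_plugin', 10, 2 );

// Themes are rarely licensed per-site in the same way, so update them all.
add_filter( 'auto_update_theme', '__return_true' );
```

Background updates only run when WordPress can write to its own files directly (no FTP credentials prompt), when WP-Cron is able to fire, and when neither `AUTOMATIC_UPDATER_DISABLED` nor `DISALLOW_FILE_MODS` is defined in `wp-config.php`; if any of these holds, the filters above are never consulted and the plugins stay outdated silently, so check the Updates screen after enabling this rather than assuming it worked. Keeping a backup before each update run, as the paragraph above describes, is the safety net for the incompatibility case.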

And speaking of plugins, if you want to add yet another layer of security to your WordPress installation, there are several of them that constitute great additions. Below we list some of the most effective:

WordFence:
WordFence is a very popular security plugin that will monitor your WordPress website for common vulnerabilities and send you alerts if there are security issues that need to be addressed. Wordfence also implements several additional security measures, such as a WordPress Firewall to block common security threats like fake Googlebots, malicious scans from hackers and botnets.
https://www.wordfence.com/

BulletProof Security:
BulletProof Security adds firewall security, database security, login security and more. Its interface is a bit complex to navigate and configure, but it is worth the effort. This plugin keeps itself automatically updated against new exploits and vulnerabilities. It has a pro version which offers some advanced features to improve the security of your website even further, although the free version should be good enough to make your website fairly secure.
https://wordpress.org/plugins/bulletproof-security/

Sucuri Security:
This plugin comes from Sucuri, the well known security and auditing company. It offers security activity auditing, file integrity monitoring, malware scanning, blacklist monitoring, and website firewall. It incorporates various blacklist engines including Google Safe Browsing, Sucuri Labs, Norton, McAfee Site Advisor, and more to check your website. If there is anything wrong, it will notify you via email.
https://wordpress.org/plugins/sucuri-scanner/

iThemes Security (formerly Better WP Security)
iThemes Security claims to offer 30+ ways to secure and protect your WordPress website. It scans the entire website and tries to find any potential vulnerabilities in it. It also prevents brute-force attacks and automatically bans the attacking IP addresses, while requiring legitimate users to use secure passwords.
https://wordpress.org/plugins/better-wp-security/

All In One WP Security & Firewall
Another popular WordPress security plugin that is easy to use and reduces security risks by applying recommended security practices. It protects against brute-force login attacks and sends you an email notification if somebody gets locked out due to failed login attempts. It also monitors the account activity of all users and keeps track of username, IP address, and login date and time.
https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

There are other potential issues to watch out for, such as those related to your web hosting server and network, but they are server-related, and unless you are a professional who knows what you’re doing, you should not tamper with server settings. Always make sure you are using a trusted host that takes care of all these things for you. Additionally, RackNine can manage the setup, backups and security of your WordPress sites so you can focus on creating awesome content; please visit https://www.racknine.net/cms-software/wordpress/ for more information.

We hope this post helps to clarify the issues concerning WordPress security and helps you build an effective defence against hackers. Please do not hesitate to contact us if you have any further questions or concerns.