WordPress is an easy-to-use, quick-to-learn, and secure content management system. However, just like any popular software, it is also targeted by hackers looking for security vulnerabilities. Most such vulnerabilities get patched quickly by the WordPress community, and if a threat is of a more serious nature, the WordPress team can also release a security update. Still, the most commonly reported WordPress hacks can easily be stopped by strengthening your WordPress security settings.
WordPress Codex has an excellent article on how to strengthen WordPress Security by following best practices. Some of them are:
- Strong passwords: use passwords that contain letters, numbers and symbols. Use strong passwords not just for your WordPress admin section but also for FTP, your web hosting control panel, and the database.
- Check file permissions. Make sure that the files on your website are not publicly writeable.
- Clean up plugins and themes you are not using. Fewer files to inspect will save you a lot of time if malicious scripts are ever injected into your website.
- Security through obscurity not only makes your websites more secure but also slows down unwanted spam.
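The "check file permissions" item above is easy to automate. The following is an added example (not code from the WordPress Codex or from any of the plugins below) that walks a site directory, lists every file or directory that is writeable by "other", and can optionally reset modes to the conventional WordPress values. The 755/644/600 targets in `recommended_mode` and the `build_demo_site` layout are assumptions made for the example.

```python
import os
import stat
import tempfile


def world_writable_paths(root):
    """Return sorted, root-relative paths whose mode grants write access to
    everyone ("other"). Symlinks are skipped because their own mode bits are
    not meaningful on most systems."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # vanished or unreadable; nothing to report
            if stat.S_ISLNK(mode):
                continue
            if mode & stat.S_IWOTH:
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def recommended_mode(path):
    """Assumed targets: 755 for directories, 644 for files, 600 for
    wp-config.php because it holds the database credentials."""
    if os.path.isdir(path):
        return 0o755
    if os.path.basename(path) == "wp-config.php":
        return 0o600
    return 0o644


def fix_permissions(root, dry_run=True):
    """Return {relative_path: (current_mode, recommended_mode)} for every
    mismatch under root. With dry_run=False the modes are actually changed."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    changes = {}
    for path in paths:
        if os.path.islink(path):
            continue
        current = stat.S_IMODE(os.lstat(path).st_mode)
        wanted = recommended_mode(path)
        if current != wanted:
            changes[os.path.relpath(path, root)] = (current, wanted)
            if not dry_run:
                os.chmod(path, wanted)
    return changes


def build_demo_site():
    """Constructed sample tree with two deliberately bad modes, so the audit
    has something to find. Returns the temporary directory path."""
    site = tempfile.mkdtemp(prefix="wp-demo-")
    os.makedirs(os.path.join(site, "wp-content", "uploads"))
    os.chmod(os.path.join(site, "wp-content"), 0o755)
    os.chmod(os.path.join(site, "wp-content", "uploads"), 0o777)  # world-writeable dir
    for name, mode in (("index.php", 0o644), ("wp-config.php", 0o666)):  # 666 leaks credentials
        with open(os.path.join(site, name), "w") as fh:
            fh.write("<?php\n")
        os.chmod(os.path.join(site, name), mode)
    return site


if __name__ == "__main__":
    site = build_demo_site()
    print("world-writeable:", world_writable_paths(site))
    for rel, (cur, want) in fix_permissions(site).items():
        print(f"{rel}: {cur:o} -> {want:o}")
```

Run it with `dry_run=True` first and review the list; on a real site the `root` argument would be the directory that contains wp-config.php, and any path you deliberately keep writeable (for example an uploads directory owned by the web server user) should be excluded before you apply the changes.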
There are also some WordPress security plugins that can help you make your website secure.
Better WP Security
Better WP Security is a free WordPress plugin that claims to be the best WordPress security plugin. However, the plugin author scares users by warning them that this plugin makes complex changes to their settings and that things might break if they use it. It is highly recommended that you back up your website before installing this plugin. In fact, the plugin itself asks you to create a backup of your database when you visit the settings page after installing it.
Better WP Security offers a comprehensive set of features. However, unlike other WordPress security plugins, it can make changes to your website, and you will have to approve each action before it executes it. On the first run it shows you the possible security vulnerabilities currently present on your website and suggests actions.
- It can create regular automated database backups and send them to your email address.
- It can make several changes to your WordPress powered website's settings to make it more secure. This includes changing the table prefix, changing the admin username, enforcing strong passwords, removing information from meta tags and hiding information from the login screen.
- It bans illegal and potentially dangerous requests to your website.
- Allows you to turn off your site’s admin area for specific hours.
WordPress Exploit Scanner Plugin
Exploit Scanner is a well maintained, trusted, and excellent plugin for checking your WordPress powered website's posts, comments, files and directories for potential exploits, malicious scripts, injections, and suspicious activity. As is obvious from the name, it is a scanner: it recommends changes when run, but it does not make any changes to your WordPress database or files. If you think there is some malicious code on your website, Exploit Scanner is the first tool you should run to find it.
- Searches your WordPress files and databases for exploits.
- Makes no changes to your files or data.
- Recommends actions and explains each warning.
- You can search your entire website at once (this usually takes some time) or check particular files or the database.
- Easy to use, well maintained and well documented.
Cloudsafe365 – Extreme Web Protection
Cloudsafe365 is a cloud-based WordPress security plugin that provides an array of features to secure your website. It is currently in beta but in perfect working condition to deploy on any commercial or personal website. Currently, Cloudsafe365 is offering its basic package for free: basic protection and right-click prevention for a single website on a monthly subscription basis. What sets Cloudsafe365 apart is that it adds data theft and content protection features to the plugin.
- Provides automatic encrypted backups and recovery for your Website’s database.
- Detects and stops illegal requests to your website to prevent SQL injection, meta injection, brute force attacks and other site-hacking techniques.
- Right-click prevention to stop people from copying your content.
- Stops data mining by blocking unrecognized bots, programs, and scripts, which prevents automated content theft.
WordPress Security Ninja Plugin
Security Ninja combines widely recommended security best practices into one plugin and then checks your website against those standards. It runs tests on your website and provides you with results and a detailed analysis for each check. If a test fails on your website, you can see how to resolve the issue in the details and tips tab for that test. Remember that, just like most other security plugins, Security Ninja does not make any changes to your website: if there is something wrong with your website, it will report it and provide you with instructions to solve it on your own.
- Checks for exploits on your website.
- Checks for obscurity best practices recommended by many experts, such as changing the default username from admin to something else, removing the generator tag, etc. It only provides details on why and how you should change these settings.
- Checks file permissions on your website.
- Checks that PHP and Apache do not send unnecessary information in HTTP headers.
- Doesn't slow down your website; an easy to manage, safe and secure plugin. It will also help you learn a thing or two about securing your website even without plugins.
WordPress Safer Admin Plugin
As the name says, WordPress Safer Admin changes your wp-admin directory to something else that only you know. This reduces the chances of automated login attempts and of people trying to access the wp-admin section. It also protects you from malicious scripts that look for files in the wp-admin folder in order to inject malicious code or change your files. This plugin is particularly useful for WordPress users who are noticing unexplained activity or login attempts on their websites. The plugin requires you to make .htaccess writeable. I believe this is unnecessary: once the plugin has written its changes to the .htaccess file, you can change the file permissions back.
- Keeps a log of login activity on your website. It also logs IP addresses, date and time, URL accessed, and POST and GET data.
- Logs will also keep you informed about who activated or deactivated a plugin on your website and when.
- The logs also show you when someone has updated a plugin.
- Logs can be turned off if you want.
- When the plugin is uninstalled or deactivated, your website falls back to default settings and you can access wp-admin directory.
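A login log like the one described above is only useful if someone reads it. The following is an added example (not the Safer Admin plugin's code, and the `time | ip | url | method | data | result` line format is an assumption made for the example, not the plugin's actual format) that scans such a log for the pattern behind the "unexplained login attempts" mentioned above: a burst of failed logins from one IP within a short window, and a successful login from that IP right after the burst, which deserves a closer look than the failures alone.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format. The IP addresses are from
# documentation ranges and the events are invented for the example.
SAMPLE_LOG = """\
2012-05-14 10:02:11 | 203.0.113.7 | /wp-login.php | POST | log=admin | failed
2012-05-14 10:02:13 | 203.0.113.7 | /wp-login.php | POST | log=admin | failed
2012-05-14 10:02:15 | 203.0.113.7 | /wp-login.php | POST | log=admin | failed
2012-05-14 10:02:17 | 203.0.113.7 | /wp-login.php | POST | log=admin | failed
2012-05-14 10:02:19 | 203.0.113.7 | /wp-login.php | POST | log=admin | failed
2012-05-14 10:02:21 | 203.0.113.7 | /wp-login.php | POST | log=admin | success
2012-05-14 10:30:00 | 198.51.100.4 | /wp-login.php | POST | log=editor | failed
2012-05-14 11:45:00 | 198.51.100.4 | /wp-login.php | POST | log=editor | success
2012-05-14 12:00:00 | 192.0.2.9 | /wp-login.php | GET | - | -
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 6:
        return None
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return {"time": when, "ip": parts[1], "url": parts[2],
            "method": parts[3], "data": parts[4], "result": parts[5]}


def suspicious_logins(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: {"failed_in_window": n, "success_after_burst": bool}} for
    every IP that reached `threshold` failed logins inside `window`.
    success_after_burst is set when a login succeeds while the burst is still
    within the window, i.e. a password guess may have worked."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["method"] != "POST" or entry["url"] != "/wp-login.php":
            continue  # only POSTs to the login page are login attempts
        ip, when, result = entry["ip"], entry["time"], entry["result"]
        queue = recent[ip]
        while queue and when - queue[0] > window:
            queue.popleft()  # drop failures that have aged out of the window
        if result == "failed":
            queue.append(when)
            if len(queue) >= threshold:
                info = flagged.setdefault(
                    ip, {"failed_in_window": 0, "success_after_burst": False})
                info["failed_in_window"] = max(info["failed_in_window"], len(queue))
        elif result == "success" and len(queue) >= threshold:
            info = flagged.setdefault(
                ip, {"failed_in_window": len(queue), "success_after_burst": False})
            info["success_after_burst"] = True
    return flagged


if __name__ == "__main__":
    for ip, info in suspicious_logins(SAMPLE_LOG).items():
        print(ip, info)
```

With the defaults, only 203.0.113.7 is flagged: five failures in eight seconds followed by a success. The editor who mistyped a password once and logged in over an hour later is not reported, which is the point of the sliding window; tune `threshold` and `window` to the traffic your site actually sees before acting on the output.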
We have previously published a BackupBuddy tutorial on WPLift. As a comprehensive, automated, cloud-based backup solution, BackupBuddy is a great plugin for keeping your website and data safe at all times. BackupBuddy not only makes it easier to create backups, it also helps you quickly restore your website from them.
Securing your WordPress installation is not a difficult task. If your website has never faced trouble, that does not mean it is immune to malicious attacks. It is wiser to be cautious than to be sorry. Making these best practices part of your website maintenance routine can save you hours of frustration and maybe even the loss of valuable data.