Some of you may already know the importance of keeping your WordPress business site as secure as possible. Sadly, there are many reasons why your site can get attacked, and the attack could come from a casual “hacker” who does it for the sheer fun of it, or from deliberate attacks aimed at doing your site harm.
Obviously, there is simply no way that you can “bulletproof” your WordPress site’s security 100%; nonetheless, the more “counter-measures” you have in place, the less likely you are to have to deal with problems in the future. Just think about it: all your hard work down the drain and your online business shut down instantly. Won’t happen to you? Hopefully not, but if it does, be prepared. It’s not pretty. I know, it has already happened to some of my sites, and yes, more than once.
[note]May 2013: The recent botnet attack on websites running WordPress hasn’t had much impact — yet, but it’s likely that these attacks will continue, as there are way too many vulnerable sites out there. If you have not yet taken steps to secure your site, now would be as good a time as ever. Read all of my recommendations below and apply them. Better safe than sorry.[/note]
What I want to share with you today are some of those “counter-measures” and WordPress security plugins that can help you make an attacker’s job a bit more difficult. Hopefully, if they try to attack your site and find it too difficult to break in, they will leave and find another site that is more vulnerable.
Here we go... simple steps that you can take now to increase your WordPress site’s security, in case you still don’t have anything in place.
Backup Your WordPress Site Regularly
For so many reasons, backing up your WordPress files should be done on a regular basis, and even more so before making any changes, such as upgrading the WordPress software, your theme, a plugin, etc.
– By the way, you should always keep your software and plugins updated.
This is the best “security” that you can have, period. There are many ways you can do this, and for the sake of keeping this short, just do some research and see what suits you best. In my case, I do a manual backup every 15 days. Yes, it is tedious, but it gives me peace of mind. Just use an FTP program and copy the “entire” folder. If it is too big, perhaps back up only the most important parts of your WordPress site (e.g. the database).
On a side note, find out if your hosting provider has some sort of “backup” facility. Most of them do, and as an example, my web hosting company, among other things, provides me with a “full” backup and restore service for a mere $12 a year. It works well, and I have already used the service to restore some sites that were hacked. A very valuable service, if you ask me.
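The manual FTP copy described above covers the files, but the database holds your posts, users and settings, so a complete backup needs both. The script below is an added example written for this post, not a tool the author uses; it reads the database credentials out of wp-config.php, dumps the database with mysqldump and archives the whole install directory. The site path, backup directory and the sample wp-config.php contents are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal backup script for a
# WordPress install. Paths, credentials and names below are placeholders.
set -eu

# Pull one define('NAME', 'value') constant out of wp-config.php.
# $1 = path to wp-config.php, $2 = constant name (DB_NAME, DB_USER, ...)
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Dump the database, compressed, into $2 and print the dump path. Credentials
# come from wp-config.php in $1; the password is handed to mysqldump through
# MYSQL_PWD so it never shows up in `ps` output.
wp_backup_db() {
  cfg="$1/wp-config.php"; out="$2/db-$(date +%Y%m%d-%H%M%S).sql.gz"
  MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" \
    mysqldump --single-transaction \
      -h "$(wp_config_value "$cfg" DB_HOST)" \
      -u "$(wp_config_value "$cfg" DB_USER)" \
      "$(wp_config_value "$cfg" DB_NAME)" | gzip > "$out"
  chmod 600 "$out"
  echo "$out"
}

# Archive the whole install directory (themes, plugins, uploads, wp-config.php)
# into $2 and print the archive path. The archive is made private because
# wp-config.php inside it contains the database password.
wp_backup_files() {
  site="${1%/}"; out="$2/files-$(date +%Y%m%d-%H%M%S).tar.gz"
  tar -czf "$out" -C "$(dirname "$site")" "$(basename "$site")"
  chmod 600 "$out"
  echo "$out"
}

# Constructed sample wp-config.php with placeholder values, used only to
# exercise the parser above.
write_sample_wp_config() {
  cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'placeholder-password' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
EOF
}

# Usage: sh wp-backup.sh /var/www/example.com /var/backups/wp
if [ "$#" -ge 2 ]; then
  mkdir -p "$2"
  wp_backup_db "$1" "$2"
  wp_backup_files "$1" "$2"
fi
```

Run it from cron on the schedule you prefer (the post's every-15-days routine would be one line in crontab), and copy the resulting files off the server, since a backup stored next to the site is lost together with it.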
Create Strong Passwords
Oh yes, passwords. Make them as strong as possible. Combine letters (upper and lower case), numbers and symbols, and try to go over at least 12 characters. WordPress allows you to create a password up to 64 characters long (did you know that?). Anyway, here is an article I wrote some time ago, but it is still fully applicable today – How To Create Strong Passwords?
Scan Your Site For Malware, Out-Of-Date Software and More
Scanning your website for malware, among other things, should be first on your list. Knowing upfront whether your site already has problems makes it much easier to fix the issues and protect yourself. One of the best web-based and free malware scanners I know of is Sucuri SiteCheck. All you need to do is enter your URL and the Sucuri SiteCheck scanner will check your site for malware, blacklisting status, and out-of-date software.
Checked iBlogZone and woohoo... for now I am in the clear
As you can see, Sucuri SiteCheck verifies your site for a lot of possible problems, and knowing that it is clean and not blacklisted gives your site a boost in trust with your visitors. Sucuri has premium services where you can sit back and relax if your site is hacked. They will do all the “hard stuff” (the cleaning) for you, which is a good way to go if you are not comfortable “messing” with your code, .htaccess, and all that tech stuff.
VirusTotal – a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware. Recently acquired by Google, this free tool can help you detect any suspicious files that may be affecting your site.
Are You Using Free WordPress Themes and Plugins?
Yep, free WordPress themes and plugins are great, but some may contain malicious code and provide backdoors for exploitation. WordPress plugins, even if they are in the WP repository, may have problems. This is particularly true for those that have not been updated for a long time, which, among other things, is a good sign that you should avoid them. Look at the ratings and user feedback for possible problems.
In addition, many themes and plugins (including premium ones) rely on the TimThumb script, which has been known to seriously undermine your WordPress security. Please read this article from JustAskKim to find out about the TimThumb vulnerability and how to fix it (very important).
You can also install the Ultimate Security Checker plugin, which will help you identify security problems with your WordPress installation. This plugin scans your WordPress site and gives it a security grade based on the tests passed.
OK, then. Now that you have some security measures in place, here are three WordPress security plugins that I strongly recommend you install. If you already have one, good; if not, install one now.
Note: You may want to install only one of them. Choose whichever works better for you.
Login Lock is lightweight and does not hamper performance, while Better WP Security may be a bit advanced for some users. It is powerful, though, if you are really security conscious.
WordPress Security Plugins
Better WP Security – Almost an “all-in-one” security plugin for WordPress. This plugin takes the best WordPress security features and techniques and combines them in a single plugin, thereby ensuring that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing something on your site.
Some features (there are many):
- Scan your site to instantly tell where vulnerabilities are and fix them in seconds
- Remove the meta “Generator” tag
- Remove login error messages
- Change the URLs for backend functions including login, admin, and more
- Create and email database backups on a schedule using wp-cron
- Ban troublesome bots and other hosts
- Completely turn off the ability to login for a given time period (away mode)
- Prevent brute force attacks by banning hosts and users with too many invalid login attempts
- Display a random version number to non-administrative users wherever the version is used (often attached to plugin resources such as scripts and style sheets)
- Remove theme, plugin, and core update notifications from users who do not have permission to update them (useful on multisite installations)
- Remove Windows Live Writer header information
- Enforce strong passwords for all accounts of a configurable minimum role
- Detect attempts to attack your site
- ...and, as I said, many more
- SQL Injection
- Cross-Site Scripting (XSS)
- Directory traversal
- Remote file inclusion
- Several DoS conditions
- And many more, including all of the OWASP Top Ten security vulnerabilities.
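Several of the options listed above (removing the “Generator” tag, randomising the version number on script and style sheet URLs, removing the Windows Live Writer header) exist so that your site stops announcing which WordPress version it runs, since an out-of-date version is exactly what an attacker looks for first. The script below is an added example written for this post, not part of Better WP Security; it checks a saved copy of one of your own pages for those disclosures, so you can confirm the hardening took effect. The sample page and its version numbers are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the original post or of Better WP Security):
# check a page of your own site for WordPress version leaks, i.e. the things
# the "remove Generator tag" and "random version number" options suppress.
set -eu

# Reads HTML on stdin and prints every line that discloses a version: the
# <meta name="generator"> tag, and "?ver=x.y" query strings on script/style
# URLs (the WordPress version or that of a bundled library such as jQuery).
# Exit status is 0 if at least one leak was found, 1 if none.
wp_version_leaks() {
  grep -iE '<meta name="generator" content="WordPress|[?&]ver=[0-9]+\.[0-9]+(\.[0-9]+)?'
}

# Convenience wrapper: fetch a live page of your site with curl and check it.
wp_version_leaks_url() {
  curl -fsSL "$1" | wp_version_leaks
}

# Constructed sample page (version numbers are placeholders, not observations
# of any real site) used to exercise the check.
write_sample_page() {
  cat > "$1" <<'EOF'
<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 3.5" />
<link rel="stylesheet" href="/wp-content/themes/example/style.css?ver=3.5" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.8.3"></script>
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="/wp-includes/wlwmanifest.xml" />
</head><body><p>hello</p></body></html>
EOF
}

# Usage: sh wp-version-leaks.sh https://example.com/
if [ "$#" -ge 1 ]; then
  if wp_version_leaks_url "$1"; then
    echo "version disclosed in the lines above"
  else
    echo "no version leak found"
  fi
fi
```

The wlwmanifest link in the sample is the Windows Live Writer header the plugin strips; it does not carry a version number, so the check ignores it, but it still tells a visitor the site is WordPress.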
[note]Update March 2013: Google has just released their “Help For Hacked Sites” section and it is really worth checking out, in case you need it (hopefully not).[/note]
Help for hacked sites: Overview
Login Lock (update 25/10/2012 – plugin removed from the WP repository) – Enforces strong password policies; provides emergency lockdown features; monitors login attempts; blocks hacker IP addresses; and logs out idle users. This plugin is very good, and even more so if you have multiple registered users on your site.
Main features include:
- Enforces strong password selection policies.
- Monitors login attempts.
- Blocks IP addresses for too many failed login attempts.
- Lets you manually unblock IP addresses at any time.
- Lets you forcibly log out all users immediately and require that they all change their passwords before logging back in.
- Lets you forcibly log out idle users after a configurable number of minutes.
- and more…
One of the things I like best about this plugin is the “emergency lockdown” feature. Login Lock provides an emergency “panic button” that, when used, immediately logs out all users, resets all user passwords to a random value, and sends each user an email message informing them that they must change their password before logging back in to your site. Cool, and it’s 100% free via the WP repository (a must-have).
[note]Update June 2012: Login Lock is a great plugin, but under certain conditions it may cause a redirection loop, so if you are experiencing this problem, delete the plugin and install either Better WP Security or 6Scan Security.[/note]
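Login Lock's “block IP addresses for too many failed login attempts” works inside WordPress, but the same pattern is visible in the web server's access log, which is handy for confirming the plugin is doing its job or for feeding a firewall or fail2ban rule. The script below is an added example written for this post, not part of Login Lock: it counts failed login attempts per client address over an Apache/nginx combined-format log and prints the addresses over a threshold. It assumes the usual heuristic that a POST to wp-login.php answered with 200 is a failure (WordPress re-renders the form) and a 302 is a success; the sample log lines are constructed, using addresses from the documentation ranges.

```shell
#!/bin/sh
# Added example (not from the original post or Login Lock): find the
# brute-force pattern Login Lock blocks, straight from the access log.
set -eu

# Reads a "combined" format access log on stdin and prints "IP count" for
# every client with at least $1 failed login attempts.
# Assumption (heuristic): a POST to wp-login.php answered with 200 is a failed
# login, a successful one redirects with 302, so only 200s are counted.
# Combined-format fields: $1 client IP, $6 "METHOD, $7 path, $9 status.
wp_login_failures() {
  awk -v limit="$1" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
  ' | sort
}

# Constructed sample log: one client hammering the login form (6 failures),
# one legitimate user who mistypes once and then logs in (302), plus a GET
# of the login page, which is not an attempt at all.
write_sample_access_log() {
  cat > "$1" <<'EOF'
203.0.113.7 - - [10/Apr/2013:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3567 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3567 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3567 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3567 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3567 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:03:14:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3567 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2013:08:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2013:08:02:31 +0000] "POST /wp-login.php HTTP/1.1" 200 3567 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2013:08:02:50 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Usage: sh wp-login-failures.sh /var/log/apache2/access.log [threshold]
if [ "$#" -ge 1 ]; then
  wp_login_failures "${2:-5}" < "$1"
fi
```

With the sample log and a threshold of 5, only 203.0.113.7 is reported (with 6 failures); the legitimate user's single mistake stays below the threshold, which is the same trade-off Login Lock makes when you pick its attempt limit.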
That’s it! How well secured is your site? Do you even have something in place? Anything you feel I missed? Please let me know.
Image credit: mashable.com