Securing WordPress27 Apr 2015
You're likely a WordPress user, admin., or, know someone who is. With it powering roughly 23% of the web, it's both popular with users, developers & hackers alike. Yay, WordPress is great (and powers this blog).
Securing WordPress is difficult, but not impossible. We're not experts on the topic by any stretch, but, given we host a few thousand websites powered by it -- we've got a few ideas on how to keep it secure. Some of these are fairly generic, and, others might give you a few ideas on howto keep your own install hack-free.
Much of this advice is tangible, and, will help with other aspects of WordPress site management as well (like performance). If you prefer to read text, scroll down below the image. There's a few other additional notes below as well.
Link your friends to: https://www.fused.com/blog//uploads/2015/04/securingwordpress.jpg
First, why should you secure your WordPress install? Who cares, right?
For starters, your site could be used to send spam to others. Worse, infect others & their systems with malware. Neither of those are going to make you any friends, and worse, it could impact your reputation.
Secondly, a hacked site will be quickly stopped by google & blocked from being viewed in chrome. You'll lose visitors & revenue, particularly if you operate a business.
Lastly, to be a good netizen. Nobody likes spam, exploits, or DDoS attacks -- and all of these can originate through your WordPress installation. There's many of us that end up having to stay awake sleepless nights to mitigate things like this, and, there's not enough whiskey to go around.
Update, update, update.
It goes without saying, the first step to keeping any piece of software secure is by updating your software as quickly as feasible when an update is released. This applies heavily to WordPress where a potential exploit might reside in a theme, plugin or the core software itself. As of 3.7, WordPress can automatically update itself. Managing these updates is trivial, often using a plugin. To just keep the core WordPress software in check, add this to your wp-config.php file (on it's own line): define( 'WPAUTOUPDATE_CORE', false );
Caveat: Some software within your installation might need updated manually, but, we'll talk about that more shortly.
Everyone loves themes, &, if you're anything like me you change your WordPress theme several times a year. Who doesn't love a fresh pair of clothes, but, let's not make it a hay-day for hackers, bots, & script kiddies alike.
Leaving a WordPress theme installed after you're done with it is akin to building an addition onto your home & forgetting a wall. You're leaving yourself open to attack. Less is more, & that applies more & more each day with WordPress.
Third-party theme websites
Acquiring the latest & greatest theme off of Themeforest & some of those great sites is wonderful, but, it leaves a few things left undone -- and this is frequently the number one source of attack aside from out of date installations.
First, and foremost: Often, anything you install manually will frequently need updated manually. If you install something outside of the WordPress interface, you'll need to update it manually.
You'll want to subscribe to any updates/newsletters the theme developer has. You'll be relying on them for many security updates for software that might be included in the theme, that may not have an easy-update method.
Secondly, despite my note that you'll be relying on them for security updates: Don't rely on them for security updates! Someone who has just a few themes out there might not be around to fix the latest-greatest-exploit in their theme. If murphy's law has anything to do with it, they'll be on a remote island sipping pina colada's while some good friend from afar is sending a few emails on your behalf, to all of your good friends :)
If possible, catalog what 'extra' functionality (3rd party code, besides the theme itself) might be in a theme, if at all possible (or, ask the developer when you acquire the theme) and keep an eye on releases to those pieces of software.
That's an awful lot of work, and, as much as I appreciate 3rd party theme developers -- it's (in my opinion) better choice to use themes available within WordPress itself via Appearance > Themes (Or, https://wordpress.org/themes/commercial/) , rather than venture out on your own. The themes available there will still need to be updated, but, the process is slightly more streamlined.
WordPress Plugins & Security
Avoiding plugins altogether would be great, but, impossible of course. If at all feasible, avoid adding plugins that add minuscule functionality like an image carousel, for example. Far too many exploits originate from plugins. Less is more.
Secondly, removing any unused plugins is quite possibly the best thing you can do. Disabling them isn't sufficient, but deleting them altogether -- like themes -- will keep you a bit more secure.
Backups are by no means a way to prevent exploits, but, they make it easier to revert back to a "good" copy of your website in the event of an exploit. Frequently backup your website & wordpress installation (database & all) via your host's control panel & the 'Tools > Export' section of Wordpress.
The more backups you have, the merrier. Rebuilding a website from scratch is no fun, and, in some cases (like my own blog I started in '03) would be absolutely impossible without backups.
Your web hosting provider should be backing things up, but it never hurts to have a couple of extra copies of your data floating around -- don't trust their backups in a bind.
And, lastly, here's an infographic to link your friends to: Enjoy!
Advanced & misc. cruft
If that article bored you to death, my apologies. We're finding the average-joe/jane is getting their WordPress installed hacked left & right. There's some advanced & more generic tips below, in addition to our lovely image you can share with your friends.
Read only: Disable writes to any folders that won't need it.
We frequently come across someone using something like gravity forms to upload an executable PHP file and exploiting the installation. This, among many other exploits could easily be prevented by disabling writes to any folder by default, and, only allowing the ones that need it (cache folders, for example). We personally disable all writing by default, though, someone keen could still exploit it.
Reenabling writes for updates & such will be necessarily, but, can be automated (a cron. that reenables writes to folders, and, simultaneously updates wordpress, for ex.)
Lock down wp-admin
Disable logins to wp-admin to a certain IP addresses, and no more. Brute forcing installations is less popular for something like WordPress, but, frequently we'll see someone's password leaked through some other hack, and, that password being used on their WordPress installation.
Don't recycle passwords
It's 2015. Use 1password or keepassx. Avoid recycling passwords, however unimportant some of them may seem -- it often takes only a single account being exploited that results in a domino effect of hacks against your accounts.