WordPress Security

Published: February 15, 2011

The blog portion of this website is currently powered by WordPress. WordPress is an open source blog publishing application built on PHP and MySQL that can also be used as a general content management system. It has many features, including an editorial workflow, a plugin architecture and a templating system. Because WordPress is such a widely deployed platform, it is a frequent target for attackers: a single bug in the core, a theme or a popular plugin can be tried against millions of sites. So I thought it would be a good idea to share a few ideas to help keep your WordPress blog as secure as possible.

1. Stay up to date: If newer versions exist for WordPress, your theme or your plugins, install them as soon as they become available. Once a fix is public, attackers know exactly what to look for on the sites that have not applied it, so the window between release and update is when you are most exposed. Make sure you have backups of everything, including your database, before you update, since an update can occasionally break a theme or plugin. There are plugins that can back up your database for you if you can't or don't know how to do it manually. How will you know when a new version becomes available? WordPress shows an update notice at the top of the dashboard, so make sure you pay attention to it.

[Image: the WordPress update notice shown in the dashboard]

2. Make regular backups of your database and site: If an attacker corrupts or defaces your WordPress blog, a clean backup is what lets you restore it quickly instead of trying to clean up a compromised install by hand. I recommend daily or weekly backups even if you are not frequently updating your site, because you will still be receiving user comments and trackbacks. Manual backups are tedious and you will likely forget to do them regularly, so automate the process. You can use a plugin called WordPress Database Backup to schedule backups at hourly, daily, weekly or monthly intervals. There are other tools for backup automation, so explore your options and choose a method that works for you. Whatever you choose, keep the copies somewhere other than the web server itself (an attacker who gets into the server can delete backups stored next to the site), and try restoring one occasionally so you know the backups actually work. Back up the files as well as the database: uploaded media and any customized theme live in wp-content, not in MySQL.
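For readers who would rather automate this outside WordPress than through a plugin, here is a cron-driven backup script as an added example; it is not code from the original post or from any WordPress plugin. It assumes the site lives in one directory with a standard wp-config.php, that mysqldump is installed, and that the destination directory is outside the web root; the function and file names are my own. It reads the database credentials out of wp-config.php, hands them to mysqldump through a mode-600 options file so the password never appears on the command line, archives the dump together with wp-content and wp-config.php, and keeps only the newest archives.

```shell
#!/bin/sh
# Added example (not from the original post): automated WordPress backup
# for cron. Assumes a standard wp-config.php, mysqldump on the PATH, and a
# backup directory outside the web root. Names below are my own.

# Read a define('KEY', 'value') setting out of wp-config.php.
# Splitting on quote characters makes this work for both ' and ".
wp_config_value() {
  awk -F"['\"]" -v key="$2" \
    'index($0, "define(") && $2 == key { print $4; exit }' "$1"
}

# Keep only the newest KEEP archives named wp-<timestamp>.tar.gz in DIR.
# The timestamp sorts lexically, so a reverse sort puts the newest first.
prune_backups() {
  dir="$1"; keep="$2"
  for f in "$dir"/wp-*.tar.gz; do
    [ -e "$f" ] && printf '%s\n' "$f"
  done | sort -r | tail -n +$((keep + 1)) | while read -r old; do
    rm -f "$old"
  done
}

# Dump the database and archive it with wp-content and wp-config.php.
# Credentials go through a mode-600 options file instead of the command
# line, so the password never shows up in `ps` or shell history.
run_backup() {
  site="$1"; dest="$2"; keep="${3:-14}"
  cfg="$site/wp-config.php"
  stamp=$(date +%Y%m%d-%H%M%S)
  tmp=$(mktemp -d) || exit 1
  printf '[client]\nhost=%s\nuser=%s\npassword="%s"\n' \
    "$(wp_config_value "$cfg" DB_HOST)" \
    "$(wp_config_value "$cfg" DB_USER)" \
    "$(wp_config_value "$cfg" DB_PASSWORD)" > "$tmp/my.cnf"
  chmod 600 "$tmp/my.cnf"
  # --defaults-extra-file must be the first option mysqldump sees.
  mysqldump --defaults-extra-file="$tmp/my.cnf" --single-transaction \
    "$(wp_config_value "$cfg" DB_NAME)" > "$tmp/db.sql"
  tar -czf "$dest/wp-$stamp.tar.gz" -C "$tmp" db.sql \
    -C "$site" wp-config.php wp-content
  rm -rf "$tmp"
  prune_backups "$dest" "$keep"
}

# Run from cron, for example nightly at 03:00 keeping two weeks of copies:
#   0 3 * * * /usr/local/bin/wp-backup.sh /var/www/blog /var/backups/blog 14
if [ "$#" -ge 2 ]; then
  run_backup "$@"
fi
```

The archive is written with the permissions of the cron user, so run it as a user other than the web server's and make the destination unreadable to the web server account; copying the finished archive off the machine (rsync, S3, or similar) is a separate step this script does not do.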

3. Don't use the default admin username: Older versions of WordPress created an account named admin with every installation (recent versions let you pick a name during setup, but many sites still have the old one). Unfortunately, the entire world knows this, including attackers, so they can skip guessing the username and launch a dictionary attack against your login page, trying password after password against admin. If an attacker already knows your username, that's half the battle. It's highly recommended to delete or rename the admin account. WordPress won't let you edit a username in the dashboard, so create a second administrator account with a different name, log in as that user, and delete admin, choosing to attribute its posts to the new account when prompted. Keep in mind that author archive URLs (/author/name/) are built from a slug WordPress derives from the username, so a determined attacker can often recover your login name anyway; the strong password in the next point is what actually stops the guessing.
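To see whether the dictionary attacks mentioned above are hitting your own site, you can look for them in the web server's access log. The script below is an added example written for this page, not code from the original post or from WordPress; it works on the Apache/nginx "combined" log format and relies on one WordPress behaviour: a failed login re-renders the form with HTTP 200, while a successful one redirects with 302. So a burst of "POST /wp-login.php" 200 responses from a single address is a password-guessing run. The function names and the sample log lines are my own construction.

```shell
#!/bin/sh
# Added example (not from the original post): spot dictionary attacks on
# wp-login.php in a "combined" format access log. A failed WordPress login
# answers the POST with 200 (the form again); a successful one answers 302.
# Function names and sample data are my own.

# usage: wp_login_bursts LOGFILE THRESHOLD
# Prints "<ip> <failed-posts>" for every client at or above THRESHOLD,
# busiest first. In the combined format field 1 is the client IP, field 6
# the method (with its opening quote), field 7 the path, field 9 the status.
wp_login_bursts() {
  awk -v limit="$2" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= limit) printf "%s %d\n", ip, hits[ip] }
  ' "$1" | sort -k2,2nr
}

# Constructed sample log for a dry run (not real traffic): 203.0.113.7 fails
# six times, 198.51.100.5 fails twice, 192.0.2.9 logs in on the first try.
sample_access_log() {
  cat <<'EOF'
203.0.113.7 - - [15/Feb/2011:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2893 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Feb/2011:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Feb/2011:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Feb/2011:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Feb/2011:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Feb/2011:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Feb/2011:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.5 - - [15/Feb/2011:10:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.5 - - [15/Feb/2011:10:05:20 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.5 - - [15/Feb/2011:10:05:30 +0000] "GET /2011/02/hello-world/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.9 - - [15/Feb/2011:10:07:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

if [ "$#" -ge 1 ]; then
  wp_login_bursts "$1" "${2:-5}"
else
  log=$(mktemp)
  sample_access_log > "$log"
  wp_login_bursts "$log" 5      # with the sample data, prints: 203.0.113.7 6
  rm -f "$log"
fi
```

Run it against today's log with a threshold that suits your traffic (`wp_login_bursts /var/log/apache2/access.log 20`). The output is the list you would feed into a firewall rule or a tool such as fail2ban; the script itself only reports.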

4. Protect your blog with a solid password: A strong password that you can still remember is one of the easiest defenses against the dictionary attacks described above; a long passphrase that does not appear in any word list defeats them outright. There are many online password strength checkers, but don't type the password you actually use into a third-party website; test a similar pattern instead, or use a checker that runs locally.

5. Keep WordPress visitor registration turned off: By default, WordPress installations don't allow visitors to register for an account on your site. There are advantages to open registration if you're building a community site, but unless you need it, keep it off: open registration hands any attacker a logged-in account, and a logged-in account, even a low-privilege one, is the starting point for many exploits against plugin bugs. To check that registration is turned off, log in to your admin area, open "Settings", and make sure "Anyone can register" is unchecked next to the "Membership" option.

6. Activate the Akismet plugin: Akismet is an anti-spam plugin that comes bundled with every WordPress installation, although it is not active until you turn it on. It stops comment and trackback spam and can dramatically reduce the amount of unwanted content reaching your blog, which also cuts down on the malicious links spammers try to plant in comments. You'll need to sign up for an Akismet API key and enter it to activate the plugin. The sign-up and activation process is fairly simple and self-explanatory.

7. Use Secret Keys: The secret keys are long random strings that WordPress mixes into the hashes it uses to sign login cookies and nonces, so that someone who obtains a copy of your database still cannot forge a valid session. (They are not used for the stored password hashes, which carry their own per-password salts.) Secret keys are set in your wp-config.php file. Simply visit https://api.wordpress.org/secret-key/1.1 to have a set of randomly generated secret keys created for you, copy the 4 secret keys into your wp-config.php file in place of the placeholder lines, and save. You can add or change these keys at any time; the only effect is that all current WordPress cookies are invalidated and your users will have to log in again, which makes rotating them a useful step after any suspected compromise.
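If you would rather not paste secrets from a website, you can generate them on the server and write them into wp-config.php yourself. The script below is an added example written for this page, not code from the original post or from WordPress. It assumes /dev/urandom is available and that the key lines in wp-config.php still carry the placeholder text from wp-config-sample.php; the function names are my own. It goes slightly beyond the text: besides the four *_KEY names that the secret-key/1.1 endpoint returns, it also fills in the four *_SALT names that wp-config.php has carried since WordPress 3.0 (the 1.1/salt endpoint returns all eight).

```shell
#!/bin/sh
# Added example (not from the original post): generate WordPress secret keys
# locally and write them into wp-config.php. Assumes /dev/urandom and a
# wp-config.php whose key lines still hold the sample-file placeholder.
# Function names are my own.

# 64 random alphanumeric characters (about 380 bits of entropy). Limited to
# [A-Za-z0-9] so the value is safe inside a single-quoted PHP string and in
# the sed replacement below.
random_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 64
}

# Replace every placeholder key/salt line in CONFIG with a fresh secret.
# Lines that already hold a real value are left untouched.
install_secret_keys() {
  cfg="$1"
  for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    secret=$(random_secret)
    sed "s|^\([[:space:]]*define([[:space:]]*['\"]$key['\"][[:space:]]*,[[:space:]]*\)['\"]put your unique phrase here['\"]|\1'$secret'|" \
      "$cfg" > "$cfg.tmp"
    cp "$cfg.tmp" "$cfg"    # cp into the existing file keeps its mode and owner
    rm -f "$cfg.tmp"
  done
}

# Count key/salt lines still carrying the placeholder; 0 means all are set.
placeholders_left() {
  grep -c "put your unique phrase here" "$1" || true
}

if [ "$#" -eq 1 ]; then
  install_secret_keys "$1"
  echo "placeholders left: $(placeholders_left "$1")"
fi
```

Run it as `sh wp-keys.sh /var/www/blog/wp-config.php`; run it again after a suspected compromise only after first restoring the placeholder lines (or adapting the pattern), since by design it never overwrites a key that is already set.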

8. Manage your network and server: The first seven steps in this checklist can be handled within WordPress itself. To really secure your site, though, you have to look beyond the WordPress application and make sure the server and network it runs on are secure: an attacker who gets in through an outdated web server, a weak FTP password or another site on the same host does not need a WordPress bug at all. Be sure to ask your web host what security precautions they take.

For further information be sure to read the Hardening WordPress entry in the WordPress docs.

What are your thoughts on WordPress security?  Do you have any extra tips?



Copyright © 2013 · Lively Web Design