How Secure is your WordPress.org installation?
WordPress.org Security Part 1 talked about the WordPress.org architecture and its popularity among users, both of which make it a big target for hackers. Hackers like the predictable, standardized architecture that is common to all sites using WordPress.org, and they love the huge user base, which makes a single working attack very powerful. Why waste time on a platform with few users, when WordPress.org has millions of them?
The list below specifies the basic steps that should be implemented to secure your WordPress.org websites. If you haven’t done any of these items, your website is at serious risk of being attacked. The more items on the list you address, the more secure your website will be.
1) Change the default admin username to something else. Leaving the default admin username in place significantly increases the chances of being hacked, because an attacker then only has to guess the password.
2) Choose a very strong password for your user specified in number 1. The password should contain letters, numbers and special characters and try to make it at least 10-12 characters long.
3) Change the database prefix of your tables from wp_ to something else.
4) Setup backups for both application and database. These are extremely important in case your site gets hacked and you need to restore it back to the state it was prior to the attack.
5) Always update WordPress installations to the latest version, as new security fixes are only added to the latest version. You should see a notification on your dashboard when a new version is available.
6) Always update your plugins to the latest version. You should see a notification on your dashboard when a new version of a plugin is available.
7) Deactivate and delete all unused themes and plugins. Outdated themes and plugins are a common backdoor for hackers, and their files remain reachable on the server even after they are deactivated.
8) Hide the wp-admin area. This is very powerful, as hackers and automated botnets will always first try to access the wp-admin area and log in as an admin user.
9) When an FTP (File Transfer Protocol) connection is required, always use SFTP rather than plain FTP. With plain FTP the password is sent in clear text during the transfer, whereas with SFTP the password (and the rest of the session) is encrypted. This is an important item for preventing attacks: once someone has back-end access to your website, they can control everything.
10) Change the permissions of files to 664 and of directories to 775.
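As an added example (not code from the original post, and not part of the Better WP Security plugin), the script below covers the three items from the list that live on the file system: the table prefix (item 3), leftover themes and plugins (item 7) and the 664/775 permissions (item 10). It assumes it is run from a shell on the server, that the document root passed to each function is the directory containing wp-config.php, and that the prefix line in wp-config.php has the stock form `$table_prefix = 'wp_';`. Items 1 and 2 (admin username and password) live in the database and are not covered here. The `make_demo_site` fixture is a constructed throwaway tree used only for the demo run.

```shell
#!/bin/sh
# Added example (not from the original post): audit and fix helpers for
# items 3, 7 and 10 of the list above. Every function takes the WordPress
# document root (the directory holding wp-config.php) as its first argument.

# Item 3: print the table prefix configured in wp-config.php (empty if absent).
wp_table_prefix() {
    grep '^[[:space:]]*\$table_prefix' "$1/wp-config.php" \
        | sed -E "s/.*=[[:space:]]*['\"]([^'\"]*)['\"].*/\1/" \
        | head -n 1
}

# Item 3: "default" when the prefix is still wp_ (or missing), "ok" otherwise.
check_table_prefix() {
    prefix=$(wp_table_prefix "$1")
    if [ -z "$prefix" ] || [ "$prefix" = "wp_" ]; then
        echo "default"
    else
        echo "ok"
    fi
}

# Item 3: rewrite the prefix line in wp-config.php. Only the config file is
# changed here; the tables themselves, the {prefix}user_roles option and the
# {prefix}capabilities usermeta keys must be renamed in the database as well.
# $2 must not contain '/' or '&' because it is spliced into a sed script.
set_table_prefix() {
    tmp="$1/wp-config.php.tmp"
    sed -E "s/^([[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"])[^'\"]*/\1$2/" \
        "$1/wp-config.php" > "$tmp" && mv "$tmp" "$1/wp-config.php"
}

# Item 10: number of files whose mode is not exactly 664 plus directories
# whose mode is not exactly 775 (the values given in the list).
count_bad_perms() {
    files=$(find "$1" -type f ! -perm 664 | wc -l)
    dirs=$(find "$1" -type d ! -perm 775 | wc -l)
    echo $((files + dirs))
}

# Item 10: apply the modes from the list to the whole tree.
fix_perms() {
    find "$1" -type d -exec chmod 775 {} +
    find "$1" -type f -exec chmod 664 {} +
}

# Item 7: list the theme and plugin directories present on disk, so unused
# ones can be deleted (a deactivated plugin's files are still on the server).
list_extensions() {
    for kind in themes plugins; do
        for dir in "$1/wp-content/$kind"/*/; do
            if [ -d "$dir" ]; then
                echo "$kind: $(basename "$dir")"
            fi
        done
    done
}

# Constructed fixture: a throwaway tree that mimics a fresh, unhardened
# install (default prefix, 644/755 modes). Prints its path.
make_demo_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/twentyten" "$root/wp-content/plugins/hello"
    printf '%s\n' '<?php' "\$table_prefix = 'wp_';" > "$root/wp-config.php"
    echo '<?php // constructed placeholder plugin' > "$root/wp-content/plugins/hello/hello.php"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    echo "$root"
}

# Demo run against the fixture: sh wp_audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    DOCROOT=$(make_demo_site)
    echo "prefix: $(check_table_prefix "$DOCROOT")"
    echo "bad permissions before: $(count_bad_perms "$DOCROOT")"
    set_table_prefix "$DOCROOT" "k3q_"
    fix_perms "$DOCROOT"
    echo "prefix now: $(wp_table_prefix "$DOCROOT")"
    echo "bad permissions after: $(count_bad_perms "$DOCROOT")"
    list_extensions "$DOCROOT"
    rm -rf "$DOCROOT"
fi
```

On a real site, run the check functions first and only then `fix_perms` and `set_table_prefix`; the prefix change is deliberately limited to wp-config.php because the matching database rename is a separate, backed-up step (item 4).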
There are probably 10 more important items to address, but starting with the list above will definitely be a great beginning of the journey to a secure WordPress.org website. All this information is great, but you might wonder how to actually implement the above changes. Some of them are straightforward, such as updating the WordPress.org version and plugins or deleting old plugins and themes, but others require a bit more work.
Luckily, I have a simple answer for you. There is a security plugin called Better WP Security which addresses most of the above items. Please make sure to back up your current installation before configuring this plugin, as some of the configuration changes can break your website. This plugin is best installed on a fresh WordPress.org installation. Once installed and configured, it works great.
Stay tuned for Part 3. It will give you the results of a survey done on around 20 people (mainly UMD students) detailing how much they know about WordPress.org security and how much they have done to actually secure their websites.
For more information about this topic, please check the below links: