Wordpress Security

9:08 AM Mahder Alemayehu 5 Comments

Here is a post which I have found very important and a must-read. The post was made by one of my dear friends, Fasil Girma. I hope you will enjoy his advice about WordPress site security.


In this post I am going to focus on securing a WordPress website and on what to do if you get hacked. The tips are also useful for any non-WordPress website, so I encourage you to keep reading even if you don't know anything about WordPress <http://www.wordpress.org/>.

WordPress isn't to blame!

In my very early days of web design one of my clients' websites got hacked, and I had to explain to my client that it was due to WordPress' weak security. I now feel very ashamed of that incident. But I am not alone when it comes to such generalizations about WordPress' security. Most beginning developers don't go any further down the road of securing their website after setting it up and uploading it onto the "world wild web". They just expect WordPress to be an angel and magically guard their site against all the evil on the web. Yes, they don't even pray. But WordPress isn't to blame.

Below I will show you five simple tips on how you can lock down your WordPress website against most of the threats it will meet on the web.

1.      Look for hosts with experience hosting WordPress websites.


This can be your first step towards securing your website. None of the security measures we discuss below will do you much good if you don't have a reliable hosting company. It's like ordering the best meal at the worst restaurant in town: you worry about the food after choosing the restaurant. Some qualities to look for in a potential hosting company are solid support, transparency and communication, regular backups that you have actually seen restored, and software that is kept up to date.

I recommend Dreamhost <http://dreamhost.com/>  for the above reasons and from my own experience.

2.      Update WordPress, themes, and plugins. 

Most attackers get in through known security flaws in themes and plugins, so before you add one to your site, check how widely it is used, what its reputation is, and whether its author still updates it. WordPress itself is updated regularly, and your website should follow: a flaw that has already been fixed upstream is exactly what attackers scan for. But always back up before you update anything. If anything goes wrong you can restore the old site while you figure out what went wrong.

Always back up before you update anything!

3.      Grant users the minimum privilege they need to do their job.

Take care when you give a user the "Administrator" role, because it gives them access to every part of the website. You might think a well-trained user wouldn't do much damage. That might be true, but what if that user's password has been compromised? So if you do grant Administrator privileges, at least use a username other than the default "admin". With the "admin" username, attackers are halfway to breaking into your site; they only have to guess the password. Note, though, that WordPress usernames are not really secret (author archive URLs such as /?author=1 reveal them), so the renamed account only buys you a little; the password is what actually protects it. Use a strong password that mixes lowercase and uppercase letters, numbers and symbols, use a different strong password for every site login, and change it at once if you suspect it has leaked. Rotating it periodically, say monthly, is a further precaution.
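The "back up, then update" routine of tip 2 and the administrator audit of tip 3, scripted as an added example (this is not code from the original post). It assumes WP-CLI (https://wp-cli.org/) is installed as the wp command, that the site's document root and a backup directory are passed as the two arguments, and that the shell user can read wp-config.php; all three are assumptions made here.

```shell
#!/bin/sh
# Added example, not part of the original post: back up a WordPress site
# (files and database) before updating it, then list who holds the
# Administrator role. Assumes WP-CLI is installed as `wp`; the site root
# and backup directory are passed in by the caller.

# File backup: wp-config.php, themes, plugins and uploads are the parts you
# cannot simply re-download, so they go into one timestamped archive.
# Prints the archive path.
backup_files() {
    root=$1; dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"
    tar -czf "$dest/files-$stamp.tgz" -C "$root" wp-config.php wp-content
    echo "$dest/files-$stamp.tgz"
}

# Database backup through WP-CLI, which reads the credentials from wp-config.php.
backup_db() {
    root=$1; dest=$2
    mkdir -p "$dest"
    wp --path="$root" db export "$dest/db-$(date +%Y%m%d-%H%M%S).sql"
}

# Update core, then every plugin and theme, then run pending database migrations.
update_site() {
    root=$1
    wp --path="$root" core update
    wp --path="$root" plugin update --all
    wp --path="$root" theme update --all
    wp --path="$root" core update-db
}

# Tip 3: list the accounts that hold the Administrator role, so you can
# demote the ones that don't need it and spot a login called "admin".
list_admins() {
    root=$1
    wp --path="$root" user list --role=administrator --fields=ID,user_login,user_email
}

# Full routine: refuse to update unless both backups succeeded.
safe_update() {
    root=$1; dest=$2
    backup_db "$root" "$dest" && backup_files "$root" "$dest" >/dev/null && update_site "$root"
}

# Usage: sh wp-update.sh /var/www/example.com /var/backups/example.com
if [ "$#" -eq 2 ]; then
    safe_update "$1" "$2"
    list_admins "$1"
fi
```

The order matters: the database dump comes first because it is the part you cannot recreate from anywhere else, and the update step never runs if either backup failed.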

4.      Lock down the WordPress admin dashboard (/wp-admin) using an .htaccess.


This makes the admin dashboard unreachable for everyone except a fixed IP address, for example your office computer. Every other device that tries to reach the admin area will be refused, since it comes from a different IP address. Create an .htaccess file in your /wp-admin folder and add the following lines to it:

# Leftovers from a password-prompt setup: with no Require directive these
# Auth* lines never trigger a login prompt, so they can be dropped.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
# Apache 2.2 access control (also honoured by 2.4 when mod_access_compat
# is loaded): "deny" rules are evaluated first, then "allow", so the single
# allow line below wins for that one address.
order deny,allow
deny from all
# IP address to whitelist
allow from 149.149.149.149

This makes http://your-site.com/wp-admin accessible only from the IP address 149.149.149.149; requests from any other address get a 403 Forbidden response from the web server. A few caveats before you rely on this. The directives above use the Apache 2.2 syntax; on Apache 2.4 the equivalent is "Require ip 149.149.149.149", unless the mod_access_compat module is loaded. The login page itself, wp-login.php, lives outside /wp-admin and is not covered, so protect it too (a <Files wp-login.php> section in the site's root .htaccess with the same rules). Some themes and plugins call /wp-admin/admin-ajax.php from public pages, and those features will break unless you exempt that file. Finally, if your office address is dynamic, or the site sits behind a proxy or CDN that rewrites the client address, you can lock yourself out, so test from a second connection before you log out.

5.      Ensure that the permissions on wp-config.php are not world-readable, especially in a shared hosting environment.


WordPress' wp-config.php file contains the key configuration of your website: the database connection details, the authentication keys and salts, and the path to WordPress. You don't want to hand attackers everything they need to break into your website in a single file, which is exactly what a world-readable wp-config.php on a shared host does: every other customer's scripts on the same server can read it. So tightening the permissions on this file is not optional. Each server configuration requires different file permissions, but most of the time 600 works for wp-config.php, provided PHP runs as the file's owner. If the web server runs as a separate user (for example mod_php running as www-data) you need 640 with the file's group set to that user, otherwise PHP cannot read the file and the site goes down. You can use your FTP client or a shell to change the permission bits of any file on your server. WordPress also looks for wp-config.php one directory above the web root, so on hosts that allow it, moving the file out of the document root is a further safeguard.


What to do when you get hacked?


*       Take the site offline. Now. That way you avoid being flagged by search engines and antivirus programs, and you stop the attacker from using the site while you work.
*       Let your web host know what happened. 
*       Make a full backup of the infected site. It's helpful for reviewing what happened and in case you mess up something during the repair.
*       Change all of your passwords (WordPress users, the database user, FTP/SSH and the hosting control panel) and regenerate the authentication keys and salts in wp-config.php, which invalidates every existing login cookie.
*       Remove any old themes, plugins, and unused code from your server.
*       Update all code on your server. Re-install WordPress so that all of the WordPress files are overwritten with fresh copies.
*       Reinstall themes or plugins with fresh copies to make sure no malicious code was inserted.
*       Check that the file permissions on your files are correct, especially wp-config.php and uploads.
*       Remove the rogue code and check all sites on your hosting account, since one compromised site is routinely used as a foothold into its neighbours. There are tools that can help scan and clean the infection, such as VaultPress <http://vaultpress.com/>. The Exploit Scanner plugin also scans for certain known exploits.

*       If you don't have the ability to fix the infected files, the best thing to do is restore from a recent clean backup, one taken before the attack began.
*       Check your server access logs. Search for the bad file names you found on the server, for suspicious patterns passed as query strings, and for the dates and times that tell you when the attack happened; the first request for a rogue file is usually close to the moment it was planted.


Conclusion


To secure your WordPress website:

*       Look for hosts with experience hosting WordPress websites.
*       Update WordPress, themes, and plugins.
*       Grant users the minimum privilege they need to do their job.
*       Lock down the WordPress admin dashboard (/wp-admin) using an .htaccess.
*       Ensure that the permissions on wp-config.php are not world-readable, especially in a shared hosting environment.

Thank you, Fasil, for such a wonderful read! Hope for many more to come soon!

If you would like further information, maybe to ask the author or to read other similar posts by him, you could visit his blog: http://rasfasil.com/wordpress-website-security/
