WordPress is an extremely popular web platform with about 7% of all websites running WordPress. That large a population means that attackers have a rich environment to exploit your installation. There have been historical attacks and worms written specifically to target WordPress. Even highly visible bloggers weren’t immune to the attacks. However, there are some simple actions you can take to ensure your WordPress installation is as safe as possible.
I shouldn’t have to say this, but if you are not creating backups of your WordPress site, then you will eventually lose it. This isn’t me being melodramatic. It’s a fact. Something will occur and you’ll find that you cannot recover or repair the damage to your installation and without backups you’ll lose all of your hard work. When looking for a backup solution you need to consider several points:
- Does the solution back up configuration files in addition to your database?
- Does the solution offer the ability to store your backups off site?
- Does the solution allow for backing up non-WordPress database tables? This is important if you’ve installed services beyond WordPress (like Mint).
So, if you are not backing up your WordPress installation, here are a few solutions.
- BackupBuddy – I’ve used several backup solutions for WordPress and I believe that BackupBuddy is one of, if not the, best. Other than a small problem where the license always looks invalid when your site is running SSL, it works great. The only drawback is that scheduled backups will only run if someone visits your site. $45 for 2 sites.
- VaultPress – I’ve used this one too, but was not impressed when it came to actually recovering an installation. However, they are new and I’m sure will improve. They almost have to, as this is a service from Automattic, the same people that power WordPress.com and wrote Akismet. The most impressive part of VaultPress is that it is running constantly and does incremental backups on files as they change in your installation. $15 / month for the basic backup solution.
- Automatic WordPress Backup – I used this for a period of time, but eventually stopped; I don’t really remember why. It requires that you use Amazon S3 for storage, which is actually a good idea, as it gives you offsite backups (BackupBuddy supports S3 and RackSpace Cloud Storage too). This plugin is free.
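As an added example (my own script, not code from this post or from any of the plugins above), here is a cron-friendly POSIX shell backup that covers the three checklist points: it archives wp-config.php, .htaccess and wp-content, dumps the whole database rather than only the wp_ tables, and optionally pushes the result off-site. The function names, the `WP_BACKUP_REMOTE` variable and the assumption that the database credentials sit in the usual `define()` lines of wp-config.php are mine; mysqldump and scp are assumed to be on the PATH.

```shell
#!/bin/sh
# Added example (not the post's own code): a cron-friendly WordPress backup
# covering the three checklist points above. Function names are invented.
# Usage: wp_backup /path/to/wordpress /path/to/local/backups

# Read one define('NAME', 'value') constant out of wp-config.php.
wp_config_value() {
    # $1 = path to wp-config.php, $2 = constant name
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Point 1: configuration files, not just the database. Archives wp-config.php,
# .htaccess (when present) and wp-content (themes, plugins, uploads) into
# $2/wp-backup-<timestamp>/files.tar.gz and prints that directory.
wp_backup_files() {
    wp_root=$1
    dest=$2
    [ -f "$wp_root/wp-config.php" ] || { echo "no wp-config.php in $wp_root" >&2; return 1; }
    work="$dest/wp-backup-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$work" || return 1
    extras=""
    [ -f "$wp_root/.htaccess" ] && extras=".htaccess"
    tar -C "$wp_root" -czf "$work/files.tar.gz" wp-config.php wp-content $extras || return 1
    # A backup that cannot be listed cannot be restored: check the archive
    # before reporting success.
    tar -tzf "$work/files.tar.gz" | grep -qx 'wp-config.php' || return 1
    echo "$work"
}

# Point 3: dump the whole database, so tables that WordPress did not create
# (the Mint example above) are included too. No --tables or wp_ prefix filter.
wp_backup_db() {
    wp_root=$1
    work=$2
    cfg="$wp_root/wp-config.php"
    db=$(wp_config_value "$cfg" DB_NAME)
    user=$(wp_config_value "$cfg" DB_USER)
    host=$(wp_config_value "$cfg" DB_HOST)
    # The password goes via the environment, not the command line, so it does
    # not show up in ps output for other users on the host.
    MYSQL_PWD=$(wp_config_value "$cfg" DB_PASSWORD) \
        mysqldump --single-transaction -h "${host:-localhost}" -u "$user" "$db" \
        > "$work/database.sql" || return 1
    gzip -f "$work/database.sql"
}

# Point 2: off-site copy. If WP_BACKUP_REMOTE is set (e.g. user@host:/backups)
# the whole backup directory is pushed there; a copy that lives only on the
# web server is lost together with the server.
wp_backup() {
    work=$(wp_backup_files "$1" "$2") || return 1
    wp_backup_db "$1" "$work" || return 1
    if [ -n "${WP_BACKUP_REMOTE:-}" ]; then
        scp -rq "$work" "$WP_BACKUP_REMOTE" || return 1
    fi
    echo "$work"
}
```

Run it from the system cron rather than from inside WordPress: a plugin's scheduled job depends on WP-Cron, which only fires when someone visits the site (the BackupBuddy limitation noted above), whereas a system cron entry runs whether or not the site has traffic.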
Now that you have safe, secure backups, what else can you do?
Basic security principles always apply. Your WordPress installation is primarily secured in one way: a password. The admin password is the gateway to all of your content and capabilities in WordPress. A secure password is paramount to having a secure installation, so be sure to select a strong password.
Upgrades are probably the single most important aspect of running a secure WordPress installation. You need to make sure you are keeping your base WordPress installation up to date and that all of your Plugins are at the most recent level. The main reason that authors post updates is to correct bugs. Bugs are the main way that attackers are able to exploit websites, and WordPress is no different. If an attacker is going to be successful at breaching your installation, it will most likely be through the WordPress Core or through a Plugin. Keep everything current.
The configuration of your WordPress installation is probably the next most significant security step you can take. The official WordPress Codex on Hardening WordPress discusses several good security measures you can take. There is lots of good advice in that article; however, that advice comes down to seven steps:
- Upgrade when available
- Backup the site and the database
- Verify permissions on key files
- Secure key files (like wp-admin and wp-config) separately from the rest of your site
- Run SSL for Administration
- Obscure your site’s settings
- Logging and Monitoring
I’ll talk about several of these areas and how I apply them to my site in a bit.
Plugins are a double-edged sword. On the one hand, they are easy to install, easy to maintain, and would seem to make maintaining the security of your blog easy; on the other hand, they are written by other people, and thus you are revealing the inner workings of your site to a piece of software that could itself pose a security threat.
That said, I use several Plugins on my blog to help me understand where I could still improve. Those are:
- Akismet: Block spam comments.
- Block Bad Queries (BBQ): This is actually now 5G Firewall, but I still have the original loaded.
- Conditional CAPTCHA for WordPress: Another way to help block spam from your site.
- Exploit Scanner: A manual scan process that will determine if there are exploits that have been installed within your site (it does give LOTS of false positives).
- Secure WordPress: Takes corrective action for several common issues, user selectable.
- WordPress File Monitor: Monitors and emails you on all changes to files on your blog; this one is HIGHLY recommended.
- WordPress Ultimate Security: Assigns you a “Grade” for various areas of your security (I get 81 of 97).
- WP Security Scan: Checks for several common issues with WordPress security (table prefix, WP version hiding, DB errors off, ID META tag removed, admin user changed, .htaccess file for wp-admin).
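The WordPress File Monitor plugin listed above works by hashing every file in the install and comparing against a stored baseline. As an added example (my own shell, not the plugin's code), here is the same idea done from the server side, which has the advantage that the check does not run inside the PHP process that a compromised plugin would control. The function names `file_hash`, `wp_baseline` and `wp_check_changes`, and the decision to skip the wp-content/cache directory, are mine.

```shell
#!/bin/sh
# Added example (not the plugin's code): a baseline-and-compare file monitor
# for a WordPress tree. Function names and the cache exclusion are my own.
# Usage:
#   wp_baseline /var/www/blog > /root/wp-baseline.txt       # once, after each update
#   wp_check_changes /var/www/blog /root/wp-baseline.txt    # from cron; mail the output

# One "hash  ./relative/path" line per file; sha256sum on Linux, shasum elsewhere.
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Hash every file under the WordPress root, paths relative to it and sorted, so
# two listings can be compared line by line. The page cache directory is
# skipped because it changes on every request and would drown real alerts.
# (Filenames with spaces would break the column split below; WordPress
# sanitises upload names, so that is rare in practice.)
wp_baseline() {
    (cd "$1" && find . -type f ! -path './wp-content/cache/*' | LC_ALL=C sort |
        while read -r f; do file_hash "$f"; done)
}

# Compare the tree against a saved baseline. Prints one CHANGED/ADDED/REMOVED
# line per difference and returns 1 when there is anything to report, so a
# cron wrapper can mail the output only when it is non-empty.
wp_check_changes() {
    root=$1
    baseline=$2
    t=$(mktemp -d)
    wp_baseline "$root" | LC_ALL=C sort > "$t/new"
    LC_ALL=C sort "$baseline" > "$t/old"
    awk '{print $2}' "$t/old" | LC_ALL=C sort > "$t/old_paths"
    awk '{print $2}' "$t/new" | LC_ALL=C sort > "$t/new_paths"
    # Lines present now but absent from the baseline are either modified or
    # new; intersecting their paths with the baseline's paths isolates the
    # modified ones.
    LC_ALL=C comm -13 "$t/old" "$t/new" | awk '{print $2}' | LC_ALL=C sort > "$t/differ"
    {
        LC_ALL=C comm -12 "$t/differ" "$t/old_paths"    | sed 's/^/CHANGED /'
        LC_ALL=C comm -13 "$t/old_paths" "$t/new_paths" | sed 's/^/ADDED   /'
        LC_ALL=C comm -23 "$t/old_paths" "$t/new_paths" | sed 's/^/REMOVED /'
    } > "$t/report"
    cat "$t/report"
    if [ -s "$t/report" ]; then rm -rf "$t"; return 1; fi
    rm -rf "$t"
    return 0
}
```

Keep the baseline file outside the web root and regenerate it right after every core or plugin update; otherwise the first check after an upgrade reports every updated file as changed and the real signal (a PHP file appearing in wp-content/uploads, for instance) is buried in the noise.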
What I Do…
My personal blog, the one you’re reading, employs all of the advice in Hardening WordPress.
I secure my wp-admin area using a .htaccess file that locks it down by IP address. It looks like this:

```apache
# wp-admin/.htaccess, Apache 2.2 mod_authz_host syntax. Apache 2.4 accepts
# these directives only with mod_access_compat loaded; otherwise the same
# rules are written with Require. A hostname entry makes Apache do a reverse
# lookup on every client address before it can match.
order deny,allow
allow from 188.8.131.52/24
allow from mydomain.com
deny from all
```
Finally, I utilize a strong password, unique to only my blog.
There is a great article, I believe, at Smashing Magazine that outlines 10 Useful WordPress Security Tweaks; I took several of these points and put them to use on my site.
35 Security Plugins, of which I use 5 (see above).
Securing WordPress effectively may seem like a daunting task. Take things one step at a time and begin layering each of your techniques on top of one another. Make changes slowly, so you can ensure that everything is working properly before taking the next step.
Drop me a line in the Comments if you have any questions.