Every day, some scary report about a major site being hacked or a sensitive database being compromised hits the web … and freaks everyone out.
Last week, in preparation for an interview about my work at Copyblogger’s managed WordPress hosting division, I chicken-scratched a top 10 list of tips for keeping your WordPress website(s) secure.
We’ve been discussing WordPress security a lot over at the Synthesis blog, here, here, and most especially here), but these days, you can’t be secure enough, right?
It’s worth your time to look over this list of security tips, and to take the few simple actions to implement them. How secure is your website?
Let’s go over the basics right now …
Why take WordPress security so seriously?
Why all the security talk? Because staying vigilant about security is an ongoing responsibility for any WordPress site owner.
In fact, it’s an ongoing responsibility for everyone online, whether you’re using WordPress or not.
So we’ll continue to discuss it here as much, if not more so, than performance. Hey, sub-second load times are great, but not if you’re hosting hidden links to Viagra sites or Google is flagging your site as malware-infected.
I know that security can sometimes be a nebulous, obtuse topic. If you don’t have a technical background, the risks and the necessary safeguards can be difficult to comprehend.
You’re not alone.
When I first launched Midwest Sports Fans some four years ago, I couldn’t have told you the difference between DDOS and Mike Doss. I was among the ranks of those who used the same password for my MSF admin login as for my Gmail account … and my bank account … and, you get the idea.
Over time, I learned the importance of taking security seriously. Some of the lessons weren’t pleasant. But they provided me with the knowledge to be able to educate you on simple steps you can take right now to make your site safer.
As you read this list, consider it less a “top 10 list” and more of a checklist. If you come across one, two, or ten of these that you cannot mentally check off as being part of your current security arsenal, stop reading and go implement it.
Let this motivate you: we see between 50,000-180,000 unauthorized login attempts every single day at the sites we host. The vast majority of these are hackers using brute force techniques to get into websites and wreak havoc. It is possible, perhaps even probable, that a hacker halfway across the globe is trying to hack into your site at this very moment …
… I hope your password isn’t password123.
And now, on to the most important top 10 list you’ll read all week:
1. Maintain strong passwords
Let’s kick off the list with the easiest step you can implement immediately. Hopefully you already have.
If not, do not procrastinate on this one.
I’ve linked to this post before, and I’ll link to it again: “Password Protection: How to Create Strong Passwords” from PCMag. I used a number of the tips listed in that post to completely overhaul my personal password strategy.
Take this seriously.
Excuses like, “But I want one password for all of my sites so that I won’t forget!” or “My (generic) password is good enough, and what are the odds that someone is really going to try to hack me?” are not acceptable.
If you aren’t using a password that’s at least ten characters, with numbers and letters, capitals and lowercase … you’re doing it wrong. Do it right. Especially this one.
2. Always keep up with updates
WordPress updates are not just released for the Google News search results. They are released to fix bugs, introduce new features, or, most importantly, to patch security holes.
Will WordPress (or any software program, for that matter) always be one step ahead of the hackers? Of course not. Quite the contrary. For the most part, as with performance-enhancing drug testing in sports, software is always going to be one step behind the hackers. That’s just how it goes, it’s the world we live in.
But when major security holes are known — and patches are available — there is no excuse not to implement them. Thus, there is no excuse not to keep up with WordPress updates. The same goes for plugins and themes.
I know that many of you feel trepidation when it comes to updating WordPress, afraid that it might break your theme or disrupt a plugin’s functionality. My response to this is simple: if you’re afraid of it, then you need to re-evaluate your theme and plugin strategy. Your theme will certainly get disrupted when a hacker injects half a page of a nasty encrypted code into it.
One of the benefits of investing in a WordPress theme framework like Genesis is that our StudioPress division will have the Genesis Framework updated damn near instantaneously when a WordPress update is released. In fact, there’s a good chance they had input in the WordPress update itself! So, you never have to worry about your theme breaking.
As for plugins, this is why vetting plugins is so important. If a plugin isn’t updated regularly, or you’re not paying for support, then you should be afraid of it possibly breaking with a WordPress updates. Thus, you might want to rethink using it at all.
3. Protect your WordPress admin access
Should you change the name of the default “admin” user that every WordPress installation starts out with? Sure, you can. It certainly isn’t going to hurt.
Just know that it isn’t the pinnacle of security measures. Hackers can find usernames fairly easily from blog posts or elsewhere.
More important than disguising the specific admin username is to make sure that every username of your site with administrator access is protected by a strong password. (Yes, I’m referring you back to #1 in this list.)
And, if you really want to protect your site, go the extra step of requiring a Yubikey to login. That way, even if someone does have the password to a username with administrator access, he or she cannot login without physically possessing the Yubikey (which is easily used via simple USB insertion when it’s login time).
And no, it’s not a hassle. It’s peace of mind.
4. Guard against brute force attacks
Remember the stat I cited above? It’s worth citing again: we see between 50K and 180K failed login attempts a day on the sites we host. The site you’re reading right now (Copyblogger in case you’re somehow reading a scraper site) sees 275 unauthorized login attempts … every hour.
Before you pass out at the magnitude of that number, know that you’re far from powerless against these nameless, faceless hack attempts.
First, your web host should be helping to protect you from brute force attacks. We do. We regularly monitor where failed login attempts are coming from and then lock out the offending IP addresses.
Second, make sure you’ve checked off tips 1, 2, and 3 above.
Third, there are programs that can be installed (such as Limit Login Attempts) that will make it much more difficult for brute force techniques to work.
5. Monitor for malware …
It’s imperative that you have some kind of system in place to constantly monitor your site for malware.
The folks at Sucuri do this as well as anyone, which is why we’ve partnered with them for the server-side scanning that we do for all of our customers.
How you monitor is vitally important. Choose a method that can actually dive into your file structure and detect deep breaches, rather than one that just shows you where you’re vulnerable.
6. … Then do something about malware!
Monitoring for malware is not a solution in and of itself. The solution is what happens once malware is detected.
If you are not a Synthesis customer, the Sucuri team is a great one for you to partner with because they’ll not only scan for malware, they’ll help you clean it up once it’s detected.
And if you are a Synthesis customer, you already know that we’ll take on the job of cleaning and repairing your site should anything bad happen to it.
A couple of the oft-overlooked “true costs” of WordPress ownership are those associated with downtime due to security issues and cleaning up those issues. This is part of the value proposition that should be rolled into your managed hosting provider’s offering.
7. Choose the right web host
I’ve already told you about the server-side scanning and malware cleanup guarantee that we give all of our customers. And that’s far from the only reason why our WordPress hosting is a great choice for the security-conscious WordPress user. Just saying.
One major security risk is being on a shared server. Think of it this way: take the security risks inherent in your own WordPress installation, then multiply it by the number of sites on the server. And if you go with generic hosting, chances are you’re going to be lumped in with hundreds and hundreds of other websites.
Don’t.
Your own VPS may not the right option for you. It may be too expensive, or your traffic may not necessitate it. That’s fine. But if you’re going to be on a shared server, make sure it’s shared with just a small number of sites (our shared servers have no more than 10 sites) on a hosting stack that has proven safeguards in place to protect it.
Also, find a host that doesn’t get complacent about security.
Anyone who would claim to “have security figured out” has no clue. Online security is constantly changing. Web hosting companies need to constantly evolve with that changing landscape, and the threats the come with it. Make sure whoever you trust your website to operates with this mentality.
8. Clean your site like you clean your kitchen
Did you know that your WordPress installation could easily have ticking time bombs sitting on it that you’re not aware of?
If you have old themes and plugins that you’re not using anymore, especially if they haven’t been updated, you can basically just go ahead and start the countdown to your next security breach. A messy site also makes it much more difficult for security professionals to operate should your site be compromised.
You wouldn’t leave dirty dishes and silverwear sitting in stale water for three days in your sink would you? Of course not. It would be a breeding ground for filth and muck.
So clean up and organize your file structure like you would your kitchen. It will keep you safe in more ways than one.
If you’re asking, ‘Where do I begin?’ Start at the root. Compare your file list to that of the default WordPress core. A few extra files, like your favicon? OK. Two times as many files including Power Point presentations for work? Time to do some dishes …
9. Control sensitive information
And when you are doing that cleanup of your file structure, check to make sure you are not leaving bits of valuable information available for all the world to see.
For example, the readme.html file by default will say what version of WordPress you’re running. If you’re running an older version of WordPress with a known security hole, hackers will find you.
Similarly, look into your phpinfo.php or i.php files. They’ll tell a hacker everything about your setup and serve as a “road map to the house” before they even break in.
And leaving .sql database backups files is a big no-no. If a hacker can download your entire database they’ll have every username and encrypted password you’ve ever used at their disposal.
While your website host should be scanning for items like this, why leave anything to chance? You wouldn’t walk out your front door without pants on (at least I’d hope not!) … so don’t run your website that way.
10. Stay vigilant
This is one is pretty easy to explain. Just stay on top of what’s going on out there.
You don’t need to understand the intricacies of a DDOS attack or churn out a blog post about GoDaddy getting taken down. But when an issue like the TimThumb fiasco rears its ugly head, are you aware of it? Early detection is the best prevention.
You should be with a managed WordPress host who has your back, but it never hurts to have your own too.
Follow Twitter accounts like Sucuri’s or ours, where we’ll update you when we hear of relevant security issues affecting the web. And just keep your eyes peeled. Don’t think that security issues are only affecting those other sites. They could just as easily be affecting yours.
Respect thine enemy, as they say.
Over to you …
Most importantly, we need to respect the critical nature of taking website security seriously.
The ten steps above are not the only security safeguards you should be considering, but they are a well-rounded start, especially for those who may have trouble implementing the basics.
Take action on these tips and you’ll have the essential WordPress security measures in place.
Any other WordPress security tips out there? Drop them in the comments below …
Reader Comments (137)
Your strong password policy is outdated.
http://lifehacker.com/5796816/why-multiword-phrases-make-more-secure-passwords-than-incomprehensible-gibberish
It’s not a matter of being outdated — the math doesn’t actually change. Multiword phrases have always been even better than code strings. If you read the article, a random 6-character string will still take 219 years to break with a brute force attack. I do like multiword phrases because they’re extremely secure and they’re something a human can remember.
Sonia, agreed. The key is making the transition from simple to some level of complexity. Combining these password recommendations with software solutions that “put delays” in the process can easily push those math out by 20X. These solutions include the Limit Login plugin for WordPress and “Faile2Ban” on the server side for FTP/SFTP.
Ben, thanks for sharing as the math chart helps to clarify.
The best is if the host uses FTPS not SFTP
Ben, great link. I’m not necessarily sure I’d say that the password policy described in the article is “outdated,” as even the article you link to states that “gibberish” passwords are essentially secure; but, it does make the great point about spaces in passwords, which add an extra layer of security…plus provide the additional benefit of allowing you to use real words that can be more easily remembered. I’m all for any policy/strategy that increases security. Thanks for providing the link.
Yes. A good idea. Just be sure not to log into lifehacker with any password that you care about. When lifehacker was hacked, my email and password were posted in plaintext for the world to see. When LinkedIn was hacked many encrypted passwords were discovered by brute-force guessing. No matter how fancy a password is, it had better be unique to each site. I recommend 1Password, or a similar tool, to generate and store long unique passphrases.
I think that’s best as well. Then come up with a great (long, somewhat complex) pass phrase password for that account, and forget the rest.
Agree with you on this Tony, Different passwords for different sites (of the next step up to 1Password) is absolutely critical.
1Password is the best works on Mac, PC, iPhone might be on other mobile OS Android or Win
Excellent information that EVERY WordPress user should implement ASAP. Nice job Jerod!
Using a password manager like LastPass will not only generate secure passwords for you, but it helps to organize and remember them as well. I recommend LastPass to all of our clients.
Also, in addition to Jerod’s recommendation of the Limit Login Attempts plugin, I’ve found Better WP Security
https://wordpress.org/extend/plugins/better-wp-security/ to be very good as well.
Best Regards,
TJ Greene
I use one password for almost all my sites and no one has ever hacked any information. should I start worrying?
Sherrell, yes you should start worrying. The hackers are out in force doing everything from sniffing wireless access points to simply brute force bombing sites to the tune of 5K tries per hour. If they don’t get it one way, they’ll try another. Get a good secure password manager and mix it up. You don’t have to go overboard. Just don’t make it easy for them.
And think about how many large sites have been broken into in the last year. If a hacker gets your password & login from one site, you’ve opened up every site you belong to.
Thanks for the insight my Facebook account got hacked a few weeks ago and I thought I had a good password then.So I am going beef up my security as from today.
I don’t believe it’s outdated. There are just some more tips out there that we could add to it like this link you have here. This is one of the reasons I like to read blog posts. I find more tips on the comments.
But still Strong passwords with Lower case, Upper case, alpha numeric passwords, protect the websites from many attacks.
Note to self: Change password later today and consider diversifying passwords across all major social media networks.
Great to hear! It will make you safer. And you can never be too safe online.
You can use Roboform to generate #%$#&#$^ passwords and stored them securely on the cloud 🙂
I am one of the advocates which tries to educate people on why it is so important to prevent getting malware for their websites and the tips you shared are the first must do steps for anyone with a WordPress blog and not only.
Then they should look into securing the admin section with a security certificate and deny access to specific files and directories on the server, such as wp-confg.php or wp-admin.
Eugen, great insight. We actually do a decent number of hard denies at Synthesis (e.g. readme.html) and custom denies for those who want them. I agree on the cert approach. Not always affordable for all but as a site grows it is worthy of consideration. Thanks for the input.
Some great tips. One thing I’d like to add on teh password issue. If your system supports it, use a passphrase. There is a great visual that demostrates the passwords we are trained to use are actually a mess.
http://xkcd.com/936/
If you don’t want to click through it basically says that complex passwords like “Xa3th3r#” look secure but are shockingly easy for a computer to crack using a brute force hack and are crazy hard to remember, especially if you are taking the time to protect each site with a different password. A passphrase is much easier to remember and much harder to crack. For example, I might use this on my design blog (might but don’t) “Wh!te spac3 is the right place to start your design!” Since it is my design blog it should be easy to associate with that and be different from the ministry blog that might be (but isn’t) “For G0d so loved the whole world that H3 gave H!s only son”
In other words, make your site secure and your life easier by using pass phrases when possible.
Nick, thanks for sharing. Combined with Ben’s comment above, there are some quantifiable rules readers can use.
Personally, I’ve found password peace in utilizing a pass phrase and combining it with a Yubikey which generates a key based on a physical device. The device is smaller than any other key on my keychain and tough as nails.
The was mentioned in that Lifehacker article above — a six string random number takes more than 200 years to attack using brute force, which doesn’t seem too bad to me. 🙂 Note that Jerod recommends a password that is at least 10 characters.
One problem with pass phrases (I’ve seen it) is they become hackable when you use a guessable phrase. Since many of us have such publicly visible personas, you want to be careful about using quotes, etc., even if you put some “Leet” character substitutions in.
a six string random number is very hard to memorize which leads to putting it somewhere it can be found. Sad but true. What is worse, it might have once been something that can take over 200 years to guess, but with computer calculations increasing that is no longer true. It can be cracked in just a couple of days now.
As for the guessable passphrase. Yes. that can be a huge issue. The same ideas that apply to passwords also apply to passphrases. Random is best, but if you pick a phrase that has meaning to improve the memorable nature of the passphrase, avoid things you say regularly. Try to use one non-dictionary word and avoid common phrases that might be included in a list of “top 1000 quotes” or something. See my examples (which are not pass phrases I use or even remotely close to the ones I use)
I use a secure password manager for that. And even a couple of days is fine for me — your host should be shutting down brute force long before that.
My main concern is I don’t want anyone changing 9E1jS!0i,&d to “I love [my kid’s name].”
I still think pass phrases are excellent, mind you. For any system that allows spaces, I’ve used them for a lot of years.
Plus 100 billionty for that. That is right up there with using your birthday or anything else that a tiny bit of research could supply. Personal information does not belong in a password in any way shape or form.
Thanks for sharing these great steps to making sure your WordPress website is secure.
Another point is to make sure you know when your hosting will renew. I didn’t choose to automatically renew my hosting and received the message, “This website has been temporarily suspended.” It was worse than receiving a rejection letter from a publisher! I immediately renewed my hosting and my writer website is up and running.
I also think it’s important to use a ‘secure’ theme. The free WP themes are okay, but it’s better to buy a theme from a reputable company that updates its themes to be compatible with the latest WordPress installation and plugins.
Amandah, yes! It can be easy to overlook something like hosting/domain renewal, but those are fundamentals that simply need to be in place. Excellent tip. And I could not agree more on themes. It is so important for the theme you are using to be responsive, especially to WordPress updates. That is one huge reason why investing in a premium theme is worth it many times over.
Super point, Amandah. And yeah, I’ve been there too. 🙂
Jerod, This is very helpful and something I have been thinking a lot about lately. I like Nick’s idea of passphrases too that have to do with the blog’s theme. I am wondering now about cookies that remember our password on our computers. Are those a no-no?
If your site is on a network, obviously your risk increases, as this article explains (somewhat frighteningly): http://lifehacker.com/5853483/a-guide-to-sniffing-out-passwords-and-cookies-and-how-to-protect-yourself-against-it
the cookie issue depends on a few things. Is your computer used by others or could it theoretically be used by others. If so don’t … just don’t. Are you accessing a system that actually stores the password in the cookie? Most systems don’t. WordPress certainly doesn’t. If you are then contact the developer and slap them with a fish.
WordPress generates a key with those fancy randomly generated strings that are in the wp-config.php file then stores that key in the cookie. They key says “this device logged in and said to be remembered so we can trust them for a while.” It is very long and very random so it should be pretty secure.
There are some nice WordPress plugins that make your site more secure, I believe I use WP-Secure on all my sites. I also run the sites using Cloudflare which keeps a lot of bad traffic from reaching the sites.
I use managed hosting which focuses on speed and security.
My site loads in under seconds and most of time in under 1 second.
I also install an all in one security plugin which covers the 7 most common methods hackers use to get into your site.
I wrote an article for my blog on this very topic. Firstly, not every site allows a password phrase to be used so the mixture of uppercase, lowercase letters, numbers and symbols continues to be your best bet. I use Lastpass to generate and remember new passwords, then I just need one master password to get to my Lastpass account.
If you have trouble creating a password, use some of the serial number of your phone, laptop, tablet, etc. These devices are always with you so remembering the password is a snap.
http://www.writingsofamidlifeman.com/money/password-protection-made-kinda-easy/
Thanks for posting the link. Some good tips in there, especially for those who do want to stick with a long, random string. What you mention is a good way to keep it random AND memorable, which is such a big challenge.
Thanx for this very useful reminder!
Indeed when working online you can easily forget that you can get hacked…
Not putting in place some security measures is like leaving the door to your brick and mortar business open at night….
I need to review this part seriously!
What about password managing softwares?
Are there secured enough? Would you recommend to use them?
Thanx a lot
We use them at Copyblogger, fwiw. 🙂
I like GD Press Tools (review) if only to change the default “admin” login to something else. There are a few other plugins that say they’ll do this, but GD Press Tools makes it easy–not to mention it has a bunch of other powerful features.
Checked it out and the lite version of that plugin does appear to make it pretty easy to change the admin user. Pretty robust plugin there that does A LOT. Worth a look.
This post is really exceptional, thumbs up! Morris…
Thank you kind sir!
I agree, excellent (if somewhat terrifying) post. A real kick up the backside. Some great tips here that I’ll work my way through. The wobbly eyed Shining Jack Nicholson will give me nightmares tonight. I’ll probably have nightmares about Jack hacking my website!
Amanda, that was the idea! I tried to find the creepiest animated GIF I could. Didn’t take long once I saw that one! Security is worth getting a bit terrified about, so long as the terror drives useful action to make sites more secure.
Great information! Some I knew, much I didn’t. I gots some cleaning up to do!
Celene, thanks! Most of us have lots of cleaning up to do if we look hard enough. I find new ways to make my sites and passwords more secure almost every day.
Great post. Passwords, admin users, etc. Those are all pretty standard but I like that you bring in the hosting aspect because this is incredibly important. Not only for your domain but if you’re on a shared server, every other domain as well. A hacked site that is sitting next to yours is going to impact your site in much the same way.
Mike: A thousand times…yes! So many people do not realize this as a risk of shared servers. Emphasis on the SHARED. This is why we put strict limits on our shared servers at Synthesis in terms of number of sites and what sites we’ll allow. It’s simply a must, and it is definitely a factor people need to consider when thinking about their hosting.
Heh, I was about to say LastPass, but J.Delancy beat me to it. Anyway, thanks for this post. I’m fairly confident about my “skills” in protecting my own computer from unwanted entities, but protecting a WordPress website seems to be another matter.
Earl, WordPress definitely has some unique challenges when it comes to security. It’s just a matter of knowledge and follow through. This is also why so many serious WordPress users are shifting to WordPress-focused managed hosting, because that way you know that your site is being taken care of by people who really understand WordPress’ security issues and are proactive about them.
Thank you so much for this article. I especially appreciate the numbers you shared – about failed log-in attempts. We see those on our site but weren’t sure if that was typical or not or we were being singled out.
I sent the article to my IT guy (my son) to be sure we’re doing everything right.
Patty, you’re welcome! Thanks for reading and comment. Unfortunately many sites see numbers like that. A bit disconcerting, huh?
Thanks for writing about this, also. Just maybe a question and/or concern for #2.
Although I haven’t seen any issues in the past few months, there have been few times where updating WordPress to the latest version caused problems. In those few times, WordPress eventually came out with “emergency” patches for those updated versions.
I guess you still recommend upgrading right away, or wait for a while before? How long or short, if ever?
And re: vetting plugins. Another “tip” for other readers is to actively delete those no longer used as well: makes them less things to worry about.
Again, thanks for writing about this. Cheers.
Dave, it is usually okay to upgrade right away, but you’re right, occasionally it can have a hiccup. I would say if you have any trepidation wait until you get the go ahead from us at Synthesis and the folks at StudioPress (or whoever else you follow that are top of these updates and will test them on their sites immediately).
And great tip on plugins! I concur.
I’d like to suggest using Google’s Two-Factor Authentication. There’s a WordPress plugin for using two-factor authentication, so setting it up is trivial.
It is particularly good for securing blogs with multiple writers where you can’t always enforce good passwords.
The main drawback is that everyone needs to download the Google Authenticator app which means all writers need to have smartphones. But if you’re blogging, you probably have a smartphone too.
Damon, I hadn’t heard of this before. It sounds intriguing. Thanks for sharing.
And I issue this challenge…to anyone: find a blogger who does NOT have a smartphone. Can such a person actually exist in this day and age? Surely not… 😉
Great advice – these things can be the difference between generating business on your website or losing it due to downtime. Love the tip on passwords – it’s tough to keep up with a lot of the, but at least if one account gets hacked, you’re not completely vulnerable.
Kristi, exactly! One of the *true* costs of using WordPress, or doing anything online, is the potential cost of downtime and the price to fix/clean up whatever caused it. Being proactive and preventative can help keep those costs down.
Thanks Sonia for such a great inspiring advice about securing our WordPress website. I really think it isn’t health to wait till your password account is hacked to make necessary changes. We ought to renew them at least every time and use tricks that you believe nobody would install unwanted plugins! It is not that easy but we have to find our own ways to protect our documents. Really amazing and helpful information; look forward to seeing your next!
Indeed, being proactive with security is ALWAYS the right decision.
If I wrote about security, it would be much less useful than this — all props go to Jerod. 🙂
Nice hacker info here. I love the details. I’ll take into account the advice.
I totally agree with you we need to have a strong password for our sites, this will assure us of maximum security.
The part about updating is VERY important! A friend of mine was hacked recently and when I sorted it out (he hosts with my web-hosting site so I was able to go in) I discovered he was using 2.5 still when the latest update was 3.2! :O
Dean, great point. The recent 3.4.2 release has some security fixes that are pretty important. The community and core devs have done a fantastic job of making upgrades easy and not breaking things. No reason not to keep up. If you are modifying core or your theme falls apart on upgrade, now is time to go mainstream. If not, the hacker’s will sure “upgrade” your site for you. Their upgrades, however, aren’t the code you want! 🙂
I do #1 and might have done #3. The other 8 I don’t understand or don’t know how to do or both. Perhaps the answer is in your title – a WordPress Website. Is that different from a WordPress blog, which is what I have?
Good question Don. WordPress has evolved so much from its beginnings that whatever the qualifier – website, blog, etc, – it’s still all WordPress. Because WordPress is really a content management system. It is used to build websites – all the way from complicated ecommerce websites to simple blogs. They are all WordPress and all will share similar security strengths and potential weaknesses. So there really is no difference between a WordPress “website” or a “blog” in this sense. If you run WordPress, all of the above tips are worth keeping in mind to keep your site safe.
Thanks for the article. We all need to be more proactive about our personal account security. One thing I am glad you mentioned is taking advantage of the 2FA (2-Factor Authentication). Although it’s been around for a while, more and more sites are starting to offer and promote this option. 2-Factor Authentication for banking wins every day. I feel suspicious when I am not asked to telesign into my account by way of 2FA, it just feels as if they are not offering my sites enough protection. I know some will claim this make things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. This should be a prerequisite to any system that wants to promote itself as being secure.
I agree. I will gladly trade a slight inconvenience for more security. Any day.
Jerod, thanks for the article. I am shooting it around the office to make sure we are all updated. Other than the first three, number eight really resonated with me. As soon as I read it I pictured the 5 to 8 unused plugins just sitting in our blog. Again thanks for the article, it is very easy to fall into a false sense of security.
Indeed it is. And it’s something to be constantly vigilant about. As closely as I try to monitor this stuff myself, I just realized the other day that a blog I setup but haven’t used in a while had a few inactive plugins on it. Got them out of there immediately. No sense leaving any potential holes, even if the possibility is remote, especially when no value is being provided.
An incredibly useful post from the guy who answers my emails whenever I need help…..Thank you Jerod.
Synthesis actually helps me sleep at night. The support and peace of mind is worth the monthly cost alone.
That’s why we are often referred to as the “Ambien of Managed Hosting Providers.” Okay, so that’s not really true at all, but we certainly do take pride in helping our clients sleep at night. That’s what we’re here for!
A very helpful insights. Thank you for this. Keep on blogging guys…
Hi Jerod,
I’ve had a couple of WordPress installations hacked and it’s not fun at all !!!
… really annoying.
I thought I already had a secure WP configuration by now but there’s always something more to learn.
Thanks.
/Daniel @ForgetMeNutz
No, it is absolutely no fun. Glad you were able to find some additional info to make your WP sites even more secure. Indeed, with security, there is always learning to be done because the landscape constantly changes.
Thanks for the great tips. 🙂
Beefing up security via htaccess is also a good idea. Here’s a good starting point.
http://perishablepress.com/wordpress-5g-blacklist/
Being a website/blog developer myself, I want to take all of these steps, wrap them up in a pretty box promptly beat them over the head of several of my customers who still think that using the login “admin” and the password “changeme” is safe enough 🙁
I’ve changed my thinking about my customers (and my own) WordPress installations as a two fold process. The first being the initial install and then, before any themes or plugins, get that puppy secured. I’m also backing up my sites regularly to 2 alternate sites as a CYA measure in case one gets hacked or jacked.
In regards to password management programs, I’m using DataVault Password Manager (http://www.ascendo-inc.com/DataVault.html.) The database is secured by a master password and can be synced to my iPhone. If I’m ever at a customer’s site and they lost the sticky note that had their password on it, I can securely access DataVault and retrieve it.
P.S. The animated graphic brought the phrase “Don’t let your site get hiJACKed” to mind.
Useful tips, there’s nothing worse then logging on one day and finding out someones destroyed a blog with months of your hard to work. Now I always backup.
Resemblance of the password123 to Shining is GREAT man 😀
Thank for the article! I’ve been always concerned about wordpress security. Any recommendation for backup plugin / software / service?
Luis,
I use Backup Buddy on all my sites and it has worked seamlessly for me and my clients. It has a malware scan built in that is powered by Sucuri. As a WordPress developer, Backup Buddy is especially awesome at migrating a site from a test site to the end host or in the case of a total restore of your site. (The only thing I wonder about is that it doesn’t encourage you to put in those Secret keys in the config file during the process so I am less inclined to do that than during a fresh install of WordPress.)
I’d be happy to hear if there are any other recommendations for backup software.
Thanks Beth for the recommendation! I’ll take a look on it.
You forgot a HUGE one!
Automated WordPress hacks take advantage of being able to run code against the /wp-admin/ directory. So protect that directory. Use a .htaccess to require that they authenticate to Apache before they even get a chance to try to talk to WordPress. Chances are, their scripts aren’t written to even be able to handle the case that they need to authenticate twice.
(The reason to do this, is that good passwords don’t mean squat diddly doo when the problem is an actual WordPress vulnerability, nothing to do with having logged in legitimately. The way there are new WordPress vulnerabilities released weekly means you simply can’t trust any of the “security” WordPress has put in place.)
You cannot take this post seriously enough if you run WordPress websites and especially if you make your living from them. I learned the hard way from hackers who exploited an inactive plugin and gained access to our FTP directory. Once inside, they setup a bank phishing scam (posting a fake Wells Fargo login page on our server and site), spam relay that sent 3.2 TB of data in 4 days, changed Google AdSense accounts so that our clicks were registered to their account and they got the money and defaced one of the sites completely.
Since then, we’ve implemented the steps above and more.
Here’s an example of what a brute force attack looks like that was thankfully prevented by Limit Login Attempts:
http://cloud.vincentpolisi.com/Sparrow-20121027-115915.jpg
As you can see, they are automated and relentless.
Do not wait until it is too late to implement these steps.
DO IT NOW!
It cost me over $2k to eradicate the numerous issues, rebuild the server that had to be nuked, scan each file in every directory manually prior to migration, obtain the requisite software and code and pay for data transmitted via the spam relays, not to mention the lost revenue from AdSense.
Great List. My thought is to be sure to modify the Admin to another name and then make sure it shows up as a different name when you make comments or write articles.
Rick
Great data on wordpress security problems and suggesting ways in which to handle them furthermore , several new things to be think about if we want to guard our WordPress blog from hackers.
Good tips, but I think that you always can find a guy with the right skills and enough time to break into anything. I also think that is a good idea to make things difficult for that guy, if he is trying to break into your system. Thank you for the tips. 🙂
A great reminder of the importance of security. I’m beginning to get resistance from a few clients on the security of WordPress. It helps to see some well penned and thought out articles to refer them to and work from.
I really appreciate this article, it’s given me some great ideas, and also prodded me into not putting off my change of Passwords on my To Do List any longer.
I went to your link to PCMag and then to their How Secure is Your Password link. I typed in my best passwords – 6 thousand years to hack them but….now I’ve added them to that site’s database, and they are probably linked to my IP number as well.
Do I now have to think up some new ones that I didn’t check with the How Secure is Your Password software?
I feel as it I’ve been half way around the world, only to end up where I started! But now I’m much better informed, thanks to you.:) Thank you.
Great List. My thought is to be sure to modify the Admin to another name and then make sure it shows up as a different name when you make comments or write articles.
rahul
I just experienced my website being hacked for the first time. Not pleasant. As someone who isn’t technical in the least, it isn’t easy to know where your site might be weak so I found these tips very useful. I have had some expert help in sorting it all out and putting in new measure to tighten security up. I think the big learning is to ensure that procedures are checked and actioned regularly just like any other area of my business.
Bad luck All. Did you find out how and where the hacker broke in? I’m sure there are others here that would like to know.
And glad you were able to sort it out.
I’m afraid I don’t know Carol. But after the mess had been put right by my technical support we did start on a clean up and I realised I had old themes and plugins that had been there an age. Suffice to say all cleaned up and secure now and new procedures in place. A real eye opener and a steep learning curve for a non technical person.
Thank you guys for these great tips, especially the plugin “Limit Login Attempts”. I am running a blog for almost 6 years, but haven’t heard about this kind of threat yet. After installing the plugin I have seen 60 login attempts. That resulted in 15 blocked IPs so far. And it all happened in less than 24 hours!
If you have a blog then this (or similar) plugi is a no-brainer. My password was only 8 characters long. Sooner or later one of these login attempts would have been successful. I don’t want to imagine what they would do to my website…
Muah! Thank you! Using this for the upcoming blog section on http://www.loginto.org and your tip helped my 3 day rut of paranoidness. lol Thanks Jerod!
I just started using wordpress over another CMS and these were great tips. I have had sites hacked in the past and it is a nightmare.
Thanks, really nice tips. love to read this. So far from all that i know, WordPress is the best choice of CMS on building website/blog. so easy to use, comes with complete features.
Great post! Any thoughts from the pros on the Bad Behavior and Block Bad Queries plugins?
Thanks! As a new person to blogging, but not to the web development it’s great to see a summary of the issues we need to be aware of, and some solutions to go with it. This will save us all not only from hackers, but time as well.
Keep up the great work
Hey Jerod, Thanks for a great article. You know it is so easy to just neglect important things like updating plugins, theme, etc. I know personally I see the little icon to update yet I don’t. I’ve had problems in the past updating without having a backup and so when I think about doing it I feel overwhelmed and don’t bother.
But the past few weeks have had me freaking out a little with this botnet scare. 90,000 IPs grabbed…wow? In the past few days I have been reading tons of articles trying to find a solution that is fast and tech friendly. Unfortunately, I’m a real non-techie and need simply solutions.
I came across this article and wanted to share. Here’s the link http://www.securescanpro.com/wordpress-tops-headline-news-in-the-past-week/. I think this company is trying to address this immediate concern, but is also looking at the long term. Who knows what’s to come next and that scares me as well. I’m gonna try this option for myself and maybe it is something that can help others as well. Thanks
Christina, thanks for the link. Changing your default user from admin is a good idea and easy to do. I would also suggest aligning with a hosting company that has perpetual processes in place to deal with issues like this botnet scare. For example: http://websynthesis.com/wp-bruce-force-protection/
Cristina, thanks for sharing the link. One caution I have on changing user names is BACKUP your database before you do it. If posts are re-assigned properly, they’ll all go into “draft” mode and you can get yourself in a pickle very quickly.
The brute force issue has been brewing for some time. Though there are several ways to approach, we’ve seen some really reactionary policies implemented across hosts and sites that are a) creating lots of false positives and b) not really working out for the writers that make the site work. We are pretty proud of the smart approach we took at Synthesis over a year ago as we’ve really eliminated false positives and let the writers do their thing. I also encourage site owners to consider two-factor. Personally, I like physical authentication and have a YubiKey on my key chain. Krebs covers some good digital alternatives in this really well written article on the WP brute force situation. http://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/ .
Hey Jerod, loved all the 10 steps. It’s really frustrating feeling when a rookie hacker hones his skills with our WordPress blog.
Yep, one must clean their WordPress blog like they clean their kitchen. Loved that point.
Well, there are a lot of useful WordPress security plugins as well that can help to secure a WordPress blog.
Never knew my WordPress website was not secure, i have not done 3 of the things enlisted in this post never cared about malware, had a very insecure password (changed it, thanks to you).
Do you still recommend Synthesis for website hosting? I noticed that Yoast also recommended them as well. I’m about to give them a try since my old shared server with Hostgator had some issues with the other sites hosted on the same IP 🙁
>>>Do you still recommend Synthesis for website hosting?
Them is us. 😉 Synthesis is a division of Copyblogger Media, so we still recommend it (and host our own sites with it).
I recently had a few sites of mine hacked, so these tips are great advice. I am using wordfence as well and that is great for stopping hackers try to get in also.
I have invested in an Australian hosting company too, and their security is impeccable.
Hey Jerod,
All the steps you mentioned are required for protecting a blog from various attacks. The first step to protect a blog would be strong passwords – a combination of symbols, capital letter and numbers are the best thing to make it almost impossible to hack.
There are many plugins as well that can help bloggers in protecting their blogs but if you know how to do it manually there is no need of any security plugins.
Great tips, but, IMO, security actually starts at home, i.e., the local machine, 127.0.0.1, whatever you wish to call it. So I would add:
* Make certain your PC is clear of malware. If the PC has a bug on it that phones home your login credentials to its command-&-control server, consider your website toast.
* Make certain your network is secure. If you use wireless, change the default username & password for your router, (tip #1) choose the highest level of wireless encryption your devices will support (WPA 2 is best). Since WEP has been broken long ago, & WPA has also been cracked, if there are devices on the network that don’t support WPA 2, consider replacing them. Put antimalware software on mobile devices that access the network, &, if not using wireless, turn it off at the router.
* Closely related to #2, logging onto your website from an unsecured wireless connection at the airport, your hotel, or the nearest internet cafe is always a bad idea. & lastly, use secure FTP rather than FTP when transferring files to & from the website.
In summary, both charity & security begin at home.
I have done all points you have written in this article. But one point which is Monitor changes made to files is not understandable by me. So can you explain this topic for me. And please don’t say to install plugin as i am already using 10 plugins and I do not want to install more plugin.
Thanks regards
This article's comments are closed.