If you’ve installed WordPress and you think you’re finished with your work… think again! As WordPress grows in popularity, so does the volume of malware and automated attack attempts aimed at WordPress sites. It pays to prepare before an attack lands, so that you don’t load your site one day only to find Viagra and Cialis spam littering your pages, the classic sign of a compromised install.
Start with a Plugin
The first line of defense for your WordPress website is a good security plugin. My favorite security plugin for WordPress is the iThemes Security plugin. The great thing about this plugin is that once you install it, you can go view your ‘Dashboard’ and get a full run-down of what you’re doing right and what still needs work on your website.
iThemes Security lets you renumber the default admin user (ID 1, which scripted attacks assume exists), move the login page off the standard wp-login.php address, and block direct web requests to WordPress configuration files like wp-config.php (which holds your database password) and .htaccess (the Apache per-directory configuration file). You can also schedule database backups and have them emailed to you daily; keep in mind that an emailed dump travels and sits unencrypted in your mailbox, so prefer an encrypted or offsite store if the site holds anything sensitive. iThemes Security also makes it easy to change the database table prefix from the default wp_, so injection payloads can’t guess table names like wp_users without extra reconnaissance.
There are too many options to list here, and the renaming measures are obscurity that blunts automated attacks rather than a targeted attacker, but iThemes Security is an excellent first step towards securing your site.
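The file-level items above can also be checked and applied by hand. The script below is an added example, not part of the original post or of the iThemes plugin: it audits a WordPress root for a world-readable wp-config.php, the default wp_ table prefix, and a missing .htaccess deny rule, and adds that rule. It assumes an Apache 2.4 host with .htaccess processing enabled; the marker comment and the sample paths are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post or the iThemes plugin): a small
# audit for the file-level items the plugin handles. Assumes an Apache 2.4 host
# with .htaccess enabled; the WordPress root path is whatever you pass in.

# Print the $table_prefix configured in wp-config.php (empty if not found).
# WordPress only allows letters, digits and underscores in the prefix.
wp_table_prefix() {
  sed -n 's/^[[:space:]]*[$]table_prefix[[:space:]]*=[[:space:]]*.\([A-Za-z0-9_]*\).*/\1/p' \
    "$1/wp-config.php"
}

# Deny direct HTTP requests to wp-config.php and .htaccess. Idempotent: the
# marker comment keeps a second run from appending the block twice.
wp_harden_htaccess() {
  ht="$1/.htaccess"
  grep -q '^# BEGIN wp-hardening' "$ht" 2>/dev/null && return 0
  cat >>"$ht" <<'EOF'
# BEGIN wp-hardening
# Apache 2.4 syntax. On 2.2 use "Order allow,deny" + "Deny from all" instead.
<Files wp-config.php>
    Require all denied
</Files>
# Apache's default config usually already denies .ht* files; harmless to repeat.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
# END wp-hardening
EOF
}

# Audit a WordPress root; prints FAIL lines and returns 1 if anything is wrong.
wp_config_audit() {
  root=$1; rc=0
  cfg="$root/wp-config.php"
  [ -f "$cfg" ] || { echo "FAIL: $cfg not found"; return 1; }

  # 1. wp-config.php holds the DB password and auth salts: nobody outside the
  #    web server's owner/group should be able to read it (-perm -004 = o+r).
  if [ -n "$(find "$cfg" -perm -004 2>/dev/null)" ]; then
    echo "FAIL: $cfg is world-readable"; rc=1
  fi

  # 2. The default wp_ prefix lets SQL injection payloads guess table names
  #    (wp_users, wp_options) without any reconnaissance.
  prefix=$(wp_table_prefix "$root")
  case $prefix in
    ''|wp_) echo "FAIL: table prefix is '${prefix:-unset}' (default or missing)"; rc=1 ;;
  esac

  # 3. .htaccess should block direct web requests to wp-config.php.
  if ! grep -q 'wp-config.php' "$root/.htaccess" 2>/dev/null; then
    echo "FAIL: $root/.htaccess does not deny access to wp-config.php"; rc=1
  fi
  return $rc
}
```

Run `wp_config_audit /var/www/html` (path assumed) before and after `wp_harden_htaccess`; the audit only reports the prefix, because changing it for real means renaming every table and updating the prefixed rows in the options and usermeta tables, which is exactly what the plugin automates.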
Use SFTP. Please, use SFTP
When you’re accessing your site files from an FTP client, it is so important that you NOT USE THE FTP PROTOCOL! Plain FTP sends your username, your password and every file in cleartext, so anyone on the network path (including the coffee-shop WiFi in the next section) can capture them. At a minimum, you should be using FTPS (FTP over TLS). However, if you have enough control over your server, you need to set up SFTP access, the SSH File Transfer Protocol, with key-based logins rather than passwords. Here is documentation on how to set up SSH keys with cPanel. If you’re using a Linux server for your web server, here’s a Linode document on setting up Public Key Authentication.
Regardless of who your web host is, you need to be using an encrypted transfer protocol, SFTP or at least FTPS, and never standard FTP.
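The server side of that setup is a handful of sshd_config directives, and they are easy to get wrong: sshd honours the first occurrence of a keyword, anything after a Match line applies only to that match, and a duplicated "Subsystem sftp" line stops sshd from starting at all. The script below is an added example, not from the original post or from the cPanel or Linode documentation it links to: it checks a config for key-only SFTP and rewrites it to pass. It assumes OpenSSH 7.0 or later and a Unix group named sftponly for deploy accounts; both the group name and the file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post, cPanel or Linode docs): check and
# apply the sshd_config settings for key-only SFTP. Assumes OpenSSH 7.0+ and a
# Unix group named sftponly for deploy accounts; both names are assumptions.

# Effective value of a global sshd directive. sshd takes the FIRST occurrence
# of a keyword, and anything after a "Match" line is conditional, so the read
# stops at the first Match block. Lines pulled in via "Include" are not followed.
sshd_global() {   # $1 = config file, $2 = keyword (case-insensitive)
  sed -e '/^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/,$d' "$1" |
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }'
}

# Print FAIL lines and return 1 if the config still allows password logins,
# disables keys, permits root passwords, or has no (or a duplicate) sftp subsystem.
sshd_sftp_check() {
  cfg=$1; rc=0
  [ "$(sshd_global "$cfg" PasswordAuthentication)" = no ] ||
    { echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }
  [ "$(sshd_global "$cfg" PubkeyAuthentication)" != no ] ||
    { echo "FAIL: PubkeyAuthentication is 'no'"; rc=1; }
  case $(sshd_global "$cfg" PermitRootLogin) in
    no|prohibit-password|without-password) ;;
    *) echo "FAIL: PermitRootLogin should be 'no' or 'prohibit-password'"; rc=1 ;;
  esac
  # sshd refuses to start if "Subsystem sftp" is defined twice, and internal-sftp
  # is what makes ChrootDirectory work without copying binaries into the jail.
  n=$(grep -Eic '^[[:space:]]*Subsystem[[:space:]]+sftp' "$cfg" || true)
  if [ "$n" -ne 1 ] ||
     ! grep -Eiq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp' "$cfg"; then
    echo "FAIL: need exactly one 'Subsystem sftp internal-sftp' line (found $n sftp lines)"; rc=1
  fi
  return $rc
}

# Rewrite the config so the check passes: global settings go at the TOP (first
# occurrence wins), the distro's own Subsystem line is commented out, and the
# Match block goes at the END (everything after a Match line belongs to it).
sshd_sftp_apply() {   # $1 = sshd_config path, rewritten in place via a temp copy
  cfg=$1; tmp="$cfg.tmp.$$"
  {
    printf '%s\n' '# --- key-only SFTP settings (added) ---' \
      'PasswordAuthentication no' \
      'PubkeyAuthentication yes' \
      'PermitRootLogin prohibit-password' \
      'Subsystem sftp internal-sftp'
    sed -e 's/^\([[:space:]]*[Ss]ubsystem[[:space:]][[:space:]]*sftp\)/#\1/' "$cfg"
    # ChrootDirectory needs the home directory owned by root and not writable
    # by the user or group; give the user a writable subdirectory for site files.
    printf '%s\n' 'Match Group sftponly' \
      '    ChrootDirectory %h' \
      '    ForceCommand internal-sftp' \
      '    AllowTcpForwarding no' \
      '    X11Forwarding no'
  } >"$tmp" && mv "$tmp" "$cfg"
}
```

Before restarting sshd, run `sshd -t` to syntax-check the file and keep your current SSH session open until a second, key-based login succeeds; a typo here locks you out of the box.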
Use a VPN
If you’re on a public WiFi network at your local coffee shop, whether open or protected by a password that everyone in the shop knows, anyone who has spent a couple of hours reading up on hacking can capture your traffic. That means they can see which sites you’re visiting (even over HTTPS the hostnames are visible), any unencrypted email or plain FTP traffic, including passwords, and possibly the instant messages you’re sending. An easy way to avoid this is to create an encrypted tunnel for all of your traffic by using a VPN.
If you already have an always-on Linux server like a Linode, you can simply install the OpenVPN Access Server and connect with the OpenVPN Connect Client. You can also install the OpenVPN Access Server on a home server, if you have a Linux machine always running in your home. Keep in mind that a VPN only moves the trust from the coffee shop’s network to the VPN endpoint; it is a complement to SFTP and HTTPS, not a replacement for them.
Don’t Turn Everything On
This one seems like a no-brainer, but it’s worth mentioning nonetheless. Don’t go around your hosting control panel enabling extra FTP users, remote MySQL access, and other ways into your server. Every service you turn on is another door for potential attackers, and the ones you forget about are the ones nobody patches. Keep what you’re not using switched off, and bind what you do need (MySQL in particular) to localhost rather than to every interface.
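A quick way to see which doors are actually open is to list listening sockets and flag the ones bound to every interface. The script below is an added example, not from the original post: it reads `ss -ltn` (or `netstat -ltn`) output and reports well-known database, cache and FTP ports that are reachable from outside. The port list and the sample output are constructed assumptions; edit the list for your host.

```shell
#!/bin/sh
# Added example (not from the original post): flag services listening on every
# interface that a WordPress host rarely needs exposed. Reads "ss -ltn" or
# "netstat -ltn" output on stdin, so it can run against a saved copy; the port
# list is an assumption you should edit for your host.

# Prints "EXPOSED addr:port name" per offending socket; returns 1 if any found.
exposed_listeners() {
  awk '
    BEGIN {
      # well-known services that belong on localhost or behind a firewall, not 0.0.0.0
      risky[21] = "ftp"; risky[3306] = "mysql"; risky[5432] = "postgres"
      risky[6379] = "redis"; risky[11211] = "memcached"; risky[27017] = "mongodb"
      found = 0
    }
    # ss puts the state in column 1, netstat in column 6; both put the local socket in column 4
    $1 == "LISTEN" || $6 == "LISTEN" {
      n = split($4, part, ":"); port = part[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      wildcard = (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
      if (wildcard && (port in risky)) {
        printf "EXPOSED %s:%s %s\n", addr, port, risky[port]; found = 1
      }
    }
    END { exit found }'
}

# Live check on the current host (ss on modern Linux, netstat elsewhere).
audit_listeners() {
  { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } | exposed_listeners
}

# Constructed sample of ss -ltn output for a host that left FTP and MySQL public.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*
LISTEN 0      32     0.0.0.0:21         0.0.0.0:*
LISTEN 0      511    *:80               *:*
LISTEN 0      80     127.0.0.1:6379     0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

# Run the check over the sample; prints the two exposed sockets and returns 1.
demo_listeners() {
  printf '%s\n' "$SAMPLE_SS" | exposed_listeners
}
```

SSH on 22 and the web server on 80 are expected and left alone; the Redis listener on 127.0.0.1 is fine as well. Anything the script reports should either be turned off in the control panel or rebound to 127.0.0.1 (for MySQL, `bind-address = 127.0.0.1` in my.cnf) and, if it must stay reachable, limited to specific source addresses in the firewall.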
What other ways have you managed to keep your WordPress site(s) secure? Sound off in the comments below.