Locking Down your WordPress Site – Protecting yourself from hackers, bots, and scammers
With recent, high-profile security issues like Heartbleed and the long-anticipated Internet Explorer zero-day bug, security should be at the forefront of any web developer’s mind. How do I keep my site secure? How do I stop hacking attempts? HOW DO I PROTECT MY INTERWEBS?!
The long story short: you can’t protect against every vulnerability out there. Eventually, you will have a security issue. Eventually, you’ll have to deal with bots. Eventually, you’ll have to educate your staff in best practices. That doesn’t mean you should give up, though! Some very basic security techniques go a long way toward lessening the blow, to the point where a hacking attempt becomes a ten-second annoyance instead of a week-long panic.
Where do vulnerabilities come from?
WordPress is one of the biggest site frameworks out there, and despite what some old-school developers will tell you, the core software itself is very secure. With frequent updates and a dedicated community, anyone who has access to the internet can build their own site, but therein lies the complication… With so many open source developers, hobbyist webmasters, and plugin-based code, there are a million and a half ways your site can be compromised. Let’s go over this very site you see now and talk about the levels of software we’re dealing with.
- The webhost’s servers
- Your WordPress installation
- Your Theme
- Your Plugins (take one risk point per plugin, too!)
That’s a lot that could go wrong, so let’s lock them down one-by-one.
The webhost’s servers
This is the first level of code. Typically, you won’t ever have to touch the server-side configuration or worry about its security yourself. If you have any concerns, contact your host directly; they usually keep a long list of the security measures they take and will happily share it.
Your WordPress installation
A little higher in risk, but WordPress on its own is usually very well guarded. Keep it up to date, follow The Golden Rule of Web Security (below), and you should be in the clear.
Your WordPress Theme
Now we’re getting somewhere – your WordPress Theme is an extremely variable piece of code. Good theme developers keep their themes as flexible and lightweight as possible, reducing the amount of external code to a minimum. Some general tips when it comes to finding a theme you can trust:
- Avoid purchasing a one-shot theme from an aggregate site. While ThemeForest has a great selection and absolutely has its place, anyone can post code there and it doesn’t go through any sort of verification.
- Check the Theme Developer’s reputation before buying. Do they have a site of their own? Do they offer regular updates? Do they have a development blog? How many people have bought the theme before you? Do they offer good support? All of these are extremely important questions to ask. If you don’t want to spend the time researching, WooThemes is a safe starting point: solid themes, experienced developers, and good support.
- Keep your theme updated. For the love of god, do it. It’s annoying, sure, but this is a huge, HUGE component.
Your Plugins
Probably the most troublesome component of any WordPress install, plugins have a lot that can go wrong. Aside from irregular updates, they can contain poor code or long-standing vulnerabilities. Here are some general security guidelines for picking plugins:
- Only use reputable plugins. Are there two plugins that do the same thing, but one with way more users? Go with that one. It’s easy for someone to clone an existing plugin and insert some malicious code, so play it safe.
- Do you really need this plugin? The fewer the better.
- Do I know what this plugin actually does? Read.the.f*cking.manual.
OK, Great! Now what do I do?
On every site I run, I install a security plugin. I’ve got nothing but good things to say about the recently rebranded iThemes Security: install it, read the documentation, set it up. It will protect you against a ton of issues you could come across, and it’s relatively easy to get going. Be sure you follow a setup guide, and if you don’t know what a setting does, don’t turn it on.
The Golden Rule of Web Security
Here it is: the real key to keeping your site secure, and the main motivation for this blog post. Day to day, I might log into up to a few dozen WordPress installs for sites all around the world, and the same common issue keeps making me want to put my head through the wall.
That’s right. Your password. Make it original, make it memorable, make it anything but abc1234. Across the internet, here are some of the most common passwords; if you use any of these, then change them now.
I shouldn’t have to add that if your password is the same as your URL or your username, it’s going to spell trouble. I came across an ecommerce site (you know, the ones with your credit cards) that was running off of “admin | admin”… It was a sad day.
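The rule above as a concrete check. The following Python script is an added example, not code from this post or from WordPress; it mirrors what you would enforce in a WordPress password-validation hook, but runs stand-alone. It rejects a candidate password that is too short, that appears on a common-password list, that contains the account’s username, or that contains the site’s own domain name, and it strips leading and trailing digits and punctuation first so that “Password2014!” is caught as “password”. The COMMON_PASSWORDS set is a small constructed sample standing in for the full list, and the usernames and site URLs in the demo are made up.

```python
"""Password policy check for WordPress accounts (added example).

Flags passwords that are too short, appear on a common-password list,
contain the account's username, or contain the site's own domain name.
"""
import re
from urllib.parse import urlparse

# Constructed sample of frequently breached passwords; a real list is far longer.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "abc1234",
    "111111", "letmein", "admin", "welcome", "wordpress", "iloveyou",
}

MIN_LENGTH = 12


def _core(value: str) -> str:
    """Lowercase and drop leading/trailing digits and punctuation, so that
    'Password2014!' compares as 'password'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", value.lower())


def _domain_labels(site_url: str) -> list[str]:
    """Return the meaningful host labels of a site URL, without 'www' and the TLD.
    'https://www.example.co.uk' -> ['example', 'co']."""
    if "//" not in site_url:
        site_url = "//" + site_url  # urlparse only sees a host after a scheme or '//'
    host = (urlparse(site_url).hostname or "").lower()
    labels = [part for part in host.split(".") if part and part != "www"]
    return labels[:-1] if len(labels) > 1 else labels


def check_password(password: str, username: str, site_url: str) -> list[str]:
    """Return the reasons a password is weak; an empty list means it passes."""
    reasons: list[str] = []
    low = password.lower()
    core = _core(password)

    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if low in COMMON_PASSWORDS or (core and core in COMMON_PASSWORDS):
        reasons.append("appears on the common-password list")
    user_core = _core(username or "")
    if user_core and user_core in low:
        reasons.append("contains the username")
    for label in _domain_labels(site_url):
        # Skip very short labels ('co') that would match almost anything.
        if len(label) >= 3 and label in low:
            reasons.append(f"contains the site domain '{label}'")
    return reasons


if __name__ == "__main__":
    # Constructed demo accounts; the site URL and usernames are made up.
    demo = [
        ("admin", "admin", "https://shop.example.com"),
        ("Abc1234", "editor", "https://shop.example.com"),
        ("Example2014!", "bob", "shop.example.com"),
        ("correct horse battery staple 42", "bob", "https://shop.example.com"),
    ]
    for pw, user, url in demo:
        verdict = check_password(pw, user, url)
        print(f"{user!r:10} {pw!r:36} -> {'OK' if not verdict else '; '.join(verdict)}")
```

The domain check deliberately drops the TLD and any label shorter than three characters, otherwise “co” or “uk” would flag nearly every password; the username check uses the stripped form of the username so that “admin2” still catches “Admin2014!”. In a real deployment you would swap the sample set for a full breached-password list and raise an error from the validation hook instead of returning a list.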
Have any questions or comments about this article, or ways you think it can be improved?
Join the conversation in the comments below, or sign up for my newsletter to receive periodic updates!