Stay Safe: 5 Steps for Securing your WordPress site
28 Nov
WordPress comes with a lot of great features, and a very robust code base, but one of the problems with open source (free) software is that everyone has access to the code. Thus, it’s easier to “hack.” There are a number of steps you can take to secure your site, although nothing is ever 100% secure. The best thing you can do is to keep revisiting these principles and stay up to date.
For the record, I don’t do all of these: my site simply doesn’t see enough traffic for me to really worry about getting hacked. Some of them involve an extra cost, which in some cases just isn’t worth it. I have, however, implemented these on other sites which do see a lot of traffic, where the additional cost is worth the peace of mind.
- Upgrade everything, always – WordPress is constantly changing. So are the plugins, themes and environment that surrounds it. The more changes that are made to these things, the harder it is for hackers to adapt. A huge majority of hacks come from old WordPress installs. The WordPress team fixes bugs and other security flaws with each update. Not to mention everything runs faster. See how to upgrade.
- Log in via a different directory – You’ll notice in your settings panel, under General, there are two URLs (WordPress Address and Site Address). You can change the WordPress Address to a different directory and then log in via that directory. You must also move your WordPress files over to that directory (note: DON’T do this if you’ve never worked with FTP… and if you don’t know what FTP is, don’t do it either). Thus, instead of logging in at keganquimby.com/wp-admin, you log in at keganquimby.com/login/wp-admin.
- Plugins ftw – There are a number of security plugins you can install. I recommend BulletProof Security. It protects against just about every code injection you can think of, and it also lets you configure files such as your .htaccess file (which controls who can access your site and where they go). If there’s a specific security feature you’re looking for, leave a comment below. BulletProof Security should get you about 98% of the way there, though.
- Dedicated hosting – This can be a big one. If you notice your site really slowing down along with a big spike in traffic, it’s time for dedicated hosting. A lot of people (including myself) run sites on a shared host, which can run about $50-$60 per year. This means there are a bunch of other sites running on the same server, which gives potential hackers information about your server without having to look very hard. Dedicated hosting means your site is the only one on that server (thus no one else can see any details). This can run from $50/mo. all the way up to $200/mo. It lets you custom-configure your server for optimal security and speed, and is definitely a must for high-volume sites.
- Back everything up – Worst case: you get hacked. Your site gets flooded and crashes. All your info is erased. You should back up your site on a somewhat regular basis. I back mine up every month. I don’t have enough information to back everything up on a daily basis, but if you run a blog or anything you add content to daily, you can and should back up your site on a daily basis.
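For the backup step, here is an added example script (my own illustration, not part of BulletProof Security or WordPress itself) that dumps the database and archives the site files into one dated tarball, reading the database credentials out of wp-config.php so you never copy them into the script. The install path /var/www/html and the destination /var/backups/wp in the usage line are assumptions; the destination should live outside the web root so the archive itself can’t be downloaded.

```shell
#!/bin/sh
# Added example: one-shot WordPress backup (database dump + files).
# Assumed layout: $1 is the WordPress install root, $2 is a directory
# outside the web root where dated archives and a checksum list are kept.

# Read one define('KEY', 'value') line from wp-config.php.
# Accepts single or double quotes and optional spaces inside the parentheses.
wp_config_value() {
    # $1 = path to wp-config.php, $2 = constant name such as DB_NAME
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Archive file name for a given date stamp, e.g. wp-backup-2024-01-31.tar.gz
backup_name() {
    printf 'wp-backup-%s.tar.gz\n' "$1"
}

backup_site() {
    site_dir="$1"
    dest_dir="$2"
    cfg="$site_dir/wp-config.php"
    db_name=$(wp_config_value "$cfg" DB_NAME)
    db_user=$(wp_config_value "$cfg" DB_USER)
    db_pass=$(wp_config_value "$cfg" DB_PASSWORD)
    db_host=$(wp_config_value "$cfg" DB_HOST)
    stamp=$(date +%F)
    work=$(mktemp -d)
    # Dump the database; MYSQL_PWD keeps the password off the process list.
    MYSQL_PWD="$db_pass" mysqldump -h "$db_host" -u "$db_user" "$db_name" > "$work/$db_name.sql"
    # Bundle the dump with the whole install (themes, plugins, uploads, wp-config.php).
    tar -czf "$dest_dir/$(backup_name "$stamp")" -C "$work" "$db_name.sql" -C "$site_dir" .
    rm -rf "$work"
    # Record a checksum so a later restore can tell a tampered or corrupt archive apart.
    (cd "$dest_dir" && sha256sum "$(backup_name "$stamp")" >> backups.sha256)
}

# Run only when called with both paths, e.g.: ./wp-backup.sh /var/www/html /var/backups/wp
if [ "$#" -eq 2 ]; then
    backup_site "$1" "$2"
fi
```

Put it in cron (daily for a site you post to daily, as the step above says) and copy the archive somewhere off the server as well, since a wiped host takes local backups with it.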
There you have it! The top 5 security enhancements you can make, right now. These are relatively quick changes, with a low cost. A good solution for most small businesses. Drop a comment below if there are any concerns/suggestions.