All in all, WordPress is a fairly secure platform, especially if it’s hosted with a reliable hosting provider like AHosting, but it’s also hugely popular, and that popularity means it’s in the interest of hackers and data thieves to focus a lot of their energy on finding ways to break into it. There are a number of things a WordPress user can do to secure their installation that will significantly hamper anyone who attempts to break in.
Practice Password Hygiene
This should come as second nature to anyone remotely familiar with security, but, unfortunately, many people who should know better fail to enforce good password practices. WordPress is pretty good with regard to passwords: they are stored hashed, so, should you suffer a database breach, it is theoretically impossible for hackers to recover the password from the hash, unless you chose a password like ‘pa55word’ or ‘jim’. Simple dictionary-based passwords can be recovered even when they are hashed. In fact, because of the large number of password database thefts recently, hackers have a huge sample of the sort of passwords people choose. However fiendishly convoluted your password is, if you thought it up yourself, it’s probably too weak, so the best solution is to use a password manager like LastPass to create a sufficiently long and random one for you. This is particularly important if you have multiple WordPress sites, because then you’ll need multiple long random passwords (because, of course, you aren’t using the same password on all your sites, are you?).
Use HTTPS to Secure Your Logins
Once you have a secure password, it’s better not to send it over WiFi networks and the Internet without encrypting it. Setting up HTTPS on your logins means that all login sessions are encrypted, so the shady looking guy sitting at the next table in Starbucks can’t steal it while you’re logging in. There are two ways to do this depending on whether you have an SSL certificate or not.
With an SSL Certificate
This is the easiest option. You need to add a line in your wp-config.php file that reads:
You can also choose to force encryption on all admin sessions, check out this guide for more details.
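WordPress’s documented FORCE_SSL_ADMIN constant is the wp-config.php setting that forces the login form and every admin session onto HTTPS. As an added example (not the post’s own code), the shell function below switches it on without hand-editing the file, and does so idempotently so a deploy job can re-run it. It relies on one fact about wp-config.php: the constant must be defined before the `require_once ... 'wp-settings.php'` line, so the script inserts it just above that line rather than appending to the end of the file. The sample wp-config.php used in the test is constructed.

```sh
#!/bin/sh
# Added example, not from the original post. Enables FORCE_SSL_ADMIN in a
# wp-config.php idempotently, inserting it above the wp-settings.php require.

FORCE_SSL_LINE="define( 'FORCE_SSL_ADMIN', true );"

# enable_force_ssl_admin PATH/TO/wp-config.php
# Returns 0 if the constant is defined as true on exit, 1 otherwise.
enable_force_ssl_admin() {
  cfg="$1"
  [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
  # Already enabled: nothing to do (safe to re-run).
  if grep -q 'FORCE_SSL_ADMIN.*true' "$cfg"; then
    return 0
  fi
  # Defined some other way (e.g. false): do not silently override the admin's choice.
  if grep -q 'FORCE_SSL_ADMIN' "$cfg"; then
    echo "FORCE_SSL_ADMIN is already defined in $cfg; review it by hand" >&2
    return 1
  fi
  tmp="$cfg.tmp.$$"
  # Print the define once, immediately before the line that loads wp-settings.php.
  awk -v line="$FORCE_SSL_LINE" '
    /wp-settings\.php/ && !done { print line; done = 1 }
    { print }
  ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
  if ! grep -q 'FORCE_SSL_ADMIN' "$tmp"; then
    rm -f "$tmp"
    echo "could not find the wp-settings.php require in $cfg" >&2
    return 1
  fi
  mv "$tmp" "$cfg"
}
```

Usage: `enable_force_ssl_admin /var/www/example/wp-config.php` (path is a placeholder). Because the check is on the constant rather than on the exact line text, a config that already sets it to false is reported instead of being overwritten, which is what you want when someone has deliberately disabled it while debugging a certificate problem.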
Without an SSL Certificate
This is slightly more tricky, and it’s probably better if you buy an SSL certificate. But if you’re happy without, then you’ll need the Https SSL free plugin. WPMU.org have recently published a great guide to setting the plugin up and how it works, so head on over there for more details.
Get Your Plugins From the Official Repositories
Hackers love to get their malicious code into the pristine innards of other people’s applications. They love it particularly when site owners do it for them by installing plugins that they found at ‘Bob’s Legit Plugin Parlour’. If you have the expertise, read the code of all the plugins you install to find out what they will be doing. If you aren’t a programmer then make sure you get your plugins from verified sources like the WordPress.org repositories.
Change File Permissions
This is one of those occasions where you have to balance security and convenience. Some of the ease of use of WordPress -- uploading files, for example -- depends on having various files and folders writable. But that can introduce some security vulnerabilities, especially if you are using shared hosting, where other users have access to the drives your files are on. Take a look at this guide to hardening WordPress to see one way you can organize file permissions more securely. That guide also contains many other useful pieces of advice.
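As an added example (not from the post or the hardening guide it links to), the script below applies the permission layout that WordPress hardening advice generally settles on: directories 755, files 644, and wp-config.php (database credentials and salts) 600, followed by an audit that lists anything world-writable, anything executable, or a wp-config.php that is still readable by others. It assumes, as on typical shared hosting, that PHP runs as the file owner (suEXEC or a per-user PHP-FPM pool), so owner-only write bits are enough for uploads to keep working; with a separate web-server user you would instead set group ownership on wp-content/uploads and give it 775/664. The directory tree used in the test is constructed.

```sh
#!/bin/sh
# Added example, not from the original post. Sets conservative permissions on a
# WordPress document root and audits the result. Assumes PHP runs as the owner.

# harden_wp_perms /path/to/wordpress
harden_wp_perms() {
  root="$1"
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
  # Directories: owner rwx, everyone else read + traverse only.
  find "$root" -type d -exec chmod 755 {} +
  # Regular files: owner rw, everyone else read-only (removes any execute bits).
  find "$root" -type f -exec chmod 644 {} +
  # wp-config.php holds DB credentials and salts: owner only.
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
  fi
  return 0
}

# audit_wp_perms /path/to/wordpress
# Prints offending paths to stderr and returns 1 if any are found, 0 if clean.
audit_wp_perms() {
  root="$1"
  bad=$(
    find "$root" -perm -002 -print                 # world-writable (dir or file)
    find "$root" -type f -perm -001 -print         # executable by others
    find "$root" -name wp-config.php ! -perm 600 -print
  )
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad" >&2
  return 1
}
```

Run `harden_wp_perms /var/www/example` (placeholder path) once after install, and `audit_wp_perms` from a cron job so a plugin or a careless FTP client that loosens things is noticed; on shared hosts the world-writable check is the one that matters most, since that is what lets a neighbouring account write into your tree.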
Keep Your Software Stack Updated
All complex software has vulnerabilities; it’s just a matter of whether anyone knows about them yet. Hackers are very intelligent, and given sufficient time they will figure out those vulnerabilities and use them to gain access. Developers and security researchers are also extremely smart, and when they find vulnerabilities, they report them and the software is fixed. If you fail to keep the software on your server up-to-date, the hackers will have found the vulnerabilities but you won’t have installed the fixes. It’s crucial that you keep your software as up-to-date as possible.
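As an added example (not from the post), here is the update routine a site owner would put on a schedule using WP-CLI (https://wp-cli.org/). It assumes WP-CLI is installed as `wp` and that the script runs from the WordPress root; every subcommand used (`db export`, `core update`, `core update-db`, `plugin update --all`, `theme update --all`, `core verify-checksums`, `plugin list --update=available`) is a real WP-CLI command. It takes a database dump before touching anything so a broken update can be rolled back, and it stops at the first failure. The WP_CMD variable exists only so a test harness can substitute a stub for the real binary.

```sh
#!/bin/sh
# Added example, not from the original post. Updates core, plugins and themes
# with WP-CLI in a safe order, backing up the database first.

WP_CMD="${WP_CMD:-wp}"   # override to point at a stub or a non-PATH binary

# update_wordpress [BACKUP_DIR]   (default ./backups)
# Runs the steps in order and stops at the first failure; returns 0 on success.
update_wordpress() {
  backup_dir="${1:-./backups}"
  mkdir -p "$backup_dir" || return 1
  stamp=$(date +%Y%m%d-%H%M%S)
  # 1. Snapshot the database so any update can be reverted.
  "$WP_CMD" db export "$backup_dir/db-$stamp.sql" || return 1
  # 2. Core first, then its schema migrations: plugin releases are tested against current core.
  "$WP_CMD" core update || return 1
  "$WP_CMD" core update-db || return 1
  # 3. Every plugin and theme, not only the one that prompted the run.
  "$WP_CMD" plugin update --all || return 1
  "$WP_CMD" theme update --all || return 1
  # 4. Confirm core files match the release checksums; this also catches tampered files.
  "$WP_CMD" core verify-checksums || return 1
  # 5. List anything still reporting an available update (should be empty).
  "$WP_CMD" plugin list --update=available --format=csv
}
```

Schedule it with cron and keep the backups directory outside the document root; if step 4 fails after a successful update, treat it as an incident rather than a glitch, because unexpected core-file changes are exactly how planted backdoors show up.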
If you follow the above advice, your WordPress installation should remain secure. If you’ve any WordPress security tips you’d like to share, feel free to contribute to the comments.