I love WordPress. Its ease of use, flexibility, and expandability make it my go-to whenever I’m starting a new site. But just as Voltaire once said (though we’re 80% sure he wasn’t speaking of WordPress):
“With great power comes great responsibility.”
The power of WordPress has made it one of the most popular web apps on the Internet, and that popularity has made it a favorite target for attackers. Over the last year we’ve seen WordPress hacks spike aggressively. If you haven’t yet thought of your WordPress site as a target, that is probably only because it hasn’t been hacked yet. Without the proper measures in place and regular maintenance, it is only a matter of time before your site is brought down.
To be fair, this isn’t limited to WordPress, though it does appear to be the current target of choice for script kiddies. If you run any popular web app, such as (but not limited to) Joomla, phpBB, osCommerce, Drupal, ZenCart or Gallery, you face the same risk, and you will need to make securing these components a regular part of your site maintenance.
We do our best to remind you, our users, to check for updates to WordPress itself, plug-ins and Themes via our Facebook, Twitter and Google+ accounts. If you haven’t yet included our profiles as part of your social network, we recommend doing so to, among other things, keep up with these reminders.
Below are the recommendations we are making for all WordPress users to keep your WordPress site safe and secure.
1. Keep a recent local backup of your entire site.
This is not only part of our terms of service, but it’s good practice. Backups can turn the total loss of your site from a disaster into a minor bump in the road. There are some great backup plugins for WordPress. We recommend setting up a free Dropbox account and then installing the WordPress Backup to Dropbox plugin. Set it up on a weekly schedule and (mostly) forget about it. I’d recommend checking your Dropbox regularly to ensure that the backup is indeed taking place without issue, and trying a restore into a test folder at least once: a backup you have never restored is only a hope. Remember that a usable backup has to include both the files and the database; the files alone will not bring a hacked site back.
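For those who would rather schedule their own backup from the hosting account (via cron) than rely on a plugin, here is an added example. It is my own code for this post, not anything from the Backup to Dropbox plugin. It reads the database credentials out of wp-config.php, dumps the database with mysqldump, tars the dump together with the site files, and checks that the archive actually contains the two things a restore needs. It assumes the standard wp-config.php layout and that mysqldump is installed on the account; the `run` parameter is a hook I added so the dump step can be stubbed out where no database is reachable.

```python
#!/usr/bin/env python3
"""Back up one WordPress install: a database dump plus the files.

Added example for this post (my code, not the Backup to Dropbox plugin's).
Assumes a standard wp-config.php with define('DB_NAME', ...) style lines
and that mysqldump is on PATH on the hosting account.
"""
import os
import re
import subprocess
import tarfile
import time

REQUIRED = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")
# Matches define('DB_NAME', 'wp_site'); with single or double quotes.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)


def parse_wp_config(path):
    """Return the DB_* constants from wp-config.php as a dict."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        found = dict(DEFINE_RE.findall(fh.read()))
    missing = [k for k in REQUIRED if k not in found]
    if missing:
        raise ValueError("wp-config.php lacks " + ", ".join(missing))
    return found


def mysqldump_argv(cfg):
    """Build the mysqldump command line. The password is deliberately not
    on it: anything in argv shows up in `ps` for every user on a shared host,
    so it is passed through the MYSQL_PWD environment variable instead."""
    host, _, port = cfg["DB_HOST"].partition(":")
    argv = ["mysqldump", "--single-transaction", "--host", host or "localhost",
            "--user", cfg["DB_USER"]]
    if port:
        argv += ["--port", port]
    argv.append(cfg["DB_NAME"])
    return argv


def backup_site(site_root, dest_dir, run=subprocess.run):
    """Write <dest_dir>/<site>-<stamp>.tar.gz holding the files and an SQL dump.

    dest_dir must be outside the web root: a .sql or .tar.gz left under
    public_html is downloadable by anyone who guesses its name.
    `run` exists so the dump step can be swapped out when no database is
    available (it is subprocess.run in real use).
    """
    site_root = os.path.abspath(site_root)
    dest_dir = os.path.abspath(dest_dir)
    if os.path.commonpath([site_root, dest_dir]) == site_root:
        raise ValueError("backup destination must not be inside the web root")
    cfg = parse_wp_config(os.path.join(site_root, "wp-config.php"))
    base = os.path.basename(site_root)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    archive = os.path.join(dest_dir, f"{base}-{stamp}.tar.gz")
    sql_path = os.path.join(dest_dir, f"{base}-{stamp}.sql")

    env = dict(os.environ, MYSQL_PWD=cfg["DB_PASSWORD"])
    with open(sql_path, "wb") as out:
        run(mysqldump_argv(cfg), stdout=out, env=env, check=True)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_root, arcname=base)
        tar.add(sql_path, arcname=f"{base}/database.sql")
    os.remove(sql_path)  # the dump now lives only inside the archive
    return archive


def verify_archive(archive, base):
    """A backup that does not open, or lacks the config or the database,
    would fail at restore time; find that out now, not during an incident."""
    with tarfile.open(archive, "r:gz") as tar:
        names = set(tar.getnames())
    return f"{base}/wp-config.php" in names and f"{base}/database.sql" in names


if __name__ == "__main__":
    import sys
    out = backup_site(sys.argv[1], sys.argv[2])
    base = os.path.basename(os.path.abspath(sys.argv[1]))
    print(out, "ok" if verify_archive(out, base) else "BROKEN")
```

Run it from cron as `python3 wp_backup.py ~/public_html ~/backups`, keep `~/backups` out of the web root, and then copy the archive off the server (Dropbox, your Mac, anywhere that is not the same hosting account): a backup sitting next to a hacked site can be deleted by the same hacker.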
2. Keep your WordPress site, plugins and themes up to date.
This is the single most important thing you can do to protect your WordPress install from hacking. Many of the updates you’ll see for WordPress, themes and plugins are security fixes rather than feature upgrades, and once a fix is published the hole it closes is public knowledge. WordPress makes it very easy to keep all of these components up to date. MacHighway has also created a walkthrough to assist with this. We recommend visiting all of your WordPress installations on a weekly basis to review and apply all updates that may exist.
3. Delete any WordPress installations that you are not using.
The good news is that with MacHighway you can install WordPress with a couple of clicks. The bad news is that you may have created a graveyard of unused and out-of-date WordPress installations on your web space, and every one of them is a way in, whether or not anyone still visits it.
Take a few minutes to log in to your cPanel and visit the SimpleScripts, QuickInstall and Fantastico Deluxe modules to review your list of WordPress installs and remove those that are no longer in use. It is also a good idea to log in to your server space via an FTP client like Transmit or Cyberduck and review your files to ensure that there aren’t stray installs hanging out in there, since those tools only list the installs they created themselves.
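The installer modules only show the installs they created, and an FTP client does not tell you what version a folder is running. The added example below is my own code for this post, not a MacHighway or WordPress tool, and it serves both point 2 and point 3: run over SSH, it walks your web space, finds every WordPress install by its wp-includes/version.php, reads the version, flags anything older than the release number you pass in, and flags installs whose core and uploads have not changed in a year as candidates for deletion. The idle threshold and the current release number are assumptions you supply.

```python
#!/usr/bin/env python3
"""Inventory every WordPress install under a web root.

Added example for this post (my code, not a MacHighway or WordPress tool).
Assumes the standard layout, where wp-includes/version.php carries
$wp_version; the current release and the idle threshold are supplied by you.
"""
import os
import re
import time

VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")


def version_tuple(v):
    """'3.5.1' -> (3, 5, 1); '3.5' -> (3, 5, 0); a '-beta' suffix is dropped."""
    parts = []
    for piece in re.split(r"[.\-]", v):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def days_idle(install_dir, now=None):
    """Days since core was updated or anything was uploaded: a rough
    'is anyone still using this site' signal, not proof either way."""
    now = now or time.time()
    newest = os.path.getmtime(os.path.join(install_dir, "wp-includes", "version.php"))
    uploads = os.path.join(install_dir, "wp-content", "uploads")
    for dirpath, _, filenames in os.walk(uploads):
        for name in filenames:
            newest = max(newest, os.path.getmtime(os.path.join(dirpath, name)))
    return int((now - newest) // 86400)


def find_installs(web_root):
    """Yield (install_dir, version, days_idle) for every install found."""
    for dirpath, dirnames, _ in os.walk(web_root):
        version_php = os.path.join(dirpath, "wp-includes", "version.php")
        if "wp-includes" not in dirnames or not os.path.isfile(version_php):
            continue
        with open(version_php, encoding="utf-8", errors="replace") as fh:
            m = VERSION_RE.search(fh.read())
        yield dirpath, (m.group(1) if m else "unknown"), days_idle(dirpath)
        # Skip WordPress's own folders but keep walking the rest, so a
        # forgotten install in a subfolder like blog/old-site/ is still found.
        dirnames[:] = [d for d in dirnames if d not in ("wp-includes", "wp-admin")]


def report(web_root, current, idle_days=365):
    """One row per install, flagged when outdated or apparently unused."""
    rows = []
    for path, version, idle in find_installs(web_root):
        rows.append({
            "path": os.path.relpath(path, web_root),
            "version": version,
            "outdated": version == "unknown"
                        or version_tuple(version) < version_tuple(current),
            "unused": idle >= idle_days,
        })
    return sorted(rows, key=lambda r: r["path"])


if __name__ == "__main__":
    import sys
    for r in report(sys.argv[1], sys.argv[2]):
        flags = ("OUTDATED " if r["outdated"] else "") + ("UNUSED? " if r["unused"] else "")
        print(f"{r['path']:40} {r['version']:10} {flags}")
```

Run it as `python3 wp_inventory.py ~/public_html <current release>`; treat the UNUSED? flag as a prompt to ask whoever owns that folder, not as permission to delete, and take a backup (point 1) before removing anything.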
4. Add the WordFence or Better WP Security plugin to your site.
**Edit 3/14/13: We strongly recommend WordFence as a quicker and easier protection measure than Better WP Security. If you need something more elaborate, we recommend Better WP Security.**
Log in to your WordPress Dashboard, hover over Plugins on the left-hand rail and select Add New. In the search bar, type the name of the plugin you chose (WordFence or Better WP Security). When you’ve found it in the results, install, then activate the plugin. Do this as soon as you can spare 30 minutes to adjust the plugin settings properly. Also, keep in mind that while you’re hoping to find 30 minutes to do this, hackers may be probing your site for vulnerabilities. In other words, make this a priority.
As you go through the Better WP Security checklist, note that we don’t recommend you execute every measure. We don’t recommend changing the wp-content folder name if you have a blog with content, because existing posts link to images and other files by their /wp-content/ path and those links will break. We don’t recommend enabling File Change Detection, because the scan runs inside WordPress itself and may cause your site to become unresponsive. Also, unless you have purchased a dedicated SSL certificate through MacHighway for your site, don’t turn on the SSL option: it forces the login and dashboard over HTTPS, which only works if your domain actually has a certificate.
Take your time working through the settings on the Better WP Security plugin, read the provided warnings, and make sure you understand the steps you’re being asked to take before confirming them.
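If you want the benefit of File Change Detection without the risk of it slowing down every page load, run the check outside WordPress instead. The added example below is my own code for this post, not part of Better WP Security or WordFence. It hashes the site’s files from a cron job, keeps the manifest outside the web root, and reports what was added, removed or changed since the last run, with any PHP file that appeared or changed called out separately, since nothing but an update you performed should change PHP. The rules in `tracked()` for ignoring the cache and upgrade folders, and for watching only PHP under uploads, are assumptions; adjust them to your site.

```python
#!/usr/bin/env python3
"""Offline file-change detection for a WordPress install.

Added example for this post, not code from Better WP Security or WordFence.
Run it from cron (not from inside WordPress) and keep the manifest file
outside the web root. The path rules in tracked() are assumptions.
"""
import hashlib
import json
import os


def tracked(rel):
    """Decide which files belong in the manifest (rel uses '/' separators).

    Cache and upgrade folders churn constantly and are noise. Media under
    uploads changes whenever someone posts, so only PHP there is watched:
    there should be none, and a new .php file in uploads is the classic
    sign of a dropped web shell.
    """
    if rel.startswith(("wp-content/cache/", "wp-content/upgrade/")):
        return False
    if rel.startswith("wp-content/uploads/"):
        return rel.endswith((".php", ".phtml", ".php5"))
    return True


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(site_root):
    """Map relative path -> sha256 for every tracked file under site_root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(site_root):
        rel_dir = os.path.relpath(dirpath, site_root).replace(os.sep, "/")
        for name in filenames:
            rel = name if rel_dir == "." else f"{rel_dir}/{name}"
            if tracked(rel):
                manifest[rel] = hash_file(os.path.join(dirpath, name))
    return manifest


def diff_manifests(old, new):
    """Paths added, removed or modified between two manifests."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def check_site(site_root, manifest_path):
    """Compare the site against the stored manifest and store the new one.

    The first run records a baseline and reports nothing; take that
    baseline right after a fresh update, when you know the files are clean.
    """
    new = build_manifest(site_root)
    if os.path.exists(manifest_path):
        with open(manifest_path) as fh:
            old = json.load(fh)
    else:
        old = new
    with open(manifest_path, "w") as fh:
        json.dump(new, fh, indent=1, sort_keys=True)
    return diff_manifests(old, new)


def suspicious(diff):
    """PHP that appeared or changed: nothing but an update you ran should do that."""
    return sorted(p for p in diff["added"] + diff["modified"]
                  if p.endswith((".php", ".phtml", ".php5")))


if __name__ == "__main__":
    import sys
    result = check_site(sys.argv[1], sys.argv[2])
    for kind in ("added", "removed", "modified"):
        for p in result[kind]:
            print(f"{kind:9} {p}")
    for p in suspicious(result):
        print(f"CHECK NOW {p}")
```

Schedule it as `python3 wp_filecheck.py ~/public_html ~/wp-manifest.json` once a day and have cron mail you the output; expect a burst of changes right after you apply updates, and nothing in between.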
If you have questions, concerns, or tips, feel free to post them in the comments below.