Are You Insecure?
WordPress is one of the easiest to use, most versatile, and most customizable CMS options out there. Unfortunately, that, combined with its popularity, also makes it a constant target for both MySQL and brute-force attacks.
With security remaining such a large issue, we were recently contacted by an outside agency to help act as hosting support for one of their large clients that ran a WordPress site. Our hosting capabilities and expertise were a great match for the client’s strict needs and requirements, and we quickly got down to business, addressing some of the known measures that we should take. Once we located the problem areas and tightened up the code, we were able to make the necessary adjustments to keep the site problem-free in the future.
What can you do to keep yourself from being vulnerable? I’ll lay out some of the best practices to keep your WordPress installation safe and secure.
Out of the box, there are some basic changes you can make to improve WP’s security and, if needed, take it up another level. The first step you should take with your WordPress site is to install a security plugin (we recommend Better WP Security) and follow its steps to remove or update the following:
Remove the Admin user
Remove user id #1
Your table prefix should never be wp_
There are a host of other options available within this plugin (such as site lockout and file change notifications) that I suggest looking into and deciding what is best for your site/situation specifically.
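As an added example that is not part of this post or of the Better WP Security plugin, the Python helper below generates the MySQL statements behind two of those steps, changing the table prefix and removing the default admin user (ID 1), and shows the part that is easy to miss when doing it by hand: the prefix is also stored inside option and usermeta keys. The table list is a constructed sample, and the replacement prefix and user IDs passed in are assumed values.

```python
import re

# Constructed sample: the core tables a default WordPress install creates.
WP_CORE_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "termmeta", "terms", "term_relationships", "term_taxonomy", "usermeta", "users",
]
# WordPress accepts only letters, digits and underscores in $table_prefix.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")


def plan_prefix_change(old, new, tables=WP_CORE_TABLES):
    """Return the MySQL statements that move a WordPress database from table
    prefix `old` to `new` (then set $table_prefix in wp-config.php to `new`).

    Renaming tables is not enough: WordPress also stores the prefix inside
    data, in the `{prefix}user_roles` option and the `{prefix}capabilities`
    and `{prefix}user_level` usermeta keys. If those rows keep the old
    prefix, every user loses their role, so they are rewritten as well.
    """
    if new == "wp_":
        raise ValueError("refusing the default prefix 'wp_'")
    if old == new or not (PREFIX_RE.match(old) and PREFIX_RE.match(new)):
        raise ValueError("prefixes must differ and contain only [A-Za-z0-9_]")
    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]
    # In LIKE, '_' is a one-character wildcard; escape it to match literally.
    pattern = old.replace("_", "\\_") + "%"
    for table, col in (("options", "option_name"), ("usermeta", "meta_key")):
        stmts.append(
            f"UPDATE `{new}{table}` SET `{col}` = CONCAT('{new}', "
            f"SUBSTRING(`{col}`, {len(old) + 1})) WHERE `{col}` LIKE '{pattern}';"
        )
    return stmts


def plan_remove_user(user_id, reassign_to, prefix):
    """Return the statements that delete a user (e.g. the default 'admin'
    account, ID 1) after handing its posts and links to another existing
    administrator, the same order of operations wp_delete_user() uses."""
    user_id, reassign_to = int(user_id), int(reassign_to)
    if user_id == reassign_to:
        raise ValueError("content must be reassigned to a different user")
    return [
        f"UPDATE `{prefix}posts` SET post_author = {reassign_to} WHERE post_author = {user_id};",
        f"UPDATE `{prefix}links` SET link_owner = {reassign_to} WHERE link_owner = {user_id};",
        f"DELETE FROM `{prefix}usermeta` WHERE user_id = {user_id};",
        f"DELETE FROM `{prefix}users` WHERE ID = {user_id};",
    ]
```

Create the replacement administrator and take a database backup before running the generated statements; run `plan_remove_user` only once that new account can log in.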
It’s also a good idea to install a “known IP blocker.” I HIGHLY recommend IPVenger by NorseCorp. It evaluates each IP and provides options for blacklisting by both IP and country, as well as a database of known bad IPs. Whitelisting options and analytics are also provided.
Locking down your WordPress admin area adds another layer of security for you and your users. Lockdown WP Admin lets you hide the main admin section from anyone who isn’t logged in, and also lets you rename the login URL if you so desire.
The measures above will put you in pretty good shape, but if you still have concerns about the security of your site, you can always lock down file and directory access and tighten file permissions. Be forewarned, though: this can break functionality on your site and may not be a viable option.
What are your favorite WordPress security measures? What’s worked/not worked for you in the past? Let us know in the comments!
As a follow-up, I also wanted to add that TimThumb has been a known security hole that can allow hackers to gain access to your site. To find out whether your theme uses TimThumb, and to make sure you’re up to date, it can’t hurt to install a simple plugin that scans your theme and lets you update it if needed. This is especially important for older blogs and sites.