WordPress is an Open Source CMS driven and extended by an incredibly large community. This has a lot of advantages:
– Free or affordable access to a large variety of plugins, themes and tools to add “super powers” to your site.
– Bugs are found and fixed fast.
– Being as simple to use as it is, anybody can learn to update their own site without relying on developers.
The downside of this has to do with security. When a vulnerability is found in WordPress or one of its plugins, the whole Internet literally knows about it right away, which means bad guys, girls and robots can crawl the Internet trying known hacks against outdated sites.
There are a few simple things you can do to greatly enhance the security of your site.
1. Only install the necessary themes and plugins
Remove any plugin or theme that you are not using. The more modules you have, the more likely one of them could have a vulnerability.
2. Keep WordPress, themes and plugins updated
Updates that fix security issues are released often, but users forget to keep their sites updated. You can do this either manually or from the command line with the wp tool.
Our preferred option at ZENVA is to set up a cron job using the wp tool to keep our sites up to date.
3. Install a firewall or security plugin
There are comprehensive security plugins that take care of different types of attacks:
– Brute force attacks (people trying to guess your password)
– Directory traversals (people trying different URLs to find known security holes)
– Injecting SQL or PHP code via request parameters
– Uploading executable files instead of images
If you want a very comprehensive one you can try iThemes or Wordfence. Keep in mind that they might cause issues with existing plugins or themes, and that those plugins will be writing files (see 4.). For a simpler, minimalistic solution try Simple Firewall, which doesn’t need write permissions and takes care of all the main issues indicated.
4. Don’t let the web server user write files
This one can be a bit more controversial. WordPress lets you upgrade itself and install themes and plugins from within the WordPress admin area. This basically means the “web server user” (the account Apache or Nginx runs as, usually called www-data) is allowed to write files on the server.
If your admin account were to be compromised (or a new admin account were somehow injected into your database), the hacker could modify files in your WordPress install (like injecting malicious code into the PHP files – something very common in these attacks).
The definitive solution for this type of attack is to stop the www-data user from writing files altogether (except for the uploads folder).
This means that if you want to update WordPress or its plugins and themes you’ll have to enter FTP or SSH credentials, as WordPress will tell you it doesn’t have permissions.
Otherwise you can set up a cron job for the wp command line tool, which will update it for you.
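As an added example (not from the original post), here is a small POSIX shell audit that lists the files the web server user could still modify outside wp-content/uploads, which is the state point 4 wants to rule out. It assumes GNU find and that the web server account is called www-data as described above.

```shell
#!/bin/sh
# Audit a WordPress tree for files the web server user could still modify.
# Per point 4, everything outside wp-content/uploads should be read-only for
# that user: not owned by it and not world-writable. Assumes GNU find.
# Usage: wp_writable_audit <wordpress-root> <web-server-user>
# Prints one offending path per line; no output means the tree is clean.
wp_writable_audit() {
    root=$1
    web_user=$2
    uploads="$root/wp-content/uploads"
    # Only test ownership when the account exists on this host; otherwise
    # find would abort on the unknown user name.
    if id -u "$web_user" >/dev/null 2>&1; then
        owner_test="-user $web_user -o"
    else
        owner_test=""
    fi
    # -prune keeps the uploads folder out of the report: it must stay writable.
    # shellcheck disable=SC2086
    find "$root" -path "$uploads" -prune -o \
        \( $owner_test -perm /o+w \) -print | sort
}

# Number of offending paths, handy as a nightly cron check (0 means clean).
wp_writable_count() {
    wp_writable_audit "$1" "$2" | wc -l | tr -d ' '
}

# Demo on a constructed mini install (not a real site): wp-config.php and a
# plugin file are world-writable, a core file is clean, uploads is writable.
demo_audit() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-includes" "$site/wp-content/plugins/demo" "$site/wp-content/uploads"
    chmod 0755 "$site/wp-includes" "$site/wp-content" "$site/wp-content/plugins" \
        "$site/wp-content/plugins/demo"
    chmod 0777 "$site/wp-content/uploads"            # allowed, ignored by the audit
    echo '<?php' > "$site/wp-config.php"
    echo '<?php' > "$site/wp-content/plugins/demo/demo.php"
    echo '<?php' > "$site/wp-includes/load.php"
    chmod 0666 "$site/wp-config.php" "$site/wp-content/plugins/demo/demo.php"
    chmod 0644 "$site/wp-includes/load.php"
    wp_writable_audit "$site" www-data >&2            # show the offending paths
    wp_writable_count "$site" www-data                # -> 2
    rm -rf "$site"
}

demo_audit
```

Run it against the real install root (for example `wp_writable_count /var/www/html www-data`) from the same cron that runs the wp updates, and alert when the count is not 0.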
5. Force SSL access for the admin area
This can be done either by purchasing an SSL certificate or by using a self-signed one (which will bring up a browser security warning that you can safely ignore). Since this is just for the admin area, your visitors will not get the security warning unless they try to go to the admin area (which they shouldn’t).
After you’ve installed and configured your SSL certificate (if you buy one, instructions will come with it; to self-sign one there are plenty of good tutorials depending on your OS), you can force it on the WP admin by adding this line to your wp-config.php file:
define('FORCE_SSL_ADMIN', true);