WordPress is one of the most popular platforms for self-hosted blogs and websites. It’s what we use here at Mashable, and it’s a terrific tool. While WordPress is pretty secure out of the box, there are always going to be individuals who want to make trouble by finding a way to crack into accounts or sites to cause damage or inject hidden spammy links. That’s why it’s important to make sure that your WordPress installation is as secure as possible.
Here are some of our tips for keeping your WordPress website or blog more secure and less susceptible to malicious attacks.
1. Update, Update, Update
No software system is immune to bugs and vulnerabilities. Security holes will be discovered and bad guys will do their best to exploit them. Keeping your software up-to-date is a good way to stave off attacks, because reliable software vendors will fix their products once security holes are found.
For web-based software, staying on top of updates is a must. Lots and lots of WordPress users learned that the hard way last September when a wave of attacks spread across sites not running the latest version of the software.
Fortunately, keeping your WordPress site up-to-date is one of the easiest things you can do. For the last few versions, WordPress has included the ability to install automatic updates. Not only that, but sites are notified every time a new upgrade becomes available.
If you aren’t running the latest version of WordPress, upgrade now. Leaving your site on an old version is like keeping your door unlocked when you leave for vacation.
2. Use Strong WordPress Account Passwords
In addition to adding a secret key to your wp-config.php file, also consider changing your user password to something that is strong and unique. WordPress will tell you the strength of your password, but a good tip is to avoid common phrases, use upper and lowercase letters, and include numbers. It’s also a good idea to change your password regularly — say once every six months.
If you use a program like 1Password for Mac or Windows, you can store your password in your browser securely and also generate complex and secure passwords on the fly, which makes changing your passwords less of a chore.
3. Use Secret Keys in your WP-Config File
In WordPress, the wp-config.php file is the file that stores the database information that WordPress needs to connect its circuit, so-to-speak. This file contains the name, address and password of the MySQL database that stores all of your user info, blog posts and other important content.
Using a secret key, you can make it even more difficult for someone to gain access to your account.
Go to https://api.wordpress.org/secret-key/1.1/ and copy the results into this section of your wp-config.php file if you haven’t already set up a secret key.
4. Keep Your Htaccess File in Check
Using a .htaccess file, you can set access limits to certain directories. You can tie those limits to a specific IP address, which means that only people from that location can access your information.
.Htaccess stuff gets pretty complex, but AskApache has the Ultimate Tutorial for all things .htaccess. This post from WPTavern also has some good tips (see tip #5).
5. Know Your File Permissions
Often, hackers are able to gain access to your site because you’ve left files or folders with permissions that are simply too liberal.
Depending on how you have installed WordPress, or the default practices from your webhost, the permissions for files and folders on your WordPress install may not be appropriate.
The WordPress Codex has an outline of what permissions are acceptable. File and directory permissions can be changed either via an FTP client or within the administrative page from your web host.