Red Chip | June 4, 2013

WordPress Security : Covering the basics


WordPress is one of the most widely used cross-platform content management systems. As many as 17% of Web sites are now powered by WordPress, and the number continues to grow day by day. Although WordPress is a reasonably secure platform, that does not mean you should leave all of the security for WordPress to handle on its own.

Recently, attackers exploited a vulnerability in WordPress that compromised thousands of WordPress websites. A quick search for all vulnerabilities reported on the National Vulnerability Database shows that there are 505 vulnerabilities related to WordPress. Close to 30 of these vulnerabilities were listed in the past three months.

1. WordPress Best Practices

Some of the most important things for hardening WordPress include:

  • Making sure your WordPress installation has the latest updates
  • Minimizing the number of plugins you use (and deleting the ones you don’t use)
  • Choosing passwords that are difficult to crack
  • Performing regular data backups
  • Protecting your WordPress using .htaccess

Once you have applied these, you can install a plugin that monitors your WordPress core files and traffic.

2. WordPress Security Plugins

Wordfence is a great plugin that will block any IP address that tries to flood or spam your website. It limits the number of login attempts and monitors all live traffic. It is updated and maintained regularly, so you can count on it staying on top of your security issues.

Better WP Security is another great plugin that will allow you to sleep a little better at night. It is really a full package, but you should read the FAQ section before activating it, as it makes some significant changes to your database that you should be aware of.

BackWPUp is a free plugin that backs up both your WordPress files and database. I can recommend this plugin because I use it on many websites and I’ve never had any issues with it. There are, of course, a lot of other free and paid backup plugins out there and you are welcome to try them all until you find the one which suits you, but please put one to use.

3. Free CDNs

There has been a lot of talk about whether free content delivery networks actually do any good, or whether they exist only to lure you into one of their paid services. Well, I’ve tested the two most popular free CDNs and I can honestly recommend both, even without the paid add-ons.

CloudFlare is a free content delivery network that filters all of your traffic and reduces the risk of your WordPress website becoming a target.

PageSpeed Service by Google does something similar, and we can all presume that Google takes online security seriously.

4. Configure .htaccess

.htaccess stands for Hypertext Access. It is a configuration file that controls the directory in which it is placed and all of its sub-directories. We are going to talk about configuring .htaccess for Apache web servers running on Linux.

Editing the .htaccess file is serious business, and you should not play with it unless you have at least basic coding knowledge. If you don’t feel comfortable editing .htaccess by hand, you can download and install a plugin from the WordPress.org repository called WP htaccess Control. It provides an easy interface for editing the file, and also for configuring WordPress permalinks, categories, archives, pagination and custom taxonomies.

You can easily become overwhelmed by the number of options this plugin offers, so go straight to the “htaccess Suggestions” tab once you reach the plugin configuration page. Check all of the options there and your .htaccess will be configured for security.
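As an added example, not taken from the original post and not what the WP htaccess Control plugin generates, here is a minimal hardening .htaccess for the WordPress root directory. It assumes Apache 2.4 (the `Require` directive), `AllowOverride All` for the site, and mod_rewrite enabled.

```apache
# Added hardening example for a WordPress root .htaccess (Apache 2.4).
# Assumes AllowOverride All and mod_rewrite; keep these rules OUTSIDE the
# "# BEGIN WordPress" / "# END WordPress" block, which WordPress rewrites
# whenever the permalink settings change.

# Do not list directory contents when no index file is present.
Options -Indexes

# Deny web access to the database credentials and to this file itself.
<FilesMatch "^(wp-config\.php|\.htaccess)$">
    Require all denied
</FilesMatch>

# Hide the bundled files that reveal the installed WordPress version.
<FilesMatch "^(readme\.html|license\.txt)$">
    Require all denied
</FilesMatch>

# Refuse to serve PHP that has been written into the uploads directory,
# the usual landing place for a malicious file upload. Because .htaccess
# rules also apply to sub-directories, this one rule covers the whole tree.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-content/uploads/.*\.php$ - [NC,F,L]
</IfModule>
```

After saving, request /wp-config.php and any .php path under /wp-content/uploads/ in a browser and confirm that both return a 403 Forbidden while the rest of the site still loads.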