Posted by: Ken Harthun
Security, Security best practice, WordPress
WordPress is pretty secure out of the box. Nevertheless, there are always going to be individuals who want to crack into accounts for nefarious purpose or inject hidden spam links. Just as with any other application software, it’s important to make sure that your WordPress installation is as secure as you can possibly make it.
While these tips may seem like the same old over-used advice I give to everyone, they are still relevant. They are even more relevant to many of my marketing friends, business clients and colleagues who base their businesses in whole or in part on their blogs.
I’m not going to recommend a bunch of WordPress add-ons and plugins in this post (I’m still researching), but I am going to give some general advice on how to secure your installation. Here is how to secure WordPress in five easy steps:
- Update regularly – As with any other application, hackers find vulnerabilities and attempt to exploit them. WordPress developers are very conscientious when it comes to fixing security holes and WordPress is regularly upgraded. If you are in your administration panel and see a notice about a new version, upgrade immediately. As of the date of this post, the current version is 3.1.2.
- Use strong passwords – It goes without saying that if you use your pet’s name or some other simple, easy to guess password, you’re inviting hackers to hack you. I recommend no fewer than 8 characters that include both upper and lower case letters, numerals and punctuation. Example (don’t use this!): Th3Qu&(!
- Use Secret Keys – The WordPress wp-config.php file that contains the name, address and password of the MySQL database for your blog allows you to use secret keys. In simple terms, a secret key is a password with elements that make it harder to generate enough options to break through your security barriers. You don’t have to remember these. You can generate them at this link: https://api.wordpress.org/secret-key/1.1/salt/.
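If you would rather not paste keys fetched from a website, here is an added example (not WordPress's own tooling, and not part of the original post) that generates the same eight define() lines locally from /dev/urandom. It assumes a POSIX shell with tr and head; the character set is a subset of what the WordPress salt service uses, chosen so the keys are safe inside a PHP single-quoted string.

```shell
#!/bin/sh
# Generate WordPress secret keys and salts locally (added example).
# Each key is 64 random characters; no quote or backslash is ever emitted,
# so the value drops straight into a single-quoted PHP string.

gen_key() {
    # LC_ALL=C keeps tr byte-oriented; the trailing '-' in the set is literal.
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*()_+=-' < /dev/urandom | head -c 64
}

# Emit the eight define() lines WordPress expects in wp-config.php.
gen_salts() {
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        printf "define('%s', '%s');\n" "$name" "$(gen_key)"
    done
}

# Usage: sh gen-salts.sh --print
# Paste the output over the existing define() block in wp-config.php.
# Changing the keys invalidates every logged-in session, which is the point
# if you suspect the old ones leaked.
if [ "${1:-}" = "--print" ]; then
    gen_salts
fi
```

Run it with `--print` and replace the old define() block in wp-config.php; there is nothing to remember, exactly as the step above says.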
- Use .htaccess file properly – This can get complex, so I won’t go into details here, but you must be aware of what your .htaccess file contains and make sure it doesn’t allow access to files and directories you don’t want people to see. WordPress won’t do anything insecure to it, but it never hurts to be sure. A good tutorial is The Ultimate Htaccess. Warning: if you are not a techie, skip this and ask a friendly Geek!
- Set proper file permissions – This is the first line of attack for a hacker, and the biggest problem is when you have file permissions set so that anyone can list a directory’s contents. Just go to WordPress Codex and do what it says. Again, if you’re not a techie, find a friendly Geek (like me) to help you.
Good luck, and if you need help, just ask!