WordPress is a fantastic platform to use for any kind of website. Newbies can get started quickly and inexpensively. Sophisticated web developers can do a lot with it as well. Its flexibility and easy user interface are why we recommend it to most of our clients. Not only is it a great tool, the WordPress team are crackerjack at keeping on top of security concerns that arise.
That being said, malicious hackers still break through and infect sites mostly because some simple security measures are not followed.
In order to protect our sites and the sites of our clients, we developed this 14-step checklist for creating a hacker-resistant WordPress site.
NOTE: Although most hosting companies offer automatic WordPress installation, we prefer a manual installation of WordPress, as it gives us more control over the setup. For those of you who use an installation script provided by your hosting company, you may not be able to apply all of these steps.
Step 1: Install the latest version of WordPress into a subdirectory, instead of your root.
Giving your WordPress install its own directory not only keeps the clutter out of your root directory; if someone does hack into your site, your root directory is also better protected.
You can find instructions for a manual installation at http://codex.wordpress.org/Installing_WordPress
Some hackers target WordPress sites specifically, so when installing WordPress, consider changing the default table prefix from wp_ as an advanced strategy for protecting your site. If you use the WP-Security-Scan plugin we mention later, it will also suggest this when evaluating your site for security holes.
Step 2: Change Your index.php location
Changing your index.php location allows your blog to remain in the root directory, and creates a cleaner URL.
Sign in to your WordPress site, go to Settings, then General, and change your “Blog address (URL)” to the root URL. For example: www.mywebsite.com.
Open your FTP client and copy the index.php file from the subdirectory (where you installed WordPress) into the root directory.
Edit your index.php file to add in the WordPress subdirectory. For example, with WordPress installed in a subdirectory named "wordpress", the require line in the copied index.php becomes:
/** Loads the WordPress Environment and Template */
require( './wordpress/wp-blog-header.php' ); /* "wordpress" is your subdirectory name */
If you have questions about this, there is a link right next to this field that will give you all the details you need to do this right.
Step 3: Protect Your wp-includes folder
This step is simple: just copy your .htaccess file into the wp-includes folder. You may need to set your FTP client to view hidden files in order to see this file.
Step 4: Protect your wp-admin folder
Upload your .htaccess file into the wp-admin folder.
Upload .htpasswd into the root directory.
Go to http://www.htaccesstools.com/htpassword-generator/ to create a password.
Edit the .htaccess file to have the proper path to your .htpasswd file.
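As an added example (not the post's own .htaccess file), this is what a Basic-auth .htaccess for the wp-admin folder looks like; the AuthUserFile path is an assumed placeholder and must be the absolute server path to your .htpasswd.

```apache
# Added example .htaccess for /wp-admin/ (not the original post's file).
# Every request under wp-admin must present a username/password from .htpasswd.
AuthType Basic
AuthName "WordPress Administration"
# Assumed absolute path: replace with the real location of your .htpasswd.
AuthUserFile /home/example/public_html/.htpasswd
Require valid-user

# Caveat a practitioner will hit: themes and plugins call wp-admin/admin-ajax.php
# from the public site, so it must stay reachable without a password.
# (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all granted".)
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
```

Apache only honours .htaccess when the directory allows it (AllowOverride AuthConfig at minimum), so test by opening /wp-admin/ in a private browser window and confirming the password prompt appears.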
Step 5: Upload and activate security plug-ins
Currently, we use the following security plug-ins to protect our site.
Login-Lockdown: this plugin helps prevent “brute-force password discovery” by disabling the login function if a certain number of login attempts and failures are detected from a given IP address.
WP-Db-Backup: this plugin will back up your core WordPress database and other tables (usually created by the plugins you are using). You can schedule your backup or issue an “on-demand” backup when needed.
WP-Security-Scan: this plugin will scan your WordPress site for security vulnerabilities (most of which should be fixed by following the steps we have posted here).
Wp-MalWatch: this plugin scans your site every night for signs of foul play and will alert you where to go look if it finds a problem.
We are also evaluating WordPress Backup by Blog Traffic Exchange, as it will back up the upload directory, the plugin directory, and the current theme directory. It is important to note that the database backup plugin we listed only backs up databases, and that backing up the theme and images, etc. should not be overlooked (see step 11 for more).
In the next post, I'll go over steps 6-14; you can see that post HERE.
AJ Yates is a Virtual Assistant providing creative business and web solutions for individuals and small businesses. Fully grounded in traditional and online business needs, AJ helps her clients extend their office resources and get things done so they can focus on what they do best. For more information on AJ and her Virtual Office Team visit VirtualOfficeAce.com