WordPress - how to secure against hackers

WordPress is still growing in popularity and is now installed on a large number of websites all over the world. For that reason criminals make numerous attempts to gain access to WordPress websites via known exploits, and the prize is worth a great deal of their time and effort: because every site runs the same code, a working exploit against one WordPress installation, or one popular plugin, can potentially be replayed against them all.


Much of the following also applies to many other popular scripts too.

What can you do to secure your WordPress website?

WordPress offers challenges for both the owner and the hosting company, due mainly to its popularity: new cracks are found and published daily. The main point of entry for hackers is weak or flawed code; it does not really matter how secure the server hosting the WordPress website is, if out-of-date code exists on the site it can and will get hacked, normally by hack-bots (automated scripts that trawl the web for vulnerable sites and inject malware).

It is good to remember that it is not just the core WordPress code which gets hacked; quite often it is poorly written add-ons/plugins, which means all the code, including every installed add-on, must be updated and checked regularly.

To ensure your WordPress installation is kept secure you should:

  • Ensure WordPress is upgraded as and when required. This includes all installed plugins; failure to do so may mean the scripts become infected, and then we have no option but to SUSPEND the website. This causes major issues for both you and our support.

    Please take some time to check that all your scripts are up to date: log in to your WordPress admin and the bar along the top will tell you of any upgrades required to WordPress itself; then select Plugins on the left to list the installed plugins and see which of them require updating. Check that WordPress and its plugins are up to date regularly, and schedule the check in your diary.
  • Passwords - make sure these are NOT simple or too short! 
  • Themes - select ONLY from the official repository; that way your theme is far more likely to keep receiving updates.
  • Backup - complete a database backup often, use an automated software such as:  http://dwalker.co.uk/phpmysqlautobackup/
  • Also, if you are not using a plugin that is currently installed, remove it.

  • REMOVING WordPress: If you are removing WordPress then in addition to removing WordPress via the control panel you may need to remove files manually using ftp or the filemanager (from within the control panel) to delete some of the old php files used by WordPress and its plugins.

  • For those that manage WordPress websites you should join the mailing list so you are notified when a new release is available, join the list here:
    http://wordpress.org/download/
    (see Release Notification on the right of the above page)

  • Secure the admin and member login sections of WordPress.  Consider the additional security changes suggested here:
    http://codex.wordpress.org/Hardening_WordPress (see Securing wp-admin)
    Also, consider the changes to the member login page shown here:
    https://wordpress.org/support/topic/rename-wp-loginphp-for-security 
    Also, consider using a scanner; one of the better known is: https://wordpress.org/plugins/sucuri-scanner/
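One concrete way to carry out the "Securing wp-admin" step from the list above is to restrict wp-login.php and the wp-admin directory to the addresses you log in from. The script below is an added example, not code from the original page or from the WordPress Codex; it assumes Apache 2.4 (the "Require" syntax) with AllowOverride AuthConfig or All on the document root, which is the usual shared-hosting setup, and that the people who log in do so from a fixed address or VPN. The function name, the document root and the IP addresses are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not code from the original page): lock wp-login.php and
# wp-admin/ down to an IP allow-list with Apache 2.4 .htaccess rules.
# Assumes Apache 2.4 (Require syntax) and AllowOverride AuthConfig or All on
# the document root; Apache 2.2 hosts need Order/Deny/Allow instead.
set -u

# wp_lock_admin DOCROOT IP_OR_CIDR [IP_OR_CIDR ...]
# Appends a <Files wp-login.php> block to DOCROOT/.htaccess (outside the
# "# BEGIN WordPress" markers, so WordPress will not overwrite it) and writes
# DOCROOT/wp-admin/.htaccess.  admin-ajax.php is left open: themes and plugins
# call it from the public site, and blocking it breaks them for every visitor.
wp_lock_admin() {
  local docroot=$1; shift
  [ "$#" -ge 1 ] || { echo "usage: wp_lock_admin DOCROOT IP [IP...]" >&2; return 2; }
  local ip
  for ip in "$@"; do
    # Only IPv4 addresses / CIDR ranges are accepted here; anything else is
    # refused so a typo cannot end up as a directive Apache rejects (a bad
    # .htaccess takes the whole site down with a 500 error).
    case $ip in
      ''|*[!0-9./]*) echo "rejected address: $ip" >&2; return 2 ;;
    esac
  done
  local allow="Require ip $*"
  local root_ht="$docroot/.htaccess" admin_ht="$docroot/wp-admin/.htaccess"
  mkdir -p "$docroot/wp-admin"
  # Idempotent: re-running must not stack a second copy of the block.
  if ! grep -q '^# wp_lock_admin' "$root_ht" 2>/dev/null; then
    cat >> "$root_ht" <<EOF
# wp_lock_admin
<Files wp-login.php>
    $allow
</Files>
EOF
  fi
  cat > "$admin_ht" <<EOF
# wp_lock_admin
$allow
<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}
```

Run it as, for example, wp_lock_admin /var/www/example.com/htdocs 203.0.113.10 198.51.100.0/24 (assumed paths and addresses). Two caveats: this suits sites where only staff log in, since it also shuts out legitimate members who use wp-login.php from elsewhere; and if the site sits behind a CDN or reverse proxy, Apache sees the proxy's address rather than the visitor's, so the allow-list will not work until the real client address is restored (mod_remoteip).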

Remember:

Addons/Plugins

Research has shown many WordPress addons/plugins to be poorly written and a major security risk:
http://www.theregister.co.uk/2014/07/24/50000_sites_backdoored_through_shoddy_wordpress_plugin/

Select with care and only install plugins where necessary, and select from the official repository; that way your plugins are far more likely to keep receiving updates.

Each addon/plugin you install offers the potential to:

 - make your website less secure
 - make your website run slower
 - sniff/monitor your website traffic/data, whenever and as often as it likes!

Unless you remove the addon and all of its files completely (that means ALL THE RELATED FILES), any of the above is still possible: a plugin does not need to be enabled to cause issues, because its PHP files remain on the server and can still be requested directly by an attacker even when WordPress has the plugin deactivated. 
Addons/plugins: Remove if not needed. 

Monitoring your website code

You could use a file change monitor to automatically email you about any file changes to your website, see here for details:
http://seiretto.com/news/How-to-monitor-your-website-for-malware.php
Using this also has the benefit of informing you of any PHP runtime errors, as new error reports are written to the relevant folder and then show up as changed files (this is VERY USEFUL).
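The essence of such a monitor is small enough to show in full. The script below is an added example and is not the tool described on the linked page, nor Seiretto's software: it records a SHA-256 hash of every file under the document root once, and on each later run reports which files were added, changed or removed. The function names, the document root and the baseline path in the comments are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not the original page's tool): a minimal file-change monitor
# for a WordPress document root.  Hash every file once, then re-hash and
# report what differs.  Assumed paths appear only in comments.
set -u

# Print "sha256  ./path" for every regular file under ROOT, skipping the page
# cache, sorted so two manifests can be compared line by line.
wp_manifest() {
  local root=$1
  (cd "$root" && find . -path ./wp-content/cache -prune -o -type f -print0 \
     | sort -z | xargs -0 -r sha256sum)
}

# wp_monitor ROOT BASELINE
# First run: write BASELINE and return 0.  Later runs: print ADDED / CHANGED /
# REMOVED lines and return 1 if anything differs, 0 if nothing does.
# Keep BASELINE outside the document root: an attacker who can write to the
# site could otherwise rewrite the record you compare against.
wp_monitor() {
  local root=$1 baseline=$2 current report
  current=$(mktemp) || return 2
  wp_manifest "$root" > "$current"
  if [ ! -f "$baseline" ]; then
    mv "$current" "$baseline"
    echo "baseline written to $baseline"
    return 0
  fi
  # sha256sum lines are 64 hex chars, two spaces, then the path; split on
  # fixed offsets so paths containing spaces still compare correctly.
  report=$(awk '
    { h = substr($0, 1, 64); p = substr($0, 67) }
    NR == FNR { old[p] = h; next }
    { seen[p] = 1
      if (!(p in old))      print "ADDED   " p
      else if (old[p] != h) print "CHANGED " p }
    END { for (p in old) if (!(p in seen)) print "REMOVED " p }
  ' "$baseline" "$current" | sort)
  rm -f "$current"
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# wp_accept ROOT BASELINE: after you have reviewed a report and confirmed the
# changes were yours (an update, a new plugin), re-record the baseline.
wp_accept() { wp_manifest "$1" > "$2"; }
```

To get the email the page describes, put the functions in a script run hourly from cron and only send mail when wp_monitor returns 1, for example: if ! report=$(wp_monitor /var/www/example.com/htdocs /var/lib/wpmon/baseline); then printf '%s\n' "$report" | mail -s "example.com: file changes" you@example.com; fi (assumed paths and address). A web shell dropped into wp-content/uploads shows up as an ADDED .php file, a backdoored plugin as CHANGED, and, as the text notes, a fresh PHP error log as a new or changed file too.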

 

You can run a WordPress website on any of our Small Business or Premier accounts:
http://www.seiretto.com/web_hosting/php_hosting.php
and these accounts come with an auto install of WordPress via the control panel.

Our reseller accounts also offer WordPress hosting:
http://www.seiretto.com/web_hosting/reseller_hosting.php




Copyright © 1996-2019 Seiretto Ltd. All rights reserved.
Registered in England & Wales no: 4716409. VAT no: GB780 4245 32