In the last year I have had two web-sites hacked into, one personal site and one ministry site. Both of them were WordPress web-sites, and since then I’ve made some changes to how I secure my WordPress sites.
When securing your site you want to look at a few different things including:
- Content Management System (CMS)
- Limit Login Attempts – Limits the number of login attempts to the administration area of the web-site and blocks by IP or cookies after a certain number of failed attempts.
- Secure WordPress – Performs basic security checks on your WordPress installation and makes suggestions for better securing your site.
- WordPress Firewall 2 – Monitors web requests and blocks obvious attacks.
- WP Security Scan – Performs security scan of your WordPress installation.
In addition to the security of your site, you also need to make sure that you have up-to-date backups.
In addition to the security plugins, I also make sure that I have automated backups set up for my site. When backing up, you need to make sure that you back up all important files including:
- Uploaded Content
I explain how to set this up in another article that I wrote, WordPress Backup in Only 8-Minutes.
Keeping your WordPress installation up to date is also very important. Although WordPress hasn’t had any major security holes since version 2.7, you should still update it regularly.
One of the things that I really like about WordPress is how easy it is to apply the updates. It’s one of the reasons why it is my CMS of choice.
Deciding when to update WordPress can be challenging. I find that as you use more plugins or heavily customise your theme you increase the chances of something breaking when you do an update.
Usually the “smaller” updates (0.0.x) can be installed without problems. The larger updates though (0.x.0) have a higher chance of breaking things, so I usually wait a few weeks and take the time to check for plugin updates before moving ahead with those upgrades. Having a beta or test site is very beneficial and I do that with the main ministry sites that I am responsible for.
A lot of your security also depends on your web host server. There are many quality web hosts out there, but my personal choice is HostGator. All of my dealings with them have been good and I have not had any server-related security problems since I started hosting with them.
One challenge with the shared hosting that I use through HostGator is that there are other people using the shared server. To really boost security you can go with a Virtual Private Server (VPS) or a Dedicated Server. Both of those involve higher cost than a standard shared hosting account but come with a more secure set-up. You can get both of these services also through HostGator.
Lock image by kchbrown