How to Secure WordPress

In the last year I have had two web-sites hacked into, one personal site and one ministry site. Both of them were WordPress web-sites and since then I’ve made some changes with how I secure my WordPress sites.

When securing your site you want to look at a few different things including:

  • Content Management System (CMS)
  • Database
  • Passwords
  • Server

Security Plugins

Here are the security plugins that I use to secure my sites:

  • Limit Login Attempts – Limits the number of login attempts to the administration area of the web-site and blocks by IP or cookies after a certain number of failed attempts.
  • Secure WordPress – Performs basic security checks on your WordPress installation and makes suggestions for better securing your site.
  • WordPress Firewall 2 – Monitors web requests and blocks obvious attacks.
  • WP Security Scan – Performs security scan of your WordPress installation.
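As an added illustration of what a login limiter such as Limit Login Attempts does, here is example code (not part of this post or of the plugin) that reads constructed Apache access-log lines, counts failed wp-login.php POSTs per IP, and returns the IPs that exceed a threshold within a time window; the threshold and window values are assumptions for the example, not the plugin's settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache combined format). Heuristic used
# here: a POST to wp-login.php answered with 200 is a failed login (WordPress
# re-renders the form), while a 302 is a success (redirect into wp-admin).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2012:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2012:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Jan/2012:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2012:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2012:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2012:10:00:09 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2012:10:55:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def failed_logins(log_text):
    """Yield (timestamp, ip) for each request that looks like a failed wp-login.php POST."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["method"] == "POST" and m["path"].startswith("/wp-login.php") and m["status"] == "200":
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["ip"]


def ips_to_block(log_text, max_attempts=4, window=timedelta(minutes=20)):
    """Return the IPs that reach `max_attempts` failed logins inside any `window`.
    The defaults are assumed values for this example, not the plugin's settings."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = set()
    for ts, ip in sorted(failed_logins(log_text)):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_attempts:
            blocked.add(ip)
    return blocked


if __name__ == "__main__":
    print(ips_to_block(SAMPLE_LOG))   # {'203.0.113.7'}
```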

In addition to securing your site, you also need to make sure that you have up-to-date backups.

WordPress Backups

In addition to the security plugins, I also make sure that I have automated backups set up for my site. When backing up you need to make sure that you back up all important files, including:

  • Database
  • Uploaded Content
  • Themes
  • Plugins

I explain how to set this up in another article that I wrote, WordPress Backup in Only 8-Minutes.

WordPress Updates

Keeping your WordPress installation up to date is also very important. Although WordPress hasn’t had any major security holes since version 2.7, you should still update it regularly.

One of the things that I really like about WordPress is how easy it is to apply the updates. It’s one of the reasons why it is my CMS of choice.

Deciding when to update WordPress can be challenging. I find that as you use more plugins or heavily customise your theme you increase the chances of something breaking when you do an update.

Usually the “smaller” updates (0.0.x) can be installed without problems. The larger updates though (0.x.0) have a higher chance of breaking things, so I usually wait a few weeks and take the time to check for plugin updates before moving ahead with those upgrades. Having a beta or test site is very beneficial and I do that with the main ministry sites that I am responsible for.

Secure Servers

A lot of your security also depends on your web host server. There are many quality web hosts out there but my personal choice is HostGator. All of my dealings with them have been good and I have not had any server related security problems since I started hosting with them.

One challenge with the shared hosting that I use through HostGator is that there are other people using the same server. To really boost security you can go with a Virtual Private Server (VPS) or a Dedicated Server. Both of those cost more than a standard shared hosting account but come with a more secure setup. You can also get both of these services through HostGator.

Lock image by kchbrown

This entry was posted in General.
6 comments
billhutchison (moderator)

Thanks @mattnnat photographers, I'm glad you found it useful. I was actually surprised at how many attacks the plugins picked up that I was completely unaware of...

Bill Hutchison

I have heard good things about Bluehost.com.

The other host that I had bad experience with is 1 & 1 Internet. I would not recommend them to anyone...

Jon

Just curious, do you know anything about Bluehost.com and security? Have you used any besides HostGator?

Jon

Thanks for this post!

I am experimenting with those plugins now. I haven't been a target yet, but I run a bunch of WordPress sites and have been thinking about security lately.

Blessings,

Jon

JonDavisJr

I've been using these plugins for a while now. It turns out that WebsiteDefender has replaced two of the plugins that you mentioned here (Secure WordPress and WP Security Scan) with one plugin that does both of those things and more. It is called Website Defender Wordpress Security. You can read my questions to them about this here: http://www.websitedefender.com/forums/websitedefender-general/websitedefender-wordpress-security-secure-wordpress

The other two plugins are still available, probably because they are supporting their former users, but the new one covers it all.

:-)

Here is the new plugin link: http://wordpress.org/extend/plugins/websitedefender-wordpress-security/

Blessings!

Jon