
How To Improve WordPress Security & Protect Your Blog From Hackers


If you haven't done anything to improve WordPress security, chances are you have never had to learn the hard way.

I learnt the hard way a couple of years ago when I woke up to find one of my authority sites had tanked out of the SERPs, losing 10,000 visitors a day.

That equated to nearly a $12,000 / £8,000 loss in affiliate commission…

After a bit of investigation it turned out someone had hacked the blog, created thousands of spam pages hidden from normal view and turned it into a cloaked link network.

That was enough for Google to slam the site even though it looked perfectly fine to the naked eye, even when logged in as admin!

It took me a few days to undo the damage due to my lack of backups (they had injected C99MadShell code into every file) and a further 3-4 weeks for the recovery in Google.

All of this could have been avoided if I had just spent 10 minutes improving the security of the blog.

The irony is I had read, and ignored, plenty of articles just like this one ^^

WordPress is a prime target for hackers no matter how big or small your site is: the attacks are automated and hit every site running a known-vulnerable version, not just the big ones. Check out the latest threats here and you'll see what I mean.

What You Will Learn

  • How to improve WordPress security
  • How to protect against hackers
  • How to automate backups free of charge
  • How to scan your site for malware
  • How to automatically monitor your site

Automatically Backing Up Your Site

First things first – make a backup of your site right now!

Having regular backups makes it easy to recover from a hack: with a known-good archive you restore the files and database in one go instead of trying to clean infected files one by one.

It is also handy to make a backup before making any significant changes to your site such as installing a new plugin or upgrading WordPress.

My host does this automatically for me and provides a great control panel but if your host doesn’t then don’t worry.

There are many paid backup plugins available but all you need is the free BackWPup plugin.

It will back up your database and all of the files, including everything in wp-content, into a single zip file.

It can then automatically upload the file to an FTP server, Amazon S3, Dropbox, SugarSync or a bunch of other services.

You can even set up a dedicated free Gmail account and get the plugin to email the backups to you! Bear in mind that the archive contains wp-config.php, and therefore your database password and secret keys, so give that mailbox a strong unique password and two-step verification and treat it as part of the site.

Install the plugin, ensure you are doing daily backups, and every so often check that a backup actually restores!
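If you would rather not depend on a plugin, or want a second copy taken outside WordPress, the script below does the same job from cron on a Linux host. It is an added example written for this article, not BackWPup and not the author's setup: it reads the database credentials out of wp-config.php, dumps the database with mysqldump, archives the dump together with wp-config.php and wp-content, writes a SHA-256 checksum, and prunes archives older than a configurable number of days. The paths /var/www/blog and /var/backups/wp in the usage line are hypothetical.

```shell
#!/usr/bin/env bash
# wp_backup.sh - nightly WordPress backup (files + database) to a local
# directory; copy the result off-box afterwards (rsync, s3 cp, ...).
# Added example for this article, not BackWPup and not the author's code.
set -u

# wp_config_value <wp-config.php> <CONSTANT>
# Prints the value of define('CONSTANT', 'value') from wp-config.php,
# accepting single or double quotes and any whitespace around the parentheses.
wp_config_value() {
  sed -nE "s/^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]*)['\"].*/\1/p" "$1" | head -n 1
}

# wp_backup <wp_root> <dest_dir> [keep_days]
# Writes <dest_dir>/wp-<timestamp>.tar.gz (+ .sha256) containing db.sql,
# wp-config.php and wp-content/, then deletes archives older than keep_days.
# Prints the archive path on success.
wp_backup() {
  root=$(cd "$1" && pwd) || return 1
  dest=$(mkdir -p "$2" && cd "$2" && pwd) || return 1
  keep_days="${3:-14}"
  config="$root/wp-config.php"
  [ -f "$config" ] || { echo "wp_backup: no wp-config.php in $root" >&2; return 1; }
  work=$(mktemp -d) || return 1

  if command -v mysqldump >/dev/null 2>&1; then
    db=$(wp_config_value "$config" DB_NAME)
    user=$(wp_config_value "$config" DB_USER)
    host=$(wp_config_value "$config" DB_HOST)
    # MYSQL_PWD keeps the password out of the process list while the dump runs.
    MYSQL_PWD=$(wp_config_value "$config" DB_PASSWORD) \
      mysqldump --single-transaction -h "${host:-localhost}" -u "$user" "$db" \
      > "$work/db.sql" || { rm -rf "$work"; return 1; }
  else
    echo "wp_backup: mysqldump not found, archiving files only" >&2
  fi

  archive="$dest/wp-$(date +%Y%m%d-%H%M%S).tar.gz"
  # The first -C picks up db.sql from the work dir, the second the site files.
  tar -czf "$archive" -C "$work" . -C "$root" wp-config.php wp-content \
    || { rm -rf "$work"; return 1; }
  rm -rf "$work"
  # The archive holds wp-config.php (DB password, salts): owner-only access.
  chmod 600 "$archive"
  (cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256")
  find "$dest" -maxdepth 1 -name 'wp-*.tar.gz*' -mtime +"$keep_days" -delete
  echo "$archive"
}

# verify_backup <archive>: checks the checksum and that the key files are in it.
verify_backup() {
  (cd "$(dirname "$1")" && sha256sum -c --quiet "$(basename "$1").sha256") || return 1
  tar -tzf "$1" | grep -qx 'wp-config.php' || return 1
  tar -tzf "$1" | grep -q '^wp-content/' || return 1
}

# Usage from a daily cron entry (hypothetical paths):
#   wp_backup /var/www/blog /var/backups/wp 14
```

Run verify_backup on a fresh archive now and then; a backup you have never restored or checked is a hope, not a backup.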


Remove WordPress Version

By default WordPress announces which version of the software it is running in the page source, in a meta "generator" tag.

The problem with this is that when a vulnerability is discovered in a particular version, attackers can search for that string and get a ready-made list of blogs running the vulnerable version. Hiding the version only takes you off the easy list; it does nothing for a site that is actually out of date, so it is no substitute for updating.

To remove it, log in as admin, go to Appearance > Editor > Functions.php and add this line at the end (before the closing ?> tag if the file has one). A child theme's functions.php or a small plugin file is a better home for it, because a theme update will overwrite the parent theme's functions.php:

remove_action('wp_head', 'wp_generator');
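That line only removes the head tag. WordPress also appends its version to the URLs of core stylesheets and scripts as ?ver=, prints it in the RSS feed's generator element, and ships readme.html in the web root with the version in it, so check what a visitor still sees. The function below is an added example (mine, not from the article or any plugin): save the page source with curl, then run the check on the saved file. The hostname example.invalid and the sample page used in the usage line are constructed placeholders.

```shell
#!/usr/bin/env bash
# check_version_leaks.sh - report where a saved WordPress page still reveals
# the WordPress version. Added example for this article, not plugin code.
#
#   curl -s https://example.invalid/ -o home.html   # example.invalid is a placeholder
#   check_version_leaks home.html

# check_version_leaks <saved_html_file>
# Prints one line per leak found; returns 1 when anything was found, 0 when clean.
check_version_leaks() {
  html="$1"; found=0
  q="[\"']"   # either quote character around an attribute value

  # 1. <meta name="generator" content="WordPress x.y.z"> written by wp_generator.
  if grep -qiE "<meta[^>]*name=${q}generator${q}[^>]*WordPress" "$html"; then
    echo "generator tag: $(grep -oiE "<meta[^>]*name=${q}generator${q}[^>]*>" "$html" | head -n 1)"
    found=1
  fi

  # 2. ?ver= on core assets: WordPress appends its own version to wp-includes
  #    scripts and styles that don't declare one, so this survives the
  #    wp_generator removal. Bundled libraries (jQuery) show their own version.
  vers=$(grep -oE "wp-includes/[^\"' ]*\?ver=[0-9.]+" "$html" | sed 's/.*ver=//' | sort -u | tr '\n' ' ')
  if [ -n "$vers" ]; then
    echo "core asset ?ver= values: $vers"
    found=1
  fi

  return $found
}

# count_version_leaks <saved_html_file>: number of leak lines, for scripting.
count_version_leaks() {
  check_version_leaks "$1" | grep -c . || true
}
```

If the ?ver= values still give the version away, the usual fix is to filter the enqueued URLs to strip the query string (a feature most security plugins, including the one recommended later in this article, offer), and to delete readme.html after each core update.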

Block Directory Browsing

Usually, if you browse to a directory that has no index file, the server lists every file in that folder, just like browsing through files and folders on your computer. On a WordPress site that tells an attacker exactly which plugins and uploads you have.

To stop Apache from listing the files in a directory you need to add one line to .htaccess.

Open up the .htaccess file in the root of your site (the same folder as wp-config.php) and add this line:

Options -Indexes

Afterwards, requesting a folder such as /wp-content/uploads/ should return a 403 Forbidden error instead of a file list. If it still lists files, your host has not allowed .htaccess to override Options and you will need to ask them to turn listings off; nginx ignores .htaccess altogether and keeps listings off unless autoindex has been switched on.

Update WordPress & Plugins

New hacks and vulnerabilities are discovered all the time which is why it is important to keep up to date with both WordPress and plugin updates.

Make sure you keep both updated regularly!

It is also a good idea to make a backup of your files and database before updating anything just in case it breaks!

Delete Unused Themes / Plugins

While unused themes and plugins don't interfere with your blog directly, their files still sit on the server and can be requested directly, so a vulnerability in a deactivated plugin or theme is just as exploitable as one in an active plugin (and the official directory holds thousands of plugins of very mixed quality).

So if you have any unused plugins and themes, delete them! This gets rid of code you are not even watching for updates, and a smaller install is quicker to back up and scan.

TimThumb Vulnerability Scanner

TimThumb is a popular script that a lot of themes bundle to resize images for thumbnails and so forth.

The problem is that older versions had a serious bug: the script would fetch an image from a remote URL if the host looked like one of a few trusted sites (blogger.com, flickr.com and so on), but the check only looked for that name somewhere in the hostname, and whatever was fetched was saved into a web-accessible cache folder. An attacker could put a PHP file on a host named something like blogger.com.attacker.example, ask TimThumb to fetch it, and then run it on your server without any login at all.

The other problem is that the script ships inside a lot of themes and plugins, often under another file name, so each copy only gets fixed if the theme author releases an update; many never did, which leaves a ready-made back door on otherwise fully updated sites.

This is the back door that was used to hack my authority site.

To check if your theme is at risk, install the TimThumb Vulnerability Scanner plugin.

It will scan your blog for any old versions of TimThumb and let you update them in one click if you need to!

You can uninstall the plugin once you have done that, but run it again whenever you install a new theme.
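If you have shell access, you can do the same check by hand, which also catches copies that a theme has renamed. The script below is an added example (mine, not the scanner plugin's code): it finds every PHP file under the install that mentions TimThumb and defines a VERSION constant, or is literally called timthumb.php, prints the version of each, and flags those older than a minimum. The default minimum of 2.8.14 is an assumption; set it to whatever the current TimThumb release is, and the sample theme layout in the usage line is hypothetical.

```shell
#!/usr/bin/env bash
# find_timthumb.sh - locate every bundled copy of TimThumb under a WordPress
# install and flag old versions. Added example for this article; it is not the
# TimThumb Vulnerability Scanner plugin. The default minimum version 2.8.14 is
# an assumption: set it to the current TimThumb release.

# timthumb_version <php_file>: prints the VERSION constant ("" if absent).
timthumb_version() {
  sed -nE "s/^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]VERSION['\"][[:space:]]*,[[:space:]]*['\"]([0-9.]+)['\"].*/\1/p" "$1" | head -n 1
}

# version_lt <a> <b>: true when version a is older than b (1.34 < 2.8.14).
version_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# find_timthumb <dir> [min_ok_version]
# One line per copy found: "OLD <ver> <path>", "OK <ver> <path>" or
# "UNKNOWN - <path>". Themes rename the script (thumb.php, image.php, ...),
# so any PHP file that mentions timthumb and defines VERSION counts, as does
# anything literally named timthumb.php.
find_timthumb() {
  root="$1"; min_ok="${2:-2.8.14}"
  grep -rliF --include='*.php' 'timthumb' "$root" 2>/dev/null | sort |
  while IFS= read -r f; do
    v=$(timthumb_version "$f")
    case "$f" in
      */timthumb.php) ;;             # always report, even without a VERSION line
      *) [ -n "$v" ] || continue ;;  # other names only count with a VERSION line
    esac
    if [ -z "$v" ]; then
      echo "UNKNOWN - $f"
    elif version_lt "$v" "$min_ok"; then
      echo "OLD $v $f"
    else
      echo "OK $v $f"
    fi
  done
}

# count_old_timthumb <dir> [min_ok_version]: how many copies need updating.
count_old_timthumb() {
  find_timthumb "$@" | grep -c '^OLD ' || true
}

# Usage on a real install (hypothetical path):
#   find_timthumb /var/www/blog
```

Replace every OLD copy with the current script from the TimThumb project, or better, switch the theme to WordPress's own add_image_size thumbnails and delete the script entirely; a copy you cannot identify (UNKNOWN) should be treated as old.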

CloudFlare

CloudFlare offers a free service that helps to protect and speed up any website.

This works at the DNS level: you point your domain at CloudFlare, and it proxies visitors to your server, filtering known-bad traffic before it reaches or even sees your site.

One caveat: your server's real IP address still answers requests directly, so an attacker who finds it (from old DNS records or mail headers, for instance) can go round the proxy. If your host allows it, restrict the web server to CloudFlare's published IP ranges.

It only takes a few minutes to set up and will offer decent protection. There are paid options available but you won't need those for the most part.

Install A Security Plugin

As well as the tips above you can improve WordPress security and protect from hackers by installing a plugin.

The Better WP Security plugin helps to protect your site in a number of ways:

  • Removes the WordPress version
  • Changes the URLs of the login and dashboard pages
  • Renames the default admin account
  • Changes the WordPress database table prefix
  • Removes login error messages
  • Hardens the site against a range of common attacks
  • Scans your site for vulnerabilities
  • Automatically bans bots and hackers
  • Improves server security

And a whole bunch of other stuff! Two cautions: changing the table prefix rewrites your database, so take a backup before enabling it; and its automatic backup option only backs up your database and not your files, so please see the separate backup section for that!

Install A Firewall

Alongside a security plugin you also want a firewall that blocks common attack payloads such as SQL injection and script (XSS) injection in incoming requests.

The OSE Firewall plugin has you covered!

Bear in mind that a plugin firewall runs inside WordPress, so it only inspects requests that reach WordPress itself; a bundled script that runs on its own, like TimThumb, is outside its view. Even so, the combination of the firewall and the Better WP Security plugin is a great setup!

How To Monitor Your Sites Security

There are a number of free services we can use to monitor our site for hacks and downtime.

Sucuri Sitecheck

The first one is the Sucuri SiteCheck scanner, which will check lots of URLs across your site for a range of threats.

This covers everything from malware to checking if your site is blacklisted anywhere.

Pingdom

The free account at Pingdom will check your site every minute from a range of locations.

You can get notifications of downtime via email, sms, Twitter, iOS or Android which is very handy indeed!

In fact if you manage a bunch of sites the Pingdom mobile app is fantastic – I highly recommend it!

Change Detection

The Change Detection service is simple in function but amazingly handy!

All it does is monitor pages for changes, and if a change is detected it sends you an email!

You can use it to make sure you're alerted to any changes to your site. It's also great for checking when popular items are back in stock on websites ^^
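The script below is an added example (mine, not the Change Detection service's code) that does the same thing from cron and adds the check that would have caught the attack described at the top of this article: it fetches the page both as a normal browser and with Googlebot's User-Agent, because cloaked spam is served only to search engines. Pages are hashed after stripping HTML comments and whitespace so that a caching plugin's timestamp comment does not raise a false alarm. The URL and state directory in the usage line are hypothetical.

```shell
#!/usr/bin/env bash
# page_monitor.sh - detect content changes on a page, including cloaked
# changes served only to search engines. Added example for this article;
# not the Change Detection service's code.

# normalize_html <file>: strip single-line HTML comments (cache plugins stamp
# timestamps in them) and collapse whitespace, so only real content changes count.
normalize_html() {
  sed -E 's/<!--[^>]*-->//g; s/[[:space:]]+/ /g' "$1"
}

# fingerprint <file>: SHA-256 of the normalised page.
fingerprint() {
  normalize_html "$1" | sha256sum | cut -d' ' -f1
}

# check_change <label> <file> <state_dir>
# Compares the page fingerprint with the one stored from the previous run.
# Prints BASELINE on the first run, UNCHANGED, or CHANGED (old -> new), and
# returns 2 on a change so a cron wrapper can alert on a non-zero exit.
check_change() {
  label="$1"; file="$2"; state="$3"
  mkdir -p "$state" || return 1
  stored="$state/$label.sha256"
  new=$(fingerprint "$file")
  if [ ! -f "$stored" ]; then
    printf '%s\n' "$new" > "$stored"
    echo "BASELINE $label $new"
    return 0
  fi
  old=$(cat "$stored")
  if [ "$old" = "$new" ]; then
    echo "UNCHANGED $label"
    return 0
  fi
  printf '%s\n' "$new" > "$stored"
  echo "CHANGED $label $old -> $new"
  return 2
}

# monitor_url <url> <state_dir>
# Fetches the page twice, once as a browser and once with Googlebot's
# User-Agent, checks each against its own baseline, and also compares the two
# views with each other: cloaked spam injections show only to search engines.
monitor_url() {
  url="$1"; state="$2"; rc=0
  tmp=$(mktemp -d) || return 1
  curl -sS -A 'Mozilla/5.0 (site-monitor)' "$url" -o "$tmp/browser.html" \
    || { rm -rf "$tmp"; return 1; }
  curl -sS -A 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' \
    "$url" -o "$tmp/googlebot.html" || { rm -rf "$tmp"; return 1; }
  check_change browser "$tmp/browser.html" "$state" || rc=$?
  check_change googlebot "$tmp/googlebot.html" "$state" || rc=$?
  if [ "$(fingerprint "$tmp/browser.html")" != "$(fingerprint "$tmp/googlebot.html")" ]; then
    echo "CLOAKING? browser and Googlebot views of $url differ"
    rc=2
  fi
  rm -rf "$tmp"
  return $rc
}

# Cron usage (hypothetical URL, state directory and address); mail the report
# whenever the exit status is non-zero:
#   monitor_url https://example.invalid/ /var/lib/site-monitor > /tmp/report \
#     || mail -s "site changed" you@example.invalid < /tmp/report
```

Monitor a few pages, not just the home page: the injected spam pages in the author's case were new URLs, so also keep an eye on your sitemap and on Google's "site:" results for your domain.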

Have You Improved Your Blog's Security Yet?

For your own sake please do not ignore the advice in this article.

You do not want to learn the hard way like I did – heck I didn’t have the basics of regular backups in place when I was hacked!

If you don’t take this issue seriously you will have problems in the future.

It doesn’t take long to seriously beef up the security of your site, so what are you waiting for?

Don’t regret ignoring articles like this like I did! Take action NOW!


Check out the original source here.

