Are there some simple ways to beef up the security on a WordPress site?
2 – Only install plugins & themes that you need and fully trust, and always keep them up to date (including WP). Or are you asking this from the programmer's point of view? – onetrickpony Commented Jan 13, 2011 at 22:17
3 – Cannot believe you picked the "here's a couple of plugins" answer. – editor Commented Jan 19, 2011 at 0:45
1 – All right, I changed it. – redconservatory Commented Jul 18, 2011 at 17:30
6 Answers
I'd tackle this problem on three layers: plugins, core and filesystem.
Most security problems arise via 3rd party plugins and themes, so as Ambitious Amoeba notes the best thing you can do is choose those wisely.
You should also be sure to update to the latest version of WordPress, because they always patch the big issues but older versions are quite vulnerable. Since WordPress blogs are so commonly used (Google "inurl:wp-login.php") you are really asking for it when you don't update your core to the latest version.
Finally, there's a lot of user error that causes problems -- you can't get your FTP to update so you chmod 777 or something, thinking it'll be fine, then some remote ne'er-do-well figures it out and you're toast. Best thing to do is make sure you lock down your permissions as much as you can on the filesystem -- I believe chmod 755 is the preferred level.
I don't think chmod 777 is a security risk. Even if you make a file writable by anyone, they would still need to get inside your server to be able to do that. And if they do, then the problem wasn't the chmod/chown :) Commented Jan 14, 2011 at 0:18
Here's a link describing what's probably the single largest WordPress hack in history, courtesy of exactly the attack vector you say is not a security risk: theregister.co.uk/2010/04/12/network_solutions_wordpress_hack – editor Commented Jan 17, 2011 at 19:59
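The permission advice in the answer above is easy to check mechanically. The following script is an added example, not code from the answer or from WordPress: it lists every world-writable path under a WordPress tree (the leftover of a "chmod 777 to make FTP work" moment) and can reset the tree to the 755-for-directories / 644-for-files baseline. The sample site it builds in a temp directory, and the baseline itself, are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): audit a WordPress tree for
# world-writable paths and normalise them to 755 (directories) / 644 (files).
# The baseline and the constructed sample tree are assumptions for illustration.

# List every world-writable file or directory under $1, one per line.
find_world_writable() {
  find "$1" -perm -002 \( -type f -o -type d \) | sort
}

# Print how many world-writable paths exist under $1 (awk prints a clean "0"
# and always exits 0, unlike grep -c).
count_world_writable() {
  find_world_writable "$1" | awk 'END { print NR }'
}

# Reset the tree to the baseline: directories 755, files 644. Only the owner
# can write; a web server running as another user can still read and traverse.
harden_permissions() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample site in a temp dir (subshell body keeps the umask local),
# with two deliberately bad permissions for the audit to catch.
make_sample_site() (
  umask 022
  site=$(mktemp -d)
  mkdir -p "$site/wp-content/uploads" "$site/wp-content/plugins/example"
  printf '<?php\n' > "$site/wp-config.php"
  printf '<?php\n' > "$site/wp-content/plugins/example/example.php"
  chmod 777 "$site/wp-content/uploads"   # "just make uploads writable"
  chmod 666 "$site/wp-config.php"        # config readable AND writable by all
  printf '%s\n' "$site"
)

# Stand-alone use: sh audit.sh /path/to/wordpress  (reports only, changes nothing)
if [ -n "${1:-}" ] && [ -d "$1" ]; then
  printf 'World-writable paths under %s:\n' "$1"
  find_world_writable "$1"
fi
```

Run the audit first and look at what it reports before calling `harden_permissions`; a plugin that genuinely needs a writable cache directory will show up in the list, and that is the case to handle deliberately rather than by making the whole tree writable.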
Use a non-dirt-cheap host that has a clue about what they are doing.
Security plugins, complex passwords, etc. are cute and needed, but they won't matter a bit if the host has a poorly configured, disorderly stack without proper management.
@redconservatory for the record I am not an expert on hosting security, just been bitten by crappy hosting in the past despite doing everything usually suggested for secure WP. My blog is currently and happily hosted with LiquidWeb. On the security side they have suPHP, mod_security (with strict enough rules that I had to open tickets to relax it a bit for some WordPress parts) and provide SSH for all accounts (even shared, which is somewhat rare). – Rarst Commented Jan 15, 2011 at 14:55
I have a good example of a crappy host (although I realize this is VERY late). A client of mine had a website running on LiquidWeb. I'm not sure what their security vulnerability was (they obviously can't divulge that information), however his website was crawling with links and ads that he didn't put there. It was only a few minutes to restore an old database backup, however, and get things working again. Commented Jul 29, 2011 at 13:54
@steven_desu as above I am quite content with LiquidWeb's security setup myself. Had they confirmed that your friend getting hacked was their fault, or is it only your guess? – Rarst Commented Jul 29, 2011 at 15:09
Start with the Codex article called Hardening WordPress.
The most important things are keeping WP up to date, using strong passwords, and having a secure server setup.
You'd also do well to use some kind of monitoring. If you're not comfortable doing this yourself, there are some services that do it. I've been using VaultPress for a couple of months now and am pretty happy with it. But the package that comes with security scanning is a bit pricey for personal use ($40/mo!), so I'm thinking of moving back to Sucuri, which has a $10/mo plan (but which doesn't include backups...just monitoring).
There are a couple of plugins you can use to boost your site's security. They are:
They do different things, but cover a number of potential problem points.
The way you secure a WordPress install is the same way you secure any other box. Figure out who needs access, only give them access, enforce a strong password policy, and limit the number of brute force connections.
The part about only installing plugins you need/trust is absolutely critical, but it's not just for security, it's also for performance.
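"Limit the number of brute force connections" presupposes that you can see the attempts. The script below is an added example, not code from the answer above or from WordPress: it reads combined-format web server access log lines and reports clients whose failed POSTs to wp-login.php reach a threshold. The heuristic it relies on is that WordPress answers a failed login POST with HTTP 200 (it re-renders the form) and a successful one with a 302 redirect. The log lines are constructed for the example, the IPs are documentation-range addresses, and the threshold of 5 is an assumption.

```shell
#!/bin/sh
# Added example (not from the original answer): spot password guessing against
# wp-login.php in a combined-format access log. Heuristic: a POST to
# wp-login.php that gets HTTP 200 is a failed login (WordPress re-renders the
# form); a success redirects with 302. The sample lines and threshold are
# constructed assumptions, not real traffic.

# Constructed sample log, fed to the detector on stdin.
sample_log() {
  cat <<'EOF'
203.0.113.5 - - [13/Jan/2011:22:10:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Jan/2011:22:10:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Jan/2011:22:10:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Jan/2011:22:10:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Jan/2011:22:10:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Jan/2011:22:11:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Jan/2011:22:11:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [13/Jan/2011:22:12:00 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
EOF
}

# Print "count ip" for every client whose failed wp-login.php POSTs reach the
# threshold in $1, highest count first. Combined-format fields: $1 client IP,
# $6 "METHOD (with the opening quote), $7 request path, $9 status code.
# GETs of the login page and the 302 of a successful login are not counted.
failed_logins_over() {
  awk -v limit="$1" '
    $6 == "\"POST" && index($7, "/wp-login.php") == 1 && $9 == 200 { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }
  ' | sort -rn
}

# Stand-alone use:  failed_logins_over 5 < /var/log/apache2/access.log
# Demo on the constructed sample (prints "5 203.0.113.5"):
sample_log | failed_logins_over 5
```

The output is a list of offenders and counts, which is what a rate limiter or a block rule needs as input; the point of the 302-versus-200 distinction is that a legitimate user who logs in on the second try contributes one failure, not a flood.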
Use a security scanner like wpscan or WPScans.com and check for security vulnerabilities.
WPScans.com can also monitor your WordPress site over time. wpscan is open source and can be downloaded from GitHub. There is also another version written in Python named WPSeku.