WordPress Security and Information
In my job doing technical support for web hosting I have assisted many people in getting their WordPress websites going. The people who call tend to have one of two sets of issues:
- People who do not know where to begin with using WordPress
- People who have security issues
I want to discuss both with some information to help you get your WordPress site started, and to help you secure it.
WordPress is a great "Personal Publishing" platform. It started life as just another blogging platform, but has evolved into a very powerful CMS (Content Management System) that is used by many sites that do not have a blog at all.
One of the advantages of WordPress is the wealth of resources available: themes, plugins, and documentation.
Recommended Themes
- Weaver II
- Yoko
Recommended Plugins
These are the plugins I use in all of my sites. I believe they give the best bang for the resources.
- Akismet
- All in one Favicon
- Better WP Security
- Blog Copyright (by BTE)
- Google XML Sitemaps
- Jetpack
- Page Comments Off Please
- Send From
- Strictly Auto Tags
- Sucuri Security - SiteCheck Malware Scanner
- TentBlogger 404 Repair
- Theme My Login
- WordPress SEO by Yoast
- WP Smush.it
Increase Speed and Efficiency of WordPress
Occasionally, when your site gets a large number of simultaneous visitors, it can appear to be down because every request starts a PHP process and the server runs out of capacity. There are a couple of ways to combat this. You can install a caching plugin such as W3 Total Cache or WP Super Cache, which serve stored copies of your pages so that PHP and the database are not hit for every visit. I have found these to sometimes slow a WordPress site down even more, and when I have gone to remove them I have found that I had to rebuild my websites. Another option is to make use of a service like CloudFlare. My sites have access to CloudFlare through my hosting at HostMonster. CloudFlare sits in front of your server and caches static files (images, CSS, JavaScript) at its edge; by default it does not cache whole pages the way the plugins do, but it still keeps a large share of requests from ever reaching PHP.
Securing WordPress
Securing a WordPress site can be complicated, but two changes make a dramatic difference against the automated attacks that hit every site daily:
- Change the administrator username away from admin. Every brute-force script guesses that name first, so with it gone the attacker has to find a valid login before a password can even be tried.
- Change the database table prefix to something other than wp_. This is a speed bump rather than a fix: it breaks canned SQL injection payloads that hard-code the wp_ table names, but it does not close the hole they target. This is one of the first things I do when I make a brand new site, but if you have an established WordPress site you can make use of Better WP Security to do this.
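The two changes above involve more than a single RENAME TABLE or a single UPDATE, and the details are what lock people out of their own sites. The script below, an added example that is not code from the original post or from Better WP Security, generates the SQL for both. It assumes a single-site WordPress install with the default core tables on MySQL (the table list, the prefixes `wp_`/`k3q_` and the login `Site Owner` are constructed for the demonstration). Take a database backup, run the output, then set `$table_prefix` in wp-config.php to the new value.

```python
"""Generate the SQL for two WordPress hardening changes: moving every table off
the wp_ prefix and renaming the default 'admin' account. Added example; not code
from the original post or from Better WP Security. Assumes a single-site install
with the default core tables listed below on MySQL."""
import re

# Core tables of a single-site install (constructed list; multisite and plugins
# add more, so check the real list with SHOW TABLES first).
CORE_TABLES = (
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "terms", "term_relationships", "term_taxonomy", "usermeta", "users",
)
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")           # safe inside backticks
LOGIN_RE = re.compile(r"^[A-Za-z0-9 _.\-@]{1,60}$")   # what sanitize_user() allows


def sql_str(value):
    """Return value as a single-quoted MySQL string literal."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def prefix_change_sql(old, new, tables=CORE_TABLES):
    """Statements to move tables from `old` to `new` and fix the rows that embed
    the prefix. RENAME TABLE alone is the classic mistake: the `wp_user_roles`
    option and the `wp_capabilities` / `wp_user_level` user-meta keys carry the
    prefix too, and without these UPDATEs every account logs in with no rights."""
    if not (PREFIX_RE.match(old) and PREFIX_RE.match(new)) or old == new:
        raise ValueError("prefixes must match [A-Za-z0-9_]+ and differ")
    n = len(old)
    stmts = ["RENAME TABLE `%s%s` TO `%s%s`;" % (old, t, new, t) for t in tables]
    # Only one core option embeds the prefix, so match it exactly.
    stmts.append(
        "UPDATE `%soptions` SET option_name = %s WHERE option_name = %s;"
        % (new, sql_str(new + "user_roles"), sql_str(old + "user_roles"))
    )
    # Several user-meta keys do (capabilities, user_level, user-settings...), so
    # rewrite every key starting with the old prefix. LEFT() is used instead of
    # LIKE because '_' is a LIKE wildcard. Review the matches with a SELECT first.
    stmts.append(
        "UPDATE `%susermeta` SET meta_key = CONCAT(%s, SUBSTRING(meta_key, %d)) "
        "WHERE LEFT(meta_key, %d) = %s;" % (new, sql_str(new), n + 1, n, sql_str(old))
    )
    return stmts


def rename_admin_sql(prefix, new_login):
    """Rename the 'admin' account. user_nicename is changed as well because it is
    the slug in /author/<nicename>/ URLs and would otherwise still reveal the
    old login; check display_name in the profile for the same reason."""
    if not PREFIX_RE.match(prefix):
        raise ValueError("bad prefix")
    if not LOGIN_RE.match(new_login) or new_login.lower() == "admin":
        raise ValueError("new login must be a valid WordPress username other than admin")
    nicename = re.sub(r"[^a-z0-9-]+", "-", new_login.lower()).strip("-")
    return ("UPDATE `%susers` SET user_login = %s, user_nicename = %s "
            "WHERE user_login = 'admin';"
            % (prefix, sql_str(new_login), sql_str(nicename)))


if __name__ == "__main__":
    # After running these statements, set $table_prefix = 'k3q_'; in wp-config.php.
    for stmt in prefix_change_sql("wp_", "k3q_") + [rename_admin_sql("k3q_", "Site Owner")]:
        print(stmt)
```

The prefix is validated to identifier characters so it is safe inside backticks, and the usermeta rewrite deliberately uses LEFT() rather than LIKE 'wp_%', because the underscore in wp_ is a LIKE wildcard and would also match keys such as wpx... that have nothing to do with the prefix.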
Like every database-driven web application, WordPress is exposed to attack through vulnerabilities in its code, and in practice plugins and themes are updated less often than core and are where most of the holes are found. Since WordPress will always have vulnerabilities, it is important to keep WordPress, the plugins you use, and your themes updated, and to keep your passwords secure. Part of that is using a strong password: at least 12 characters (longer is better) mixing uppercase letters, lowercase letters, numbers, and symbols, and not reused on any other site.
Steps to Secure a Site
- Remove files you are not familiar with. Compare the install against a fresh download of the same WordPress version; anything extra is suspect.
- Keep code updated
- Remove unused scripts, plugins, and themes. A deactivated plugin is still on disk and its PHP files are still reachable by URL.
- Monitor file permissions
- Hide configuration files, wp-config.php above all, since it holds the database credentials and the authentication salts.
- In the php.ini file make the following changes:
- Set register_globals to Off. On PHP 5.4 and later the setting no longer exists (it was removed), so this only applies to older hosts.
- Set display_errors to Off (the directive is display_errors, not display_error). Error messages reveal file paths, SQL, and plugin names to visitors; they belong in a log, not on the page.
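The php.ini settings from the list, with the weak defaults beside the hardened values. This fragment is an added example and is not from the original post; the log path is an assumption and should be a directory outside the web root on your host. On shared hosting the file is often a per-account php.ini or a `.user.ini` in the site root (PHP 5.3 and later under CGI/FastCGI) rather than the server-wide one.

```ini
; --- weak settings as often found on a development box ---
; register_globals = On     ; lets ?admin=1 in a URL create $admin in scripts
; display_errors = On       ; dumps paths, SQL and stack traces to the visitor

; --- hardened settings ---
register_globals = Off      ; removed in PHP 5.4; keep the line only on older PHP
display_errors = Off        ; never show errors to visitors
log_errors = On             ; but still record them, or you will not see attacks fail
error_log = /home/youruser/logs/php_error.log   ; assumed path, outside the web root
```

Turning display_errors off without turning log_errors on trades an information leak for blindness; the log is where a failed injection attempt or a broken plugin first shows up.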
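"Monitor file permissions", "Hide configuration files" and "Remove files you are not familiar with" are easier to keep up with when a script does the walking. The audit below is an added example, not code from the original post or from any of the plugins listed; the mode limits are assumptions for a host where PHP runs as the file owner (suPHP and ACL-based setups differ), and the sample tree it builds is constructed for the demonstration. Point `audit_permissions()` at a real install root to use it.

```python
"""Monitor file permissions in a WordPress tree and report the classic mistakes.
Added example, not code from the original post. The mode limits below are
assumptions for a host where PHP runs as the file owner."""
import os
import stat
import tempfile
from pathlib import Path

FILE_MODE_MAX = 0o644    # -rw-r--r--
DIR_MODE_MAX = 0o755     # drwxr-xr-x
CONFIG_MODE_MAX = 0o640  # wp-config.php holds DB credentials and salts
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}


def audit_permissions(root):
    """Walk the install and return sorted (relative_path, code, mode) findings."""
    root = Path(root).resolve()
    uploads = root / "wp-content" / "uploads"
    findings = []

    def rel(p):
        return str(p.relative_to(root))

    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        mode = stat.S_IMODE(d.stat().st_mode)
        if mode & 0o002:
            findings.append((rel(d), "world_writable_dir", mode))
        elif mode & ~DIR_MODE_MAX:
            findings.append((rel(d), "dir_mode", mode))
        for name in filenames:
            p = d / name
            st = p.lstat()
            if stat.S_ISLNK(st.st_mode):
                findings.append((rel(p), "symlink", 0))  # may point outside the docroot
                continue
            mode = stat.S_IMODE(st.st_mode)
            if name == "wp-config.php":
                if mode & ~CONFIG_MODE_MAX:
                    findings.append((rel(p), "config_exposed", mode))
            elif mode & 0o002:
                findings.append((rel(p), "world_writable_file", mode))
            elif mode & ~FILE_MODE_MAX:
                findings.append((rel(p), "file_mode", mode))
            # Media directories should never contain PHP: a PHP file there is the
            # classic sign of an uploaded web shell ("a file you are not familiar with").
            if p.suffix.lower() in PHP_SUFFIXES and uploads in p.parents:
                findings.append((rel(p), "php_in_uploads", mode))
    return sorted(findings)


def make_sample_install(base=None):
    """Build a small constructed tree containing each mistake (demonstration only)."""
    root = Path(base or tempfile.mkdtemp(prefix="wp-audit-"))
    files = {
        "index.php": 0o644,                              # fine
        "wp-config.php": 0o644,                          # credentials readable by others
        "wp-content/cache.php": 0o666,                   # world-writable file
        "wp-content/uploads/2013/05/photo.jpg": 0o644,   # fine
        "wp-content/uploads/2013/05/image.php": 0o644,   # PHP where only media belongs
    }
    for relpath, mode in files.items():
        p = root / relpath
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<?php\n" if p.suffix == ".php" else "data\n")
        os.chmod(p, mode)
    for d in ("wp-content", "wp-content/uploads/2013", "wp-content/uploads/2013/05"):
        os.chmod(root / d, 0o755)
    os.chmod(root / "wp-content" / "uploads", 0o777)     # world-writable directory
    return root


if __name__ == "__main__":
    for path, code, mode in audit_permissions(make_sample_install()):
        print("%-40s %-20s %o" % (path, code, mode))
```

Run it from cron and diff the output against the previous run; a new finding in wp-content/uploads or a wp-config.php that has suddenly become world-readable is worth a look the same day.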
Remember to validate all user input: form fields, URL parameters, cookies, and anything else the visitor controls. In WordPress code that means functions such as sanitize_text_field() on the way in, esc_html() or esc_attr() on the way out, and $wpdb->prepare() for any query that includes a value. Remember to enforce access control: keep users away from the admin area and from anything else they do not need, and check capabilities with current_user_can() rather than trusting a role name.
Make use of .htaccess to block known bad visitors, or the IP ranges of countries whose traffic you do not need. Better WP Security can add a blacklist of IPs to your .htaccess for you, and some free services publish country IP lists in .htaccess format. Country blocking is a blunt tool: attackers relay through hosts in other countries and legitimate visitors travel, but if your logs show attacks coming mostly from a few countries you do not serve, it cuts down the noise considerably.
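An .htaccess fragment covering both the "Hide configuration files" step above and the IP blocking described here. This is an added example, not from the original post or from Better WP Security; the addresses are RFC 5737 documentation ranges standing in for entries you would take from your logs or a country list. It uses Apache 2.2 syntax (Order/Deny), which needs AllowOverride Limit to be enabled for your directory; on Apache 2.4 the equivalent is `Require all denied` inside the Files blocks and `Require not ip ...` for the address list.

```apache
# Hide configuration files: wp-config.php holds the DB credentials and salts,
# and .htaccess itself reveals your blocking rules.
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>
<Files .htaccess>
    Order allow,deny
    Deny from all
</Files>

# Block known bad visitors. With "Order allow,deny" any matching Deny wins over
# the Allow, so everyone except the listed addresses gets through.
# 203.0.113.x / 198.51.100.x are documentation ranges used here as placeholders.
Order allow,deny
Allow from all
Deny from 203.0.113.45
Deny from 198.51.100.0/24
```

Test the rules from the outside after saving: a request for /wp-config.php should return 403, and a misplaced Order directive can just as easily lock out everyone, including you.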