WordPress and Security – an Important Guide


Posted On 13 Mon 2015 by AryanIct.com Blog

WordPress powers approximately 50% of all the websites online around the world. This makes it a very attractive target for attackers, because a single weakness in the platform gives them the ability to take down many websites in one go.

We’ve prepared this guide to help you understand the risks and threats, and to explain how you can defend against them.

Choose a custom username and strong password

The default WordPress login is “admin”, and every WordPress attacker knows this. The username can only be changed using phpMyAdmin after WordPress is installed, so it is important to choose an uncommon username when installing WordPress.

Assuming you are using Softaculous for installing WordPress, you may specify the username on the installation setup screen.

A strong password is equally important for the basic security of your WordPress site. Choose a mix of letters and numbers that is not based on a dictionary word. Worried about how you will remember it? We suggest using a tool such as RoboForm or LastPass to store all your passwords securely.

Do not use the same username and password as your hosting account or any other installed web application.

Perform updates on a constant basis

Update your WordPress installation regularly. We suggest checking for updates at least once a week, as the WordPress developers frequently release updates and patches to close security holes that attackers have found.

You can update WordPress from the admin area, or directly from within Softaculous.

Back up regularly

Back up your WordPress blog regularly, so that if you are faced with a hacking attack you can quickly and easily roll back to a clean copy at any time. At AryanIct, we have two backup options available for you.

Alternative method – Softaculous backup

Softaculous also has a backup option. See the “Backup or Delete WordPress with Softaculous” part of our How to Install WordPress using Softaculous article to learn how to use it.

Use themes and plugins developed by officially recommended suppliers

Many themes and plugins are available for WordPress, offering a variety of options and opportunities for your website. Here are our recommendations on which themes and plugins to choose.

Free Themes – important note

If you wish to use free themes, we suggest you install only those you can find through your WordPress admin area under the Appearance >> Install Themes tab. These have all been vetted and approved by the official WordPress developers and are safe to use.

We do not recommend downloading free themes from third-party, non-verified websites unless you are 100% sure the theme you are about to download is “clean”.

Free Plugins – important note

We strongly recommend you only use free plugins that are rated highly and have been recently released or updated. WordPress shows you the star rating and the latest updates for any particular plugin in the WP Admin area once you request more details about a plugin you like. A high number of downloads and excellent star ratings mean the plugin is used and liked by many other WordPress users, and recent updates show that the developers are committed to keeping it secure.

Paid Themes and Plugins

The following sites offer paid themes and plugins and are reputable:

• www.themeforest.com
• www.themefuse.com

Security Plugins

We recommend you download and enable the following security plugins. These help keep your WordPress website secure:

1. WordPress Firewall 2

This WordPress plugin inspects web requests with simple, WordPress-specific heuristics to identify and stop the most obvious attacks.

Main settings:

1. Choose the options and actions that the firewall will block.

2. An email address can be specified here to receive warnings and notifications from the plugin.

3. This option lets you whitelist trusted IP addresses.
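To make the three settings above concrete, here is an added example (not code from the WordPress Firewall 2 plugin) of what such request heuristics look like when replayed over web-server access logs: a small rule list of obvious attack patterns, a trusted-IP whitelist that bypasses the rules, and a scanner that reports which logged requests would have been blocked. The rule names, the whitelisted network and the sample log lines are all constructed for this example.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote_plus

# Hypothetical request heuristics in the spirit of the plugin; each regex is applied to
# the URL-decoded request target. Rule names and patterns are constructed for this example.
RULES = [
    ("directory traversal", re.compile(r"\.\.[/\\]")),
    ("wp-config access", re.compile(r"wp-config\.php", re.I)),
    ("sql keywords in query", re.compile(r"\bunion\s+select\b", re.I)),
]
TRUSTED_NETS = [ip_network("203.0.113.0/24")]  # constructed whitelist (RFC 5737 range)
def is_trusted(ip):
    try:
        return any(ip_address(ip) in net for net in TRUSTED_NETS)
    except ValueError:  # malformed address: never trusted
        return False
def inspect_request(ip, target):
    """Return the name of the first matching rule, or None if the request passes."""
    if is_trusted(ip):
        return None
    decoded = unquote_plus(unquote_plus(target))  # decode twice to see through double encoding
    for name, rule in RULES:
        if rule.search(decoded):
            return name
    return None
# Apache combined-log prefix: client IP, identd, user, timestamp, request line, status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def scan_access_log(lines):
    """Replay log lines through the heuristics; return (ip, target, rule) for each hit."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target, _status = m.groups()
        rule = inspect_request(ip, target)
        if rule:
            hits.append((ip, target, rule))
    return hits
# Constructed sample access-log lines (RFC 5737 addresses); the last one is from a trusted IP.
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Jan/2015:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234',
    '198.51.100.9 - - [13/Jan/2015:10:00:02 +0000] "GET /wp-content/plugins/demo/get.php?f=../../wp-config.php HTTP/1.1" 200 88',
    '198.51.100.9 - - [13/Jan/2015:10:00:03 +0000] "GET /?s=test%20UNION%20SELECT%201 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [13/Jan/2015:10:00:04 +0000] "GET /?s=test%20UNION%20SELECT%201 HTTP/1.1" 200 5120',
]
BLOCKED = scan_access_log(SAMPLE_LOG)  # two hits: the traversal and the untrusted SQL-keyword request
```

Running the scanner over your own access log is a cheap way to check what a heuristic firewall would catch, and to confirm that your whitelisted address really is exempt before you lock yourself out.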

2. BulletProof Security

BulletProof Security uses .htaccess website security files, which are specific to Apache servers on Linux. The BulletProof Security WordPress plugin is designed to be a fast, simple, one-click way to add .htaccess protection to your WordPress website.

There are many options available in the BulletProof Security plugin, and you can find details using the “Read Me” option. The main one we are going to use is .htaccess protection, which can be enabled with the “BulletProof Mode” radio button for each .htaccess file.

3. Better WP Security

As most WordPress attacks are the result of plugin vulnerabilities, weak passwords, and outdated software, Better WP Security hides the places where those vulnerabilities live, preventing an attacker from learning too much about your site and keeping them away from sensitive areas such as the login and admin pages.

Many different security options are available with this plugin, but you can simply enable basic security mode using “Secure My Site From Basic Attacks” (1.), or enable each option you need separately (2.).

Optimization Plugins

We also recommend the following top-rated cache plugins to optimize the performance of your blog.

W3 Total Cache

W3 Total Cache improves the user experience of your site by improving server performance, caching every aspect of your site, reducing download times and providing transparent content delivery network (CDN) integration.

WP Super Cache

This plugin generates static HTML files from your dynamic WordPress blog. Once an HTML file has been generated, your web server serves that file instead of processing the comparatively heavier and more expensive WordPress PHP scripts.

General Security Tips

Always connect to your website securely. When using your web browser, use an https:// connection. You can easily install one of our SSL certificates to encrypt the data between your PC/Mac and your website.

Use FTP securely too: use FTPS instead of plain FTP when uploading. This encrypts your FTP connection and any data you upload to your website.

Enable CloudFlare. CloudFlare is a CDN (Content Delivery Network) that improves the performance of your blog by serving it from CDN nodes around the world. CloudFlare also has security scanning built in as part of the service.

AryanIct.com customers can use CloudFlare’s entry-level service free of charge. Paid upgrades are available for CloudFlare’s larger service plans. Click the CloudFlare icon in cPanel for more details.

Change your passwords regularly and keep them secure. Never use a dictionary word, and always use a combination of capital letters, lower-case letters, numbers, and symbols.

The tips above do not guarantee 100% security for your WordPress website, but they drastically reduce the chances of your WordPress installation being defaced, hacked, or abused.