WordPress is actually a very secure and stable web framework in itself; it is its users who tend to make a hash of things by sharing logins, installing plugins with security holes and generally making a mess. Having said that, there are a number of standard things you should be aware of and carry out to keep WordPress secure.
First Rule: There is no such thing as a 100% secure web-site.
Knowing that means you should expect a problem and cover off the standard areas of weakness, the first of which is the site administrators (probably that means you).
The following is what we recommend and, importantly, what we insist on in order to provide support coverage for WordPress installations. For some it seems draconian, until they get hacked and the problem quickly falls into our lap, typically out of working hours on a Saturday night and outside of contract because of a mistake made by the client. The cost to fix can run into thousands of pounds and tens of man-hours of downtime.
- Keep WordPress up to date. Automattic and WordPress.org react very quickly to security issues and roll out patches frequently. If you are running the latest version (3.8) then these get applied automatically, unless you have switched the option off; take care doing that.
- Back your site up. Nightly and on-demand, use a rollback process so when you add a new plugin or feature you can rollback quickly and easily if it fails.
- No obvious admin users. Don’t use admin, manager, test, root or any of the highly guessable usernames. Ever.
- Use complex passwords. WordPress has got better recently, now insisting on much stronger passwords when you create new users. It doesn’t enforce the same on existing users, so force a password reset for everyone when you upgrade WordPress so that all passwords meet the new standard.
- Two-factor authentication. Consider adding token-based authentication to ensure users are who they say they are. It is also a good way to stop people sharing logins, since the sharer has to hand over their token as well, which makes them plainly complicit in the act.
- File system security. There is no point having a secure WordPress site on top of an open server with easy access to MySQL or the file system. Lock down server logins, cPanel and the MySQL admin tools tighter than a tight thing. That includes setting file permissions correctly: don’t be lazy and use 777 for everything. Use 755 for directories (including the content directories the web server needs to write to), 644 for files, including the WordPress core files, and never anything world-writable.
- Never download themes and plugins you don’t trust. And don’t take at face value a web page that suggests you download X or Y. Use experience, a trusted theme/plugin portal and a trusted WordPress development partner to validate the security of a plugin.
- Watch for leaky plugins. There is a long list of plugins that, whilst widely trusted, have had security holes, so take care to run the latest versions and to check that they are configured securely. The list includes TimThumb, most backup plugins (they give remote access to your content), Uploadify, Adminer and many others. A good rule of thumb is to ask a WordPress professional before adding any plugin.
This covers the needs of most security scenarios. If you are a little more paranoid there is a lot more you can do, including disabling the built-in theme and plugin file editor, changing the database table prefix (and so the table names) and moving the login scripts.
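As an added example (not code from the original post), the file-permission advice and the "disable the file editor" tip above as a small POSIX shell script. The function names are mine; it assumes the WordPress document root is passed as the argument and that wp-config.php still contains WordPress’ standard "That's all, stop editing!" marker comment (the constant is appended at the end of the file if the marker is missing).

```shell
#!/bin/sh
# Added example: WordPress hardening helpers. Function names and the
# assumption that wp-config.php carries the standard "stop editing" marker
# are mine, not from the original post.

# List every world-writable file or directory under the document root
# (the "777 for everything" problem).
wp_find_world_writable() {
  find "$1" -perm -002 \( -type f -o -type d \)
}

# Directories 755, files 644 (core files included). wp-config.php holds the
# database password, so it gets 640: owner read/write, web server group read.
wp_fix_perms() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  [ -f "$root/wp-config.php" ] && chmod 640 "$root/wp-config.php"
  return 0
}

# Disable the built-in theme/plugin editor by defining DISALLOW_FILE_EDIT
# before the "stop editing" marker (WordPress reads wp-config.php top to
# bottom, so the constant must be set before wp-settings.php is loaded).
# Idempotent: does nothing if the constant is already defined.
wp_disable_file_editor() {
  cfg="$1/wp-config.php"
  grep -q "DISALLOW_FILE_EDIT" "$cfg" && return 0
  awk -v q="'" '
    /stop editing/ && !done { print "define(" q "DISALLOW_FILE_EDIT" q ", true);"; done = 1 }
    { print }
    END { if (!done) print "define(" q "DISALLOW_FILE_EDIT" q ", true);" }
  ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Usage (run as the file owner, or as root followed by a chown to the
# owning user and web server group):
#   wp_find_world_writable /var/www/html   # audit first
#   wp_fix_perms /var/www/html
#   wp_disable_file_editor /var/www/html
```

Run the audit function first and look at what it lists before changing anything: a plugin that genuinely needs a writable directory will show up there, and the answer is to give the web server group write access to that one directory, not to go back to 777.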
Have you updated your WordPress recently, or changed your password? Stay safe.