In this article I will explain how to keep your WordPress site secure so that it is not vulnerable to an attack. WordPress is a popular target since many WordPress sites become outdated and hackers are aware of vulnerabilities in older WordPress versions.
Keeping WordPress secure is especially important on shared hosting (such as GoDaddy or HostGator), since a compromise can affect all of the sites on that server. The following are my recommendations for keeping WordPress secure so that your site is not a target for attack.
- Update WordPress, plugins, and themes to the most current version. For instructions on updating WordPress see http://codex.wordpress.org/Updating_WordPress
- Locate wp-config.php on your server and update the security keys. This makes your site harder to hack by adding random elements to the password. For instructions on updating the security keys see http://codex.wordpress.org/Editing_wp-config.php#Security_Keys
- Make wp-config.php readable by only you (chmod 600 wp-config.php). This file contains database information and security keys that would allow a hacker to gain control of your site.
- Don’t have plugins that you don’t need. Review your plugins and remove any that are not used.
- Back up your database often. There are WordPress plugins that can back up your database automatically. I recommend WP-DB-Backup.
- Back up all of your site files before doing an update (especially wp-content/ since that contains your site themes and plugins).
- NEVER have world-writable files or folders.
- Remove unused WordPress users and update passwords regularly.
- If you are setting up WordPress, consider using a different table prefix (other than wp_). This makes it harder for hackers to guess the table name.
- All of the suggestions made above are irrelevant if your computer has a keylogger installed. Be sure to keep your OS and antivirus up-to-date.
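
To check the two file-permission items above (wp-config.php readable only by its owner, and no world-writable files or folders), here is an added example script; it is not part of the original article. The function names and the demo directory layout are assumptions made for illustration, and the demo tree is constructed, not a real site.

```shell
#!/bin/sh
# Added example: audit a WordPress directory for loose file permissions.
# Usage: sh this-script.sh /path/to/wordpress   (no argument = constructed demo)

# Print one line per finding; return 0 if clean, 1 if anything was found.
audit_wp_perms() {
    root=$1
    rc=0
    cfg="$root/wp-config.php"
    if [ -f "$cfg" ]; then
        # Characters 5-10 of the ls mode string are the group and other bits.
        go_bits=$(ls -ld "$cfg" | cut -c5-10)
        if [ "$go_bits" != "------" ]; then
            echo "WP-CONFIG: $cfg is accessible beyond its owner (fix: chmod 600)"
            rc=1
        fi
    fi
    # Regular files and directories with the other-write bit set.
    # Symlinks are skipped because their own mode bits are not meaningful.
    ww=$(find "$root" \( -type f -o -type d \) -perm -002 2>/dev/null)
    if [ -n "$ww" ]; then
        echo "$ww" | sed 's/^/WORLD-WRITABLE: /'
        rc=1
    fi
    return "$rc"
}

# Build a small constructed tree with one instance of each problem.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    : > "$d/wp-config.php"
    : > "$d/index.php"
    chmod 644 "$d/wp-config.php" "$d/index.php"   # config readable by everyone
    chmod 755 "$d/wp-content"
    chmod 777 "$d/wp-content/uploads"             # world-writable folder
    echo "$d"
}

if [ $# -gt 0 ]; then
    audit_wp_perms "$1" || exit 1
else
    demo=$(make_demo_tree)
    audit_wp_perms "$demo" || echo "(findings above are from the constructed demo tree)"
    rm -rf "$demo"
fi
```

On shared hosting, run it from your own account against your site's root folder; a clean run prints nothing and exits with status 0.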
Feel free to contact me if you have any questions about these suggestions or if you’d like me to take a quick look at your site.