No doubt, WordPress has proven its worth as a content management system, offering all the features and capabilities that enables a user (not to mention, even a non-tech savvy user) to create and manage their website.
But, despite the myriad of benefits this CMS provides, there is one issue with WordPress that can give you a hard time in handling your site.
But that doesn’t mean that WordPress comes bundled with security holes. It is just as secure as any other CMS out there, and it depends on you as to how secure your WordPress install will be. Moreover, the irony is that its popularity is what makes it a favorite target of hackers around the world. In fact, around 73.2 percent out of the 40,000 popular websites that use WordPress platform are more likely to be attacked by malicious users.
So, if you want to grow as a WordPress developer, then it is very important that you are familiar with the best practices that can help in keeping your WordPress installation secure against hackers. The post is written with the purpose to help you learn about the ways that will enable you to harden the security of your WP installation.
1. Create a Backup
Before taking up any security measures, it is advised that you must create backups of your website database, as well as, filesystem. Often when working on a WordPress install, you might choose a wrong setting or miss a step that can bring your website down. But, keeping a backup can help you restore your original site.
2. Make Login Credentials Hard-to-guess for Your Server, Database, and WordPress Admin
As you may know that a website data is kept in the database that is stored on the server. And so, the best way to secure your website requires having a secure server. Further, it is important that the login credentials that are being used to access on your server, database and WordPress install should be hard to guess.
Below are a few do’s and dont’s that will help in keeping your server and database protected:
The Do’s
- Restrict users to SFTP/SSH into your server.
- Install a firewall that helps in filtering SSH connections on the server.
- Make use of SSH or SFTP for connecting to your filesystem
- Use strong passwords containing lowercase letters, uppercase letters, and non alphanumeric characters (e.g. _-@#).
- Make sure to replace the WordPress default username “admin” to something else.
The Do-Not’s
- Avoid connecting to your server using the standard ports (e.g. 21 [FTP] and 22 [SFTP/SSH]).
- Do not forget to leave your root access on for your server.
- Avoid having the root with the name MySQL user.
- You should not use only “admin” as the WordPress admin’s username.
3. Use Correct Filesystem Permissions
Setting up correct filesystem permissions can make a WordPress install highly secure, as it helps limit “who can see what”. It is recommended that your WP files and directories should be set up in a way that ensures that your user is not the root, and change the group to most the restrictive one, i.e. Apache as shown in the following lines of code:
# start in your WordPress document root
cd ~/public_html
# change the user and group to the most restrictive one
chown -R YOUR_USER:apache
What’s more? The user and group should not have access to “755” permission for directories and “644” for files. To begin with, setting the directories to 755 will enable the owner of the file to read, write as well as execute the directory. However, the directory’s group and others will be allowed to only read and execute it. This means that unauthorized users won’t have permission to write to the directory, which reduces the risk of an attacker executing malicious code.
find . -type d -exec chmod 755 {} \;
Next, changing the file permission to 644 will allow the file owner to read and write the files. However, the file’s group and other users will only be able to read the file.
find . -type f -name '*.php' -exec chmod 644 {} \;
Final Words
There are several ways that can help in keeping a WordPress installation secure, however, through this post I’ve tried to explain the three most important and crucial ways that developers must be familiar with to keep their WP installation secure. Apart from the aforementioned ways, you must look up to community suggestions for keeping your installation protected and secure against vulnerabilities. Also, you should consider adding .htaccess rules in your site’s document root.
Author Bio:
Sophia is a trained WordPress developer working with WordPrax Ltd.- A leading HTML to WordPress conversion company. If you’re planning to convert HTML website to WordPress for a brilliant online presence, she can help you. Some stunning articles related to website markup conversions can be found under her name.