I just finished helping a fellow photographer clean up his hacked website, a problem you may have run into yourself if you are a WordPress user. There are various ways these jerks can get into your website. Some are security holes in WordPress itself; some are holes in the many user-created plugins out there. And if your website has been hacked and you are on a shared server (which most of us are), your hosting provider should be told, because there are things they will need to do to tighten security on their end. The bottom line is, there is no surefire way to keep them out forever, but putting up as many roadblocks as you can, and being ready to recover when one of them fails, is your best line of defense. Here are 5 tips for hardening your WordPress security.
Change your password. Like right now. I know, you don’t want to. I don’t want to, but it must be done. And it’s 2016, so stop using your first cat’s name and the year you were born with an exclamation mark. That’s not enough, and neither is reusing the password from some other site, because a leak over there becomes a login over here. If you need help coming up with one, try a password generator, and keep the result in a password manager rather than in your head.
It’s also a good idea to create a new user for yourself with the Administrator role, log in as that user, and then delete the default “admin” account (when WordPress asks what to do with its posts, attribute them to your new user). That takes away half of what a password-guessing (brute force) attack needs, since the attacker now has to find your username as well as your password. One caveat: by default WordPress still gives away a login through author archive links (/?author=1 redirects to /author/your-login/), so renaming slows guessing rather than stopping it; the strong password is what actually keeps them out.
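Here is the same change done from the command line with WP-CLI, as an added example that is not code from the original post: it generates a long random password, creates the new administrator, hands the old admin account’s posts to it and deletes the old account. It assumes WP-CLI is installed on the server as `wp` and that you run it from the WordPress directory; the login jane_photo and the e-mail address are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: replace the default "admin" account
# with a fresh administrator using WP-CLI (https://wp-cli.org/), then reassign the old
# account's posts and delete it. Assumes `wp` is installed and you run this from the
# WordPress root; the login and e-mail you pass in are placeholders of your choosing.

# Refuse obviously weak choices: at least 16 characters, with a digit and a capital.
password_ok() {
    pw=$1
    [ "${#pw}" -ge 16 ] || return 1
    case $pw in *[0-9]*) ;; *) return 1 ;; esac
    case $pw in *[A-Z]*) ;; *) return 1 ;; esac
    return 0
}

# Generate a random password from /dev/urandom: 24 characters from a 71-symbol alphabet
# is roughly 147 bits, far beyond anything a guessing attack can cover. Loop until the
# draw also satisfies password_ok (almost always the first try).
gen_password() {
    pw=
    until password_ok "$pw"; do
        pw=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*_-' < /dev/urandom | head -c 24)
    done
    printf '%s' "$pw"
}

# Create the replacement administrator and hand the old account's content over to it.
# `wp user create --porcelain` prints only the new user's ID, which --reassign needs.
replace_default_admin() {
    new_login=$1; new_email=$2
    old_id=$(wp user get admin --field=ID) || {
        echo "no 'admin' user found; nothing to do" >&2
        return 1
    }
    pw=$(gen_password)
    new_id=$(wp user create "$new_login" "$new_email" \
                --role=administrator --user_pass="$pw" --porcelain)
    wp user delete "$old_id" --reassign="$new_id" --yes
    echo "created administrator '$new_login' (ID $new_id) with password: $pw" >&2
    echo "put that password in your password manager now; it is not shown again" >&2
}

# Usage: sh replace-admin.sh jane_photo you@example.com
if [ $# -eq 2 ]; then
    replace_default_admin "$1" "$2"
fi
```

Run it once, while logged out of the dashboard, then sign in as the new user. The old account’s posts are reassigned rather than deleted, so nothing disappears from the site.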
Keep everything updated. This is a pretty simple step nowadays: when you log into your WordPress dashboard, there’s an update button on every out-of-date plugin, theme and WordPress installation. Since WordPress 3.7, minor and security releases of WordPress itself install automatically, so you don’t even have to think about those. Major releases, plugins and themes still need you to click, and out-of-date plugins are one of the holes mentioned above, so don’t leave that button sitting there.
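For anyone who would rather do this from a terminal (or from cron), the following is an added example and not code from the original post: it lists what is out of date, applies the updates with WP-CLI, and then compares the installed core and plugin files against the checksums wordpress.org publishes, which is also the quickest way to find the edited or planted PHP files a hack leaves behind. It assumes WP-CLI is installed as `wp` and that you run it from the WordPress root; the CSV sample in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: keep core, plugins and themes current with
# WP-CLI (https://wp-cli.org/) and verify the installed files against the wordpress.org
# checksums. Assumes `wp` is installed and you run this from the WordPress root.

# Read the CSV that `wp plugin list --format=csv --fields=name,status,update,version,update_version`
# prints and report, one per line, plugins with a pending update and plugins that are
# installed but inactive. Inactive plugin code is still on disk and still reachable by
# URL, so delete what you do not use instead of leaving it parked.
triage_plugins() {
    awk -F, 'NR > 1 {
        if ($3 == "available")     print $1, "update", $4, "->", $5
        else if ($2 == "inactive") print $1, "inactive", $4
    }'
}

# What would change, without changing anything.
audit() {
    wp core check-update
    wp plugin list --format=csv --fields=name,status,update,version,update_version | triage_plugins
    wp theme list --update=available --fields=name,version,update_version
}

# Apply everything, then run the database upgrade a core update may need.
apply() {
    wp core update && wp core update-db
    wp plugin update --all
    wp theme update --all
}

# Compare every core and plugin file with the hashes wordpress.org publishes for that
# exact version; any warning that a file doesn't verify names a file to inspect or reinstall.
verify() {
    wp core verify-checksums
    wp plugin verify-checksums --all
}

case ${1:-} in
    audit)  audit ;;
    apply)  apply && verify ;;
    verify) verify ;;
    *)      echo "usage: $0 audit|apply|verify" >&2 ;;
esac
```

Run `audit` first so you see what is about to change, take a backup (tip 4), then `apply`. The `verify` step only knows about files that ship with WordPress and with plugins from wordpress.org; a premium theme or a plugin from elsewhere is not covered, so keep the vendor’s original zip for comparison.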
Harden your site. I really hate this term, but I looked, and “hardening” really is the term for tightening up the security on your website. Go ahead, look it up. Try not to laugh. Then go and install the Sucuri “Security – Auditing, Malware Scanner and Hardening” plugin. Once that’s installed, use the tab marked “Hardening” (see??) and enable all the options you’d like to lock down EXCEPT Website Firewall Protection (a paid service from Sucuri) and Database Table Prefix. Now double-check your site and make sure the plugins you’ve installed are still working. Some theme functionality requires direct access to certain files in order to run; in my case it was the piece that runs my gallery, so on my own site I wasn’t able to lock down the wp-content folder without breaking the gallery. If you have to leave wp-content open, at least keep the uploads folder locked, because that is where an uploaded script usually lands. As a rule, if something breaks right after you install something, turn off or uninstall the thing that broke it, one option at a time so you know which one it was. Seems simple, I know, but you’d be surprised how often someone installs a plugin or a feature of a plugin without checking to see if their website is still working. Always, always do this.
You can also install a plugin called Wordfence, which does a fairly bare-bones scan for security risks, reminds you to update plugins and catches whatever security red flags it can. I believe the Sucuri plugin can also do this, but it might be part of the paid service, and Wordfence is free. As far as I can tell, it doesn’t hurt to have both.
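To show what two of those hardening switches actually do, and how to keep one file working when a lockdown breaks it, here is an added example that is not code from the original post and not part of the Sucuri plugin. It writes an .htaccess that refuses to run PHP from the uploads folder, lets you name exceptions (gallery-loader.php is a placeholder for whatever your gallery genuinely needs), turns off the built-in theme and plugin editor, and then checks that the home page still answers while a test script in uploads is refused. It assumes Apache with .htaccess files enabled and WP-CLI installed as `wp`; on nginx the .htaccess is ignored and the same rule has to go in the server configuration.

```shell
#!/bin/sh
# Added example, not from the original post or the Sucuri plugin: two hardening steps
# done by hand so you can see (and selectively undo) what changes.
#   1. Refuse to execute PHP from wp-content/uploads, where a dropped web shell lands.
#   2. Turn off the built-in theme/plugin editor (DISALLOW_FILE_EDIT).
# Assumes Apache with AllowOverride enabled and WP-CLI as `wp`. On nginx the .htaccess
# file is ignored; the equivalent rule belongs in the server config.

# Write an .htaccess under $1 that denies every PHP-like file, then re-allows the files
# named in $2 (space separated). Apache merges <Files> sections in the order written,
# so the later "Require all granted" wins for those names only.
write_php_block() {
    dir=$1; allow=${2:-}
    {
        printf '# Generated: block PHP execution in this directory\n'
        printf '<FilesMatch "\\.(php|phtml|phar|php[0-9])$">\n'
        printf '    Require all denied\n</FilesMatch>\n'
        for f in $allow; do
            printf '<Files "%s">\n    Require all granted\n</Files>\n' "$f"
        done
    } > "$dir/.htaccess"
}

# HTTP status code of a URL, for before/after checks. Needs curl.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Apply both changes, then prove them: home page still 200, a PHP probe in uploads 403.
# $1 = site URL, $2 = WordPress root, $3 = optional space-separated exception list,
# e.g. "gallery-loader.php" (a placeholder name; use whatever your gallery needs).
harden() {
    site_url=$1; wp_root=${2:-.}; allow=${3:-}
    write_php_block "$wp_root/wp-content/uploads" "$allow"
    wp --path="$wp_root" config set DISALLOW_FILE_EDIT true --raw
    printf '<?php echo "should never run";\n' > "$wp_root/wp-content/uploads/probe.php"
    echo "home page:     $(http_status "$site_url/")   (expect 200)"
    echo "uploads probe: $(http_status "$site_url/wp-content/uploads/probe.php")   (expect 403)"
    rm -f "$wp_root/wp-content/uploads/probe.php"
}

# Usage: sh harden.sh https://example.com /var/www/html "gallery-loader.php"
if [ $# -ge 2 ]; then
    harden "$@"
fi
```

If the probe comes back 200, the rule is not being read (usually AllowOverride is off or the server is not Apache) and you are not protected yet. If the gallery stops working after this, add its script to the exception list instead of removing the whole block.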
Back up. The bigger your website, the harder the fall. WordPress is composed of 3 things: the core files that simply make WordPress run; a database that holds everything you’ve actually written and tells WordPress where you’d like everything to go; and your actual content files, like the images, plugins and themes you’ve uploaded to take your WordPress website from a plain old blog to the beautifully skinned site you’ve created. WordPress doesn’t perform backups on its own, so I recommend installing a good backup plugin that will not only back up your database but do a full backup of your website files as well. The plugin needs to be able to do a database backup AND a full backup; the latter takes longer, depending on how large your website is. If you only back up your database and your site gets blown away, you’ll still have everything you’ve ever written, customized and organized, but you won’t have any of the visual items, like, say, the last 3 years of images you’ve uploaded to your blog and galleries. So be sure you do both. How often is up to you, but I would go with at least a weekly backup of your database and a monthly backup of your full site, kept somewhere other than the same server (if the server is what gets blown away, a backup sitting on it goes with it). My current free favorite plugin for this is called BackUpWordPress. There are paid plugins that offer more functionality.
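For a site where you have shell access, the same weekly-database, monthly-full schedule can be a short script instead of a plugin. The following is an added example, not code from the original post or from BackUpWordPress: it dumps the database with WP-CLI, tars wp-content together with wp-config.php, verifies each archive it writes, and keeps only the newest few of each. It assumes WP-CLI is installed as `wp`, that `WP_ROOT` is your WordPress directory, and that `BACKUP_DIR` is outside the web root (wp-config.php holds your database password, so a copy must never sit where a browser can fetch it); the paths and retention counts are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or the BackUpWordPress plugin: a plain
# WP-CLI backup script. `db` exports the database (weekly in the post's schedule);
# `full` also tars wp-content plus wp-config.php (monthly). Each archive is verified
# after writing and only the newest N of each kind are kept. Assumes `wp` is installed;
# WP_ROOT and BACKUP_DIR below are placeholders, and BACKUP_DIR must be OUTSIDE the
# web root because wp-config.php contains the database password.

WP_ROOT=${WP_ROOT:-/var/www/html}
BACKUP_DIR=${BACKUP_DIR:-/var/backups/wordpress}
KEEP_DB=${KEEP_DB:-8}        # eight weekly dumps, about two months
KEEP_FILES=${KEEP_FILES:-3}  # three monthly full copies

stamp() { date -u +%Y%m%d-%H%M%S; }

# A backup you have not read back is a hope, not a backup: check the gzip stream and,
# for tarballs, that the member list is readable.
verify_archive() {
    gzip -t "$1" || { echo "CORRUPT: $1" >&2; return 1; }
    case $1 in
        *.tar.gz) tar -tzf "$1" > /dev/null || { echo "CORRUPT: $1" >&2; return 1; } ;;
    esac
    echo "verified $1 ($(wc -c < "$1" | tr -d ' ') bytes)"
}

# Keep the newest $3 files named "$2-*" in $1 and delete the rest. The timestamp in
# each name sorts the same lexically and chronologically, so `sort -r` puts newest first.
prune_backups() {
    dir=$1; kind=$2; keep=$3
    for f in "$dir/$kind"-*; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done | sort -r | tail -n +"$((keep + 1))" | while read -r old; do
        rm -f -- "$old"
    done
}

backup_db() {
    out="$BACKUP_DIR/db-$(stamp).sql"
    wp --path="$WP_ROOT" db export "$out" --add-drop-table
    gzip -f "$out"
    verify_archive "$out.gz"
    prune_backups "$BACKUP_DIR" db "$KEEP_DB"
}

backup_files() {
    out="$BACKUP_DIR/files-$(stamp).tar.gz"
    tar -czf "$out" -C "$WP_ROOT" wp-content wp-config.php
    verify_archive "$out"
    prune_backups "$BACKUP_DIR" files "$KEEP_FILES"
}

case ${1:-} in
    db)   mkdir -p "$BACKUP_DIR"; backup_db ;;
    full) mkdir -p "$BACKUP_DIR"; backup_db; backup_files ;;
    *)    echo "usage: $0 db|full   (e.g. weekly 'db' and monthly 'full' from cron)" >&2 ;;
esac
```

Two cron lines cover the schedule in the post, for example `0 3 * * 0 sh wp-backup.sh db` and `0 4 1 * * sh wp-backup.sh full`, and a second job should copy the finished files off the server. Restore one of them into a test site at least once; the first time you find out a backup does not restore should not be the day you need it.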
Be picky about plugins. WordPress is open source and free to the world, and most plugins out there are entirely third-party, user-created code. When searching for a new plugin, check the reviews and star ratings, check that it is compatible with the version of WordPress you are running, and see how well it is supported: when it was last updated, and whether the author answers support questions. A plugin that is updated often with patches means someone out there is paying attention and trying to help us all keep our sites secure and functioning; one that hasn’t been touched in years is a hole waiting to be found.
Like everything on the internet, WordPress is constantly evolving. Keep an eye out for new tips and tricks.
I’ll be teaching a WordPress for Photographers course this summer with Florida Photography Workshops.