Build A WordPress Website

Using WordPress as a Content Management System and Blog

Security

Keeping WordPress Up To Date and Secure

Filed Under: WordPress CMS, WordPress Plugins August 21, 2016

After you have installed your new WordPress website, you need to keep it up-to-date and optimized. An up-to-date WordPress website is better protected against hacking attempts and runs better with fewer errors.

Optimizing your WordPress website goes beyond keeping it up-to-date with the most recent version of the core files and plugins. You need to optimize your database as well and make sure your site loads fast.

Keeping WordPress Up to Date

– updates for core files: WordPress will inform you if there is a new version update once you log in to your dashboard. This can be an upgrade or, very important, a security update. Note: some minor security upgrades are now installed automatically.

– updates for plugins: WordPress plugin updates can add new functionality or bug fixes and sometimes also have security updates.

– update themes (aff): WordPress theme updates mostly focus on new layout options, responsive design or extra layout functionality. Sometimes they include bug fixes and security patches.

– remove no longer used plugins and themes (aff): Don't leave possible security problems in place; clean up all plugins and themes you tried once and decided not to use any longer. WordPress will check these plugins and themes as well, so save yourself some time and clean up!

Keeping WordPress Secure

Lock Your Site to Block WordPress Spam Comments

Keeping your WordPress site up-to-date is the first step.

The next step is to use a plugin that will shield your site from people who want to hack it or fill it with spam comments.

One of the fastest ways to block those people is with the Shield security plugin.

Shield has an easy-to-use Dashboard that shows you which options you have configured for use.

Shield Security Dashboard - Build a Website with WordPress

Just follow the icons in Orange once you have installed and activated the plugin.

One of the most important options is the Firewall. The firewall will block a lot of hacking attempts.

In the configuration, I have the Firewall Blocking options all set to active except for the last two.

Firewall Options in Shield WordPress Plugin

And to be able to work in your Dashboard without any problems, you should use these options in the Whitelist part.

Firewall Whitelist in Shield for WordPress

The rest of the options in Shield are pretty easy to configure, so go ahead and run through them.

Have a special look at the Login protection where you can easily rename your login option to redirect wp-login.php! This one is a no-brainer as Shield makes it very easy without you needing to create special rules in your .htaccess file.

There are so many other nice options in this plugin that I will create a separate post for it to go through the complete plugin settings. But for now, make sure you block out the basics and see what other options you might want to use.

Affiliate Link Disclosures

By Herbert-Jan van Dinther Filed Under: WordPress CMS, WordPress Plugins Tagged With: Core, Hacks, Plugins, Security, wordpress Leave a Comment

Secure Your WordPress Website with Wordfence

Filed Under: WordPress Plugins June 7, 2013

Even though some people will tell you that WordPress is insecure, you should know that the core of WordPress is one of the most secure open source content management systems there is today.

Even the latest hack attempts were not targeted at the software itself. They were brute-force password attacks against default usernames and weak passwords. So make sure you don't use admin as your administrator username and have a good, strong password. If you want to learn more about those attacks, read WordPress Security Attacks and Solutions.

To secure your site there is one plugin that I highly recommend. It will check and monitor your WordPress website, and it's called Wordfence.

Wordfence Security Plugin

Wordfence is free and you can get it for your WordPress security by following these steps:

  • Sign in to your WordPress website.
  • Go to your “Plugins” menu and click “Add New”.
  • Enter “Wordfence” in the search box.
  • Install Wordfence and set your options.

To set the Options, go to the Wordfence plugin options choice.

WordPress Security Options from Wordfence

The settings screen is large and has a lot of options!

Start with the basics and set your email address and the option on How does Wordfence get IP's. Save the changes.

Wordfence Basic Options

Now let's see what else you need to set. Most of the options can remain as offered by the standard installation.

There are only a few things that I change:

  • Disable the Live Traffic View options
  • Set Scan theme files and plugins files against repository to enabled
  • Enable the Firewall rules and set the block fake crawlers option to active
  • Under Other Options put in your own IP address to the Whitelist
  • I choose not to set the option to Participate in the Wordfence Security Network, but that is just my personal choice

Save all the options you have set, and run a first scan.

Working with WordPress Security Alerts

After the scan is complete you will get some WordPress security notifications, especially if you have the option active to scan plugin files against the repository.

Wordfence security alert notification

You have several options on how to proceed with this notification.

It depends on the severity of the problem and on what kind of file it is.

In this case I only check See how the file has changed to make sure it is just a minor change. If that is the case, I choose Restore the original version of the file. Wordfence will then get the file from the repository and overwrite your current file.

Most of these kinds of notifications will be about readme files, so no problem there. After the check, do the restore to prevent a new notification the next time the scan runs.

Since I run Dutch websites I also get errors on language settings; in that case I choose Ignore until the file changes.

Check out the options, see if you want to use the options mentioned before, and run a scan on your own site. You will see that Wordfence monitors your site, scans it once a day (free version) and sends you a notification if something changes.

I even got a Warning: * Your DNS records have changed notification today after my hosting (aff) company replaced some servers and had to change the IP addresses…

Wordfence Drawbacks

So this Wordfence plugin sounds great, but is there a down side to it?

Yes, there is, but it's minor. It has to do with the database tables it uses. As you can see, they can grow pretty large.

wordfence database tables

Here are the same tables after optimization with the WP-Optimize Plugin.

Wordfence database tables optimized

Still pretty large right? I did not see any performance problems though and I do think that these tables will improve over time.

Nothing to worry about directly, but certainly something to look out for and do preventive maintenance on your database. You can also choose to not back-up these tables if you run into trouble with your back-up files.

Despite this drawback I do recommend you install, configure and use Wordfence to secure your WordPress website!

By Herbert-Jan van Dinther Filed Under: WordPress Plugins Tagged With: Plugins, Security, wordpress 1 Comment

How to Secure Your WordPress Website – The Basics

Filed Under: WordPress Setup June 7, 2013

In my book review WordPress 3 for Business Bloggers I told you that I missed one piece of content, which was options to secure your WordPress website, and that I would give you some tips on how to secure your WordPress website.

WordPress is a very popular Content Management System and as such is always under attack by hackers and crackers.

Most of the hack attempts are not focused on WordPress core security holes but rather plugin or theme security weaknesses.

Basics on how to Secure Your WordPress Website

WordPress security starts with the installation of your website and these steps can help:

  • choose a good web host
  • create a cryptic database name and database username for your MySQL database
  • create a highly secure password
  • don't use the standard wp_ prefix for your tables
  • don't use the standard Admin user name but create a more difficult username and matching secure password

After installation use the permalinks option to create a .htaccess file in the root of your website.

Once the installation is done you can remove the following files:

  • wp-config-sample.php
  • readme.html (contains information on what version of WordPress you are running)
  • wp-admin/install.php
  • wp-admin/install-helper.php

Secure your files by changing the permissions on:

.htaccess to 404 (or 604)

wp-header.php to 400 (or 600)

If possible, move your wp-config.php file one folder up and set the permissions to 400, or 600 if your hosting (aff) company won't allow 400.
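A read-only check of the clean-up and permission steps above, as an added example that is not part of the original article: it reports leftover installer files and file modes that differ from the values given here. The function names `audit_wp`, `check_mode` and `file_mode` are made up for this sketch, and it assumes shell access to the server and a `stat` that accepts either GNU `-c` or BSD `-f`.

```shell
#!/bin/sh
# Added example: read-only audit of a WordPress directory against the
# clean-up and permission checklist above. It reports; it changes nothing.

# Octal mode of a file (GNU stat first, BSD/macOS stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_mode PATH LABEL "MODE MODE ..." : report when PATH exists and its
# mode is not one of the accepted values.
check_mode() {
    [ -f "$1" ] || return 0
    mode=$(file_mode "$1")
    for ok in $3; do
        if [ "$mode" = "$ok" ]; then return 0; fi
    done
    echo "MODE $2 is $mode, expected one of: $3"
    findings=$((findings + 1))
}

# audit_wp ROOT : one finding per line on stdout; exit status 1 if any.
audit_wp() {
    root=$1
    findings=0
    # Files the article says to remove once installation is done.
    for f in wp-config-sample.php readme.html \
             wp-admin/install.php wp-admin/install-helper.php; do
        if [ -e "$root/$f" ]; then
            echo "LEFTOVER $f"
            findings=$((findings + 1))
        fi
    done
    # Modes as given in the article.
    check_mode "$root/.htaccess" ".htaccess" "404 604"
    # wp-config.php may sit in ROOT or one folder up; check whichever exists.
    check_mode "$root/wp-config.php" "wp-config.php" "400 600"
    check_mode "$root/../wp-config.php" "../wp-config.php" "400 600"
    [ "$findings" -eq 0 ]
}

# Usage: sh audit.sh /path/to/wordpress
if [ -n "${1:-}" ]; then audit_wp "$1"; fi
```

Run it again after each WordPress core update, since an update can put files such as readme.html back.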

Secure Your WordPress Website Plugin Options

There are four plugins I always install on my WordPress websites:

WordPress Firewall 2 monitors web requests to your website and blocks obvious attacks.

File Monitor Plus: this plugin will send you an email if a file has changed on your website and tell you which file(s) have changed.

WP Security Scan will let you know if you already are under attack and will give you extra tips and aids to block some standard attacks.

Login Lockdown looks at login attempts that fail from a certain IP address and shuts down login functionality for a certain amount of time for that address preventing further brute force attacks.

All of the above measures have helped me to secure my WordPress websites from attacks on several occasions.

Secure Your WordPress Website

WordPress 3 Cookbook

I also got a chance to read WordPress 3 Cookbook, a fun concept that gives you “recipes” that you can use on your own WordPress website.

Here is a short overview of the chapters in this fine book:

Chapter 1: The WordPress Cook's Tools
Chapter 2: Installing and Customizing Themes (aff)
Chapter 3: Working with Plugins and Widgets
Chapter 4: Customizing Content Display
Chapter 5: Building Interactivity and Community
Chapter 6: Implementing Online Sales and Advertising
Chapter 7: Making an SEO Friendly Site
Chapter 8: Enhancing Usability and Accessibility
Chapter 9: Managing Maintenance and Improving Security

And yes this one has a chapter on security :-) but the rest of the book is also a very good read and gives you over 100 short practical articles that you can use.

I really enjoyed reading and implementing several of the recipes on my own WordPress websites and I really suggest you take a look at the WordPress 3 Cookbook as it has some nice pearls in it … but that said you need to be aware that you should have a code editor and FTP program. I recommend PSPad and FileZilla.

By Herbert-Jan van Dinther Filed Under: WordPress Setup Tagged With: Plugins, Security, wordpress 4 Comments

Copyright © 2023 Build a WordPress Website · Design Metro Theme by StudioPress