Search This Blog

Tuesday, January 06, 2015

How to make your Wordpress site secure


•  Beware cheap ($5-$10/month) shared hosting accounts.
•  Look for hosts with experience hosting WordPress sites.
•  Look for hosts with solid support.
•  Look for hosts that are transparent: who communicate quickly and post issues online.
•  Make sure your host does regular backups that you can access.
•  Call your potential host to find out which versions of Apache web server, MySQL, and PHP they’re running. Check the version release dates with a Google search.
•  Ask your host for written documents containing their server data backup, failover, and update or maintenance policy. If they don’t have them, find another host.
•  Recommended hosts: WP Engine and ZippyKid


•  To harden your WordPress install, follow these steps.
•  Keep WordPress, themes, and plugins up to date. Always. Period.
•  If you’re unsure about how to update WordPress, themes, and plugins, hire someone to do it for you.
•  Backup your site before you update WordPress, themes, and/or plugins.
•  Disable unused user accounts.
•  Never use “Admin” as your username. Ever.
•  Grant users the minimum privilege they need to do their jobs.
•  Require strong passwords.
•  Use 1Password or KeePass to create strong passwords.
•  Use a different, strong password for every site log in.
•  Lock down the WordPress admin dashboard (/wp-admin) using an .htaccess file.
•  Use SFTP to access your web host.
•  Enable SSL on your WP install.
•  Change your passwords once a month. Set a reminder in your calendar if you have to.
•  Do backups. Recommended: BackupBuddy, VaultPress
•  Set file permissions at 644 and 755 for folders.
•  Ensure that the permissions on wp-config.php are not world readable especially in a shared hosting environment.
•  Consider adding HTTP authentication to your /wp-admin/ area.
•  Read’s blog.
•  Read Google’s security blog


•  Look for WordPress Plugin API hooks, actions, and filters.
•  Look for properly sanitized data and MySQL statements, unique namespace items, use of the Settings API for any plugin settings or options. 
•  Look for plugins that use nonces instead of browser cookies.
•  Check out how quickly the developer responds to support requests.
•  Check out forum threads to see how well the plugin is supported.
•  Is the developer a known and respected member of the community?
•  Look for a plugin that does one or two tasks really well.
•  If two plugins do similar things, choose the one with the higher download count.


•  Take the site offline. Now. That way you avoid getting a bad rap from search engines and antivirus programs.
•  Let your web host know what happened.
•  Make a full backup of the infected site. It’s helpful for reviewing what happened and in case you mess up something during the repair.
•  Change all of your passwords and the authentication keys in the wp-config.php.
•  Remove any old themes, plugins, and unused code from your server.
•  Update all code on your server. Re-install WordPress so all of the WordPress files are overwritten with fresh copies.
•  Reinstall themes or plugins with fresh copies to make sure no malicious code was inserted. 
•  Check that the file permissions on your files are correct, especially wp-config.php and uploads.
•  Remove the rogue code and make sure you check all sites on your hosting account. There are tools that can help scan and clean the infection such as VaultPress. Exploit  Scanner also scans for certain exploits.
•  If you don’t have the ability to fix the infected files the best thing to do is restore from a recent clean backup.
•  Check your server access logs. Search for any bad file names that you found on your server, patterns passed as query strings, or dates/times that may clue you in to when the attack happened. 


Please visit my other blogs too: for information and for internet marketing. Thanks !!

No comments: