Web Developer Class: Security and the WordPress CMS
As I stated in our previous article, WordPress is a great CMS (content managment system). Unfortunately, the flexibility it offers comes with a down side--a vulnerability to hacker attacks, (sometimes known as exploits) that can seriously damage your installation.
Several years ago I had four WordPress blogs. Due to lack of security, all of them were damaged by a hacker. The result was that three of them had to be shut down and I lost all of my work. The fourth I was able to save though I had to pay a technician to fix it, since I was unable to do so myself.
In this article you'll learn several methods which you can use to secure your WordPress blog so this won't happen to you.
Update WordPress Regularly
Perform regular updates of WordPress. From time to time you'll see announcements of new versions of WordPress. One simple way to protect your content is to install the upgrade--it contains fixes and patches to solve just that problem.
Back Up Your Database Once Per Week
Another simple way of protecting your installation is to do a weekly database backup. If you have GoDaddy as your host, here's how it's done (other hosts have very similar backup processes):
First, log into the Account Manager. When you're there, go to the My Account tab on the right and in the drop down list, click on My Products.
On the next page, click on Hosting.
This brings up another page. Look for the green Launch button and click on it.
On the Hosting Control Center page, click on the Databases tab and choose MySQL.
On the MySQL Databases page, click on the pencil icon to the right of the database that you wish to back up.
On this page you see the details of the database. You also have several options in the toolbar above. Click on the Backup icon.
This brings up some information about the database. Note that it might take up to two hours to back up the database. Click on OK to finish the process. The next page will show you that the backup is in process.
Database Backups with cPanel
If you use a hosting service that uses cPanel (such as Hostgator or Turnkey Internet), here's a short tutorial on backing up the database (using Hostgator):
First off, you'l need to log into cPanel in Hostgator.
Once there, scroll down to the Files section on the main page and click on the Backup Wizard icon.
On the Backup Wizard page, click on the Backup -> link at the lower left.
On the next page, click on the My SQL Databases button under the Full or Partial Backup tab.
This brings you the last page. Click on the database that you want to download and you'll see a download dialog box. Make sure that the Save File radio box is enabled and click on OK to save the file to your hard drive, which will only take a few seconds.
Use Secure FTP (SFTP)
If your account has FTP, upgrade your service to Secure FTP. You'll also need to get an SFTP program. The one I use is WinSCP, which you can download here.
Change Your Passwords Weekly
Change your passwords once per week. As stated in the previous article, make sure you use alphanumeric passwords with special characters. These are harder to break.
As in the previous article, if you're setting up WordPress for the first time, change the default "admin" to a strong password. You can change it after the fact, though the process can be quite technical.
Don't Use Shared Hosting
For more security don't use shared hosting. Use a hosting service with a dedicated server or a server with few users. This will improve the security of your blog. An example is Turnkey Internet. Also, the provider will be able to provide more security features, as well.
Limit Your Plugins
Limit the number of plugins and templates you use and make sure you get all your plugins and templates from reputable sources. If you're not using a plugin, delete it. When updates to those plugins you are using have updates available, download and install them.
Make Sure Your Computer is Secure
Make sure you have the latest virus and spyware protection programs on your computer. This is a major source of infection. Some popular (free) programs you can use are: Microsoft Security Essentials, AVG Free and Spybot Search and Destroy. Another great program to keep your computer humming is: CCleaner. This does a great job of cleaning your registry and the best part is that it's free.
For More Information
One great source of WordPress security is a book called: Blog Lock Down, by Craig Desorcy. One word of warning, the book can be quite technical. If you're not comfortable with some of the steps, I recommend that you hire a technician or Craig himself to secure your blog. Craig was the technician who fixed my travel blog.