WordPress and Security

Are there some simple ways to beef up the security on a WordPress site?

Solutions Collecting From Web of "WordPress and Security"

I’d tackle this problem on three layers: plugins, core and filesystem.

Most security problems arise via 3rd party plugins and themes, so as Ambitious Amoeba notes the best thing you can do is choose those wisely.

You should also be sure to update to the latest version of WordPress, because they always patch the big issues but older versions are quite vulnerable. Since WordPress blogs are so commonly used (Google “inurl:wp-login.php”) you are really asking for it when you don’t update your core to the latest version.

Finally, there’s a lot of user error that causes problems — you can’t get your FTP to update so you chown 777 or something, thinking it’ll be fine, then some remote nerdowell figures it out and your toast. Best thing to do is make sure you lock down your permissions as much as you can on the filesystem — I believe chmod 755 is the preferred level.

Use a non-dirt-cheap hosting who has a clue about what they are doing.

Security plugins, complex passwords, etc are cute and needed, but they won’t matter a bit if hosting has poorly configured disorderly stack without proper management.

Start with the Codex article called Hardening WordPress.

The most important things are keeping WP up to date, using string passwords, and having a secure server setup.

You’d also do well to use some kind of monitoring. If you’re not comfortable doing this yourself, there are some services that do it. I’ve been using Vaultpress for a couple months now and am pretty happy with it. But the package that comes with security scanning is a bit pricey for personal use ($40/mo!), so I’m thinking of moving back to securi, which has a $10/mo plan (but which doesn’t include backups…just monitoring).

There are a couple of plugins you can use to boost your site’s security. They are:

  • Secure WordPress
  • WP Security Scan

They do different things, but cover a number of potential problem points.

The way you secure a WordPress install is the same way you secure any other box. Figure out who needs access, only give them access, enforce a strong password policy, and limit the number of brute force connections.

The part about only installing plugins you need/trust is absolutely critical, but it’s not just for security, it’s also for performance.

Use a security scanner like wpscan or WPScans.com and check for security vulnerabilities.

WPScans.com can also monitor your WordPress-site over time. wpscan is opensource and can be downloaded from Github. There is also another version written in Python named WPSeku.