WordPress on its own has a relatively high level of security; however, a persistent hacker can easily gain access to the site and, once in, can have full control over it. This is where WordPress security falls down.
This has become more and more frequent over the past few years, with thousands of WordPress sites and blogs being attacked by hackers, simply because their WordPress security was not up to the mark.
Some common hackers are:
- Turkish Hacker ET-06
- Dark Knight Sparda
- and more…
These hackers usually do nothing more than deface the site, changing the landing page to display images announcing that it has been attacked and hacked.
That said, it doesn’t please any administrator to have to go and undo the changes or modifications the hackers have put in place.
WordPress Security Measures
Before we even consider installing plugins to help protect our sites, we must first of all understand how the hacker may have found our site in the first place.
Hackers are usually very lazy and use search engines to find potential WordPress sites to attack.
Using search terms specifically crafted to identify potential sites to attack is actually very easy and straightforward; however, I am not going to post these terms in this article, as I am not here to promote hacking.
As I said, using a search term will show the hacker which sites are running on the WordPress platform, so we need a way to hide the tell-tale giveaways that search engines can find on our sites.
Remove unnecessary files to improve WordPress Security
By default, a WordPress installation leaves behind some easy-to-find indications that the site is running WordPress. Let’s remove those now.
Using cPanel or FTP, go to your site and remove the “readme.html” file. It tells everyone the version of WordPress currently installed.
We can also remove the “wp-config-sample.php” file, as this is only an example of what the site’s actual configuration file should look like.
We can also navigate to the “wp-admin” folder and remove the “install.php” file, as this is also not needed.
So, to recap, we delete:
- readme.html (in the site root)
- wp-config-sample.php (in the site root)
- install.php (in the wp-admin folder)
We have now made it difficult for hackers using search engines to identify that our site is on the WordPress platform.
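The same clean-up as a small POSIX shell script, added here as an example that is not part of the original post. It assumes you have shell access to the document root (rather than only cPanel or FTP), takes that path as its first argument, and refuses to delete anything unless the directory actually looks like a WordPress root.

```sh
#!/bin/sh
# Added example (not from the original post): audit and remove the three
# install leftovers the post tells you to delete. Assumption: $1 is the
# WordPress document root, e.g. /var/www/html, and you own the files.
WP_LEFTOVERS="readme.html wp-config-sample.php wp-admin/install.php"

# Sanity check: only act on a directory that looks like a WordPress root,
# so a typo in the path cannot delete files somewhere else.
wp_is_root() {
  [ -d "$1/wp-admin" ] && [ -d "$1/wp-includes" ]
}

# Print the leftovers still present under $1, one relative path per line.
wp_list_leftovers() {
  for f in $WP_LEFTOVERS; do
    [ -e "$1/$f" ] && echo "$f"
  done
  return 0
}

# Number of leftovers still present; 0 means the site is clean.
wp_count_leftovers() {
  n=0
  for f in $WP_LEFTOVERS; do
    [ -e "$1/$f" ] && n=$((n + 1))
  done
  echo "$n"
}

# Delete the leftovers under $1. Returns 1 (and deletes nothing) when $1
# does not pass the WordPress-root check.
wp_remove_leftovers() {
  wp_is_root "$1" || { echo "not a WordPress root: $1" >&2; return 1; }
  for f in $(wp_list_leftovers "$1"); do
    rm -f "$1/$f" && echo "removed: $f"
  done
  return 0
}

# Usage: . ./wp_leftovers.sh && wp_remove_leftovers /var/www/html
```

A WordPress core update writes a fresh copy of readme.html and wp-admin/install.php, so run the audit again after every update.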
Now we need to do some maintenance inside WordPress itself.
WordPress Control Panel
Log in to your WordPress control panel (http://www.yoursite.com/wp-admin)
Go to the “Settings” section in the left-hand menu and then click on the “Permalinks” link.
I hope you are not using the Default setting as this is just plain nasty.
Personally, I set this to “Custom Structure” and fill in “/%postname%/” in the text box. Hackers can search for pages/posts whose URLs end in “?p=123”, and again this is a big giveaway that the site is using WordPress. Change it!!
Plugins can affect WordPress security in a major way.
Plugins can make a site safer, but at the same time they can open your site up to attacks.
Before we go any further, make a note: ONLY USE APPROVED PLUGINS.
I only download and install plugins via the WordPress control panel. Doing it this way allows me to browse plugins and see whether other website owners recommend them.
As you can see from the image above, just looking at the “Rating” tells me whether the plugin is recommended or not.
Also, do press the “Details” link for each plugin to get more information about it, its history and any known problems. 5 minutes of investigation could save you hours of recovery if a plugin is poor or has security loopholes.