Please note: This information was taken from my old site: hostingtavern.com. This is why some images may show that title.
If you have not taken any steps to improve the security of your WordPress site, then you have not yet had to learn the lesson the hard way.
It has only happened once to me. However, that single time when I had a WordPress site hacked and spammed, it meant thousands of dollars in lost revenue by the time I realized what had happened. If I had spent ten to fifteen minutes improving the WordPress security of my site, I could have avoided the entire ordeal.
The best part is that I had regularly read articles such as this one and ignored them. Do not make this mistake!
In this article you will learn:
- How to protect your site from malicious people
- How to automate all your backups
- How to improve your WordPress security
- How to scan your entire site for malware
- How to monitor your site
Back Up Your Site Automatically
The first step is to make a backup of your site. Do not do it tomorrow, do it right this minute!
Having an up-to-date backup of your site is the best way to recover a hacked site. You will be able to restore your site to its previous, non-malicious form with a single click.
It is also a smart idea to make a backup before any large change to your site, such as upgrading your database or trying out a new plugin.
HostGator hosts my site and does not automatically make a backup of it. Some hosts will, but most will not.
You do not need any paid plugins to get the job done. I have found that BackWPup is all you need.
This plugin will back up your entire site, including the database and all your files, in one zip file.
After it has made the backup, the plugin can automatically upload the zip file via FTP or to services such as Dropbox.
If you do not use any such service, setting up a Gmail account to store your backups is a smart choice, since they provide you with so much space.
Install the plugin and make daily backups of your site! This can save you a huge headache down the road.
Remove the WordPress Version
The HTML source of the pages your WordPress installation serves states which version of WordPress it is currently running.
If malicious people such as hackers discover a vulnerability in a particular version, it is very simple for them to compile a list of sites that run that vulnerable version of WordPress.
In order to remove the version, log into your admin control panel. Go to Appearance > Editor > functions.php. Add the following code right before the ?> tag:
remove_action('wp_head', 'wp_generator');
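The single line above only removes the generator tag from the page head. The version string is also written into RSS/Atom feeds and appended as a ?ver= query string to core script and style URLs. The following is an added example, not code from the original post or from WordPress itself, that covers all three places. It goes at the end of the active theme's functions.php (a child theme is safer, so a theme update does not overwrite it; if the file has no closing ?> tag, simply append the code). The ht_ prefix on the helper function is a constructed name.

```php
<?php
/**
 * Added example (not from the original post or from WordPress core):
 * remove the WordPress version string from the places core exposes it.
 * Assumed/constructed name: the ht_ prefix on the helper function.
 */

// 1. The <meta name="generator" content="WordPress x.y.z"> tag in the page head
//    (the line the post gives).
remove_action( 'wp_head', 'wp_generator' );

// 2. The <generator> element WordPress also adds to RSS and Atom feeds.
//    __return_empty_string is a core helper that returns ''.
add_filter( 'the_generator', '__return_empty_string' );

// 3. The ?ver=x.y.z query string that core appends to script and style URLs
//    when the asset declares no version of its own (it defaults to the WP version).
function ht_strip_core_version_query_arg( $src ) {
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( empty( $query ) ) {
        return $src;
    }
    parse_str( $query, $args );

    // Only strip the argument when it equals the core version. Plugin and theme
    // assets keep their own ver, so browser caches still refresh when they update.
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'ht_strip_core_version_query_arg', 9999 );
add_filter( 'script_loader_src', 'ht_strip_core_version_query_arg', 9999 );
```

To check the result on your own site, fetch the front page and a feed URL and search the response for the word "generator"; nothing should match. Hiding the version string makes your site harder to find with a version search, but it does not fix anything; the update advice later in this post is what actually removes the vulnerability.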
Block Directory Browsing
Some servers will list every file in a folder if you browse to that directory's URL. This is much like viewing the contents of a folder on your personal computer.
To block this from happening, you only need to add a single line to your .htaccess file.
Locate your .htaccess file, open it up, and add this line:
Options -Indexes
Update Your WordPress and Plugins
New vulnerabilities are discovered all the time. This is why you must keep your WordPress installation and all of its plugins up to date.
Apply every update as soon as it rolls out. It is best practice to make a backup before updating anything, in case a plugin breaks or something stops working properly.
Delete Unused Plugins and Themes
If there are themes or plugins that you do not use, they will not affect your blog directly. However, if that plugin or theme is vulnerable, a malicious hacker can still use it to gain access, even though it is inactive.
Get rid of all unused plugins and themes! It will give your site a nice boost in speed as well as improve your WordPress security.
TimThumb Vulnerability Scanner
TimThumb is a script that became popular because many themes use it to resize images.
The biggest problem? The script had a serious bug that hackers could take advantage of.
To check whether your theme is at risk or contains a backdoor, you can run the TimThumb Vulnerability Scanner.
It scans your site, and if it finds older versions of TimThumb, it lets you update them all with a single click. Once you have done this, you may uninstall the plugin.
Using CloudFlare
Using CloudFlare is a great way to protect your site as well as help speed it up.
It works at the DNS level, so traffic passes through CloudFlare's network before it reaches your server, and malicious requests can be stopped there before they ever reach your site.
Setting up an account takes only a couple of minutes and offers some protection. Paid options are available, but you do not really need them.
Security Plugins
By installing a security plugin, you can take some further steps to protect your site. I have chosen to use the Better WP Security plugin. It can do the following:
- Removes the WordPress version
- Changes the login and dashboard URLs
- Renames the default admin account
- Changes the WordPress database table prefix
- Removes detailed login error messages
- Scans for vulnerabilities
- Bans hackers and bots
- Improves the security of your server
- Helps protect your site from malicious activity
It also does much more! The one thing it seems to be missing is automatic backups, but there are other tools for that.
Make Sure to Install a Firewall
After you have installed a security plugin, you will want to install a good firewall. This will help protect your site from SQL injection and JavaScript injection.
A good option is the OSE Firewall. This will give you great WordPress security.
Monitor the Security of Your Site
I like to make use of free services to check how my site is doing.
Pingdom
A Pingdom account is free and will check your site every minute, around the clock, from different locations.
You will get an email notification if there is any downtime.
Sucuri Sitecheck
One of my favorite options is Sucuri Sitecheck. It scans your site's URLs for different threats, checks whether your site is blacklisted, and looks for malware.
Change Detection
A simple service I also like to use is Change Detection. This tool monitors your pages for changes. If it sees a change, you will get a notification by email.
Have You Taken the Steps Above?
It is very important that you take the few minutes needed to improve your blog's security. Do not ignore the information I have laid out for you; it is for your own good!
If you choose to ignore this post, sooner or later you are going to have a problem. You may even lose money! Take action, improve your site, and happy blogging.