If you haven’t installed WordPress security plugins on your blog, then you have never had to learn the hard way.
I learnt the hard way a couple of years ago when I woke up to find one of my authority sites had tanked out of the SERPS losing out on 10,000 visitors a day.
That equated to nearly a $12,000 / £8,000 loss in affiliate commission…
After a bit of investigation it turned out someone had hacked the blog and created thousands of spam pages hidden from normal view and turned it into a cloaked link network.
That was enough for Google to slam the site even though it looked perfectly fine to the naked eye, even when logged in as admin!
It took me a few days to undo the damage due to my lack of backups (they injected C99MadShell code into every file) and a further 3-4 weeks for the recovery in Google.
All of this could have been avoided if I had just spent 10 minutes integrating the WordPress security tips I am going to share with you in this tutorial.
The irony is I had read and ignored plenty of articles just like this one ^^
WordPress is a prime target for hackers no matter how big or small your site is: attackers scan for any site running a known-vulnerable version or plugin, not for sites worth targeting. Check out the latest threats here and you’ll see what I mean.
What You Will Learn
- How to improve WordPress security to protect against hackers
- How to automate WordPress backups free of charge
- How to scan your site for malware
- How to do a complete WordPress security check
- How to use free WordPress security plugins to protect your blog
- All of my personal WordPress security tips
Automatically Backing Up Your Site
First things first – one of the best WordPress security tips I can give you is to make sure you have regular backups of your site.
Having regular backups makes it easy to recover from hacks – rather than hunting for every injected file, you restore the whole site from the last clean copy in one step.
It is also handy to make a backup before making any significant changes to your site such as installing a new plugin or upgrading WordPress.
My host does this automatically for me and provides a great control panel but if your host doesn’t then don’t worry.
There are many paid backup plugins available but all you need is the free BackWPup plugin.
This will back up the database and all of your files, including everything in wp-content (themes, plugins and uploads), into a single zip file.
It will then automatically upload the file to an FTP server, Amazon S3, Dropbox, SugarSync or a bunch of other services.
You can even set up a dedicated free Gmail account and have the plugin email the backups to you, which gives you a copy that lives off your server.
Bear in mind that a full backup contains wp-config.php (with your database credentials) and every user’s password hash, so treat the archive as sensitive: keep it in as few places as possible, and if you send it by email or to a third-party service, encrypt it first (use the plugin’s archive encryption if your version offers it, or encrypt the file yourself).
Install the plugin, schedule daily backups, and test a restore once so you know the archive is actually usable before you need it!
Remove WordPress Version
By default WordPress prints the version it is running into the source code of every page, in a generator meta tag in the page head (and again in the RSS feed).
The problem with this is that when a vulnerability is found in a particular release, attackers can feed that version string to a WordPress vulnerability scanner and get a ready-made list of blogs they can attack easily.
To remove it, just log in as admin, go to Appearance > Editor > functions.php and add this line of code at the end, before the closing ?> tag (note that edits made through the theme editor are lost when the theme updates, so a child theme is a safer place for it)-
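The line itself did not survive in this copy of the page. The following is an added example of the standard hook, not the author’s snippet, written as a must-use plugin (drop the file into wp-content/mu-plugins/) so that it survives theme updates. It also goes a step beyond the single generator line the text refers to by stripping the core version from the ?ver= query string on enqueued scripts and styles; the file name and the decision to keep plugin-specific ver strings are assumptions for this example.

```php
<?php
/**
 * Plugin Name: Hide WordPress Version
 * Description: Added example (not the original page's line). Save as
 *              wp-content/mu-plugins/hide-wp-version.php so it survives theme updates.
 */

// Stop WordPress printing <meta name="generator" content="WordPress x.y.z"> in <head>.
remove_action( 'wp_head', 'wp_generator' );

// The same generator string is emitted in RSS/Atom feeds; blank it there too.
add_filter( 'the_generator', '__return_empty_string' );

/**
 * Enqueued core scripts and styles carry ?ver=<WordPress version> unless the
 * registering plugin sets its own version. Strip only the core version so that
 * plugin and theme assets keep their cache-busting parameter.
 */
function hide_wp_version_strip_ver( $src ) {
    if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'hide_wp_version_strip_ver', 9999 );
add_filter( 'script_loader_src', 'hide_wp_version_strip_ver', 9999 );
```

Check it took effect with `curl -s https://example.com/ | grep -i generator` (example.com standing in for your domain), which should print nothing. Treat this as raising the cost of fingerprinting rather than preventing it: readme.html in the site root, the hashes of core JavaScript files and any plugin that leaks its own version still tell a scanner what you run, which is why the update section below matters more than this one.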
Block Directory Browsing
Usually if you browse to a directory that has no index file, the web server lists every file in that folder, just like browsing through files and folders on your computer. On a WordPress site that means anyone can inventory your uploads and see exactly which plugins and themes (and which versions) you have installed.
To stop the server from listing the files in a directory you need to add 1 line to .htaccess.
Open up the .htaccess file in the root of your site (where the wp-config.php file is) and add this line-
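The line the text refers to is missing from this copy; the following is an added example of the Apache directive normally used for this, not the author’s own line. It assumes an Apache host that lets .htaccess override Options (AllowOverride Options or All); on nginx the equivalent is autoindex off; in the server block.

```apache
# Added example: stop Apache generating an index page for directories
# that have no index.php/index.html (e.g. /wp-content/uploads/).
Options -Indexes
```

After saving, request a directory that has no index file, such as /wp-content/uploads/, and expect a 403 Forbidden rather than a listing. If the whole site starts returning 500 errors instead, the host does not allow Options to be overridden in .htaccess and the directive has to go in the virtual host configuration.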
Update WordPress & Plugins
New hacks and WordPress security vulnerabilities are discovered all the time which is why it is important to keep up to date with both WordPress and plugin updates.
Make sure you keep both updated regularly in order to secure your WordPress site!
It is also a good idea to make a backup of your files and database before updating anything just in case it breaks!
Delete Unused Themes / Plugins
While unused themes and plugins don’t interfere with your blog directly, their files still sit on the server and can be requested by URL even when the plugin or theme is deactivated. New vulnerabilities in plugins and themes from the official directory are reported every week, so a deactivated but installed copy is still an attack surface.
So if you have any unused plugins and themes, delete them!
This will not only improve WordPress security but help to speed up your website as well.
TimThumb Vulnerability Scanner
TimThumb is a popular script that is used by a lot of themes to resize images for thumbnails and so forth.
The only problem is this script had a remote file inclusion bug: its check on which external hosts it would fetch images from could be bypassed, so an attacker could have it download a PHP file disguised as an image into a web-accessible cache directory and then execute it.
The other problem is the script is bundled inside a lot of themes & plugins, often under a different file name, so you can be running a vulnerable copy without ever having installed TimThumb yourself.
This is the back door that was used to hack my authority site.
To check if your theme is at risk, install the TimThumb Vulnerability Scanner.
That will scan your blog for any old versions of TimThumb and allow you to update them in one click if you need to!
You can uninstall the plugin once you have done that, but re-run the check whenever you install a new theme, since that is how new copies arrive.
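As an added illustration of what such a scan does (this is not the scanner plugin’s code), the following PHP walks a wp-content tree, recognises TimThumb copies by the VERSION constant the script defines rather than by file name (themes rename it to thumb.php and the like), and flags any copy older than a version you specify. The wp-content path and the 2.8.14 minimum are assumptions for this example; set the minimum to the newest release you have verified.

```php
<?php
// Added example, not the TimThumb Vulnerability Scanner plugin's code.
// Run from the shell: php timthumb-scan.php

/**
 * Return [ path => version ] for every TimThumb copy under $root.
 * Matches on the VERSION define near the top of timthumb.php rather than on
 * the file name, because themes ship it under other names (thumb.php, image.php).
 */
function find_timthumb_copies( string $root ): array {
    $found = array();
    $iter  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( $file->getExtension() !== 'php' ) {
            continue;
        }
        // Only the first few KB are needed: the header comment and define sit at the top.
        $head = file_get_contents( $file->getPathname(), false, null, 0, 8192 );
        if ( $head === false || stripos( $head, 'timthumb' ) === false ) {
            continue;
        }
        if ( preg_match( '/define\s*\(\s*[\'"]VERSION[\'"]\s*,\s*[\'"]([\d.]+)[\'"]/', $head, $m ) ) {
            $found[ $file->getPathname() ] = $m[1];
        }
    }
    return $found;
}

/**
 * Split the scan results into copies older than $minimum and the rest.
 * version_compare() handles the 1.x to 2.8.x numbering correctly.
 */
function classify_timthumb( array $copies, string $minimum ): array {
    $stale = array();
    $ok    = array();
    foreach ( $copies as $path => $version ) {
        if ( version_compare( $version, $minimum, '<' ) ) {
            $stale[ $path ] = $version;
        } else {
            $ok[ $path ] = $version;
        }
    }
    return array( 'stale' => $stale, 'current' => $ok );
}

// Usage. Both values are assumptions for this example: adjust the path to your
// install and the minimum to the newest TimThumb release you have checked.
$report = classify_timthumb( find_timthumb_copies( '/var/www/html/wp-content' ), '2.8.14' );
foreach ( $report['stale'] as $path => $version ) {
    echo "STALE   $path (TimThumb $version)\n";
}
foreach ( $report['current'] as $path => $version ) {
    echo "current $path (TimThumb $version)\n";
}
```

Any copy reported as stale should be updated or, better, removed along with the theme’s dependence on it: TimThumb has since been retired by its author and no longer receives fixes, and WordPress’s own image sizes cover the resizing job it was used for.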
Use CloudFlare
CloudFlare offers a free service that helps to protect and speed up any website.
It works at the DNS level: you point your domain’s DNS at CloudFlare, and it acts as a reverse proxy in front of your server, filtering known bad bots and attack traffic before it ever reaches or sees your site.
One caveat: your origin server is still reachable directly if someone learns its IP address, so for the protection to mean anything you should restrict the web server to accept traffic only from CloudFlare’s published IP ranges.
It only takes a few minutes to set up and will offer decent protection. There are paid options available but you won’t need those for the most part.
Install One Of The WordPress Security Plugins
One of the quickest ways to identify WordPress security issues is to install one of the many free WordPress security plugins that are available.
Personally I use Better WP Security (since renamed iThemes Security), which will help to protect your site in a number of ways-
- Removes the WordPress version
- Changes the URLs of the login and dashboard pages
- Renames the default admin account
- Changes the WordPress database table prefix
- Removes the login error messages that reveal whether a username exists
- Locks out hosts and users after repeated failed login attempts (brute-force protection)
- Monitors WordPress security issues and detects file changes
- Has a built in WordPress security scanner
- Automatically bans bots and known bad hosts
- Hardens the server configuration with .htaccess rules
And a whole bunch of other stuff! It does also have an automatic backup option but this only backs up your database and not your files, so please see the separate backup section for that!
Install A Firewall
Alongside one of the WordPress security plugins you also want a WordPress firewall that inspects incoming requests and blocks the common injection attacks (SQL injection and script/HTML injection, i.e. XSS) before they reach WordPress.
The OSE Firewall plugin has you covered!
The combination of the firewall and the Better WP security plugin is a great setup!
How To Monitor Your Sites Security
There are a number of free WordPress security checker services we can use to monitor our site for hacks and downtime.
The first one is the Sucuri SiteCheck scanner, which fetches a range of URLs across your site and checks them for a range of threats.
This covers everything from malware and injected spam to checking if your site is blacklisted anywhere. Note that it only sees what an anonymous visitor sees, so it will not spot a backdoor that is never linked or served; it is a monitor, not a substitute for the file-level checks above.
The free account at Pingdom will check your site every minute from a range of locations.
You can get notifications of downtime via email, sms, Twitter, iOS or Android which is very handy indeed!
In fact if you manage a bunch of site the Pingdom mobile app is fantastic – I highly recommend it!
The Change Detection service is simple in function but amazingly handy!
All it does is monitor pages for changes and if a change is detected it sends you an email!
You can use it to make sure you’re alerted to any changes to your site, such as the hidden spam pages or injected links that took my site down. It’s also great for checking when popular items are back in stock on websites ^^
Have You Integrated My WordPress Security Tips Yet?
For your own sake please do not ignore the advice in this article.
You do not want to learn the hard way like I did – heck I didn’t have the basics of regular backups in place when I was hacked!
If you don’t take this issue seriously you will have problems in the future.
It doesn’t take long to seriously beef up the security of your site, so what are you waiting for?
Don’t regret ignoring articles like this like I did! Take action NOW & integrate all of the WordPress security tips I have shared with you today.
At the very least you must install one of the WordPress security plugins & start making regular backups of your site!