WordPress powered sites are getting hacked all the time.
30,000 sites were hacked earlier this year and 4,800 websites were deleted without any chance of recovery last year.
Even the backups were deleted from the web host's server in this case.
This shows you how risky cheap shared hosting can be, even if you have a backup.
If you haven’t copied all your files & databases and stored them in a secure location away from your server, you’re taking a risk.
Shared Server Risk
Web hosts which offer cheap hosting for less than $100 a year are cheap for a reason.
They stack between 6,000 and 10,000 websites on each server.
The problem with this is that your site becomes more vulnerable.
If one of the sites on the same server as yours is hacked and injected with malware, you risk suffering the same fate.
That’s one of the reasons you need to be extra careful and secure your installation on top of regular full backups in this situation.
You’ll find managed hosting providers do a lot of the security work for you.
WP Engine offer a more secure server environment than basic shared hosting providers.
Web Synthesis is another managed host which offers more security than what you normally get from a shared host as well.
Insecure File Permissions
Rather than leaving your files writable, it's best practice to change the permissions to:
- 644 for files and
- 755 for folders
Whenever you update WordPress, these are the settings your files and directories (excluding the wp-config file) will automatically be configured to.
If you have problems using WordPress after changing these permissions, you may need to make some of them writable again on your server.
Some web hosts take care of this for you and configure the permissions automatically for added security; however, some don't.
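The permission settings above, applied and then audited from the command line. This is an added example, not code from the original post: wp_harden_perms sets 755 on directories and 644 on files, and the two audit helpers report anything still writable by group or others so that a directory a plugin genuinely needs can be re-opened deliberately rather than left open by default. The path passed in is assumed to be the WordPress root, and the commands should be run as the account that owns the files.

```shell
#!/bin/sh
# Added example (not from the original post): normalise WordPress file
# permissions to 644 for files and 755 for directories, then audit for
# paths that are still writable by group or others.

# Apply the recommended permissions to every directory and file under ROOT.
wp_harden_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# List files and directories under ROOT that are writable by group or others.
# After wp_harden_perms this should print nothing; anything listed later is a
# deliberate exception (e.g. an uploads directory a plugin needs) to review.
wp_list_group_other_writable() {
    find "$1" \( -type f -o -type d \) -perm /022
}

# Count those paths (prints 0 when the tree is clean).
wp_count_group_other_writable() {
    wp_list_group_other_writable "$1" | wc -l | tr -d ' '
}

# Usage (assumed path):
#   wp_harden_perms /home/user/public_html
#   wp_count_group_other_writable /home/user/public_html
```

Re-run the count after every theme or plugin update, since installers sometimes create world-writable directories of their own.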
Protect Admin Folder
I’ve already written about how to protect your wp-admin folder.
If you’re not using cPanel and want to password protect your wp-admin folder manually, you’ll need to create .htaccess files which can conflict with plugins using Ajax on the front end of your site.
Note: Any code placed between the opening and closing WordPress tags in .htaccess can be overwritten by WordPress.
Example: In this screenshot you can see the opening # BEGIN WordPress and closing # END WordPress tags.
There are a few plugins which make it easy to protect your site without needing to play around with code.
- Wordfence – This is an all-in-one plugin which covers many of the vulnerabilities hackers try to exploit to damage your installation.
- Limit Login Attempts – Wordfence already covers this feature along with many others.
There are several others I have tried and written about in previous posts filed under the security category.
Login Username & Password
There are many free online tools you can use to create the strongest usernames and passwords for maximum security.
If you haven’t already used strong login details, here’s a tutorial on how to change your username and password.
Protect wp-config File
All you need to do to secure your configuration file is move it above your public_html root directory.
- By default your wp-config sits here: home/user/public_html/wp-config.php
- Move it to here: home/user/wp-config.php
Don't move it to another folder located in your public_html root, or it won't be secure.
If you decide to leave it in your public_html root directory, you can instead place this code into your .htaccess file to prevent the public from viewing it:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Here's where it should go in your .htaccess file: at the very top of the file.
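Both options from this section, scripted with the checks a careful operator would want. This is an added example and not code from the original post. wp_move_config moves wp-config.php into the parent of the document root, which is where WordPress looks for it (wp-load.php reads ../wp-config.php only when ../wp-settings.php is absent, so the function refuses if the parent is itself another WordPress install). wp_htaccess_deny_config prepends the Files rule to .htaccess, above any # BEGIN WordPress block so WordPress cannot overwrite it, and skips the write if the rule is already there; wp_htaccess_rule_is_safe confirms the rule exists and does not sit inside the WordPress block. The public_html path is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for the two ways of
# protecting wp-config.php described above. Paths are illustrative.

# Move DOCROOT/wp-config.php to the parent directory of DOCROOT.
wp_move_config() {
    docroot="$1"
    parent=$(dirname "$docroot")
    src="$docroot/wp-config.php"
    dst="$parent/wp-config.php"
    if [ ! -f "$src" ]; then
        echo "no wp-config.php found in $docroot" >&2; return 1
    fi
    # WordPress only reads ../wp-config.php when ../wp-settings.php is absent,
    # i.e. when the parent directory is not itself a WordPress install.
    if [ -f "$parent/wp-settings.php" ]; then
        echo "parent directory looks like another WordPress install; not moving" >&2; return 1
    fi
    if [ -e "$dst" ]; then
        echo "$dst already exists; not overwriting" >&2; return 1
    fi
    mv "$src" "$dst"
}

# Prepend the deny rule to HTACCESS (created if missing). Placing it at the
# very top keeps it outside the # BEGIN/END WordPress block that WordPress
# rewrites. Does nothing if the rule is already present.
wp_htaccess_deny_config() {
    htaccess="$1"
    if [ -f "$htaccess" ] && grep -q '^<Files wp-config.php>' "$htaccess"; then
        return 0
    fi
    tmp=$(mktemp)
    {
        printf '<Files wp-config.php>\norder allow,deny\ndeny from all\n</Files>\n\n'
        if [ -f "$htaccess" ]; then cat "$htaccess"; fi
    } > "$tmp"
    mv "$tmp" "$htaccess"
}

# Exit 0 if the deny rule is present and not inside the WordPress block.
wp_htaccess_rule_is_safe() {
    awk '
        /^# BEGIN WordPress/ { inwp = 1 }
        /^# END WordPress/   { inwp = 0 }
        /^<Files wp-config.php>/ { found = 1; if (inwp) bad = 1 }
        END { if (found && !bad) exit 0; exit 1 }
    ' "$1"
}

# Usage (assumed paths):
#   wp_move_config /home/user/public_html
#   wp_htaccess_deny_config /home/user/public_html/.htaccess && \
#       wp_htaccess_rule_is_safe /home/user/public_html/.htaccess
```

The Files block uses the Apache 2.2 order/deny syntax shown in the post; on Apache 2.4 without mod_access_compat the equivalent directive is Require all denied.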
Change WP Database Table Prefix
By default, you'll find your database table prefix starts with wp_.
Hackers know this, so it makes your database vulnerable to SQL injection.
Not something you want to try and clean up. The TimThumb vulnerability is a prime example.
It's best to change this prefix before or during installation.
Read more about how to change the default WordPress database prefix.
Updating Themes & Plugins
Another way hackers get into your site is by exploiting out-of-date themes, plugins and core WordPress files.
Update your files as soon as you see the Updates link highlighted in your Dashboard.
If your host offers this option, it's safer to use SFTP rather than FTP.
SFTP encrypts the data being transferred, while FTP does not.
Here are a few different ways to back up your files & databases.
Don’t forget to store your backup in a secure location.
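A backup routine that follows the advice in this section and in the opening paragraphs: archive the files, record a checksum, verify the archive, and only then copy it off the server so a compromised host cannot take the backup down with the site. This is an added example, not code from the original post. The backup-host name and remote path are placeholders; wp_dump_db reads the database credentials from wp-config.php and needs a live MySQL, so it is the one function not exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): file backup with checksum
# verification and an off-server copy step. Destination names are placeholders.

# Read a define('KEY', 'value') entry from wp-config.php (single-quoted values).
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*'$2',[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Dump the site's database using the credentials in CFG. Requires mysqldump
# and a reachable database server.
wp_dump_db() {
    cfg="$1"; outfile="$2"
    MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" \
        mysqldump --single-transaction \
        -h "$(wp_config_value "$cfg" DB_HOST)" \
        -u "$(wp_config_value "$cfg" DB_USER)" \
        "$(wp_config_value "$cfg" DB_NAME)" > "$outfile"
}

# Archive SRC (the WordPress root) into OUT as a timestamped tar.gz and write
# a SHA-256 checksum beside it. Prints the archive path.
wp_backup() {
    src="$1"; out="$2"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$out/wp-$stamp.tar.gz"
    mkdir -p "$out"
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
    ( cd "$out" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
    echo "$archive"
}

# Verify the checksum and that the archive is readable. Non-zero on any failure,
# so a truncated or tampered archive is never shipped off-site.
wp_backup_verify() {
    archive="$1"
    ( cd "$(dirname "$archive")" && sha256sum -c --status "$(basename "$archive").sha256" ) \
        && tar -tzf "$archive" > /dev/null
}

# Copy a verified archive and its checksum to a host the web server cannot
# delete from (placeholder destination).
wp_backup_offsite() {
    archive="$1"
    wp_backup_verify "$archive" || return 1
    scp "$archive" "$archive.sha256" backup-host:/srv/wp-backups/
}

# Usage (assumed paths):
#   wp_dump_db /home/user/public_html/wp-config.php /home/user/public_html/db.sql
#   a=$(wp_backup /home/user/public_html /home/user/backups) && wp_backup_offsite "$a"
```

Keep the checksum file with the archive wherever it is stored; a backup you cannot verify before restoring is only slightly better than no backup.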
Online Security Scanning
You can scan your WordPress installation using several free online services, like Sucuri's SiteCheck Tool, and check for different types of security issues.
Based on my experience using Sucuri immediately after finding out my site had been hacked, Sucuri’s SiteCheck Tool failed to detect malware & malicious redirects and therefore cannot be relied upon.
The tool is a web-based service and cannot access your server; however, it should detect navigation menu and footer links which have been injected with malicious code redirecting to a pirate site, which it didn't.
Security Plugins for Scanning
I recommend Wordfence and Website Defender, which I have tested; both detected the malware hacked into my core WordPress files.
These plugins will alert you by email to security threats and changes in files.
Cooper Dukes says
The other side of the ‘move wp-config’ argument: http://wordpress.stackexchange.com/questions/58391/is-moving-wp-config-outside-the-web-root-really-benefitial
I’d be curious if you have any particular reason to move the file beyond the usual argument?
Brad Dalton says
There are many ways to protect your config file, which contains your db username and password. Moving it out of your public_html root is one.
The others Christopher Davis discusses are also options. By default, WordPress will find and read your wp-config regardless of where it is.
Creating a full backup and storing it away from your server is essential, and I think using usernames and passwords of 20 digits or more from a strong generator is another way to secure your installation.