A Basic Guide for Securing Your First WordPress Site

Securing Your First Site can be Scary

Starting a site can be confusing, and a bit intimidating for novices, not least because it brings with it a host of new potential risks that most of us lack the knowledge to counteract or the context to recognize.

The simple truth is that the easiest way to secure a site is to hire someone who really knows what they’re doing to work on it. Barring that, there are a few key problems you’ll need to consider, especially if you’re self-hosting. If you’re relying on a service to handle that end of your site, all of this is far less of a concern. Otherwise, a good guide will help you avoid most mistakes.

This article isn’t going to tell you how to do any of this securing, because that would be a very long post, but it will help you understand which risks you should be ready for. Take it as a place to start, not an exhaustive guide to everything you need to consider.

The Front End, the Back End

When we talk about security for WordPress sites, we’re looking at basically three layers. The first is the public-facing page. You don’t want this defaced (particularly with spam containing malicious links), and since it’s right out there, it is in many ways the most vulnerable part of the site. However, the stakes are relatively low compared to the other tiers of access.

The main target of brute force and similar clumsy attempts at breaching your site will likely be the admin panel, which you might think of as the second layer of site access. On basic installs, it’s usually located at site.com/wp-admin, and bots will hit it dozens or hundreds of times a day, trying to guess your username and password. Many plugins are available to prevent this by banning IPs that repeatedly try and fail to log in to your admin panel.

The final aspect of concern is the actual server your site resides on. If this is breached, you’ve got real trouble. It is oversimplified to speak of these as three layers of security, but it’s good enough for someone trying to evaluate the problem of site security for the first time.

The Truly Basic Checklist

Securing Your WordPress Install

Many site owners, particularly novices, use the WordPress platform. For that reason, there are extensive official notes available on how to harden your install, outlining the basic strategies. If you’re using WordPress, you should read them. Many web designers are not completely versed in hardening WordPress sites, so it’s not a bad idea to check them out even if you hired a professional developer.

Read, Write, Execute

One particularly good (and easy) place to start is to change the file permissions so that read/write/execute (rwx) privileges are more restricted than they are in the default setup. There’s a good official guide for that, too.

Unique Usernames and Passwords

As general good practice, everyone using your site (employees and coworkers included) should have their own username and password. If you’re sharing passwords, you don’t know who’s doing what, or who they’re sharing the password with.

Update, Update, Update!

WordPress updates its core code often, and most updates between major version changes are aimed at shoring up security. For that reason, it’s a good idea to keep updated to the most recent version. The same is true for whichever theme you’re using.

Plugins as Friends

The final major step for WordPress installs is to make use of a security plugin like Wordfence. The truth is, these plugins aren’t perfect, but among the many simple tasks they perform, they limit login attempts, reducing your exposure to brute force attacks.

Plugins as Enemies

One of the biggest potential security risks on a WordPress site actually comes from attackers exploiting weaknesses in the plugins installed on it. For this reason, it’s best to use plugins with high ratings, available on the codex, which are updated regularly. If you have automatic updates turned off, be sure to stay on top of this yourself.

A Note on Admin vs. SSH/SSL/FTP

Here’s an important note: the username and password you use to enter the admin area of your site (the middle level of security) should not, under any circumstances, be the same ones used to communicate with your server directly through SSH, SSL or FTP access programs.

It’s a Start

It should go without saying that security is an ongoing battle, and every site owner has a responsibility either to stay abreast of it or to hire someone who will. This list will only get you so far, but it’s a good start.

If this guide seemed too basic for you, that’s great! If you’re disappointed, the good news is that cyber security is a very deep rabbit hole, and getting deeper by the day, so there’s lots, lots more to learn.

Guest post by Marco Mijatovic of First Site Guide