Securing Your WordPress Website

Website security isn’t a light matter.  There are hackers, bots, malware, buggy scripts, and other things to defend your hard work against.  Just recently I discovered how one out-of-date WordPress plug-in can easily put you on high alert.  

The first lesson I learned was the value of a great hosting provider.  I use SiteGround to host all the sites I administer.  I’ve tried several providers before using SiteGround.  I was sold on their extremely speedy shared hosting plans.  In this situation they pulled one of my accounts offline while it was under attack, and this saved the site.  They were easy to work with and quick to respond to my requests, even providing me a list of the evil files that had gotten uploaded in various places on the site.  I could have paid for them to clean up the mess, but I enjoy learning while tackling such a challenge.

The second lesson I was schooled on was a huge fact I had missed in several years of working with WordPress.  The default installation options are not as secure as they could be.  The wp-config.php file, which holds sensitive information, should be locked down better.  After some digging I found one of the easiest ways to strengthen the security of WordPress.  Simply installing the iThemes Security plug-in and enabling a few settings will go a long way to secure a site.  The free version of the plug-in has tons of features and I now consider it an essential part of a WordPress install.

Finally, it seems that it’s quite important to keep WordPress core up to date.  This also means keeping the plug-ins up to date as well.  I know this seems obvious.  In this case an annual subscription was required to install new versions of a plug-in.  I felt that I didn’t need the new features because the version I was running worked just fine.  Of course I forgot about one of the biggest reasons to keep current: security patching.  A bot found the hole in the upload feature and began sending scripts to my site.

In case you ever find yourself in a similar situation, here is a small checklist to follow after a hack:

  • Find your prior backups of the site. Consider a restore.
  • Remove all rogue scripts.
  • Scan all the files for viruses, malware, and exploit scripts.
  • Reset passwords (administrator, database, WordPress secret keys, hosting accounts, FTP, cPanel).
  • Update WordPress and plug-ins.
  • Review the security settings of WordPress and adjust.
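The checklist above, plus the wp-config.php point from earlier, can be driven from the shell on the hosting account.  The script below is an added example for this post; it is not code from the original post, from WordPress, or from iThemes.  It assumes the stock WordPress layout (wp-config.php and wp-content/uploads directly under the site root) and standard find, grep and tr.  The sample tree it builds, including the "wp-cache.php" web shell and the "hunter2" password, is constructed for the dry run and is not taken from the incident described here.

```sh
#!/bin/sh
# Post-compromise triage for a WordPress tree: added example, not code from the
# original post or from WordPress/iThemes. Assumes the stock layout
# ($WP_ROOT/wp-config.php, $WP_ROOT/wp-content/uploads) and POSIX find/grep/tr.

# Any PHP file under wp-content/uploads is suspect: that directory should hold
# media only, and an upload-handler bug is exactly how scripts land there.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' -o -name '*.phar' \) \
        2>/dev/null | sort
}

# PHP files anywhere in the tree using the obfuscation idioms dropped web
# shells almost always rely on. Expect a few false positives in plugins; read
# each hit rather than deleting blindly.
find_suspicious_php() {
    grep -rlE --include='*.php' --include='*.php.*' \
        'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' "$1" 2>/dev/null | sort
}

# Files modified within the last N days. Compare against the date the host
# first flagged the attack; core and plugin files should not have changed
# unless you updated them yourself.
find_recently_modified() {
    find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}

# wp-config.php carries the database password and the secret keys. Prints the
# path if it is group- or world-readable (other accounts on a shared host
# could read it), nothing otherwise.
find_exposed_wp_config() {
    find "$1" -maxdepth 1 -type f -name wp-config.php \
        \( -perm -004 -o -perm -040 \) 2>/dev/null
}

# Fresh secret keys and salts for wp-config.php. Replacing them invalidates
# every existing login cookie, including any the attacker still holds.
gen_wp_salts() {
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
               AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        val=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*()_+=<>?,.;:~-' < /dev/urandom | head -c 64)
        printf "define('%s', '%s');\n" "$key" "$val"
    done
}

# Constructed sample tree for a dry run: one legitimate plugin file, one image,
# a world-readable wp-config.php, and a dropped shell in the uploads folder.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2019/06" "$root/wp-content/plugins/legit"
    printf "<?php define('DB_PASSWORD', 'hunter2');\n" > "$root/wp-config.php"
    chmod 644 "$root/wp-config.php"
    printf 'GIF89a' > "$root/wp-content/uploads/2019/06/photo.gif"
    printf '<?php\nfunction legit_hello() { return "hi"; }\n' \
        > "$root/wp-content/plugins/legit/legit.php"
    printf '<?php eval(base64_decode($_POST["c"]));\n' \
        > "$root/wp-content/uploads/2019/06/wp-cache.php"
    # Backdate the legitimate files so the recency check singles out the drop.
    touch -t 201901010000 "$root/wp-config.php" \
        "$root/wp-content/uploads/2019/06/photo.gif" \
        "$root/wp-content/plugins/legit/legit.php"
    printf '%s\n' "$root"
}

# Dry run against the sample tree. Point the functions at your real site root
# instead of "$demo" to triage a live install.
demo=$(make_sample_tree)
echo "PHP in uploads:";      find_php_in_uploads "$demo"
echo "Obfuscated PHP:";      find_suspicious_php "$demo"
echo "Changed in 7 days:";   find_recently_modified "$demo" 7
echo "Exposed wp-config:";   find_exposed_wp_config "$demo"
echo "New salts:";           gen_wp_salts
rm -rf "$demo"
```

Run it from the hosting account after the backup has been taken, never before: the finds are read-only, but you want the rogue files preserved for comparison before anything is deleted.  Paste the gen_wp_salts output over the existing key block in wp-config.php, then change the database password in the same file.  If find_exposed_wp_config prints a path, chmod 600 is right only where PHP runs as your own account user (the suPHP/FastCGI setups most shared hosts use); where PHP runs as the web-server user, 640 with the web-server group is the tightest setting that keeps the site up.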