Hi Guys,
Searching on the internet I found this article for the security of Word Press. It’s Very useful article so I thought I share with our Readers. This article was taken from problogger. Hope you all will like it. Will keep your feedback about what you thought of this Article.
Right now WordPress powers 48 of the top 100 blogs online. More than that, WordPress actually powers 19% of the web as a whole.
Essentially, this is great. Such a strong community of users and developers means that the platform is sure to evolve even further and provide us with lots of cool features that are yet to be developed.
Unfortunately, this creates some dangers as well… Whenever there’s a big number of people trying to make something happen, there’s another group of people trying to take it all down.
The cases where a blog owner loses complete access to their site are not uncommon. Actually, sometimes even whole domains get hijacked, and I honestly have no idea on how that’s done.
But we don’t have to know how hijacking a domain or stealing a blog works to be able to implement some basic security precautions. And that is exactly what this post is about—making your blog secure without playing with source code, understanding things, and stuff.
Typical WordPress security problems
WordPress as a whole (a website management platform) is very well designed. It doesn’t have any preposterous security issues that beginning programmers could exploit. The problems, however, arise when you try to tweak your installation of WordPress by adding new plugins or themes, implementing hacks, or doing anything else that interferes with WordPress.
Of course, this doesn’t mean that you should settle for the default installation, not use any plugins, and only blog using the default theme. What it means is that you simply need to be careful when installing new stuff on your blog, as well as when setting up your blog for the first time.
Let’s start by discussing some of the common security problems you’ll need to handle.
The basics
Excuse me for being obvious, but you really need to start with proper usernames and passwords for your user accounts. Everyone realizes the importance of this, but not as many people implement the best practices.
You must use complex passwords—letters, numbers, special characters, spaces—and usernames that are not obvious. A password of “admin,” for example, is extra-obvious.
The name of the next problem in line: shady, untested plugins. WordPress plugins have a fair amount of power over how your WordPress installation works. If a plugin contains some buggy code, it can crash your blog completely. The same goes for code that’s not secure. Finally, if one of your plugins doesn’t implement any security features, it can become the point of entry for malicious bots or direct attacks by hackers.
Remember, the weakest link is where the chain breaks. You only need one low-quality plugin to get into trouble.
The advice I have here is: don’t use any plugin that hasn’t been updated in a while, or hasn’t been officially tested with the newest version of WordPress. Being up to date is always the best precaution. Also, plugins that are more popular are usually more secure as well.
There’s one more big issue we have to in terms of shady code, and that’s WordPress themes. I will say this again—and I’m not sorry for it—free themes are evil.
Well okay, not all of them. There are two kinds of free themes:
(1) The good ones, released by quality theme stores as a way of attracting new customers by spreading one or two great free themes,
(2) The evil ones made primarily to look great, attract many users, and use the space in the footer for SEO purposes.
These SEO-focused themes often use some strange, encrypted PHP code that can’t be removed, otherwise the theme stops working. This code usually displays search-optimized links (sometimes in an invisible font).
You never, let me repeat, never want to have encrypted code on your site. Even when you get the theme for free in exchange for hosting this encrypted section, it’s not worth it.
If you’re planning to use your WordPress site as the base of your online business then buying a quality theme is a must. If you have a bigger budget, you could even hire a developer to build your theme on top of some popular theme framework.
Since we’ve now covered the basics user accounts, plugins, and themes let’s look into some of the things that you can do to actively make your blog more secure.
Steps to better security
First, let’s talk through some of the best practices in terms of security. Then, let me show you some cool security plugins.
Hosting security
Yes, it all starts here. The story is similar to the one about WordPress themes: if you want to have a secure environment, you simply need to invest money. Don’t use free hosting.
Make sure that your web host implements basic security features and that it has good reviews among users (search on forums; Google is likely to display only affiliate reviews, which aren’t always credible).
Secure your own machine first
This is not something that comes to mind immediately when we’re talking WordPress security, is it? But what’s the point of securing your WordPress installation on the host if you have a malicious key-logger installed on your computer that will pick up your password and send it to the attacker?
You always need to start by securing the machine you’re using to connect with your WordPress blog. There are many good antivirus apps available, so I won’t discuss this any further. Just keep in mind that this issue is equally as important as anything else described in this post.
Update, update, update
Update WordPress. Update your plugins. Update your theme. Try to install these updates immediately after the alert apepars in your Dashboard.
Here’s why. Fixes to new bugs and security holes are always a big part of every update. The minute an update gets released, all the changes are announced in the official doc that goes along with the update.
If a hacker wants to attack a site that hasn’t been updated yet, they just have to take a look at the document, do a little research and tackle the holes that the new version fixes.
For example, here’s an excerpt from the information on the newest version of WordPress:
“WordPress 3.3.2 also addresses: Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances, disclosed by Jon Cave of our WordPress core security team, and Adam Backstrom.”
Essentially, such information is a guide for hackers on how to attack outdated sites. So be sure to update everything, without delay.
Back up regularly
No one likes to get hacked, but we can’t assume that it won’t ever happen. You always should have an up-to-date backup of your WordPress site, just in case something goes wrong and you have to restore your blog.
You can do backups manually, or you can sign up to a paid service or simply get a plugin to do this for you (more on this later).
Delete plugins you don’t use
There’s no point in occupying your server’s resources with stuff you don’t use. The same advice applies to themes. Leave just the theme your blog uses, and delete the rest (you can leave the default theme, just in case).
Handy plugins to improve your blog’s security
Everybody loves them some cool plugins, right?! So here’s a list of the ones I recommend you use to make your blog more secure:
- AntiVirus: This plugin protects your blog against exploits, malware, and spam injections. It scans your theme’s files and notifies you if anything suspicious is going on.
- Online Backup for WordPress: This app is the one I use for my backups. You can use a schedule or perform backups by hand, and have them sent to your email address or made downloadable. The plugin backs up the database as well as the file system.
- Secure WordPress: This is where you stop scanning and start acting! This plugin performs a number of security tweaks to your blog. There’s no point in listing them here, so I invite you to check for yourself. Also, you can choose which ones you want to enable and which you don’t need.
- BulletProof Security: The list of things this plugin does is quite impressive. It’s a really serious piece of software. Just to name a few features: protection against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts, one-click htaccess protection, wp-config.php protection, and loads of other tweaks. It’s really worth looking into.
- Hide Login: This plugin has a very simple idea behind it. You can use it to hide your login page. In other words, it creates a custom login URL. It also lets you create a custom admin URL (instead of domain.com/wp-admin), and a custom logout URL.
