Top WordPress Security Tips you May Know, but Often Tend to Ignore!

By

January 21, 2013 | Blogging | 8 Comments

WordPress Security Image

(Image Source: PixelCeller.com)

Previously, when I started this blog, I was least bothered about securing it from hackers and other threats, because I didn’t know anything about WordPress security and had no interest in learning about it at that time. I was driven by the wrong myth that I was completely secure and that no one would want to hack my blog, as there was nothing to gain from it.

Now I feel like laughing when I think about those days when I was so careless about securing my blog. But a few weeks ago, I saw many of my friends’ blogs getting hacked one by one. Even some very popular blogs got hacked, like FamousBloggers.net. I am a big fan of Hesham Zebida, and I was really disappointed to see his blog hacked too.

I was really moved by all this. Many of my friends had lost everything they had built over months or even years. Some had taken regular backups; some didn’t even have that.

Some of them showed me screenshots of hackers asking for money ($1000 or even more) to get their blog back.

It’s Time To Take Immediate Action

I started searching for and reading every single article about WordPress security. I installed almost every security-related plugin, hoping to secure my blog to the maximum level. But piling on security plugins is not going to make your blog any more secure, and installing some random plugin you have never heard of is not going to help you either.

In my quest to secure my blog better, I have learned many things about WordPress security, which I am going to share with you in detail.

I cannot say that my blog is completely secure and will never get hacked. That would be just another myth. Nothing in this world is completely secure. Whatever security measures you take today will be broken by some hacker tomorrow.

You need to audit the security of your site regularly and keep yourself up to date as circumstances change.

The Most Important WordPress Security Measures

In this article I go through the most important security measures you must take for your WordPress blog. The article focuses entirely on WordPress, but some of the measures apply to other CMSs as well.

1) Choosing the Right Web Host Comes First

VPS vs Shared Hosting in terms of WordPress Security (Image Source: EarningDiary.com)

The first thing you do when building a blog or a website is choose a web host. The web host is also a very important factor in securing it. There are many new and little-known web hosts that offer unlimited hosting features at a very low price.

Beware of these web hosts. I have seen many of my friends host their WordPress blogs with such providers and get their blogs hacked. The web host plays a very important role in securing your WordPress blog; if the host itself is not secure enough, how can it help you secure your site?

I myself faced the same problem when I hosted my site with a very obscure web host, mainly because it was so cheap. One day I found many spammy links from my blog pointing to many different spammy websites, which I had never placed there myself.

The next question is whether shared hosting is dangerous. Obviously a VPS is much more powerful and more secure than shared hosting. But you may not be able to afford a VPS, or your blog may not need one right now, and that is quite justified.

Shared hosting is not bad either. Our blog is also on shared hosting. There are a few limitations, but they don’t cause much trouble for our blog. Just make sure the server your blog is hosted on doesn’t host too many other sites. If any of them is severely hacked, the other sites in that shared environment are also at risk of being compromised.

2) Use a Password Stronger than Superman

One of the biggest mistakes many of us make is choosing a simple, and thus weak, password. Many argue that they need to open their WordPress admin panel many times a day, so typing a long and difficult password is tiring work.

I sometimes wonder how some people still use “password” or “1234” as their password. Those can be cracked within seconds.

Try to use a password 12-15 characters long, with letters (both uppercase and lowercase), numbers and special symbols. There are many sites that can help you generate passwords that are easy to remember but still strong enough.

Choosing a strong password is one of the most important aspects of securing your WordPress site. Nowadays almost all attacks are automated; hardly anyone will try to hack your site by hand. Instead, attackers use automated bots and brute-force attacks, so with a very strong password it becomes almost impossible for them to break into your blog.

3) Restricting Access to your WordPress Login

There are many ways to secure your WordPress admin area. First of all, you can change the login and admin area slug from http://domain.com/wp-login.php to something only you know and that others cannot guess.

This works like magic to protect your site from potential threats. It is like hiding the lock of your safe so that no one can find it. Many will try to find the key, but if they do not know where the lock is, finding the key is useless.

Now, if someone somehow reaches the login area, you can restrict their access using the Login Lockdown method. If a user enters the wrong password too many times, they are blocked from entering your site at all. Only you can manually unblock that person, which I guess you will never do.

You can also change the “admin” username. This is another very important task in WordPress security. Every hacker knows that a WordPress blog will have an “admin” user by default, so all he needs to do is guess the password. But if you completely remove the “admin” username (which will not hurt your site in any way), the hacker has to guess both the username and the password, which is far more difficult.
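As an added illustration of the Login Lockdown method described above (example code written for this page, not from the original post or any WordPress plugin), here is a Python replay of constructed web-server access-log lines that counts failed POSTs to wp-login.php per IP address and locks the address out after five failures within ten minutes. It assumes the usual pattern that a failed login re-renders the form with HTTP 200 while a successful login redirects with HTTP 302, and that a locked-out address stays locked until an administrator clears it by hand.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample access-log lines (combined log format), not real traffic:
# 203.0.113.7 fails five times, then sends the right password (302); 198.51.100.2 fails once, then logs in.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jan/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.7 - - [21/Jan/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.7 - - [21/Jan/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.7 - - [21/Jan/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.7 - - [21/Jan/2013:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.7 - - [21/Jan/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.2 - - [21/Jan/2013:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
198.51.100.2 - - [21/Jan/2013:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(line):
    """Return (ip, timestamp, method, path, status), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def lockdown(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Replay the log and return {ip: time_of_lockout}. A failed POST to
    wp-login.php re-renders the form (200); a success redirects (302).
    After max_failures failures inside `window` the IP stays locked out,
    so its later requests are ignored until an admin unblocks it by hand."""
    failures = defaultdict(list)
    blocked = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != "/wp-login.php" or ip in blocked:
            continue
        if status == 200:  # failure: keep only failures inside the window
            failures[ip] = [t for t in failures[ip] if t > ts - window] + [ts]
            if len(failures[ip]) >= max_failures:
                blocked[ip] = ts
        elif status == 302:  # successful login resets the counter
            failures[ip] = []
    return blocked
```

Note that the sixth request from 203.0.113.7 carries the right password, yet it is ignored because the address is already locked out; the second address is never blocked because its single failure is cleared by the successful login.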

4) Never be Late to Update your WordPress, Plugins and Themes

Stay up-to-date with the Themes and Plugins

I have heard many bloggers blame WordPress for getting their blog hacked. That is yet another myth. The WordPress core itself is very secure, and you should be proud to be working in such a secure CMS. It is our own mistakes that get us hacked.

But as I said before, nothing in this world is 100% secure. There are loopholes in WordPress itself, but the WordPress development team is prompt in working on a fix or patch and solving the problem immediately.

So whenever you see a notification in your WordPress admin area to update your CMS, update WordPress immediately, without any delay.

The same applies to plugins and themes. There are loopholes in many plugins and themes. Don’t fall for the myth that themes and plugins from the WordPress repository are completely safe.

So whenever you see an update for your themes and plugins, apply it without a moment’s delay. This step alone can protect you from many threats. Many people don’t take it seriously enough and get their WordPress site compromised.

5) Keep both your CMS and your WorkStation Clean

You need to take care of both WordPress and the computer from which you operate your blog. Both are equally essential. If either of them is compromised, there is ample scope for your site to get hacked.

If the computer from which you operate your blog gets infected by malware or a virus, that can damage your site too, since you access your site from that infected computer. Suppose you try to upload a file to your server from the infected computer: the virus will do its best to upload a piece of malware to your server as well. Hackers can then access your server from anywhere in the world and hack your site easily.

Scan your computer for viruses regularly, and clean it whenever any threat is detected. This helps a lot, I can tell you. Even a very strong 12-15 character password will not help if your computer has been infected by malware such as a keylogger. No matter how strong your password is, it can easily be logged and sent to the hacker. So be very cautious and aware.

Moving to the WordPress side, you also need to keep your CMS clean by scanning for malware regularly. If any malware somehow gets onto your server, you should scan for it and remove it immediately.

Another thing many of us ignore: we have a bad habit of keeping unused plugins and themes in our CMS. Even though they are deactivated, their files can still be reached from the Internet, so any vulnerability in them can still be exploited. So always make it a habit to delete unused plugins and themes.

8 Responses to “Top WordPress Security Tips you May Know, but Often Tend to Ignore!”
  1. candice michelle says:

    Thanks for this great and very informative article. I really appreciate your blog and I will definitely share it with my friends. Hope your blog will grow as much as possible.

  2. Anurag says:

    So, in the third point you are saying to use a plugin to hide the WordPress login page, but that doesn’t work, as I have tested it many, many times and still someone tries to log in with my older username admin. I think hiding the login page is a waste of time, as hackers are still able to find the page.

  3. Sarah Park says:

    Hi,

    Thanks for all these very helpful reminders. I got hacked too, due to a poor password. I am one of the many who use the same password on almost all of my accounts. That was a big mistake I swear I won’t ever make again.
