WordPress is one of the most popular web content publishing tools. It is used by some very popular websites, so hackers constantly try to break WordPress security. WordPress is well developed and ships with good security implementations; however, if you follow a few practices you can be doubly assured that your website is protected from hackers. In this article we will cover some best practices for WordPress security.
Hackers always look for the areas where a vulnerability is likely. In other words, hackers target the open points of your WordPress installation. The following are some of those open points:
- WordPress Theme
- Admin Login
- Registration Page
- Image Uploading
- Cookie and Form Data
- FTP Account
If you secure the areas above, I believe you will never need to worry about anything else concerning your WordPress security. In the next sections we will learn how to secure these areas.
WordPress Theme and Security
Hackers often try to get you to install a theme of their own. In that theme they can insert their own code and easily break your WordPress security. Some developers also write vulnerable themes: for example, they use GET and POST parameters directly in database queries without escaping or sanitizing the values, so a hacker might attempt SQL injection.
To avoid this, always use authentic themes. If you want a free theme, get it from WordPress.org. If you want a paid theme, purchase it from a well-known vendor. If your website is critical to you, you should also have your theme code audited.
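The injection pattern described above, shown next to its hardened form, as an added example that is not code from the article or from any real theme. The function names (insecure_recent_posts, safe_recent_posts) and the request parameter cat are hypothetical; the WordPress APIs used ($wpdb->prepare, absint, esc_html) are real.

```php
<?php
// Added example (not from the article): a theme fragment that echoes the
// injection pattern described above, next to the hardened form.
// Function names and the "cat" request parameter are hypothetical.

// INSECURE: a request value is dropped straight into the SQL string, so an
// attacker-controlled value changes the meaning of the query. The result is
// also printed without escaping, which adds an XSS problem on top.
function insecure_recent_posts() {
    global $wpdb;
    $cat = $_GET['cat'];
    $sql = "SELECT p.ID, p.post_title FROM {$wpdb->posts} p "
         . "JOIN {$wpdb->term_relationships} tr ON tr.object_id = p.ID "
         . "WHERE tr.term_taxonomy_id = $cat AND p.post_status = 'publish' LIMIT 5";
    foreach ( $wpdb->get_results( $sql ) as $row ) {
        echo '<li>' . $row->post_title . '</li>';
    }
}

// HARDENED: cast the input to the type the query expects, pass it through
// $wpdb->prepare() as a placeholder, and escape on output.
function safe_recent_posts() {
    global $wpdb;
    // absint() turns anything that is not a non-negative integer into 0.
    $cat = isset( $_GET['cat'] ) ? absint( $_GET['cat'] ) : 0;
    if ( 0 === $cat ) {
        return; // no valid category requested; render nothing
    }
    // %d and %s placeholders are filled in by prepare(), never by concatenation.
    $sql = $wpdb->prepare(
        "SELECT p.ID, p.post_title FROM {$wpdb->posts} p
         JOIN {$wpdb->term_relationships} tr ON tr.object_id = p.ID
         WHERE tr.term_taxonomy_id = %d AND p.post_status = %s LIMIT %d",
        $cat,
        'publish',
        5
    );
    foreach ( (array) $wpdb->get_results( $sql ) as $row ) {
        // esc_html() so a title containing markup cannot inject script into the page.
        printf( '<li>%s</li>', esc_html( $row->post_title ) );
    }
}
```

When auditing a theme, search for `$_GET`, `$_POST` and `$_REQUEST` and check that every occurrence reaches the database only through `$wpdb->prepare()` or a WordPress query API such as `WP_Query`, and reaches the page only through an `esc_*()` function.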
Protect Your WordPress Admin Login and Registration
Hackers usually create automated WordPress login scripts that generate username and password combinations and try to log in to your WordPress admin. They can identify your website and hit it with such a script. If your password is generic or not complex, believe me, within days they can break it. You can protect your login from hackers in the following ways:
- Use a captcha on Login and Registration: On every login form you can use a captcha so that no automated script can log in or register. You can either create your own captcha or use a plugin such as Captcha or reCaptcha.
- Password-protect the admin directory: You can use HTTP authentication to protect your admin directory. It creates an extra layer of security for your wp-admin directory.
- Ask your server administrator to restrict admin access to your own IP address: If you have a static IP at your home or workplace (from where you manage your website), it is best to allow access to your wp-admin folder only from your own IP.
- Create a more secure admin user and password: Always use a strong password. If you cannot motivate your editors or yourself to create secure passwords, you can use the plugin Force Strong Password.
Image Uploading Protection
In WordPress I have personally seen a common mistake made by some webmasters: they give 777 permissions to the upload folder. Hackers may exploit such a folder. Also, if your image uploader is vulnerable, they can easily upload a PHP or shell script to your server and execute it. The best permission you can give the upload folder is write/read/execute for the apache user only.
Cookies and Form Data Security
By default the WordPress login works on cookies, so if somebody gets your login cookie they can easily start a new login session. In some cases it has been observed that, due to a virus on the network, a hacker obtains your login details or cookie while you submit them. To protect against this kind of network attack, use SSL on the login and admin pages. If an SSL certificate is installed on your hosting server, use the following code in your wp-config.php to move your WordPress admin and login to SSL:
Put the above line at the beginning of your wp-config.php (after the <?php tag).
FTP account Protection
While you upload your files to the server, a virus on your machine can append code to a file before it is uploaded. FTP is a somewhat less secure protocol for file uploading because it transfers files unencrypted. So always use SFTP or FTP over SSL.
Last but not least: a plugin is nothing but a set of PHP code you use to add a new feature to WordPress. So please do not use any WordPress plugin from an unauthentic source; they might include code that compromises your WordPress security. Download plugins from wordpress.org; if your requirement is not fulfilled by a wordpress.org plugin, always hire a good developer to create the plugin.