WordPress System Security
The best thing you can do to make sure that your site and business are not affected by a hack is to keep multiple current and regular backups. Get a plugin that handles scheduled backups so you don’t have to manage it. Some options are:
- Backup to Dropbox (Free)
- Backup to Google Drive (Free)
- Backup Buddy (Paid)
- ManageWP (Paid and Free subscriptions)
These are not just backup tools, but robust tools to manage multiple WordPress installs, updates, users, and even posts.
If backups are the best way to limit damage (because you can recover quickly), updates are the best way to prevent a hack in the first place. When you log in and see the message that your WordPress core is out of date, that your theme has an update, or that 20 of your plugins need to be updated, do it! Make sure you have a recent backup before running updates, but do it and do it often. You don’t need to be on the cutting edge, but the most recent version of WordPress has been through many, many rounds of testing. Even if you have plugins that are not used or not even active on your site, you should still update them (or remove them if you truly aren’t using them).
Similar to updating your plugins and themes, you should start out on the right foot and make sure you are using regularly maintained, high-quality plugins and themes. The WordPress plugin repository offers some great tools for evaluating a plugin’s quality. If a plugin hasn’t been updated in years, the repository will warn you. For all plugins you can review the number of downloads, the user ratings and the date it was last updated on the right side. You can also look at the plugin’s forum to see if the author responds to bugs and questions. Themes are similar: I like to buy themes from trusted authors and not from anonymous ones on large marketplaces. Even on a marketplace you should be able to review the credibility of an author based on their responses to issues and the number of themes they have out there.
Back on the technical side: you should hide your WordPress version from the public. Currently it is printed in the header of your site and thus can be viewed by anyone who visits. This could give a hacker a head start if they know that the version of WordPress you are running has a specific vulnerability. Again, there is a simple piece of code you could use in your functions.php:
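The functions.php snippet the paragraph refers to did not survive on this page. The following is an added example, not the article’s own code: it removes the generator tag from the page header and, going a step beyond the paragraph, also blanks the version in feeds and strips the core ?ver= query string from scripts and styles. The function name example_strip_core_version_query is chosen here and is not a WordPress API.

```php
<?php
// Added example (not the article's own snippet): hide the WordPress version
// in the places it is normally exposed. Drop this into your theme's functions.php.

// 1. The <meta name="generator"> tag printed in the HTML <head>.
remove_action( 'wp_head', 'wp_generator' );

// 2. The generator element in RSS/Atom feeds and anything else that calls the_generator().
add_filter( 'the_generator', '__return_empty_string' );

// 3. The ?ver=<core version> query string WordPress appends to core scripts and styles.
//    Only the core version is stripped; plugin and theme version strings are left
//    alone so their cache-busting keeps working.
function example_strip_core_version_query( $src ) {
    $core_version = get_bloginfo( 'version' );
    $query        = wp_parse_url( $src, PHP_URL_QUERY );
    if ( empty( $query ) ) {
        return $src;
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === $core_version ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'example_strip_core_version_query', 10, 1 );
add_filter( 'script_loader_src', 'example_strip_core_version_query', 10, 1 );
```

After adding it, view the page source and your RSS feed to confirm the version string is gone. This only hides the number; it is no substitute for the updates discussed above.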
However, the Secure WordPress Plugin hides that for you, so that is the best route.
Protecting your WP-Config.php
The single most important file in your WordPress install is the wp-config.php file. It is also a security risk. It contains critical information on your site and install including your database name and password. If a hacker gets that information they have the keys to the kingdom.
Two ways to protect your wp-config file:
Move it to the folder above your WordPress install. So if you installed your site in your root web folder (something like public_html/[wordpress files]), you could move your wp-config.php file to the same level as your public_html folder. WordPress will still be able to find it, but hackers won’t.
For more technical users, you can protect your wp-config.php by adding server code (see the Net Magazine article in the Other Resources section for more details).