Update, Update, Update!
Everybody has seen this over and over again, and with good reason. WordPress is one of the most widely used Content Management Systems (CMS) for blogging and the security patches provided in their updates can help keep your site secure. The older your WordPress version is the more time there has been for hackers to try and find a way in. Remember to keep your themes and plugins as well.
Remove unused plugins and themes
Even if you keep everything updated, you will want to make sure that every old plugin or theme you do not use is removed. A common, unused theme could still serve as an entry point to your site. As long as the theme/plugin is installed the files are on your site they are potential risks, so cutting back the amount of entry points is key to keeping your site secure.
Hide your wp-config.php file
Your wp-config.php file contains extremely sensitive information (such as your database connection). Because of this, WordPress added the ability to move your wp-config.php file one directory above your webroot so it is no longer visible to the public.
So, instead of [code]/domain.com/public_html/wp-config.php[/code], you would have [code]/domain.com/wp-config.php[/code].
Now, even if permissions aren’t set correctly, or there is an exploit within your version of WordPress, your wp-config.php is not accessible in a browser and your database information is safe.
Remove “admin” user
Oftentimes hackers won’t be guessing your password. They will use a program that attempts to figure out your credentials by using common usernames and passwords over and over again until it logs in, called a brute force attack. Since “admin” is the default username, it is often at the top of the list. Removing this username and switching to unique usernames can help prevent these types of attacks.
Don’t use the default database prefix
If somebody is able to compromise your site using an injection attack, they might be able to input information into your database without even looking at it first due to using the default prefix. By default your database will use “wp_” as a prefix, and if it is left as that hackers will instantly know what tables your user information is in and change your password to gain access for themselves or even create their own user. If you change your prefix to something random, let’s use “h97gw_” for example, your “wp_users” table is now “h97gw_users” and a hacker will not be able to guess his way into your database.
Use an IP whitelist for wp-admin
One of the best steps you could take is adding more verification layers to your admin login. Using the .htaccess file you are able to make a password prompt show up in the browser before you can access the login screen, or even block everybody but yourself or your developers based on IP address.
Here is an example you can modify and use in your /wp-admin/.htaccess where either your IP address to be on the list, or a password is required to access the login screen:
AuthName "Please Log In"
Deny from all
Allow from 18.104.22.168
Allow from 22.214.171.124
Satisfy any [/code]
Using this, everybody will be required to enter an additional username and password to even view the login screen, unless your IP address is allowed. If you change the Satisfy option from “any” to “all” you will only be able to access the login screen if you both have the username and password, and your IP address is allowed.
Limit login attempts
Another useful method to prevent brute force attacks is to limit the amount of times a certain IP address is allowed to try and log in. Unfortunately, there will always be people out there trying to hack into websites, but the more steps you take to secure your own computer and website, the less likely you will be forced to deal with it. You can also get fully managed WordPress hosting from Nexcess to help monitor and secure your site. I personally use Login Security Solution for my sites, but feel free to find one that fits you best.
Hide your wp-plugins directory
Depending on how your hosting environment is set up (and, with our server configuration standards, this is not required on any Nexcess hosting plan; I only mention this as a courtesy), you may be able to go to domain.com/wp-plugins/ and view a list of installed plugins as well as their versions. This is a very simple way for a hacker to find out what plugins are installed so they can search for exploits, and another reason you will want to make sure you remove plugins you no longer use. You can prevent this by placing a blank index.html file within your wp-plugins directory, so when attempting to view that directory in a browser you would just get a blank screen.
Prevent search engines from indexing your admin login screen
It is never a good idea to allow a search engine to index your wp-admin login screen, because that can provide a direct link to your login screen when somebody is simply searching for your site. To stop this from happening you can put the following line within your robots.txt file:
Set proper file permissions
Permissions can often be a large issue, and oftentimes they are set incorrectly which, in turn, can lead to security concerns. If a directory is set to 777, that means anybody in the world is able to read, write, and execute any file within that directory. The proper and safest permissions for most environments are going to be 755 for directories and 644 for files, so anonymous users don’t have the control required to make changes to your site. You can view a full breakdown of the numeric value permission system.
Even if your hosting company is providing backups of your site, make sure you create your own backups on a regular schedule as well as before making major changes. Sometimes a site will be compromised but will lay dormant in an attempt to outlive the available backups (I’ve personally seen malware lay dormant for over two years). In that scenario it is good to have backups from when you know when your site was fine and not have to rely on the time frame of your hosting company’s backup policy.
Virus scan your computer often
Another one of the largest entry points is actually your personal computer. If your computer has a virus that logs your passwords somebody can gain access to the FTP account you’ve been using for your uploads/backups, or corrupt your site files on your local computer so you end up uploading pre-infected files that can grant them access to your site. No matter what length you go through for securing your WordPress blog, if the computer you use to work on your blog is infected the hacker may gain access to your site.
Unfortunately, there will always be people out there trying to hack into websites, but the more steps you take to secure your own computer and website, the less likely you will be forced to deal with it.
You will also need to move your images manually or as a batch via SFTP if you feel comfortable with that technology. If you'd like to further assistance moving forward, check out what Nexcess offers for managed WordPress hosting.