In part one of this series some of the basic steps to secure a WordPress installation were covered. However, basic security won’t do you much good if you are targeted by anyone other than a script kiddie.
To help protect against a more advanced threat, you are going to need some stronger tools, and unless you are an expert coder you may want to turn to some plugins for help in that arena.
Establish a Foundation in Security
Before moving on let’s make sure that you have covered all the basic steps towards securing your WordPress site. Using the Ultimate Security Checker plugin you can scan your site and get an overall grade for its security based on 115 security points that are awarded for:
- Theme and plugin updates
- Secured configuration files
- Secured code
- Permissions
- A secured database
- The configuration of the server itself
Once you have received a grade for your blog, you can check out some of the other tabs, like ‘Files Analysis’, ‘Settings’ and ‘How to Fix’, which will assist you in locking down your site against attackers.
Keep WordPress Free of Malware
Something you never want your visitors to see when they try to visit your site is a browser-generated malware warning like this:
This means that people who trust you to give them great content could find their computer infected with malware. How did malware get onto your site? Through any number of vulnerabilities; it happens all the time because, believe it or not, it is pretty easy to upload malware to a web site if you know what you are doing. Having your site labeled as malicious can cause problems for you with your hosting provider; left unaddressed, it will see you removed from the search engine indexes; but perhaps worst of all, it can do serious damage to your brand. People won’t trust you if your site is hosting malware.
There are quite a few plugins that will scan your site for malware, but Sucuri SiteCheck is one of the best because it not only scans for known malware but also checks for malicious JavaScript and anomalies in the code to help spot zero-day attacks.
Best of all, Sucuri checks for blackhat SEO spam that may have infiltrated your blog. Comments, invisible links, doctored-up guest posts, etc. are all ways that people try to game the search engine rankings. Having blackhat SEO techniques on your site can hurt your reputation with the search engines to the point that you could be banned.
Finally, Sucuri has its 1-click hardening feature that will help you:
- Keep WordPress updated
- Remove the WordPress version
- Protect your uploads directory
- Restrict access to your wp-content and wp-includes folders
- Make sure your PHP is up to date
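If you prefer to verify these points by hand rather than trust a plugin's grade, here is an added example (not code from Ultimate Security Checker, Sucuri or any plugin named in this article): a small POSIX shell audit that checks a WordPress directory for a few of the items in the checklist and hardening list above. It assumes an Apache-style setup where the uploads directory is protected by a `.htaccess` that denies PHP execution, and it treats the stock `readme.html` as a version disclosure to be removed.

```shell
#!/bin/sh
# Hypothetical audit script, written for this article; it is not the code of any
# plugin mentioned here. Usage: wp_hardening_audit /path/to/wordpress
# Prints one line per check and returns the number of failed checks.

# wp-config.php holds database credentials: it must not be world-readable.
check_config_perms() {
  f="$1/wp-config.php"
  [ -f "$f" ] || { echo "FAIL: $f missing"; return 1; }
  if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
    echo "FAIL: $f is world-readable (chmod 640 or 600 it)"; return 1
  fi
  echo "OK:   $f is not world-readable"
}

# Uploaded files should never run as PHP; assumes an Apache .htaccess rule.
check_uploads_php() {
  h="$1/wp-content/uploads/.htaccess"
  if [ -f "$h" ] && grep -Eiq '\.ph(p|tml)' "$h" && grep -Eiq 'deny|require all denied' "$h"; then
    echo "OK:   uploads/.htaccess blocks PHP execution"; return 0
  fi
  echo "FAIL: no rule blocking PHP execution in wp-content/uploads"; return 1
}

# Directory listings of wp-content and wp-includes reveal plugins and versions.
check_dir_listing() {
  rc=0
  for d in wp-content wp-includes; do
    if [ -f "$1/$d/index.php" ] || grep -qis 'Options -Indexes' "$1/.htaccess"; then
      echo "OK:   $d directory listing blocked"
    else
      echo "FAIL: $d directory listing not blocked (add an empty index.php)"; rc=1
    fi
  done
  return $rc
}

# The stock readme.html states the installed WordPress version.
check_version_files() {
  if [ -f "$1/readme.html" ]; then
    echo "FAIL: readme.html discloses the WordPress version; delete it"; return 1
  fi
  echo "OK:   readme.html removed"
}

wp_hardening_audit() {
  failed=0
  check_config_perms "$1"  || failed=$((failed + 1))
  check_uploads_php "$1"   || failed=$((failed + 1))
  check_dir_listing "$1"   || failed=$((failed + 1))
  check_version_files "$1" || failed=$((failed + 1))
  echo "$failed check(s) failed"
  return $failed
}
```

The checks are deliberately conservative: a hosting setup that blocks PHP in uploads at the virtual-host level instead of via `.htaccess` will be reported as a failure and needs a manual look.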
Protect the App
Web applications are one of the biggest targets out there because there are so many of them and so many of them are poorly configured. Many large web sites that host business critical applications protect their sites with appliances called web application firewalls (WAFs). In fact, a WAF is one way to be Payment Card Industry (PCI) compliant (more here) if your site accepts credit cards.
Since most small sites don’t have the resources or need for a commercial WAF, a plugin will do the trick. Again, there are many excellent firewalls but one favorite among blog owners is the OSE Firewall.
This plugin protects your blog against many common file inclusion and injection attacks, and also helps defend against Denial of Service attacks that are growing increasingly popular with malicious hackers.
Best of all, if OSE detects something that doesn’t look right it will email you to notify you that you may be under attack. Note well, you will need to configure OSE before it begins to protect your site, though this will take no more than a few clicks of the mouse to tell it what to defend against.
Comments?
Of course no discussion about WordPress security would be complete without mentioning Akismet. Akismet not only helps to protect your site from spammy comments that are automatically posted to your blog, but it helps keep malicious code from being uploaded through your comment section as well.
Simply install this plugin, request an API key from Akismet (this is free for non-commercial use) and enter that key into the configuration page.
Not only will it help protect your site, but it will help save you time from having to sift through all the nonsensical comments that bots post.
So that’s my list of suggested security plugins for WordPress. I am sure that I left out someone’s favorite, and certainly there are lots of other choices (we previously covered some alternatives to Akismet). If your personal favorite is not on the list, please share it with the rest of the readers in the comments and be sure to tell us why you prefer it to any other options.