WordPress security

Posted on

Category: wordpress

WordPress has potential security issues just like any other software. There are some steps that can be taken to help prevent your site being attacked.

The most common attacks usually fall into one of two categories:

  • Sending specially-crafted HTTP requests to your server with specific exploit payloads for specific vulnerabilities. These include old/outdated plugins and software.
  • Attempting to gain access to your blog by using “brute-force” password guessing.

The main thing you can do is keep WordPress up to date. Security vulnerabilities are always being looked at and fixed, so keeping up to date is very important.

  • Make sure the web server your WordPress site is being hosted on is running secure stable versions of it’s software, or use a trusted web host that takes care of this for you.
  • Find out if your web host makes regular backups of your site and database. You have to consider how you would restore your site if it was attacked. Personally I store all my sites on a Git server (Github is also a good choice for this if you don’t have your own server), meaning that I would just need a backup of the live database if I wanted to restore a site. Backup plugins are also available for WordPress.
  • Use strong passwords for all WordPress users, and make sure the Administrator user is not called ‘admin’. Use SFTP when connecting to your site, so that all data and passwords are encrypted.
  • Lock down file permissions as much as possible. See the codex for more info on this. Keep plugins updated, and delete any that aren’t being used. Plugins that need write access to the WordPress files and directories should be used with caution. Make sure these are plugins from a trusted source.
  • Block some SQL injection attacks by changing the database table prefix to something other than ‘wp_’.

This information was taken from the WordPress Codex, but common sense can also be applied. WordPress itself is pretty secure, it’s often the web hosting itself that can allow attacks to happen so make sure you use a reputable hosting company that doesn’t cut corners.

Leave Your Comments

blog comments powered by Disqus