Security should be a concern for every webmaster, regardless of the platform being used. A good WordPress web host will put measures in place to secure your server, but WordPress itself still deserves a certain level of attention when it comes to security. WordPress is the most popular content management system (CMS) on the web, powering close to 10 percent of all websites. It is also an open source platform, which makes it more vulnerable to hacking attempts.
Many top hackers target open source platforms, simply because the rewards are greater. For a skilled hacker, open source is an easy target: it reaches a critical mass of people and offers financial gains. Yes, your website may not be as lucrative as, say, hacking a bank, but it is no less a target.
Here’s how you can set about securing your WordPress website against the threat of hacking.
Keep WordPress updated
It is important, when securing your website, that you are running the latest WordPress software and that all plugins are kept up to date. Updating WordPress is a quick and easy task, and the CMS does a good job of keeping users informed when new software is available.
By logging in to your WordPress Dashboard, you will see any available updates featured next to the name of your site in the top toolbar. Check the boxes of the plugins you wish to update and click on the “Update Plugins” button. Plugins that are not being used should be deleted rather than merely deactivated, since deleting a plugin completely removes its code from your server.
On the same page, you will also be able to check whether you are running the latest version of WordPress. If not, select the “Upgrade Automatically” option.
Remove default posts, comments and footer
New WordPress sites are easier to hack into, so you should make sure to remove any signs that may give the game away. The “Hello World” post can be removed by going to Posts > All Posts and clicking on the “Delete” button on the post. Comments can be removed in the Comments menu by checking the boxes and selecting the “Trash” option.
You may also want to remove the “Powered by WordPress” text from the footer. This can be done by going to Appearance > Editor and opening the footer.php file. In there you should remove the whole block that looks like this (including its opening and closing div tags, so the page markup stays balanced):
<div id="site-generator">
    <?php do_action( 'twentyten_credits' ); ?>
    <a href="<?php echo esc_url( __('http://wordpress.org/', 'twentyten') ); ?>"
        title="<?php esc_attr_e('Semantic Personal Publishing Platform', 'twentyten'); ?>" rel="generator">
        <?php printf( __('Proudly powered by %s.', 'twentyten'), 'WordPress' ); ?>
    </a>
</div><!-- #site-generator -->
Disabling custom HTML
Certain functions in WordPress allow custom HTML to be used. If it is not required for the look or function of your website, you should disable unfiltered HTML by editing the wp-config.php file in your WordPress root directory on the server. In there you should add the following:
define( 'DISALLOW_UNFILTERED_HTML', true );
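As an added example (not code from the original article), here is a small Python audit script that checks a WordPress install directory for two of the items above: whether DISALLOW_UNFILTERED_HTML is set to true in wp-config.php and, just as importantly, whether it sits above the line that loads wp-settings.php (a define placed below that line is silently ignored), and which theme footers still carry the "Powered by WordPress" generator credit. It also lists installed plugin directories, since the filesystem alone cannot distinguish active from deactivated plugins; the sample site tree it builds is constructed purely for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# An uncommented define() of the constant; its true/false value is captured.
DEFINE_RE = re.compile(r"""^\s*define\(\s*['"]DISALLOW_UNFILTERED_HTML['"]\s*,\s*(true|false)\s*\)""",
                       re.MULTILINE | re.IGNORECASE)
# The line that loads WordPress; constants defined after it are ignored.
SETTINGS_RE = re.compile(r"""^\s*require(?:_once)?\s*\(?\s*ABSPATH\s*\.\s*['"]wp-settings\.php['"]""",
                         re.MULTILINE)

def unfiltered_html_status(config_text):
    """'disabled': true and before wp-settings.php (effective);
    'too-late': true but after that include (silently ignored);
    'allowed': absent, false, or commented out."""
    m = DEFINE_RE.search(config_text)
    if not m or m.group(1).lower() != "true":
        return "allowed"
    s = SETTINGS_RE.search(config_text)
    return "too-late" if s and s.start() < m.start() else "disabled"

def audit_wordpress_root(root):
    """Check the install at `root` for the items this article covers."""
    root = Path(root)
    status = unfiltered_html_status((root / "wp-config.php").read_text())
    leaking = []  # themes whose footer still advertises WordPress
    for footer in sorted((root / "wp-content" / "themes").glob("*/footer.php")):
        text = footer.read_text()
        if 'rel="generator"' in text or "powered by" in text.lower():
            leaking.append(footer.parent.name)
    # The filesystem cannot tell active from deactivated plugins: delete unused ones.
    installed = sorted(p.name for p in (root / "wp-content" / "plugins").iterdir() if p.is_dir())
    return {"unfiltered_html": status, "footer_leaks_generator": leaking, "installed_plugins": installed}

def build_sample_site():
    """Constructed fixture, not a real install: the define is placed too late."""
    root = Path(tempfile.mkdtemp())
    files = {
        "wp-config.php": "<?php\nrequire_once ABSPATH . 'wp-settings.php';\ndefine( 'DISALLOW_UNFILTERED_HTML', true );\n",
        "wp-content/themes/twentyten/footer.php": '<a href="#" rel="generator">Proudly powered by WordPress.</a>',
        "wp-content/themes/custom/footer.php": "<footer>Example Site</footer>",
        "wp-content/plugins/akismet/akismet.php": "<?php\n",
    }
    for rel, content in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(content)
    return root
```

Running `audit_wordpress_root(build_sample_site())` on the fixture reports the define as "too-late" and the twentyten footer as still leaking the generator credit.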
Install Exploit Scanner
Install the Exploit Scanner plugin by going to Plugins > Add New, and run it regularly to check for any signs of malicious goings-on.
Always back up your WordPress
We have spoken in a previous article about how to back up your WordPress website, and doing so will protect you against the worst-case scenario. WP-DB Manager and BackWPup are two great plugins for doing this.
There is no way of guaranteeing 100% security in WordPress, but by implementing these basic tips you are giving your website the best possible protection against hacking.