
Top ten tips to make your WordPress site more secure

WordPress is the most popular blogging and Content Management System (CMS) in the world and, according to WordPress founder Matt Mullenweg, it powers one in five of all the world’s websites.

But WordPress’ popularity has made it a favourite target for criminals who wish to recruit a ‘zombie army’ of computers, now commonly referred to as a botnet (although there are legal botnets in cyberspace), to relay spam or participate in distributed denial-of-service attacks. In a distributed denial-of-service (DDoS) attack, multiple systems submit as many requests as possible to a single Internet computer or service, overloading it and preventing it from servicing legitimate requests.

A recent investigation has concluded that 73% of the 40,000 most popular websites that use WordPress software are vulnerable to attack.

The research, carried out by vulnerability researchers EnableSecurity and reported by WordPress security outfit WP WhiteSecurity, was conducted between Sept 12 and Sept 15 2013 shortly after the release of the WordPress 3.6.1 Maintenance and Security Release.

As with any application on the web, the first rule of WordPress security is to always run the latest version of WordPress. This is the first issue to deal with, and it is really simple to check and remedy via the WordPress admin panel. While you are in the admin panel, check that your plug-ins are all up to date. Plug-in exploits are also a common occurrence.

Another key area is the use of strong passwords to at least delay penetration attacks. Logging in to a WordPress site is done through a two-step form; you fill in your name and then your password.

By default the username is set by WordPress as ‘admin’, and a surprising number of users leave this as the default username. However, by doing this you have already reduced your security factor by 50%, as the first thing an automated hacking system will do to penetrate a WordPress site is start the attempt by using ‘admin’ as the username.

Top Ten Tips to Make Your WordPress Site More Secure

If you are running a website that uses WordPress, here are some suggestions to help you avoid ending up in the 70% of vulnerable sites.

  • Always run the very latest version of WordPress
  • Always run the very latest versions of your plugins and themes
  • Be conservative in your selection of plugins and themes
  • Delete the admin user and remove unused plugins, themes and users
  • Generate complex secret keys for your wp-config.php file
  • Put a Web Application Firewall in front of your website
  • Create a New Administrator Account, using a unique username and password.
  • Remove access to Uploads Folder
  • Don’t Look Brand New – delete the default comment, default post and default page (if there is one)
  • Consider an automated security scan system to monitor the website.

It is also useful to subscribe to a couple of internet security blogs, so that you are made aware of any new threats on the horizon and can take steps to apply countermeasures.

Believe me, being hacked is no joke for you - or people in your contact list who will suffer the full onslaught of any malicious attack.

This was posted in Bdaily's Members' News section by James McRoy.
