Protect your WordPress site. It is better to be proactive than reactive when it comes to your website’s security. I am speaking this from my own experience. Here is the short version of my story. I have approximately over 50 WordPress sites that I run which brings me a steady income. This blogs range from costumes to baby products. The income lasted until December 2011 when I started noticing that the traffic to my sites were decreasing tremendously. Most of my sites rank #1 on Google search so I get about 90% of the traffic. December is a busy month for me being the mother of two toddlers so I did not pay much attention to the traffic, until Google blacklisted my sites and the hosting said they will not host my sites as my sites have been hijacked, some sites has SQL injection, hidden iframes in my code. I was in a panicked state. I thought common “who would do that to me?”- well hackers would and they stole my traffic. Lesson learned but its too late as I lost my earnings and took me a while to get on the good side of Uncle Google. So if you are doing any sort blogging with your own hosting, here are some tips so you won’t loose revenue, trust of Google and your visitors. It takes months to recover from such an attack.
Steps to Make Your WordPress Site Secure
Back Up your WordPress Site Regularly:
Back up your wordpress database regularly. A great plugin is “WP-DBManager”. The best way to do is run a DB backup and then backing up all your files.
Scan Your Files:
I use the plugins “AntiVirus” or “WordPress Expolit Scanner“. You can use one or the other. These plugings will scan your files everyday to see if there are any iframe code embedded or SQL injections. You will receive a e-mail with the code it found. After I installed the plugins I was surprised to see how many attempts were made a day to inject the malicious code into my site.
Change Your Password:
I agree with you that we get lazy sometimes and are comfortable with the same password but it is important that you change your password at least every 90days. I pick a word and usually convert the letters to numbers and symbols making it hard for others to guess.
Change Your Login From Admin
Most of the time the default login name is admin. Go to users and add new users and make the new username to be the admin. If possible delete the admin or reduce the admin to a subscriber.
Rename WordPress Database Tables:
I use the pluging “WP Security Scan”. Make sure that you have backed up your database.
Hide Plugins Folder Content:
The easiest way to hide the content is to create a blank document called “index.html” withing your plugins directory.
Use SSH instead of FTP:
I have not used SSH but this is what Hightech Dad advices
use SFTP if you like having a GUI for your file management. SSH is a bit more secure (another topic completely) and will let you shut down the FTP service and port (something you should do).
Don’t Let Search Engines index your WordPress Folders:
use robots.text file and include the following line – Disallow: /wp-*. I use the plugin PcRobots.txt. So far I love it.
Protect Your Login Page:
This means that you can stop someone or a software from trying to login over and over again to figure out your password. I use the plugin “Login Lockdown” and I love it. The default is 5 times then it will not let you login for 24hrs but I have set mine 1 which means the first time someone tries and fail my blog locks down for 24hrs. I made mine 1 as I lost over 50 money making sites but you can leave yours at default.
Monitor Changes to Your WordPress Files:
I love this plugin “WordPress File Monitor” – this takes snapshot of the files and directories and will send you an alert if anything changes.
Check Your WordPress Files Permission:
If you have shared hosting most of the permissions are already configured for you. If you don have shared hosting then you should restrict files and folders to 755 or 644. Click here to get more wordpress permission and security recommendations that you can use as well.
This plugin “WordPress Firewall Plugin” is very useful.
Hide Your WordPress Version:
This is very important as most hackers will try to hack sites that are not updated, so hiding your wordpress version will prevent your site from being visible to them. I am not good in codes so I use a plugin called “Secure WordPress”.
Scan Your WordPress Blog:
“WP-Scanner” scan your WordPress blog for vulnerabilities.
List Of WordPress Plugins & Links
- Admin Renamer Extended
- WordPress Automatic Upgrade
- WP Security Scan
- Login Lockdown
- Chap Secure Login
- WordPress Exploit Scanner
- WordPress File Monitor
- WordPress Table Prefix Rename Plugin
- WordPress Firewall Plugin
- Secure WordPress
Hope this helps you to protect your wordpress blog or site. If you have any questions let me know I am more than happy to help or direct you to the right source.