Four ways to improve security on your WordPress site


In recent months, the web world was hit with a code exploit that affected many users across various web development platforms, from custom systems to Drupal and WordPress.org. This hack exploited a security vulnerability in the popular TimThumb image resizing PHP script, which allowed the hacker full access to any website running the older version of this script.

An exploit of this nature, of course, didn’t go unnoticed. Within hours of the exploit being publicised, developers and website owners alike were rushing to their computers to make sure that all was safe on their online real estate. Having assisted many WordPress users in upgrading and safeguarding their websites, I can assure you that this was not a hack to be taken lightly.

Website security is a topic that is in constant discussion online. The continual evolution and discovery of web exploits keeps website security specialists on their toes, making sure that their clients have the most secure websites possible. Security is also a topic that cannot be discussed enough, as it is important for website owners (technical and non-technical alike) to be aware of the latest developments and methods of safeguarding their content online. Today, I’d like to run through a few steps you can take towards safeguarding your WordPress-powered website.

Awareness

As with security in any context, awareness of one’s surroundings is important. The difference here is that one’s surroundings are, essentially, the entire internet. As daunting as that may seem, there are ways of keeping informed about developments in the web world. Simply following several tech-related websites such as Memeburn and, for WordPress users, WPCandy, is a great way of making sure that you know exactly what’s going on around you and your website.

In addition to this, keeping an open line of communication with your website development team (if you haven’t developed your website yourself) is important. This is to make sure that the team behind your website are also aware of developments in website security. This goes for your theme provider as well, if you make use of a premium WordPress theme on your website.

Upgrades

This is something that cannot be mentioned enough, and it also ties in with awareness. When using a third-party system, it is important to keep aware of developments on that system. WordPress, for example, publishes maintenance and security releases over time to make sure your website is as secure as possible. Keeping on top of these upgrades is important, as it ensures that you’re running the latest and most secure version of your software (along with any new features bundled into the release, which is, of course, beneficial).

The same goes for plugins and themes for WordPress. If you’re looking to modify your theme, be sure to use a child theme in order to facilitate easier theme upgrades. Regarding plugins, be sure to keep up with upgrades, as any outdated code on your web server could result in a security exploit. Keeping your WordPress-powered website up to date isn’t too difficult, provided you keep up with regular upgrades. Upgrading is one of those things one only realizes the true benefit of if/when something goes wrong or an exploit is made known online.

wp-config.php – The Technical Side

Up until now, we haven’t really looked into any code that can help to secure your website.

When maintaining or upgrading your WordPress-powered website, the wp-config.php file is the one file that the upgrade process does not overwrite. This file contains your database settings and any other setup you’ve manually added to the file. Naturally, it’s possible to bolster this file a bit more, following a few guidelines available in the WordPress Codex’s section about the wp-config.php file. While that page explains each section of the file in detail, I’d like to focus on a few headings in particular that relate to security.

Security Keys

If you let WordPress create your wp-config.php file for you, you’ve no doubt seen the security keys section when opening the file in a text editor. This is a really great way to add further security to your WordPress installation. You can even use the online security key generator to create the code for you, which you’d then place in your wp-config.php file.

WP_DEBUG

This setting, while incredibly useful in a development environment, should always be set to false on a live website. While this isn’t strictly a security measure, a PHP warning message displayed on your website can reveal details of your server configuration to visitors.

Moving wp-config.php

By default, WordPress looks for wp-config.php within your server’s public_html folder, and then one folder up from that. Placing wp-config.php outside of the public_html folder adds a layer of security, as the file is then not directly accessible to users who may be FTPing into the public_html folder with a limited-access account.

Further Reading

There are several other advanced techniques listed on the WordPress Codex regarding custom table prefixes, etc. These are best handled when first installing WordPress. If you wish to implement this on an existing website, I’d advise erring on the side of caution, unless you are a more advanced user who is comfortable working on a MySQL database at direct database level. That being said, it doesn’t hurt to read the full page on the WordPress Codex to familiarize oneself with the possibilities. This is part of keeping oneself aware, as mentioned above.
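As an added example (not code from the article or from WordPress itself), the following Python script audits the body of a wp-config.php for the points covered in the sections above: placeholder security keys, WP_DEBUG left on, the default wp_ table prefix, and whether the file sits inside the public web root. The sample config, the path arguments and the 32-character minimum key length are constructed assumptions for illustration.

```python
import re

# Placeholder that ships in wp-config-sample.php for every key and salt
PLACEHOLDER = "put your unique phrase here"
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Matches define('NAME', 'value') or define('NAME', false); assumes values
# contain no escaped quotes, which holds for the key generator's output.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(?:'([^']*)'|"([^"]*)"|(\w+))\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")


def audit_wp_config(text, config_path, docroot):
    """Return findings for a wp-config.php body; config_path and docroot are
    POSIX paths used only to check whether the file is inside the web root."""
    findings = []
    defines = {name: (sq or dq or bare)
               for name, sq, dq, bare in DEFINE_RE.findall(text)}

    # 1. Security keys: each must be defined and not the sample placeholder
    for key in KEY_NAMES:
        value = defines.get(key)
        if value is None:
            findings.append(f"{key} is not defined")
        elif value == PLACEHOLDER or len(value) < 32:
            findings.append(f"{key} is the sample placeholder or too short")

    # 2. WP_DEBUG must be false on a live site (warnings leak server details)
    if defines.get("WP_DEBUG", "false").lower() == "true":
        findings.append("WP_DEBUG is true on a live site")

    # 3. Custom table prefix (the Codex's advanced technique)
    m = PREFIX_RE.search(text)
    if m is None or m.group(1) == "wp_":
        findings.append("table prefix is the default wp_")

    # 4. Location: inside the web root means anyone who can read public_html
    #    (for example a limited FTP account) can read the database password
    if config_path.startswith(docroot.rstrip("/") + "/"):
        findings.append("wp-config.php sits inside the public web root")
    return findings


# Constructed sample: a freshly copied wp-config-sample.php with debugging on
SAMPLE_CONFIG = "<?php\n" + "".join(
    f"define('{k}', '{PLACEHOLDER}');\n" for k in KEY_NAMES
) + "$table_prefix = 'wp_';\ndefine('WP_DEBUG', true);\n"
```

Run `audit_wp_config(open(path).read(), path, "/var/www/public_html")` against a real file; an empty list means all four checks passed.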

In addition to the above, when installing WordPress, make sure to set up your default administrator with a username other than “admin”. This is a common starting point for hackers trying to get access to your website.

Additional Services

If your website receives a high amount of traffic, is updated regularly or is a primary source of income, your data has become even more valuable. If you are prepared to invest in a third-party security system, VaultPress by Automattic is a great way of making sure that your website is constantly monitored for vulnerabilities and that backups are made available to you, should anything transpire. With the price tag attached, this service may not be for everyone. If you feel it important to further secure your data, I’d recommend inspecting VaultPress further.

In addition, I’d recommend contacting the company hosting your website, asking what security and backup measures they have in place on your hosting account. Whether or not you ever need to use this information, it’s important to know the full scope of what is keeping your website secure.

On a final note, while website security can seem daunting and intimidating, it’s something that should be approached from a standpoint of keeping aware and in the know. That way, if issues do arise on your website, you are able to calmly resolve them and get your website back to where it was, knowing full well the scope of the security measures in place.


  • Charles Ash

    Any advice for Joomla websites?

  • Rowan Puttergill

    Nice article… I think that all too frequently, people get a site up and running and then leave it to rot in cyberspace. I’m even guilty of that on occasion, and I’m pretty security obsessed. One thing most worth mentioning is that you should have a great backup strategy, with the ability to roll back to a copy of your site as it was at least a week ago. That means backing up your database, and the code for your site, daily. Once you’ve got your backups in place, you should practice disaster recovery every few months, so that you know that if your site is taken out at any point in time, you are able to get back up and running in the shortest space of time possible.

  • Seo

    My advice would be to do an upgrade to WordPress.

  • Charles Ash

    WordPress is a blog platform pretending to be a CMS. Joomla is a complete web development framework. The Joomla ecosystem is far more rich, vibrant and interesting than WordPress. Thanks for the chirp though.

  • http://wordpressthemes.eu.com/ wordpress theme

    Thanks Matt!

  • just a reader

    Are you running out of contributors because this article is really weak.
