I host a number of WordPress sites, and many of the people I host them for don't keep their sites up to date. That lets malicious people exploit known WordPress vulnerabilities to use your server for sending out spam through spambots, which gets your server blacklisted, which is a pain.
After this happened to me I made a number of changes to both my server setup and the WordPress setup. This is a brief how-to on securing WordPress to best protect you against malicious people. It is not a complete step-by-step guide for dummies, but it does show all the plugins I use and condenses many hours of googling and experimenting with different plugins into the best ones I have found and use personally.
Before proceeding, make sure you have a current backup of your WordPress site, so we will start with adding a backup plugin.
The free BackWPup plugin can save your complete installation, including /wp-content/, as a local backup and push it to an external backup service such as Dropbox, S3, FTP and many more. With a single backup .zip file you can easily restore an installation.
Installing the plugin is easy; it adds a BackWPup menu item for creating your backups. You can also create a scheduled automatic backup.
It is a good idea to back up your site regularly so that if anything happens, be it a hacker corrupting your site or spammers overrunning it with crap, you can easily restore a known clean, safe copy of your WordPress site without investing too much time in the clean-up.
Once you have installed this plugin and done a complete backup of your WordPress site you can carry on with the rest of this how-to. When you have finished it and you're happy everything is still OK, do another backup to save an up-to-date working copy of your WordPress site.
WordPress is probably the most popular content management system used for websites and blogs, and as such hackers and spammers exploit known vulnerabilities in the WordPress software. The best way to avoid being exploited through known vulnerabilities is to keep it up to date.
By default WordPress automatically updates the core of its installation but does not update plugins and themes. This plugin makes it dead simple for anyone to make WordPress automatically update the plugins and themes as well. If for some reason you don't want specific plugins or themes to be updated, you can turn off automatic updates for those individual items.
Once installed, the Dashboard will have an Update Options section that lets you change pretty much anything you want about how your WordPress site updates.
You will want to enable All Plugin Updates and All Theme Updates, as well as Automatic Plugin Updates and Automatic Theme Updates; this will keep your site's plugins and themes automatically updated.
This is generally what you want: any major plugin should be kept up to date by its maintainers to work with current WordPress installs, and by having the latest version you get all bug and security fixes applied as well as any new features they add.
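The same switches the plugin flips are available as WordPress core filters. As an added example (not the plugin described above), this must-use plugin turns on background plugin and theme updates but leaves out named items, which matches the per-item opt-out mentioned earlier; the slugs in the skip lists are constructed placeholders.

```php
<?php
/*
Plugin Name: Example auto-updates
Description: Added example (not the plugin described in the post): turns on automatic
plugin and theme updates through WordPress core's own filters, with an opt-out list.
*/
// Save as wp-content/mu-plugins/example-auto-updates.php; must-use plugins load
// automatically and cannot be switched off from the dashboard.

// Constructed opt-out lists. Plugins are identified by basename (folder/main-file.php),
// themes by directory name. Put items here that must not be updated unattended,
// for example ones carrying local modifications.
const EXAMPLE_SKIP_PLUGINS = array( 'example-plugin/example-plugin.php' );
const EXAMPLE_SKIP_THEMES  = array( 'example-child-theme' );

// Core asks this filter, for every plugin with a pending update, whether to install
// it in the background. $item->plugin is the plugin basename.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->plugin ) && in_array( $item->plugin, EXAMPLE_SKIP_PLUGINS, true ) ) {
        return false;
    }
    return true;
}, 10, 2 );

// Same for themes; $item->theme is the theme slug (its directory name).
add_filter( 'auto_update_theme', function ( $update, $item ) {
    if ( isset( $item->theme ) && in_array( $item->theme, EXAMPLE_SKIP_THEMES, true ) ) {
        return false;
    }
    return true;
}, 10, 2 );

// Core's own automatic updates are left as they are; this file only covers
// plugins and themes, which core does not update by default.
```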
NOTE: You should definitely back up your site before doing this. If you skipped the backup part of this how-to, do not do this until you have a complete backup of your database.
Pretty much any article you read on securing WordPress recommends changing the default wp_ database table prefix to something different. This plugin makes it dead simple to do that; all you need to do is make sure wp-config.php is writable by WordPress before proceeding.
Once you have installed this plugin, go to the Settings menu, then Change DB Prefix. When the Change DB Prefix plugin loads you will have an option to change the WordPress prefix to anything you want. I did this on a site that had a number of modules such as WishList Member installed and it updated all the prefixes in the database without issue.
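To show what a prefix change actually involves, here is an added example (my own script, not the Change DB Prefix plugin's code) that does the rename by hand through WP-CLI. It assumes a current database backup, that you edit wp-config.php afterwards, and the constructed new prefix k9x3_.

```php
<?php
/*
 * Added example, not the Change DB Prefix plugin: renames the tables by hand so
 * each step is visible. Run once with WP-CLI:  wp eval-file change-prefix.php
 * Assumes a current database backup and that wp-config.php is edited afterwards.
 */
global $wpdb;

$old = $wpdb->prefix;   // current prefix, read from wp-config.php (e.g. 'wp_')
$new = 'k9x3_';         // constructed example; letters, digits and underscores only

if ( ! preg_match( '/^[a-z0-9_]+$/i', $new ) || $new === $old ) {
    WP_CLI::error( 'Choose a new prefix made of letters, digits and underscores.' );
}

// 1. Rename every table that starts with the old prefix (core and plugin tables alike).
$like   = $wpdb->esc_like( $old ) . '%';
$tables = $wpdb->get_col( $wpdb->prepare( 'SHOW TABLES LIKE %s', $like ) );
foreach ( $tables as $table ) {
    $renamed = $new . substr( $table, strlen( $old ) );
    $wpdb->query( "RENAME TABLE `{$table}` TO `{$renamed}`" );
}

// 2. The prefix also appears inside row data in two places. Miss them and every
//    user, including the admin, loses their role after the rename.
$wpdb->query( $wpdb->prepare(
    "UPDATE `{$new}options` SET option_name = %s WHERE option_name = %s",
    $new . 'user_roles',
    $old . 'user_roles'
) );
$wpdb->query( $wpdb->prepare(
    "UPDATE `{$new}usermeta` SET meta_key = CONCAT(%s, SUBSTRING(meta_key, %d))
     WHERE meta_key LIKE %s",
    $new,
    strlen( $old ) + 1,   // SUBSTRING is 1-based: keep everything after the old prefix
    $like
) );

WP_CLI::success( 'Renamed ' . count( $tables ) . " tables. Now set \$table_prefix = '{$new}'; in wp-config.php." );
```

Plugins that store table names inside their own option values are not covered by step 2, so check such plugins after the rename.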
Sucuri Security – Malware Scanner and Security Hardening has many of the options that Wordfence has, but what I like about this plugin is its Hardening tab, which lists a bunch of things you should make sure are secure, and 98% of the options have a Harden button you can press to automatically harden that option.
Their malware scanner also has a Blacklist Status tab that shows whether you are listed on any of the major blacklists.
Another useful feature is their automated email alerts, which let you know about failed login attempts, successful login attempts, posts that have been updated and a number of other events.
They have a number of paid add-on services, but the free version should suit most people.
Wordfence scans for known malware and also compares your installed WordPress core and plugins against the versions in the WordPress repositories. If there are differences you can view the diff between the old and new files to determine whether the changes are malicious or whether Wordfence's database simply isn't updated to the latest version. I found quite often that the changes in some files are because WordPress has updated things but Wordfence hasn't updated its database yet.
The Wordfence live traffic feature is useful for seeing what is happening in real time, and if you see malicious activity you can click a Block IP link to block that IP from accessing your site.
Wordfence can also automatically block IPs that have frequent login failures or that access pages that don't exist within a time frame you set. This automatically blocks brute-force attacks on your WordPress site.
Wordfence also has performance tools that will cache your site, but I don't use them as there are other tools for that.