
September 06 2013

WordPress Security Tips

At Webstetic, we love Wordpress as a content management system. We primarily build our websites on Wordpress CMS. We believe in knowing one CMS inside and out. Wordpress is a very powerful CMS that we customize to meet our clients' needs daily. When designing a website for Wordpress we start just like any other site. We create custom looks and feels with proper CTAs based on your SEO strategy. Then we custom code the approved design into a Wordpress template.

It’s wonderful that Wordpress offers so much in a CMS, but what about SECURITY? The downside of a CMS this popular is that automated bots and hackers know it well and can easily break in.

The drug and alcohol rehab industry that we work with is a heavily competitive industry; in fact it’s one of the most competitive industries on the web. When hackers attack our websites we don't always know where the attacks come from. Chances are, the attacks are random but for the drama of it we like to make up our own theories about our competitors.

We would like to recommend some steps you may take to protect your Wordpress website from being vulnerable to the tricks of hackers and their programs.

  1. Wordpress by default allows unlimited login attempts, which leaves your website open to brute-force attacks. There is a plugin you can download called Limit Login Attempts which blocks an IP address after a set number of failed login attempts. The plugin also keeps a log and can send an email notification whenever someone is attempting to log in.
  2. For more protection we recommend Wordpress Simple Firewall. If you use it you may not need Limit Login Attempts, because the firewall includes its own login protection. It also includes comment and spam protection and lets you whitelist and blacklist IPs. It keeps a full log you can use to analyze and debug traffic, and it inspects all web requests to identify and stop the most obvious attacks.
  3. It’s a good idea to monitor all changes to every file. A great plugin for this is Wordpress File Monitor Plus. You will be notified whenever files are added, deleted or changed, and you can tell it to ignore files you don’t want to be notified about.
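An added example, not code from the post or from any of the plugins it names: detection logic that scans web-server access-log lines for the login bursts item 1 describes, so you can see whether someone is hammering wp-login.php before (or without) installing a plugin. It assumes the Apache/nginx "combined" log format; the sample lines, the five-attempt threshold and the five-minute window are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m or len(m.group("req").split()) < 2:
        return None
    method, path = m.group("req").split()[:2]
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), method, path.split("?")[0]

def flag_brute_force(lines, max_attempts=5, window_seconds=300):
    """Map IP -> total login POSTs for every IP that POSTed to wp-login.php at least
    max_attempts times inside any window_seconds span (sliding window over sorted times)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].endswith("/wp-login.php"):
            per_ip[rec[0]].append(rec[1])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0                     # left edge of the sliding window
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= max_attempts:
                flagged[ip] = len(stamps)
                break
    return flagged

# Constructed sample log (RFC 5737 documentation addresses, not real traffic): 203.0.113.7 fires
# five POSTs in seven seconds, 198.51.100.2 is one normal login, 192.0.2.9 posts twice two hours apart.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Sep/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Sep/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Sep/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Sep/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Sep/2013:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.2 - - [06/Sep/2013:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [06/Sep/2013:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.9 - - [06/Sep/2013:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
"""
```

Run `flag_brute_force(SAMPLE_LOG.splitlines())` against your own access log (one line per entry) and only 203.0.113.7 is reported; loosening the window shows how the two spaced-out attempts from 192.0.2.9 stay below the threshold until the window covers them.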

• Be aware that even if you have security on the web server where your website is hosted, this won’t protect you against a keylogger on your own computer, so in addition you’ll want to make sure your computer doesn’t have viruses, malware or spyware.

• Always keep Wordpress and your theme up to date. Many updates contain security fixes. Make sure your plugins are also always up to date; outdated plugins are one of the most common ways hackers get into a website.

• If you are on a shared server, find out what security measures the hosting company takes and make sure they are satisfactory for your needs.

• Set a strong password.

• Use SFTP instead of FTP so your username and password are not sent across the network in clear text.

• Lock down file permissions on as many files as you can to avoid a hacker writing to them. Allow only your username and password to write to files in the wp-admin area.

• Add a second layer of security by setting up server-side password protection on wp-admin, so that you and your developers are prompted for a username and password before even reaching the wp-admin login page.

We don’t want to give too many tips at once, so we may come back to this subject later to help you set up more protection. If you have any questions, or if you want to hear about a certain topic, please email us.
