WordPress Security

I won’t be exaggerating if I were to say that there are thousands of WordPress sites hacked or compromised every year. Even those who took extra precaution can be hacked due to either own fault, or fault of their web host. For people who value their online reputation, WordPress security is important!

There are many sites with how-to secure your WordPress site if you use Google search for the subject matter. They range from changing CPanel and FTP passwords, creating solid .htaccess rules, renaming the admin login file, using different database prefix and so forth.

All those are very valuable advise, and if you continue reading other articles you’ll soon find out that hosting your own WordPress blog or site takes a lot of time and hard work. The only way to be secure is eternal vigilance, they say (or something to that effect).

My own blog kennyyeoh.net was hacked twice, and the company website which I maintain, hypertunemag.com, was hacked too. The first hack happened around the same time, which made me suspicious that it could be a compromised computer over at the web host, or possibly their servers had outdated software. It could just be my own fault that I did not make sure plugins and themes were updated. But that’s already history.

Make Sucuri part of your WordPress security plans

I took Exabytes’ SiteLock promotion and signed up with them for about RM160 a year. The yearly recurring payment is the same amount due to this promotion. My boss had no problem signing up for the security service as he was aware that some clients’ websites were hacked too. Talk about coincidence!

For my own blog I got the Wordfence Security plugin, but my mistake was that I did not schedule it to scan on a daily basis. I was sure then that setting to scan twice a week was sufficient. Was I wrong! Looking back there are many things that a website owner can do to maintain good security.

Here’s my non-conclusive list for things to do in regards to WordPress security:

    1. Keep changing your Cpanel password, especially after you asked your web host for whatever help you need on the server
    2. Use a security plugin for WordPress to scan your files for any changes. I use Wordfence. Make sure you set it to scan at least once a day. If you are paranoid, twice to three times a day, but that might take up some server resources if you have a huge site.
    3. Use strong authentication – a two password to log-in step. You can use htpasswd with htaccess method, or use Google Authenticator – which somehow didn’t work for me when I used the 1 minute option. It says that the code given has expired. I switch to the less secure 4 minutes option and it worked. You need to download the plugin for your site, and the app for your smartphone. On some sites I use More Secure Login plug in – which has a set of codes which you either print out or save (image file). At the login page it will give you a code, and you have to match it with the printed code and enter it into the second password field.
    4. If you can afford it, sign up with Sucuri, Sitelock or Website Defender. From testimonials and reviews, Sucuri seems to be the better choice.
    5. Daily database backup and if possible site backup too. Depending on how active the site is, it can be once every few hours, daily, or weekly. There are lots of free plugins for this, which will automate the back up process. You can manually do this in your CPanel as well.
    6. Change the default WordPress database prefix from wp_ to something else.
    7. Download and install plugins and themes from only trusted sources. If you find on some site giving out free premium, non-beta themes which you have to pay somewhere else, then you have to suspect something is fishy.
    8. If all these (and more) are too much work for you, get a paid hosted WordPress site from WordPress.com or elsewhere. It’ll be less headache for you if you are not a full time site admin.

Do you have any good tips for securing a WordPress website? Share with me by commenting below.

Note: At the time of this writing my kennyyeoh.net server is down. It is one of the reasons why I switched to Serverfreak as well – Exabytes, or rather WPWebhost tends to go down quite often for me. The recent hacks prompted me to switch to another web hosting service provider. And somehow I do not get their Security emails, just their Promo emails. My friend who has a website hosted with them gets all their Security emails.

Update: Microsoft Defender has managed to find the culprit when I did a full system scan. It was in my full server backup file, located at the public_html/_vti_cnf/index.html. ClamAV on CPanel didn’t find it at all during the few scans which I ran on the server. As you’re now aware, I deleted and reinstalled WordPress and yet Google blacklisted me.

So most likely this is due to my server being compromised instead. Use SFTP if possible, and keep on changing your CPanel and FTP passwords. Any more recommendations for site admins and self-hosted bloggers in regards to server security? I definitely can’t control the frequency server software is updated nor if the AV scanners are up to date.

Leave a Comment