You have put a lot of work into setting up your WordPress website. You have gotten it installed, added your plugins, chosen a theme, added your widgets, created your menus, and finally added posts and pages.
But have you thought about security? Have you taken steps to protect your blog from people who want to get in and have a little fun at your expense? You have put in countless hours, and that time has value. You would hate to see it lost because someone was able to gain access, right?
The Basics
First of all, let me lay down a very important point: NOTHING you can do will absolutely guarantee that someone will not be able to “break in” to your website. I like to think of it like home security. No matter how many locks I put on the doors and bars I put on the windows, the determined burglar will find a way to get in. But this burglar wants something he knows I have. He has chosen my home because of what he knows is absolutely, positively going to be inside.
The casual burglar, just looking for an easy “score”, is going to move on to one of my neighbors’ homes. I have made it just too difficult to be worth his time and exposure for an uncertain payday.
So it is with website security. If I put a few simple measures in place that make my site more difficult to crack than other sites, the culprit will almost certainly move on to easier targets.
With that said, let’s start by looking at a few simple security concepts.
There are two basic ways to gain unauthorized access to a website. The first is through brute force and the other is by using known exploits. Let’s take a look at each in a bit more detail.
The most common brute force attack is implemented through multiple attempts to log in to your site. Typically, a software program is created to simulate the login process and automatically submit the login form to your site using hundreds, even thousands, of password possibilities until it gets in. And when a program is doing it, it can submit hundreds of password combinations every minute.
The second type of attack is the known exploit. These are far more complex and typically require more skill to implement. The basic idea is that there are known security vulnerabilities for different versions of web software, including WordPress. If the website assailant can determine what version of WordPress you are using, he can then apply exploits known for that version in an attempt to gain access to your blog.
So how do I protect myself?
To protect yourself from brute force attacks, you simply put limits on the number of times a certain action can fail before locking a visitor out. I am sure you have seen this at websites you already use. If you enter the wrong password too many times, you are unable to try to log in again for a specific period of time or until you verify your identity. Be sure to also use strong passwords.
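As an added example (not code from the original article, and not a published plugin), here is a small WordPress must-use plugin that implements the failed-login limit described above using only core WordPress hooks. Drop it into wp-content/mu-plugins/. The threshold of 5 failures, the 15-minute window, and the choice to key the counter on the client IP address are assumptions made for this example; adjust them to your site.

```php
<?php
/*
Plugin Name: Login Failure Lockout (added example)
Description: Temporarily blocks login attempts from a client after too many failures.
*/

// Assumed policy: lock a client out after this many failures within the window.
const LOCKOUT_MAX_FAILURES = 5;
const LOCKOUT_WINDOW       = 15 * MINUTE_IN_SECONDS;

// Transient name for the failure counter of the current client.
// Assumption: REMOTE_ADDR is the real client IP (see the note below about proxies).
function lockout_client_key() {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'login_failures_' . md5($ip);
}

// Count every failed login; the transient expires on its own after the window.
add_action('wp_login_failed', function ($username) {
    $key   = lockout_client_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, LOCKOUT_WINDOW);
});

// Refuse further attempts once the counter reaches the limit, even if the
// password would otherwise have been correct.
add_filter('authenticate', function ($user, $username, $password) {
    if ($username === '' ) {
        return $user; // nothing submitted, nothing to limit
    }
    if ((int) get_transient(lockout_client_key()) >= LOCKOUT_MAX_FAILURES) {
        return new WP_Error(
            'too_many_failures',
            __('Too many failed login attempts. Please wait before trying again.')
        );
    }
    return $user;
}, 99, 3);

// Clear the counter after a successful login from this client.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(lockout_client_key());
}, 10, 2);
```

Two practical notes: if your site sits behind a reverse proxy or CDN, REMOTE_ADDR will be the proxy's address rather than the visitor's, so you must map the real client IP from a trusted header before keying on it; and because a blocked attempt is also reported through wp_login_failed, the lockout extends itself while the attempts keep coming, which is the intended behaviour.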
Stopping known exploits is more complex, but there are simple things you can do. Most importantly, keep your software updated whenever a new version is available. I cannot stress this enough. Applying updates as they are released is the simplest thing you can do to improve your site’s security.
In addition, you can implement “security through obscurity”. This simply means hiding as much information as possible about your site and not using default settings. If you don’t display your WordPress version number in your HTML code, for example, the attacker has to guess what version you are using. By not revealing information and not using default settings, you make it more difficult to break into your site.
This technique also works for some brute force attacks. A simple example is the default WordPress username: admin. Most people trying to crack WordPress sites through a brute force login use the admin username. If the admin username does not exist, however, the assailant will have a hard time getting in.
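The two obscurity measures just described, hiding the version number and getting rid of the default admin username, can be supported from a second must-use plugin. This is an added example, not code from the article; it uses only core WordPress functions, and the wording of the dashboard notice is my own.

```php
<?php
/*
Plugin Name: Reduce WordPress Fingerprinting (added example)
Description: Hides the WordPress version and warns while the default "admin" account exists.
*/

// By default WordPress prints <meta name="generator" content="WordPress x.y"> in <head>.
// Removing the action stops that line from being emitted.
remove_action('wp_head', 'wp_generator');

// The same version string also appears in RSS/Atom feeds; blank it there as well.
add_filter('the_generator', '__return_empty_string');

// Renaming a user is not a one-liner in WordPress, so instead remind administrators
// on every dashboard page while a user literally named "admin" still exists.
add_action('admin_notices', function () {
    if (!current_user_can('manage_options') || !username_exists('admin')) {
        return;
    }
    echo '<div class="notice notice-warning"><p>'
        . esc_html__('The default "admin" account still exists. Create a new administrator with a different username, log in as that user, then delete "admin" and assign its posts to the new account.')
        . '</p></div>';
});
```

Removing the generator tag does not make the version unknowable (themes, scripts and readme files can still leak it), but it removes the easiest clue. The notice disappears on its own once the admin account has been deleted.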
Lastly, maintain backups of your website so that you can restore your site if problems do arise. We recommend BackupBuddy for this.
Okay, enough! What can I do?
Get the WordPress Beginner’s Security Checklist and secure your site today!