Backing up every site is the first step in making sure a site owner does not have to start from scratch if something goes wrong; however, a backup only helps after the fact, and other steps should be taken to reduce the chance of a compromise in the first place. Here are some tips for securing a site that runs WordPress.
Secure Public Directories
A blank index.html file should be placed in the wp-content/plugins/ and wp-content/themes/ folders. If any additional folders have been created by hand (under wp-content/uploads/, for example), a blank index file should be placed in those as well. This stops the web server from showing a directory listing when someone types the folder's URL into a browser, which would otherwise reveal the name of every installed plugin and theme. Note that it only hides the listing: a file whose path is already known can still be requested directly, so it is no substitute for keeping plugins up to date.
Advanced users can get the same effect for the whole site by adding the following line to the site's .htaccess file (the directive is Options, and Apache rejects a mix of All with a +/- form, so use the minus form on its own):
Options -Indexes
This only works if the server configuration lets .htaccess override Options (AllowOverride Options or AllowOverride All); if it does not, Apache answers every request under that directory with a 500 error instead of silently ignoring the line.
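The two measures in this section, as an added example script that is not code from the original article: it takes the path to wp-content, drops a blank index.html into every directory under it that lacks one, and appends Options -Indexes to the .htaccess there, skipping the line if it is already present. The directory layout and the AllowOverride requirement are assumptions about a stock Apache install; the second function lists any folder still missing an index file, so it can be run afterwards as a check.

```shell
#!/bin/sh
# Added example, not code from the original article: apply the section's two
# measures to a wp-content directory in one pass. The path is passed as an
# argument; nothing here is specific to a particular host.

# harden_wp_content DIR: put a blank index.html in DIR and every directory
# below it that lacks one (plugins, themes, uploads, and anything created by
# hand), then make sure the .htaccess there turns off directory listings.
harden_wp_content() {
  root="$1"
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
  find "$root" -type d | while IFS= read -r dir; do
    # ': >' creates an empty file; the test keeps an existing file untouched
    [ -e "$dir/index.html" ] || : > "$dir/index.html"
  done
  # Assumes AllowOverride Options (or All) in the server config; otherwise
  # Apache answers every request under the tree with a 500.
  if ! grep -qs '^Options -Indexes' "$root/.htaccess"; then
    printf 'Options -Indexes\n' >> "$root/.htaccess"
  fi
}

# unprotected_dirs DIR: list directories under DIR still missing index.html;
# an empty result means the check passes.
unprotected_dirs() {
  find "$1" -type d | while IFS= read -r dir; do
    [ -e "$dir/index.html" ] || printf '%s\n' "$dir"
  done
}
```

Run it as harden_wp_content /var/www/html/wp-content, then unprotected_dirs on the same path; the second command should print nothing. Appending rather than overwriting matters because hosts often ship an .htaccess with rewrite rules that WordPress permalinks depend on.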
Check Administrative Settings
The administrative account should use a username other than admin, because admin is the default and the first name a password-guessing attack will try. If admin is already the main user, create a new account with administrator privileges, log in as that account, and delete the admin user (WordPress asks which user should receive the old account's posts when it is deleted). For extra security, the accounts used for day-to-day writing should have the Editor or Author role rather than Administrator, so that a stolen password for one of them does not hand over full control of the site. Bear in mind that the rename is a modest gain on its own: WordPress exposes usernames in places such as author archive URLs, so the real protection against guessing is a strong password combined with the login throttling described below.
Checking & Securing Plugins
Make sure all plugins are up to date. If a plugin is no longer in use, delete it rather than merely deactivating it: a deactivated plugin's files stay on the server and can still be requested directly. This is even more important for the plugins that help to secure the blog, since a vulnerability in one of them undermines the very protection it was installed to provide.
Login Lockdown keeps someone from guessing the administrative password by blocking an IP address after three failed attempts. The block lasts for an hour by default, and both the number of attempts and the lockout length can be adjusted. Every unsuccessful login attempt is also recorded. One caveat: blocking by IP address also locks out legitimate users who share that address, such as an office behind a single NAT gateway, so set the thresholds with that in mind.
WordPress Firewall inspects incoming requests for patterns that appear in common attacks on WordPress installations and blocks the requests that match. This catches a lot of the most common attacks run against a WordPress site.
It should be noted that if one tries to edit the site's theme files through the administrative panel, the plugin will block the request, because the submitted PHP looks like an attack. Users who want to edit templates that way have to add an exception (or edit the files over SFTP instead, which also keeps the built-in theme editor out of an attacker's reach).
Wp-Ban is a simple way to ban offending IP addresses or host names, and it shows a custom message each time a blocked address tries to access the site. Leaving the message blank, so the visitor gets an empty screen rather than a notice that they are banned, may make someone with bad intentions assume the site is simply not loading and lose interest. Treat this as a minor deterrent only: an IP ban is trivial to evade by switching addresses, and a blank page does not stop anyone who is determined.
Wp-Ban also keeps track of how many times a blocked IP tries to access the site. Used together with WordPress Firewall and Login Lockdown, it can be a good way to keep unwanted visitors off the blog.
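The idea behind the Login Lockdown and Wp-Ban paragraphs above, three failed logins from one address within a short window leading to a ban, reproduced as an added example that is not code from the original article or from either plugin. It reads an Apache access log and prints the addresses that crossed the threshold, ready to paste into a ban list or a firewall rule. The sample log lines are constructed, and the heuristic (a POST to /wp-login.php answered with 200 is a failed login because WordPress re-renders the form, while a successful login gets a 302 to wp-admin) is an assumption about a stock install; the time handling also assumes all lines fall on the same day.

```shell
#!/bin/sh
# Added example (not part of the original article or of any plugin it names):
# count failed WordPress logins per IP from an Apache combined-format access
# log and report the addresses that made LIMIT failures within WINDOW seconds.
# Heuristic (assumption): a failed login is a POST to /wp-login.php that
# returns 200; a successful one returns a 302 redirect to wp-admin.

# Constructed sample log (not real traffic): 203.0.113.7 fails four times in
# under a minute, 198.51.100.4 mistypes once and then succeeds, 192.0.2.9 only
# probes the plugins directory.
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2020:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2020:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2020:13:55:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2874 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2020:13:55:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2020:13:55:22 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2020:13:55:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2020:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2020:13:56:02 +0000] "GET /wp-content/plugins/ HTTP/1.1" 403 199 "-" "curl/7.68.0"'

# failed_login_ips LIMIT WINDOW: read a log on stdin and print, sorted, every
# IP that produced LIMIT or more failed logins inside any WINDOW-second span.
failed_login_ips() {
  awk -v limit="$1" -v window="$2" '
    # seconds since midnight from a field like [10/Oct/2020:13:55:01
    # (simplification: ignores the date, so a log spanning midnight would
    # need the full timestamp converted)
    function secs(ts,   parts) {
      split(substr(ts, 14), parts, ":")
      return parts[1] * 3600 + parts[2] * 60 + parts[3]
    }
    $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" {
      ip = $1
      n[ip]++
      t[ip, n[ip]] = secs($4)
      # how many of this address'"'"'s failures fall inside the window ending now
      recent = 0
      for (i = 1; i <= n[ip]; i++)
        if (t[ip, n[ip]] - t[ip, i] <= window) recent++
      if (recent >= limit && !(ip in banned)) banned[ip] = t[ip, n[ip]]
    }
    END { for (ip in banned) print ip }
  ' | sort
}

# failed_login_count IP: total failed logins one address made in the log.
failed_login_count() {
  awk -v ip="$1" '
    $1 == ip && $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { n++ }
    END { print n + 0 }
  '
}

# Stand-alone usage: three strikes within five minutes, the kind of setting
# the lockout plugin described above applies.
printf '%s\n' "$SAMPLE_LOG" | failed_login_ips 3 300
```

On a live server replace the sample with tail -f on the access log, or run it from cron over the previous hour. The window matters: with a window of ten seconds the same four failures never cluster tightly enough to trip the rule, which is the same trade-off the plugin's "retry time period" setting controls.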
Use the Latest WordPress Version
With the frequency of version changes, it is not always possible to update to the latest version immediately. Themes and plugins have to be checked for compatibility first, because an incompatible one can break the entire site; the safest way to do this is to take a fresh backup and try the update on a copy of the site before touching the live one.
However, users should update as soon as possible, because updates usually include fixes for known security issues, and once a fix is published the flaw it closes is public knowledge too, which makes sites still running the old version easy targets.