Websites running WordPress may not be as secure as you think. Rudtek has always put an emphasis on Web Security & Hardening, and always will. When you are considering your site security you should take the process very seriously as well.
There are many types of intrusions and malware, and more are invented every day. Some statistics say there is a site hacked every 5 seconds! Security, though, is about risk reduction, not risk elimination. This page is designed to give you the best tactics to ensure your site is up and running as securely as possible, but it’s not an exhaustive list.
Secure your server
Over 40 percent of sites that are hacked are compromised at the server level, that is to say, before WordPress is even part of the equation. Take steps to secure your server by, at a minimum, checking these items:
- Add HTTPS (SSL/TLS)
- Lock down file permissions
- Ensure the server and its software (Apache, PHP, your databases, etc.) are all up to date.
- Add a server-level web application firewall (WAF) on your web server to filter requests before they are processed by WordPress. The most popular open-source WAF is ModSecurity.
Secure your site
It’s more about preventative measures than reactive. In the long run it is much better to stay ahead of the security concerns and issues rather than be successfully attacked or hacked. Depending on the extent of the issue it could be costly to repair, especially if you don’t have a current working backup.
Secure sites run faster
Just because you don’t see a problem doesn’t mean there isn’t one. Your site could be doing all types of things without your knowledge. It’s better to be in control than “pretty sure”.
Secure sites get better rankings
There are many SEO issues associated with insecure sites. Your site could be sending out spam emails or posting spam ads and malware. Poorly written malware could be slowing your site down with bloated code. Malware could be blocking or adding pages, which leads to location errors (404, 301, 302).
Secure sites let you sleep better at night
Knowing that everything is running smoothly, and that you would be notified immediately if a problem came up, is a HUGE relief. Not having to wonder, or even consider, whether there will be data loss, because you have backups scheduled regularly, is invaluable.
WordPress takes security very seriously, but as with any other system there are potential security issues that may arise if some basic security precautions aren’t taken. This is not a definitive list, but as a starting point here are some items Rudtek considers when securing our clients’ sites.
- Keep WordPress, plugins, and themes all updated. See Rudtek’s post “How do I update WordPress?” or our Optimizing WordPress page for information.
- Move the wp-config.php file outside of the WordPress directory.
- Ensure that directories such as wp-content and wp-content/uploads do not allow any PHP code to be executed from them.
- Install a firewall plugin, optionally with reporting, so you know if there is an issue (WordFence or iSecurity).
- Hide the WordPress install with a tool or plugin.
- Don’t use “admin” as your login name.
- Remove the login link if there is no reason for the public to log in to your site.
- Do use complex passwords and consider two-factor authentication. Change them every once in a while.
- Limit who has access to your site dashboard, FTP system, hosting system, etc.
- Close Comments after 30 or 60 days.
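Two of the items above, locking down file permissions (under “Secure your server”) and blocking PHP execution in wp-content/uploads, can be applied and verified with a small script. This is an added example, not Rudtek’s code; it assumes Apache 2.4 honouring .htaccess (AllowOverride), files owned by the deploying user, and a web server that only needs read access.

```shell
#!/bin/sh
# Added example, not Rudtek's code. Hardens a WordPress tree in place:
# owner-writable-only permissions, a tighter mode on wp-config.php, and an
# .htaccess that stops Apache executing PHP from wp-content/uploads.
# Assumptions: Apache 2.4 honouring .htaccess (AllowOverride), files owned
# by the deploying user, web server only needing read access.
# Usage: harden_wp_tree /var/www/html

harden_wp_tree() {
  root="$1"
  [ -d "$root" ] || return 1
  # Directories 755, files 644: the server can read, only the owner can write.
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  # wp-config.php holds database credentials and salts: owner/group only.
  if [ -f "$root/wp-config.php" ]; then
    chmod 640 "$root/wp-config.php"
  fi
  # Uploads must never be a place PHP runs from; deny every .php variant.
  mkdir -p "$root/wp-content/uploads"
  cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
# Refuse to serve or execute PHP from the uploads directory
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
  chmod 644 "$root/wp-content/uploads/.htaccess"
}

# Succeeds (exit 0) when no PHP files exist under uploads, fails otherwise.
# Any hit is worth investigating: uploads should only hold media.
check_uploads_for_php() {
  count=$(find "$1/wp-content/uploads" -type f \
            \( -name '*.php' -o -name '*.phtml' \) 2>/dev/null | wc -l | tr -d ' ')
  [ "$count" -eq 0 ]
}

# Octal mode of a path, working with both GNU and BSD stat.
perm_of() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}
```

Run check_uploads_for_php from cron or your monitoring so a PHP file appearing in uploads raises an alert rather than going unnoticed.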
If you want more details you can check out WordPress’ own article on hardening WordPress.
How do I know if my site has a virus or malware?
There can be many symptoms, but here is our short list.
- Your site is simply down: when you load your site you get a white screen, a server error, or a WordPress error message.
- Your site has new pages or posts that you didn’t add.
- Your hosting company informs you that there was a potential breach and your site appears to be affected.
- You are getting new users who shouldn’t be signing up on your site.
- Your security plugin alerts you that there is a problem.
Recovering from an attack
If you are here because you are concerned that your site is the victim of an attack, take action right away.
Use a backup
Now is the time to take action with those backups you have been regularly taking. You’ve been taking backups, right? Either server side or if you have a WordPress plugin, recover your site with a known working backup. This is the fastest and cleanest method of getting rid of malicious code (malware, virus etc) on your site.
Find the culprit
No backup? See if anything new was added to your site. Look for plugins, or files on your system that you know are not part of the site.
You’ll have to don your Sherlock Holmes hat here and really investigate. Review everything: files, database, server logs. Sometimes it isn’t just files being added; malware can edit and alter already existing files too.
No backup and no problems are evident? You may need to start over. If you’re on WordPress, delete plugins (or remove them from the plugin folder) and refresh the core files. Delete your theme and re-install it. These are not the best options, but this time-consuming process is better than a site filled with malware.
So, what happens if you didn’t have a backup running, can’t find the culprit and/or you don’t want to start over by yourself? Get in touch with us through our contact form and let us help!
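One concrete way to “find the culprit” in the core files, as an added example that is not Rudtek’s code: compare the live install against a clean copy of the same WordPress version. It assumes you have unpacked the matching release into a second directory; wp-config.php and wp-content are skipped because they are site-specific, so check those against your own backup instead.

```shell
#!/bin/sh
# Added example, not Rudtek's code. Lists core files in a possibly
# compromised WordPress install that are absent from, or differ from, a
# clean copy of the same WordPress version. Assumption: the matching
# release has been unpacked into the second directory (wp-config.php and
# wp-content are skipped because they are site-specific).
# Usage: wp_core_diff /var/www/html /tmp/wordpress-clean

wp_core_diff() {
  site="$1"
  clean="$2"
  [ -d "$site" ] && [ -d "$clean" ] || return 1
  # Walk every core file in the live site, in stable sorted order.
  ( cd "$site" && find . -type f ! -path './wp-content/*' ! -name 'wp-config.php' ) \
    | sort | while read -r f; do
      if [ ! -f "$clean/$f" ]; then
        # Not part of the release at all: a dropped file or a leftover.
        echo "ADDED $f"
      elif ! cmp -s "$site/$f" "$clean/$f"; then
        # Exists in the release but the bytes differ: possibly tampered.
        echo "MODIFIED $f"
      fi
    done
}
```

Every ADDED or MODIFIED line is a file to inspect (or simply replace from the clean copy) before you move on to plugins, themes and the database.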
Get a check up
This page is not the ultimate quick fix for your security concerns. If you have specific security concerns or doubts, Rudtek can perform a quick checkup on your site for a one-time cost. You may be interested in our Security & Hardening audit; send us a note on our contact page and let us know. If we find a vulnerability, we’ll lay out a plan for you with which plugins to install if you are on WordPress, which systems need to be updated, and an action list for making sure your site is hardened and secured.