Dealing with Security in WordPress.
Welcome to another G Web Design WordPress tutorial; today we will be dealing with WordPress security. WordPress is the most popular CMS system in the world (read our article about WordPress Web Design). Because the system is so popular and so well documented, it becomes a target for hackers. There are tons of security plugins out there, one of which we will discuss later in this wiki.
Let's start with the basics of computer security: your passwords. Make sure you do not use obvious or easy-to-guess passwords. Let your password contain capitals, lowercase letters, special characters and numbers to make it very difficult for someone to get into your system by means of what is known as a brute force attack, where they keep guessing until they break your password. In a WordPress security environment there are 4 levels of passwords to secure:
1. Database passwords.
2. WordPress login passwords.
3. Server login passwords.
4. Email passwords.
Hackers are known to use botnets (networks of computers performing hacking instructions, like brute force attacks). The trusted Google reCAPTCHA tool is very useful; it is generally used as part of your contact form, and it is also a good idea to have it in place before signing in.
To harden our WordPress installation we are going to install a very popular security plugin with tons of settings, called Wordfence Security. It is available from the WordPress repository. If you do not know how to install a plugin you can follow the tutorial ADD PLUGIN. A thing to remember is that the weakest link in your security can put you at risk, so make sure that your people are educated and understand the importance of WordPress security and security in general, especially around passwords.
Install Wordfence Security and activate it. This will go a long way towards giving you good WordPress security. As you can see from the screenshot below, this plugin is very well received, with 1 million+ downloads and 2813 reviews averaging 5 out of 5 stars; it was updated a week ago and is updated regularly.
Once installed, a new menu item called “Wordfence” will be created. We will be looking at two options, as per the screenshot below:
When you enter the “Scan” option it will bring you to the “Wordfence Scan” page. Here you can simply click scan and it will search your WordPress files to check whether there are any suspicious files that you should look into. The Wordfence scan also has another good feature: it checks your WordPress version against what is currently in the WordPress repository, to ensure that a hacker has not altered files or inserted files into your system that do not belong there. It does the same for plugins and themes that are in the WordPress repository.
Wordfence will list all the suspected irregularities and give you the option to either delete or ignore each issue, as sometimes you have altered a specific file yourself or it is a false positive. If you are not sure, please speak to a professional like G Web Design. By default the scan will automatically rescan every 2 weeks, but you are able to control this with the settings on the “Options” page.
When clicking the “Options” item you will come to the “Wordfence Options” page, and you will notice there are more than 60 options. We will only look at a few of them. In the Basic Options section everything can be left as is; only fill in your email address if you wish to receive alerts. You can then proceed to click on the blue “Save changes” button.
The Advanced Options section contains the rest of the settings. The first sub-section is for Alerts, and here you can set what you get emailed about and the frequency of the emails. Next is the sub-section Email Summary, with the appropriate options you can look at. The next sub-section to look at is Scans to include, where you can tick and untick which types of scans you want Wordfence to do. By default “Scan theme files against repository version for changes” and “Scan plugin files against repository version for changes” are unchecked, but you can check them if you so desire. This has no impact if you use premium themes / plugins or if you write your own. Lastly, let's look at the sub-section Login Security Options, where you can control when to log users out and for how long; there are some very helpful options in this sub-section.
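To show what the "compare against the repository version" check above actually does, here is an added example (not Wordfence's own code and not from the original tutorial) that hashes every file under a WordPress directory, compares the result with a known-good manifest, and reports files that were modified, files that are not in the reference at all, and files that have gone missing. The two directories and their contents are constructed inside the script so it runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_reference(reference: dict, install: dict) -> dict:
    """Classify files in the live install against the trusted reference manifest."""
    modified = sorted(f for f in install if f in reference and install[f] != reference[f])
    unknown = sorted(f for f in install if f not in reference)   # planted / not in the release
    missing = sorted(f for f in reference if f not in install)   # removed from the install
    return {"modified": modified, "unknown": unknown, "missing": missing}


def demo() -> dict:
    """Constructed sample: a clean 'reference' copy and a tampered 'live' copy of the same files."""
    with tempfile.TemporaryDirectory() as tmp:
        reference, live = Path(tmp) / "reference", Path(tmp) / "live"
        for root in (reference, live):
            (root / "wp-includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php require 'wp-blog-header.php';")
            (root / "wp-includes" / "version.php").write_text("<?php $wp_version = 'sample';")
        # Only the reference carries wp-settings.php, so the live copy is "missing" it.
        (reference / "wp-settings.php").write_text("<?php // core settings")
        # Simulate tampering in the live copy: one file altered and one extra file planted.
        (live / "index.php").write_text("<?php /* altered */ require 'wp-blog-header.php';")
        (live / "wp-includes" / "dropped.php").write_text("<?php // not part of the release")
        return compare_to_reference(build_manifest(reference), build_manifest(live))


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

In practice the reference manifest comes from a fresh download of the same WordPress, plugin or theme version, which is exactly why the check is only meaningful for code that exists in the public repository.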
Conclusion to WordPress Security
Wordfence is a very powerful plugin, and it is free. You can upgrade at a minimal cost and get some other great features. Remember that WordPress security is extremely important, so make sure it is part of your web design. However, if you have been infected and are not certain what to do, contact us at G Web Design to assist you.
Thanks for reading.
Graham (Web Designers Cape Town)
G Web Design (Web Design Cape Town Company)
“Your partner on the web”