5 Simple Steps To Help Keep Your WordPress Site Secure
WordPress is an excellent platform for both novice and expert users to develop websites. Our statistics show that it is by far the most common Content Management System (CMS) we host, with tens of thousands of WordPress sites running from our systems.
However, it's easy to forget that WordPress sites require extra care and maintenance to keep them secure. Because WordPress is open source, the code is there for all to see and to find vulnerabilities in. Additionally, WordPress supports third-party plugins and themes which may not be of the same quality or integrity as the WordPress code itself.
All too often we see support tickets from clients who have had malicious links, iframes or JavaScript injected into their pages. Whilst we will always try to assist in these instances (normally by restoring backups), there are some steps you can take yourself, proactively, to help keep your site secure. Almost all of the attacks work by exploiting some core or plugin-related functionality in order to upload a backdoor script, which then runs as your website user and allows the attacker to modify additional files.
- Regularly update WordPress to the latest version. This can be done in a matter of minutes via the wp-admin panel.
- Only install plugins from trusted sources. Try to keep the plugin count to a minimum (remove anything you're not using) and keep anything you do have installed up to date with the latest security patches.
- Delete any themes that you're not using. Many WordPress themes come bundled with a script called timthumb.php which, in older revisions, is notorious for arbitrary code execution attacks. Make sure you are running the latest version of your chosen theme.
- Use a complex, unique password for your admin user.
- If you are sure you don't need to execute PHP code from your wp-content directory (check with your web designer), upload a file called .htaccess to the root of wp-content with the following line:

```apache
AddType text/html .php
```

  This will mean that any PHP scripts which are uploaded to wp-content will be shown as plain text rather than executing the code. Since many of the attacks we see involve uploading backdoor scripts to wp-content, this might act as your last line of defence.
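As an added example (not from the original post), a POSIX shell audit that checks a WordPress install for the points above: stray timthumb.php copies under wp-content/themes, PHP files sitting in wp-content/uploads, whether wp-content/.htaccess already carries the AddType line from step 5 (and installs it if not), and the installed core version read from wp-includes/version.php. The directory layout is the standard WordPress one; the function names and the report format are the example's own.

```sh
#!/bin/sh
# WordPress hygiene audit (example code). Usage: wp_audit /path/to/wordpress

# Number of timthumb.php copies shipped with installed themes (ideally 0).
count_timthumb() {
  find "$1/wp-content/themes" -type f -name 'timthumb.php' 2>/dev/null | wc -l | tr -d ' '
}

# Number of PHP files under wp-content/uploads; uploads should hold media only,
# so anything here is a candidate backdoor worth inspecting.
count_upload_php() {
  find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null | wc -l | tr -d ' '
}

# Succeeds when wp-content/.htaccess contains the AddType line from step 5.
htaccess_blocks_php() {
  f="$1/wp-content/.htaccess"
  [ -f "$f" ] && grep -Eq '^[[:space:]]*AddType[[:space:]]+text/html[[:space:]]+\.php' "$f"
}

# Writes the step 5 .htaccess if none exists (an existing file is left alone).
# Caveat: AddType only takes effect where PHP is mapped via mod_php's AddType;
# hosts that run PHP through a handler (e.g. php-fpm) need a FilesMatch deny
# block instead, so verify with a harmless test .php file after installing.
install_htaccess() {
  d="$1/wp-content"
  [ -d "$d" ] || return 1
  [ -e "$d/.htaccess" ] && return 0
  printf '%s\n' '# Serve uploaded .php files as text instead of executing them' \
                'AddType text/html .php' > "$d/.htaccess"
}

# Installed core version, taken from the $wp_version assignment in core.
wp_version() {
  grep '^\$wp_version' "$1/wp-includes/version.php" 2>/dev/null | head -n 1 | cut -d"'" -f2
}

# Prints a one-line-per-check report for the given WordPress root.
wp_audit() {
  echo "core version     : $(wp_version "$1")"
  echo "timthumb.php     : $(count_timthumb "$1") copies"
  echo "php in uploads   : $(count_upload_php "$1") files"
  if htaccess_blocks_php "$1"; then echo "wp-content/.htaccess: present"
  else echo "wp-content/.htaccess: missing (run install_htaccess)"; fi
}
```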
As always we are happy to help with any issues you might be facing or any concerns you might have. If you require assistance at any point feel free to email support@tsohost.com or freephone us on 0800 024 2931.