- In hacker lingo, a script kiddie is the lowliest form of hacker (using the term loosely): someone who relies on off-the-shelf tools and scripts to find and exploit the weakest and most common security holes, such as bad passwords, use of public WiFi without a VPN, outdated plugins, low-security hosting, and phishing. Sadly, these issues alone grant access to a shocking number of sites.
Unless you're in charge of a WordPress site for a major brand, the majority of the security issues you're likely to face will come from script kiddies.
- There are a few things to keep in mind (WP Engine does most, if not all, of this):
- Run secure, stable versions of your web server and any software on that server.
- Have a server-level firewall.
- Keep your server under lock and key. Only your IT team should have access.
- Never, ever access your server from an unsecured network.
- If you need to transfer files, use SFTP via a reputable client rather than plain FTP, which sends your username and password in cleartext.
- Make sure your MySQL installation is as secure as possible.
- Always create a unique database for each blog installation, and make sure your database table prefix is NOT the default wp_ (it is set by $table_prefix in wp-config.php).
- Back up your database and other files as often as possible, especially right before you make a change (there are plenty of options for this, such as CodeGuard and VaultPress).
- And, of course, make sure your passwords are both complex and not reused anywhere else.
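The database items in that checklist (unique prefix, strong MySQL password) and a couple of related wp-config.php settings are easy to audit mechanically. The script below is an added example, not code from the original post or from WP Engine: it parses a wp-config.php and reports the weak settings it finds. The two config snippets, the 16-character password floor, and the tiny list of common passwords are all constructed for the demo; on a real deployment you would check against a full breached-password list.

```python
"""Audit a WordPress wp-config.php for weak settings.

Added example, not from the original post. Checks: the table prefix is not
the default wp_, DB_PASSWORD is neither short nor a well-known password,
WP_DEBUG is off, and FORCE_SSL_ADMIN is on. Both configs below are
constructed samples, not files from any real site.
"""
import re

# Constructed "before" config with the mistakes the checklist warns about.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'blog_db' );
define( 'DB_USER', 'blog_user' );
define( 'DB_PASSWORD', 'password123' );
define( 'DB_HOST', 'localhost' );
define( 'WP_DEBUG', true );
$table_prefix = 'wp_';
"""

# Constructed "after" config with the same items fixed.
HARDENED_CONFIG = """<?php
define( 'DB_NAME', 'blog_db' );
define( 'DB_USER', 'blog_user' );
define( 'DB_PASSWORD', 'x7Qp!vL2#mZr9sWd' );
define( 'DB_HOST', 'localhost' );
define( 'WP_DEBUG', false );
define( 'FORCE_SSL_ADMIN', true );
$table_prefix = 'k3q_';
"""

# Matches single-line define( 'NAME', value ); statements.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\);""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")

# Stand-in for a real breached-password list (constructed, deliberately tiny).
COMMON_PASSWORDS = {"password", "password123", "admin", "wordpress", "123456"}
MIN_DB_PASSWORD_LEN = 16  # assumed policy floor for this example


def parse_config(text):
    """Return define()d constants (quotes stripped) plus the table prefix."""
    settings = {}
    for name, raw in DEFINE_RE.findall(text):
        settings[name] = raw.strip().strip("'\"")
    m = PREFIX_RE.search(text)
    settings["table_prefix"] = m.group(1) if m else ""
    return settings


def audit_config(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_config(text)
    findings = []
    prefix = s.get("table_prefix", "")
    if prefix in ("", "wp_"):
        findings.append("table_prefix is the default wp_ or empty: use a unique prefix")
    pw = s.get("DB_PASSWORD", "")
    if len(pw) < MIN_DB_PASSWORD_LEN:
        findings.append("DB_PASSWORD is shorter than %d characters" % MIN_DB_PASSWORD_LEN)
    if pw.lower() in COMMON_PASSWORDS:
        findings.append("DB_PASSWORD is a well-known common password")
    if s.get("WP_DEBUG", "false").lower() == "true":
        findings.append("WP_DEBUG is enabled on a live site (leaks paths and queries)")
    if s.get("FORCE_SSL_ADMIN", "false").lower() != "true":
        findings.append("FORCE_SSL_ADMIN is not set: admin logins may travel over plain HTTP")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = audit_config(cfg)
        print("%s config: %d finding(s)" % (label, len(problems)))
        for p in problems:
            print("  FAIL:", p)
```

Run it against your own file with `audit_config(open("wp-config.php").read())`; the weak sample produces five findings and the hardened one produces none.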
- Plugins to consider:
- Better WP Security - This is sort of an all-in-one security option. It handles a variety of tactics covered in this post. Can overlap with other plugins, so be careful. Free.
- Limit Login Attempts - Exactly what it says, and a phenomenal way to deter brute-force hacking attempts on a site. Free.
- Akismet - Great way to filter out a lot of crap before it ever touches your site. If your site is easy to spam, it might also be easy to hack, so make it a hardened target on all fronts. Paid.
- Sucuri Security - When you pay for this service, you get a plugin to install on your site that helps with the monitoring and hardening process. It has overlap with other plugins though, such as Limit Login Attempts and Better WP Security, so you don't want to use all of them at once. Paid.
- CodeGuard - Great backup service that lets you easily roll back if you ever do get hacked. Also, people don't back things up nearly as often as they should, so doing it automatically is handy. Paid.
- CloudFlare - CloudFlare is a CDN, but also so much more. It has some great security features built in, and comes in both free and paid versions.
- Google Authenticator - Enables two-factor authentication on WordPress, which is awesome. I use two-factor wherever it's offered, because it rocks. Free.
- Stealth Login Page - You can't crack what you can't find. This plugin hides your login page without needing to edit .htaccess files. Keep in mind that this is obscurity rather than access control: xmlrpc.php still accepts login attempts unless you block it too, so pair it with rate limiting. Free.
- WordPress SEO by Yoast - Not only does this have great SEO benefits, but it allows you to easily edit your .htaccess file from within the WordPress admin, which is very handy. Free.
- Wordfence - A free, enterprise-class security plugin that includes a firewall, anti-virus scanning, malicious URL scanning, and live traffic view (including crawlers). Wordfence also says it is the only WordPress security plugin that can verify and repair your core, theme, and plugin files, even if you don't have backups. Free.
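Limit Login Attempts and Wordfence both do the same basic thing against brute-force logins: count failures per source address and block once a threshold is crossed. The script below is an added example, not code from the original post or from either plugin. It applies that logic to the web server's access log instead of inside WordPress, so it still works when a plugin is disabled or when the attacker skips the (possibly hidden) login page and hammers xmlrpc.php. The log lines, IP addresses, threshold and window are all constructed for the demo. It assumes the standard behaviour that a failed wp-login.php POST re-renders the form with HTTP 200 while a successful one redirects with 302.

```python
"""Flag brute-force WordPress login attempts from access-log lines.

Added example, not from the original post or from any plugin. Reads
Apache/nginx "combined" format lines, counts failed login POSTs per IP in
a sliding time window, and reports each IP the first time it crosses the
threshold. All sample traffic below is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one brute-forcer on wp-login.php, one legitimate
# admin, and one brute-forcer using xmlrpc.php instead of the login page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:12:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "python-requests/2.2"
203.0.113.7 - - [10/Mar/2014:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "python-requests/2.2"
203.0.113.7 - - [10/Mar/2014:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "python-requests/2.2"
203.0.113.7 - - [10/Mar/2014:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "python-requests/2.2"
203.0.113.7 - - [10/Mar/2014:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "python-requests/2.2"
203.0.113.7 - - [10/Mar/2014:12:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "python-requests/2.2"
203.0.113.7 - - [10/Mar/2014:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "python-requests/2.2"
198.51.100.4 - - [10/Mar/2014:12:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2014:12:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2014:12:01:06 +0000] "GET /wp-admin/ HTTP/1.1" 200 45000 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2014:12:03:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "curl/7.35"
192.0.2.9 - - [10/Mar/2014:12:03:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "curl/7.35"
192.0.2.9 - - [10/Mar/2014:12:03:20 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "curl/7.35"
192.0.2.9 - - [10/Mar/2014:12:03:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "curl/7.35"
192.0.2.9 - - [10/Mar/2014:12:03:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "curl/7.35"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

THRESHOLD = 5                 # assumed: attempts allowed per window
WINDOW = timedelta(minutes=5)  # assumed: sliding window length


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_login_attempt(rec):
    """Failed wp-login.php POSTs return 200 (success is a 302 redirect);
    xmlrpc.php answers 200 either way, so every POST to it is counted."""
    if rec["method"] != "POST":
        return False
    path = rec["path"].split("?")[0]
    if path.endswith("/wp-login.php"):
        return rec["status"] == 200
    return path.endswith("/xmlrpc.php")


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: time_first_flagged} for IPs with >= threshold attempts in window."""
    recent = defaultdict(deque)  # ip -> timestamps of attempts still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_login_attempt(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print("block %s (threshold reached at %s)" % (ip, when.isoformat()))
```

Feed it `open("/var/log/apache2/access.log")` instead of the sample to run on real traffic. The successful admin login (302) and the GET requests are never counted, so a legitimate user who mistypes once or twice is not flagged; tune `THRESHOLD` and `WINDOW` to your own tolerance.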