Some time ago, I posted basic information about securing your WordPress sites. Given that post has not been updated since 2012, I thought it was time. Rather than just re-hash the existing information, I decided to take a slightly different approach. I recently saw the need to create a new WordPress site and did so. I thought it might be helpful for readers of this weblog to review my thought processes as I developed the site.
First, I followed the 5 minute install for WordPress. From a security perspective, I made certain the database did not begin with the wp_ prefix. I also made the database name, database user, and database password as long and complex as possible. I did not use admin as the administrator username, and I made the actual administrator username very long and complex.
Once the site was running, I accessed it as administrator and added the following plugins (they are alphabetized, not the actual order I installed them). Note that some plugins have similar purposes. I only activate one approach at a time, but like having alternatives readily available if I think the site has been compromised (for example, there are a couple of approaches to restricting the number of unsuccessful login attempts – I am only using one – no, I won’t tell you which one). Obviously, one must activate and configure these plugins. For some plugins listed below, there is a free version (with some capabilities) and a paid version (with more capabilities).
- Acunetix WP Security – this plugin helps confirm that one has patched a number of known vulnerabilities (as a general rule, it is a good practice to eliminate all the red items on the dashboard). I eliminated the yellow ones as well.
- BackWpUp – this plugin helps generate backups for the site. After activating, you must create one or more jobs and indicate where you want the backups to be stored. I recommend a secure spot (for example, don’t send the backups via email, as poor passwords can be cracked using tools like HashCat in the event the email is intercepted).
- Contact form maker – I wanted to generate a number of forms and this is a handy plugin to accomplish that. Yes, I could have written my own PHP scripts to address this, but using a plugin was quicker.
- Google Analytics – This allows me to quickly tie my specific Google Analytics code to this site so I can track visitors, pages visited, and so much more.
- Google Authenticator – this allows for 2 factor authentication. Yes, some of the other plugins listed also allow for this.
- Login Lockdown – this is one plugin to limit the number of access attempts (I always limit this to 5 or fewer). Yes, other tools accomplish the same. Pick one and use it. Otherwise, one could make unlimited attempts to access the site. Yes, scripts readily exist to accomplish this.
- Simple Security Firewall – one always needs some sort of software firewall to defend against a number of injection attacks (and more). Obviously, configure it to your needs. There are a number of options. Choose those which don’t conflict with other plugins (or inactivate the other plugins first).
- WordPress Access Control – there was a need for a “members only” part of this site. Yes, there are alternatives. Review the ratings, date of most recent update, and determine which plugin is suitable for your specific needs.
Now that the site is a bit more secure, I focused on making updates to the appearance of the site. Obviously, your mileage will vary on this point. That being said, it is very important to create a child theme and modify that one (don’t just blindly make changes to the existing theme – as soon as any update for that theme comes out, you will wipe out your work when you update). You do update your themes and plugins in WordPress, don’t you?
I created a folder named MDchanges (or maybe not, but I did create a separate folder). Within that folder, I created a style.css document which pointed to the parent theme. Remember that the child theme is loaded first, so you only need to focus on modifications; the rest of the CSS will be pulled in from the parent. I also created a functions.php file (which did not contain much initially). You need both the style.css and functions.php files in order to activate the child theme within WordPress. Once active, it is a good idea to periodically check that your updates work as planned. Of course, I added other files with my desired modifications. One example would be a custom 404 error page when someone requests a page not found.
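As an added illustration of the child theme setup described above (this is example code, not the files from my actual site), here is a minimal functions.php that loads the parent stylesheet before the child's, plus a small 404.php. The folder name MDchanges and the parent theme directory name twentyfifteen are assumptions; substitute your own.

```php
<?php
// functions.php for the child theme (example, not the post's own code).
//
// The companion style.css in the same folder only needs a header; the
// "Template" line is what points WordPress at the parent theme's directory:
//
//   Theme Name: MDchanges
//   Template:   twentyfifteen      (assumed parent directory name)
//
// Everything not overridden in the child's style.css still comes from the parent.

// Enqueue the parent stylesheet first, then the child's, so child rules win.
// Updating the parent theme later will not touch anything in this folder.
add_action( 'wp_enqueue_scripts', 'mdchanges_enqueue_styles' );
function mdchanges_enqueue_styles() {
    wp_enqueue_style( 'parent-style', get_template_directory_uri() . '/style.css' );
    wp_enqueue_style(
        'child-style',
        get_stylesheet_directory_uri() . '/style.css',
        array( 'parent-style' ),
        wp_get_theme()->get( 'Version' )
    );
}

// --- 404.php (separate file in the child theme folder) ---
// A custom "page not found" template. Nothing from the request is echoed back,
// so a crafted URL cannot inject markup into the error page.
/*
<?php get_header(); ?>
<main id="main" class="site-main" role="main">
    <h1><?php esc_html_e( 'Page not found', 'mdchanges' ); ?></h1>
    <p><?php esc_html_e( 'The page you requested does not exist.', 'mdchanges' ); ?></p>
    <p><a href="<?php echo esc_url( home_url( '/' ) ); ?>"><?php esc_html_e( 'Return to the home page', 'mdchanges' ); ?></a></p>
</main>
<?php get_footer(); ?>
*/
```

Once both files are in place, the child theme appears under Appearance > Themes and can be activated like any other theme.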
I also confirmed all displayed properly in both mobile and desktop browsers. Yes, it is 2015 and we need to keep mobile in mind.
Ok, I made additional modifications as well, but you have the main idea. Total elapsed time to make these changes after the initial install: less than 2 hours. This is what I recommend (at a minimum) to make certain your site is reasonably secure.
I am curious if you found this information helpful. I look forward to your comments. I do have to approve each.