After publishing the first article in this series, I received a number of emails asking for a layman’s punch list. Ask and you shall receive. Here’s the recipe minus the technical mumbo jumbo, suitable for any WordPress admin interested in buttoning up their security.
1) Don’t use the Admin account for everyday use. Create a second user whose permissions do not include editing theme templates or adding plugins. That is, set the Role to Editor, not Administrator. You should then create a new Admin account with a name other than “admin” and delete the original Admin user.
2) Security begins with good passwords. Use strong passwords, not the name of your spouse, pet, or favorite band. Update your passwords to both the wp-admin site and any FTP/SFTP accounts. Don’t forget to change the password to your hosting company’s control panel too.
This is a terrible password: freedom
And this isn’t much better: Am3rican
Now, here’s a good password generator: http://strongpasswordgenerator.com/
Which produces good passwords like this: a9vVcX,7!
But this is even better: “Hi, 1 love to p3t Cats?”
It’s called a passphrase, and nowadays, with password dictionaries and rainbow-table attacks, it’s the only way to fly.
Finally, when was the last time you changed your password? I bet you’re still using the password you created when you started. Don’t be lazy, change the password every few months.
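To make the four examples above concrete, here is a small password grader written for this article (it is not the author’s code and not part of WordPress). It undoes the usual letter-for-number swaps before checking a dictionary, which is why “Am3rican” lands in the same bucket as “freedom”, and then estimates entropy from length and alphabet size, which is where the passphrase wins. The five-word WORDLIST is a constructed stand-in for a real cracking dictionary.

```sh
#!/bin/sh
# Added example for this article (not the author's code): a rough grader that
# shows why "freedom" and "Am3rican" are weak while a long passphrase is not.
# WORDLIST is a constructed five-word stand-in for a real cracking dictionary.
LC_ALL=C; export LC_ALL
WORDLIST='freedom
american
password
welcome
letmein'

# Lowercase the input, undo the usual letter-for-number/symbol swaps
# (0->o, 1->l, 3->e, 4->a, @->a, $->s, 5->s, 7->t, !->l) and drop everything
# else, so "Am3rican" collapses to "american" before the dictionary check.
normalize() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr '0134@$57!' 'oleaasstl' | tr -cd 'a-z'
}

# True when the normalized password is a dictionary word.
is_dictionary_word() {
    printf '%s\n' "$WORDLIST" | grep -qx "$(normalize "$1")"
}

# Size of the alphabet the password actually draws from.
charset_size() {
    size=0
    printf '%s' "$1" | grep -q '[a-z]' && size=$((size + 26))
    printf '%s' "$1" | grep -q '[A-Z]' && size=$((size + 26))
    printf '%s' "$1" | grep -q '[0-9]' && size=$((size + 10))
    printf '%s' "$1" | grep -q '[^A-Za-z0-9]' && size=$((size + 33))
    echo "$size"
}

# Upper bound on the bits of entropy: length * log2(alphabet size). A passphrase
# built from English words has fewer real bits than this, but length still
# dominates, which is why 23 characters beat 9 random ones.
entropy_bits() {
    len=$(printf '%s' "$1" | wc -c | tr -d ' ')
    awk -v n="$len" -v c="$(charset_size "$1")" 'BEGIN { printf "%d", n * log(c) / log(2) }'
}

# Verdict: dictionary words lose outright; otherwise 60 bits is the bar.
grade_password() {
    if is_dictionary_word "$1"; then
        echo "weak: dictionary word once swaps like 3-for-e are undone"
    elif [ "$(entropy_bits "$1")" -lt 60 ]; then
        echo "fair: about $(entropy_bits "$1") bits"
    else
        echo "strong: about $(entropy_bits "$1") bits"
    fi
}

# The article's own four candidates, worst to best.
for candidate in 'freedom' 'Am3rican' 'a9vVcX,7!' 'Hi, 1 love to p3t Cats?'; do
    printf '%-28s %s\n' "$candidate" "$(grade_password "$candidate")"
done
```

The entropy figure is an upper bound (real crackers try word combinations, not just random characters), so treat the grader as a sanity check rather than a guarantee; the lesson it does show reliably is that a short string with clever substitutions adds almost nothing, while length adds a lot.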
3) Don’t ignore the WordPress updates. Updates are your friend, not because they add nifty new features and themes, but because they repair security issues found by diligent hackers. Running your WordPress site on an out-of-date version only invites attacks, as hackers can (and do) scan for these older versions. When they find them, they launch attacks accordingly.
Your WordPress installation will nag you by default to upgrade. If you see this message when you log in, follow the instructions! The latest version (as of this writing) is 3.4.2 and contains a number of important security fixes (if you’re unsure, check this link to see what the latest “stable” release number is: http://wordpress.org/download).
4) Remove unused plugins. Plugins = Danger. Plugins are given free rein on your system: they run with the same access to your site and database as WordPress itself. Since anyone can write these things, they represent a serious security risk to your site. Research the plugin before you install and activate it. I also suggest you review what you have and uninstall those that aren’t being used. Treat these things with extreme caution!
5) Disable FTP access. FTP? You still use it? Time to stop doing that. You should only be using secure FTP, known as SFTP. Plain FTP sends your username and password over the network in clear text, so anyone watching the traffic can read them. There are numerous free SFTP clients available. You can usually disable FTP using a checkbox found inside your hosting service’s control panel. Ask them for help if you can’t find it.
6) Block access to sensitive areas using .htaccess files. This is a bit more advanced, but it only requires you to copy, paste, and upload. If you feel brave, this lets you block requests for files visitors should never see. Read this for more info: http://www.netmagazine.com/tutorials/protect-your-wordpress-site-htaccess
7) Modify the permissions of your files to be read-only. This grants the web server permission to read your files, but not to WRITE to them. You can do this through any (S)FTP client. Here’s a primer: http://codex.wordpress.org/Changing_File_Permissions
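For anyone with shell access to their host, here is an added example covering items 6 and 7 together (it is not the author’s script and not part of WordPress). It sets the permissions the Codex page describes, then appends Apache rules to .htaccess that refuse web requests for wp-config.php and .htaccess itself. The script assumes an Apache host, that you run it as the account that owns the files, and that the web server runs as that owner or shares its group; the WordPress path is whatever you pass as the first argument.

```sh
#!/bin/sh
# Added example for items 6 and 7 (not from the article): make a WordPress tree
# read-only for the web server and add .htaccess rules that refuse web requests
# for files nobody should fetch. Usage: sh harden-wp.sh /path/to/wordpress
# Assumes Apache, and that the web server runs as the file owner or in its group.

# Item 7: directories 755, files 644, wp-config.php 640 (it holds the database
# password, so the rest of the world gets nothing). Note that wp-content/uploads
# normally has to stay writable by the web server for media uploads; re-open
# that one directory deliberately if uploads stop working.
harden_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi
}

# Item 6: deny access to wp-config.php and .htaccess, in both the Apache 2.4
# (Require) and 2.2 (Order/Deny) syntaxes, and stop directory listings. The
# rules are appended, not written over, so WordPress's own permalink rules in
# the same file survive; the BEGIN marker keeps repeated runs from duplicating.
write_htaccess() {
    f=$1/.htaccess
    if [ -f "$f" ] && grep -q '# BEGIN hardening' "$f"; then
        return 0
    fi
    cat >> "$f" <<'EOF'
# BEGIN hardening
<FilesMatch "^(wp-config\.php|\.htaccess)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
Options -Indexes
# END hardening
EOF
}

# Audit: list anything still writable by every user on the server.
world_writable() {
    find "$1" -perm -002
}

# Do both steps; permissions last so the .htaccess we touched gets 644 too.
harden_wordpress() {
    write_htaccess "$1"
    harden_permissions "$1"
}

if [ $# -eq 1 ]; then
    harden_wordpress "$1"
    world_writable "$1"
fi
```

Run it once, then run the audit again after any plugin install or WordPress update, since both tend to loosen permissions: an empty listing from world_writable is the result you want. If automatic updates later fail with a “could not create directory” message, that is the read-only setting doing its job; supply SFTP credentials to the updater or open the permissions briefly, then re-run the script.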
Still reading? Impressive! Further reading on these tips: http://codex.wordpress.org/Hardening_WordPress