Security is the most important issue for web sites these days as per Google’s statistics. More and more web sites are getting compromised on a daily basis and used for malicious activity such as sending spam, uploading phishing materials or attacking other networks. WordPress is the most used open source software, serving millions of web sites all over the world. That makes it a pretty good target for hackers to compromise and use for malicious activity. There are multiple steps to keep in mind when securing your WordPress web site: choosing the best WordPress hosting plan for your web site, setting the proper permissions on files containing sensitive data such as login details, installing one or more security plugins, regularly auditing your web site’s access logs, keeping WordPress and all plugins and themes up to date and, of course, configuring your server to block most web attacks by running a WAF (web application firewall), a HIDS (host intrusion detection system), a firewall and a server with hardened security measures. The last is up to your web hosting company unless you run your own server and are the systems administrator managing it.
Here are the most important steps to follow which will guarantee your WP web site is safe.
Change the permissions of your wp-config.php file to 600. By default its permissions will be 644 which means that anybody with an account on your server will be able to read your WordPress MySQL login details, access your database and compromise the web site. Keep in mind that even the best WordPress hosting will not help if you are neglecting the security of your account and WordPress application.
Make sure you are using a hard-to-guess password for both your WordPress backend and your MySQL database user. That will stop the brute-force attacks that are happening 24/7 and attacking WordPress web sites around the globe. A strong password is considered a password that contains letters, numbers and characters such as “,;:)(#@!”.
Remove any themes that you are not using. Forgetting you have a theme uploaded which you don’t update is a security risk. A vulnerability for it may be discovered and your web site compromised due to a theme you never needed. Just keep only what you need and remove everything else.
Keep WordPress, the plugins and themes up to date at all times. It’s easiest to do that when you enable automatic updates in wp-config.php. To do that you need to add the following lines in wp-config.php in case they are not already there.
Install a security plugin such as Wordfence or Sucuri.
Restrict access to wp-login.php and xmlrpc.php to your IP. That will block tons of attacks. You can do so by adding the following to your .htaccess file.
<FilesMatch "^(wp-login|xmlrpc)\.php$">
allow from 188.8.131.52
deny from all
</FilesMatch>
Replace 188.8.131.52 with your IP address. If you want to access the scripts from multiple IPs you can add more by putting each IP on a new line with the “allow from xxx.xxx.xxx.xxx”. The FilesMatch section limits the rule to those two scripts; without it the allow/deny lines would apply to the whole web site.
Contact your web hosting company and make sure they have mod_security installed to block attacks against your web site and a firewall to filter the malicious activity targeted at your WP web site. All that will result in your WordPress installation being secure and you will not have to waste time fighting hackers. Good luck!
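An added example, not part of the original article: a shell function that audits one WordPress directory for three of the steps above (wp-config.php at mode 600, automatic updates not switched off, wp-login.php and xmlrpc.php restricted in .htaccess). The function names, finding labels and sample site are constructed for illustration, and mode 600 assumes PHP runs under the account that owns the file.

```shell
#!/bin/sh
# Added example: audits one WordPress directory for three steps from the list.
# Prints one line per finding; the return status is the number of findings.

file_mode() {  # octal permissions: GNU stat first, BSD stat as fallback
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

audit_wp() {
    root=$1; findings=0
    cfg="$root/wp-config.php"; hta="$root/.htaccess"
    [ -f "$cfg" ] || { echo "MISSING $cfg"; return 1; }

    # wp-config.php should be 600 so other accounts cannot read the DB login.
    mode=$(file_mode "$cfg")
    if [ "$mode" != 600 ]; then
        echo "PERM wp-config.php is $mode, expected 600"; findings=$((findings + 1))
    fi

    # Automatic updates must not be switched off (whitespace stripped first).
    if tr -d ' \t' < "$cfg" | grep -Eiq \
        "^define\(['\"](AUTOMATIC_UPDATER_DISABLED['\"],true|WP_AUTO_UPDATE_CORE['\"],false)\)"; then
        echo "UPDATE automatic updates are disabled in wp-config.php"; findings=$((findings + 1))
    fi

    # Heuristic: each script needs a <Files>/<FilesMatch> section in .htaccess
    # that names it and contains a deny rule (Apache 2.2 or 2.4 syntax).
    for script in wp-login xmlrpc; do
        if ! awk -v s="$script" '
            /^[ \t]*<Files(Match)?[ \t]/ { insec = (index($0, s) > 0) }
            /^[ \t]*<\/Files/            { insec = 0 }
            insec && tolower($0) ~ /deny from all|require ip / { ok = 1 }
            END { exit !ok }' "$hta" 2>/dev/null; then
            echo "ACL $script.php is not IP-restricted in .htaccess"; findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample site (not real data): 644 config, updates off, no .htaccess.
make_demo_site() {
    d=$(mktemp -d)
    printf "<?php\ndefine( 'WP_AUTO_UPDATE_CORE', false );\n" > "$d/wp-config.php"
    chmod 644 "$d/wp-config.php"
    echo "$d"
}

if [ "$#" -gt 0 ]; then audit_wp "$1"; fi   # e.g. sh audit.sh ~/public_html
```

The .htaccess check is a text heuristic; it does not prove that the server honours .htaccess files, so confirm the restriction with a request from an address that is not on the allow list.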
It is very important to get a suitable hosting package when you plan to use WordPress to build your web site. There are a lot of things to consider when you start the process of choosing the best WordPress hosting plan for your web site. First of all you must make sure that the web hosting company you are considering working with has been in business for at least 3-4 years. That will give you peace of mind that your hosting company will not suddenly disappear and take your WordPress web site with it. No matter what company you choose, always make sure to keep your own backups. It’s always a good idea to rely on yourself rather than risk someone else losing your data.
Run the latest versions of PHP, MySQL and LiteSpeed. That will keep the server secure and it will provide the performance your web site needs to load instantly. Keep in mind that if your web site is loading slowly you will surely lose some sales as visitors do not like to wait. It will also show you that the web hosting company is properly managing and maintaining their servers.
Provide a tuned server environment for your WordPress web site to operate at its best. The PHP memory limit should be set to 128MB minimum to keep your WordPress scripts from failing. The PHP max upload filesize should be set to 100MB minimum. The MySQL server must be properly configured to cache all InnoDB database tables as that will speed up the queries dramatically. MySQL queries executed against data held in the RAM of the server will complete 10-15 times quicker than if they are done on the disk, even if it is an SSD.
1-click installer for quick and easy start. Most web hosting companies offer that but still we decided to mention it as it will make your life easier and it will save time. You will be able to install WordPress from your control panel with a couple of clicks rather than wasting more than 30 minutes to download/upload WordPress, setup the database and install it.
CloudLinux _not_ installed. Always ask the web hosting provider you are considering and make sure CloudLinux is not installed on your server as it will limit the CPU/memory/IO resources you can use. If you get a spike of visitors and have a chance to get more sales, CloudLinux will block those visits to your web site as it limits your resources. It can have a negative effect too when you decide to upgrade WordPress and its plugins to the latest version in case the upgrade script needs more memory than your account is limited to by CloudLinux.
It’s best for you if your WordPress web site is running from an SSD-powered server as SSD drives are much faster and your web site will load quickly. Quick loading of the web site is not only good for not losing sales. It is also important for your SEO ranking.
The best hosting plan will also include a free migration from another host in case you are looking to change your WordPress hosting company. Features such as 24/7 support and 99.9% uptime guarantee are a must.
It would be a great advantage if the web hosting provider also offers management of your WordPress web site. If you don’t have a dedicated programmer to contact in case of problems with your web site then that feature will be very helpful for you.
The best WordPress hosting plan and its features are not the only things to consider though. You must also ensure that you are keeping your WP web site secure at all times. We will talk about that in more detail in the next articles on our blog. Stay tuned.