Six Steps to Securing WordPress
In today's world of hackers and crackers, it is critical that you do everything you can to protect your WordPress blog from malicious attacks. From preventative measures on the server and your computer to the WordPress files, folders and data, there are steps you can take to secure your blog.
Hosting
The first step to securing WordPress is to examine the server where you have installed it. The hosting provider needs to ensure that they have patched the operating system and applications with the most current security updates. They should also provide a way for you, as their customer, to see this information easily. If your hosting provider does not perform these services, you should look for another provider.
Your Computer
The computer that you use to log into WordPress should be free of viruses, malware, adware and spyware, or you could transmit them to the server. Keep your anti-virus software up to date with the latest virus definitions, and regularly scan your computer for these threats to protect both your PC and your server.
WordPress Installation
It is important to perform upgrades as soon as possible, since most of the small releases address security vulnerabilities. Since version 2.7, the developers of WordPress have built in an automatic upgrade checker. WordPress displays a link to the latest version at the top of the administration area when you log in. There is also an "Updates" menu under Dashboard that allows you to upgrade WordPress automatically from within the administration module.
Passwords
Be mindful of the passwords you use for your database and administrator accounts. They should be a minimum of eight alphanumeric characters and contain upper and lower case letters, numerals and special characters such as @, # or %. The password should not contain any words or easy-to-guess patterns. If possible, do not enter your administrator password on a public computer, such as one in an Internet cafe, as the password is transmitted as clear text over the network and could be intercepted.
File Permissions
You should lock down your file permissions as much as possible, with all files owned by your user account and writable by you. If a file needs write access from WordPress, it should be group-owned by the user account used by the Web server. Some exceptions are the wp-content folder, which should be completely writable by all, and the themes and plugins sub-directories. The files in the themes folder need to be group writable, while the ones in the plugins directory should only be writable by the owner account. File and directory permissions can be changed using your FTP client or within the administration page, e.g., cPanel, provided by your hosting company.
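The following audit script is an added example, not part of the original article, that checks a WordPress tree against the permission rules just described. It assumes "your user account" is the account running the script and, because the Web server's user is not known here, it does not check group ownership.

```shell
#!/bin/sh
# Added example: audit a WordPress directory tree against the policy above.
# Assumptions (not from the article): the owner account is the invoking user;
# the web-server group is unknown, so group ownership is not checked.
#
# One finding is printed per line for:
#   - any regular file that is world-writable
#   - any regular file outside wp-content that is group-writable
#   - any regular file under wp-content/plugins that is group-writable
#   - anything not owned by the invoking user
# Files under wp-content/themes may be group-writable and are therefore
# only flagged when they are world-writable.

audit_wp_perms() {
  root="$1"
  me="$(id -un)"

  # World-writable files are never acceptable, wherever they live.
  find "$root" -type f -perm -0002 -print | sed 's|$| : world-writable|'

  # Outside wp-content, files should be writable by the owner only.
  find "$root" -path "$root/wp-content" -prune -o -type f -perm -0020 -print |
    sed 's|$| : group-writable outside wp-content|'

  # Plugins should be writable by the owner account only.
  if [ -d "$root/wp-content/plugins" ]; then
    find "$root/wp-content/plugins" -type f -perm -0020 -print |
      sed 's|$| : group-writable plugin file|'
  fi

  # Everything in the tree should be owned by your own account.
  find "$root" ! -user "$me" -print | sed "s|\$| : not owned by $me|"
}

# Number of findings for a tree; 0 means the tree matches the policy.
count_findings() {
  audit_wp_perms "$1" | wc -l | tr -d ' '
}

# Usage: sh audit_wp_perms.sh /path/to/wordpress
if [ $# -gt 0 ]; then
  audit_wp_perms "$1"
fi
```

Run it against the WordPress document root before and after changing permissions; a tree that follows the policy produces no output.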
Data Backup
You should back up your data regularly, including your database. How often you back up your WordPress installation will depend upon how frequently you make changes to the overall structure, i.e., plugins, themes and WordPress updates. For many, a weekly backup is sufficient. Data backups, however, are critical to getting you back online if your website has been compromised. Determine the schedule of data backups by the frequency of your post and page updates. If you or your blog readers contribute new information every day, then you should back up your data every day.