How To Protect Your Word Press Site

Share This:

Word PressOver the years of using Word Press as a blogging platform I have gained much attention on my blogs. This attention has increased the risk of attacks to my wordpress sites. Because of this I’ve had to focus more closely on protecting my word press blogs.

In this article I will talk about some things I use and recommend to protect your word press blog. Unlike my previous post about protecting your website which talked about website security in general here this is specifically about word press security.

SSL Certificates

SSL certificates are great in many ways. Not only will they improve your position in Google but they also are an encrypted protocal which allows for more security to your site. They do costs money and the price range can be between a few dollars a year to a few hundred per year. If your just blogging for fun and aren’t making any money on the blog I honestly don’t think it is important to get, but if have the money to invest in an SSL it is best that you do so.

AntiVirus and Firewall Plugins

Even though you know your not intentionally putting malicous software on your wordpress site, and know that all the people who have access to your server wont be putting malicous files on your site, doesn’t mean that your site is safe from viruses.




Remember many viruses may be written for Windows users but Mac users and Linux users are the ones who spread them the most. This is because Mac and Linux users tend to be less likely to have Anti Virus software that scans files for viruses. So they will often have files that are infected, but they will be unaware of the malicious nature because they are immuned to them.

Because of this you may be uploading malicious files to the word press site and not even be aware of it. Another scenerio for this argument could be the fact that you may have gotten your browser hooked without even knowing it. And depending on the hook, all your keystrokes could be logged. Allowing an attacker to gain access to your site to place malicious code in it.

Of course in that scenario it would be advisable to take care of the current security problem on your computer by removing the hook first then taking care of the problem on your site. Eitherway it is best to install an Anti Virus plugin on your word press blog. One good one to use is WordFence.

Setup 2FA

2FA is Two Factor Authentication. The way it works is you first must type your username and password into a site to login. And before you can access the site you will be sent a random security code via SMS/MMS on your cell phone. Once you get that code you need to type it into the site in order to gain access to the site.




You can set this up yourself programatically using PHP. Like so.

<?php
//Replace $dbuser with the username,password and databasename for the MySQL //database you created with the correct information.
$dbserver = "localhost";
$dbuser = "username";
$dbpassword = "password";
$dbname = "databasename";
$connect = new mysqli($dbserver,$dbuser,$dbpassword,$dbname);
//The 10000 99999 insures a 5 digit random number is generated. To increase or //decrease the numbers simply change the integer to greater or less then what is listed //below
$code = rand(10000,99999);
//sends the message to the SMS gateway of your phone yournumber with your //cellphone number and yourgateway.com with your SMS gateway.
$msg = "Your 2FA code is $code";
$msg = wordwrap($msg,70);
mail("[email protected]","",$msg);
$insert_code = trim($code);
$insert_code = htmlentities(mysqli_real_escape_string($connect,$code);
$sql_insert = "INSERT INTO table (code) VALUES ('$insert_code')";
mysqli_query($connect,$sql_insert);
mysqli_close($connect);
?>

Obviously the script can be more in depth and more advanced. For example you may want to use PHP-Mailer library to gain more mail control of the script. But it is simply an example of what pretty much any 2FA service will do anyway. Because the above script is very basic in design you may want to consider getting a service that does 2FA for you.

Some good 2FA plugins for WordPress are listed below.

Backup Plugins

It is always a good idea to backup your data if your a Word Press user or not. But if your a Word Press user the task of backing your site up is fairly easy. You can do it manually by logging into your server and issuing the following commands.




mysqldump -u USER -p DATABASE > wordpress-data.sql

The above will export the entire database that your wordpress site uses. You will need to change USER with the username of the database and DATABASE with the name of the database for the wordpress site.

Next we would backup the Word Press files.

tar cvzf wordpressdata.tar.gz /location/of/wordpress/installation/*

NOTE: If you don’t know the username/password or database name for the mysql on the word press site you can find it in wp-config.php

And if you want to automate the backup process and backup on a regulair schedule. You can use CRON. To do this we would first create a shell script like the following.


#/bin/sh
mysqldump -u USER -p DATABASE > $HOME/wp-backups/wordpress-data.sql
tar cvzf $HOME/wp-backups/wordpressdata.tar.gz /location/of/wordpress/installation/*

After we have created our shell script we would connect it to our CRONTAB.

0 0 1 * * /location/of/our/shell/script/shellscript.sh

The above will run the shell script on the first day of every month at Midnight.




Of course there are plugins that you can use to make the backup process of word press much easier. For example you can use All in One WP Migration plugin which will make an entire backup of everything for you. You can also automate it and schedule backup dates and times.

Fight Spam with Akismet

Comment Spam is a common problem with Word Press sites in general. And because of the epidemic you may choose to require all comments to moderate and make all comments pending and waiting for moderation. However sifting threw thousands of spam comments to find one real comment can become difficult.

Akismet is designed to automatically delete any spam comments it finds so you wont have to review the obvious spam comments.