Website security is an important issue that many new WordPress users easily ignore. How to keep a WordPress site secure is also a difficult problem for many users who have only just started using WordPress. This WordPress tutorial series introduces a set of steps to protect the security of your WordPress website. We have divided them into 32 steps; today we introduce steps 6 to 12 of the WordPress website security ultimate checklist.
WordPress website security ultimate checklist Step 6 ~ 12
6. Install only plugins, themes, and scripts downloaded from their official websites
Some users have no sense of using genuine software and like to download themes and plugins that should be paid for from unreliable sites.
We will not pass much judgment on the piracy behaviour of these users. But based on the actual situation of WordPress hosting users, the use of pirated themes is one of the main reasons domestic WordPress websites get hacked.
Many people do not realise that many of the pirated themes downloaded for free from pirate websites have had malicious programs such as Trojans inserted into them. Most of the time there are backdoors in these themes, through which hackers can remotely control your site.
Would you hand your wallet to a con artist? I don't think so. Similarly, you should not hand your site to scammers. Don't trust those who steal someone else's paid theme and offer it for "free" on pirate websites.
A genuine theme usually costs no more than $50; saving that money in exchange for such a huge risk is not worth it.
So, which trustworthy websites can you get high-quality themes from?
The WordPress.org official website is the most commonly used site for downloading plugins and themes. We also recommend HappyThemes for instant support and beautiful, functional, and affordable themes.
If your WordPress site matters to you, remember to stay away from pirate sites.
7. Choose a secure and reliable WordPress hosting provider
A good WordPress hosting service provider can keep your site away from hackers.
Security-focused hosting providers usually have a dedicated security team that monitors the latest vulnerabilities (even 0-day vulnerabilities that have been disclosed without a fix yet) and promptly sets rules in the firewall to mitigate a variety of hacker attacks against your site.
How to choose WordPress hosting is a big topic that we will discuss specifically later.
Our WordPress website is designed to provide users with professional WordPress hosting, and attaches great importance to user data security and high reliability.
8. Make sure your website runs on the latest version of PHP
According to global WordPress website statistics, 7.3% of WordPress sites currently run on PHP 7.1, 2.3% on PHP 7, and 22.1% on PHP 5.6. The other 68.3% of WordPress sites are installed on PHP 5.5 and earlier.
Here is the official PHP support schedule for each version:
In that chart, a green version number means the version is officially supported, and the green bar shows the date range of active support; an orange bar means the version only receives fixes for serious security vulnerabilities; a red version number means the version is no longer supported at all, so even newly discovered vulnerabilities are not fixed.
If your site is still using an older version of PHP, not only will you miss the performance gains of the newer PHP versions, but you will also be unable to patch future PHP security vulnerabilities. Your website will then face data security issues.
So, just like upgrading the WordPress core version, you must upgrade the server's PHP version in a timely manner to make your website more secure.
Upgrade PHP version
Upgrading the PHP version is very simple. Our hosting space already supports the latest PHP 7 (at the time of writing, PHP 7.1 is still in beta and the official release is not out yet). You can switch the PHP version in the host management system.
If you chose a different hosting provider, remember that upgrading the PHP version is the responsibility of your hosting provider. If you find that the PHP version of your space is too low, you can contact the provider to upgrade it. A good provider should be friendly about it and upgrade PHP to the latest version promptly.
WordPress currently supports running on PHP 5.2 at a minimum, but the officially recommended PHP version is 5. In the middle of next year, WordPress will change the officially recommended PHP version to 7.2.
Special note: some plugins are still not compatible with the latest PHP 7.2. If you are upgrading to PHP 7.2, we recommend testing first rather than upgrading the PHP version directly on the production site. Set up a separate backup copy of the site, test the upgrade there, and only perform the upgrade on the production site once you have confirmed there are no problems.
9. Modify the default admin username
Prior to WordPress 3.0, the default username was admin. This meant that many web hackers did not need to guess the site administrator's username at all. Even today, many WordPress beginners still choose admin as the administrator account.
To improve the security of the WordPress administrator account, the quickest move is to change the default admin username to another name that is hard to guess.
You can set your own administrator username when installing WordPress.
If your WordPress site is already installed and uses admin as the username, you can add a new administrator account in the WordPress dashboard, log in with the new account, and then delete the previous admin account.
This step can also be done directly in the database. Rename the admin username in phpMyAdmin or another database client:
UPDATE wp_users SET user_login = 'newcomplexusernameforadmin' WHERE user_login = 'admin';
Note that wp_users here is the user table in the WordPress database, and wp_ is the default table prefix set when WordPress is installed. Using the default prefix is not safe, as we will describe in step 21 later in this series. If you installed WordPress with a different table prefix, such as mytableprefix_, then change the table name to mytableprefix_users. In the statement above, newcomplexusernameforadmin is the new administrator username; choose your own.
With this simple change, you can keep your WordPress site out of reach of a lot of hackers.
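As an added example (not code from the original tutorial), here is the same rename done from inside WordPress with a WP-CLI script, which also fixes the public author slug and display name so the old login is not leaked; the file name rename-admin.php, the new login and the display name are placeholders you choose.

```php
<?php
/**
 * Added example, not part of the original tutorial: rename the default "admin"
 * account from inside WordPress instead of editing the table by hand.
 * Run once with WP-CLI from the site root:  wp eval-file rename-admin.php
 * $wpdb->users already carries the real table prefix (wp_, mytableprefix_, ...),
 * so the prefix mistake described above cannot happen.
 */
$new_login    = 'newcomplexusernameforadmin'; // placeholder: choose your own hard-to-guess login
$display_name = 'Site Team';                  // placeholder: shown publicly, keep it different from the login

global $wpdb;

$admin = $wpdb->get_row(
    $wpdb->prepare( "SELECT ID, user_login FROM {$wpdb->users} WHERE user_login = %s", 'admin' )
);
if ( ! $admin ) {
    WP_CLI::log( 'No account named "admin" found; nothing to do.' );
    return;
}

// The author archive URL (/author/<user_nicename>/) and the display name would
// otherwise still reveal the old login even after user_login has been changed.
$updated = $wpdb->update(
    $wpdb->users,
    array(
        'user_login'    => $new_login,
        'user_nicename' => sanitize_title( $new_login ),
        'display_name'  => $display_name,
    ),
    array( 'ID' => $admin->ID ),
    array( '%s', '%s', '%s' ),
    array( '%d' )
);

if ( false === $updated ) {
    WP_CLI::error( 'Update failed: ' . $wpdb->last_error ); // exits
}

// WordPress caches user rows, so drop the stale copy before the next login.
clean_user_cache( $admin->ID );
WP_CLI::success( "Renamed user ID {$admin->ID} to {$new_login}." );
```

Log in with the new name afterwards and check that /author/admin/ on the site now returns a 404.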
10. Use strong and secure passwords
It has to be said that many users have really low security awareness: when they set a password, they do not give it much thought.
Many users choose 12345678 or admin as their password, which is worrying.
Even if nobody peeks while you enter the password, a simple password is still very easy for hackers to exploit. Although WordPress applies md5 hashing to user passwords, a password that is too short or too simple is easy to crack by technical means.
Therefore, be sure to use a password that is strong enough to be secure.
If you do not know how to set a complex password, you can use the WordPress password generator to create one, and then remember to save the password in a safe place. The WordPress password generator can be found in the dashboard, in the user profile section.
11. Do not reuse passwords
Never repeat passwords!
Many users prefer to use the same password on all websites. Remembering a different password for each site is too hard, so they choose to use the same one everywhere.
It is a big mistake.
Again, hackers understand human weaknesses. Once they know the password of one of your accounts, it is easy for them to get into your accounts on all the other websites.
12. Do not use plain text format to save passwords
As we all know, there are all kinds of snoopers on the web. You should encrypt sensitive data such as credit card numbers, passwords, and so on.
There are a lot of eyes watching your data. Be sure to follow these steps to protect your passwords:
- Do not send passwords via email, chat software, social networks, or other unencrypted channels.
- Deploy HTTPS on your site, especially the back end, to avoid transferring passwords in plain text.
- Avoid using plain FTP to access your website; use SSH or FTPS instead. The FTP protocol was developed in the dark ages of the internet and is not secure: passwords and files are transmitted in plain text, and data is not encrypted at all. The FTPS (Secure FTP, encrypted FTP) protocol encrypts all data transferred via FTP. To use FTPS, you first need to enable it in your hosting space.
- Of course, multiple users should not share a password, and passwords should never be saved in plain text, no matter how inconvenient that is. Shared usernames and passwords carry security and liability risks.
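An added example, not part of the original tutorial, of the wp-config.php settings that force the WordPress back end onto HTTPS once a certificate is installed; example.com is a placeholder for your domain, and the X-Forwarded-Proto header is assumed to be set by your own reverse proxy, not by arbitrary clients.

```php
<?php
// Added example (not from the original tutorial): wp-config.php fragment that
// keeps the login page and wp-admin on HTTPS so passwords and session cookies
// never travel in plain text. Place it above the "stop editing" line.

// When TLS is terminated on a reverse proxy or load balancer, WordPress itself
// only sees plain HTTP. Trust the forwarded protocol header ONLY if your proxy
// sets it and strips any client-supplied copy; otherwise is_ssl() stays false
// and FORCE_SSL_ADMIN would redirect in a loop.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
    && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// Force every login and every admin session over HTTPS.
define( 'FORCE_SSL_ADMIN', true );

// Pin the site's own URLs to https:// so generated links and redirects do not
// fall back to http:// (placeholder domain, replace with your own).
define( 'WP_HOME',    'https://example.com' );
define( 'WP_SITEURL', 'https://example.com' );
```

Without a proxy in front of the site, leave the forwarded-header block out; FORCE_SSL_ADMIN alone is enough.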
Our professional WordPress hosting supports deploying HTTPS for users (a separate IP, SSL certificate, and setup fee are purchased separately) and supports FTPS (free) for encrypted data transfer.
(Unfinished, continue reading…)