WordPress is the most widely used CMS in the world. This also means that it is the most attacked content management system in the world. Again and again, hackers try to take control of WordPress installations in order to inject malicious code. In this post I would like to explain how to make WordPress safer by simple means.
Everyone knows the usual starting position: you set up WordPress for a new web project, quickly install a few plugins, select a theme, and off you go writing posts.
Normally nothing should happen here; the WordPress installation runs as you would expect. But if the posts are good and the site gains attention, the hackers show up as well and attempt to gain access to the system. Why do they do this, and where do they come from?
The reasons are manifold. Some do it just for fun, to see what they can get away with. Others simply want to cause damage and enjoy it when someone is annoyed. And then there are the hackers who abuse the hacked pages for spam and links, to draw attention to many other offers or to generate unfair backlinks.
How does the hacker work?
There are several methods to break into a system. The first is simple guessing: the intruder tries to find out the username and password by trial and error. These people are often found in the immediate personal environment of the website owner, because you need at least the user name and an idea of what the password might be.
The second method is to hit the password by chance. For this purpose the hacker uses a program that automatically tries random passwords against the login area until it has found the right one.
Slightly more savvy hackers look at the WordPress update list and then attempt to exploit a known bug or a known vulnerability to compromise systems. These attacks are often carried out by kids who have found a detailed description of such a vulnerability somewhere on the Internet.
Most of these attacks can be prevented by simple means, or at least made very difficult. Mecanto Reviews has written about some WordPress security products that automatically protect your blog against these threats.
Basically, most vulnerabilities lie with the site owner himself. If you consistently stick to a few small recommendations, you can already do a lot for the security of WordPress. Much can be accomplished with on-board tools alone.
1. When you install
During the installation of WordPress you can observe a number of principles that deter break-ins. Firstly, I recommend using a long and especially cryptic password for the WordPress database, at least 12 characters. WordPress also asks during installation for a prefix for the database tables. Here I recommend deviating from the default and choosing a different prefix. The reason is that the default table names are no secret, and with a custom prefix a SQL injection does not work quite so simply.
Secure passwords with cryptic characters are best created with a password generator. The password should consist of a mix of lowercase letters, uppercase letters, numbers and special characters.
2. The user accounts
Another big point to mention is the user accounts. Again, the same password rules apply as for the database password. Never assign passwords like “123456” or “klaus76”. The default administrator user name is widely used; in many installations it is simply “admin”. Definitely choose a different user name here, otherwise the attacker only needs to find out the password, because he already has the name of the main admin.
Use cryptic passwords, preferably with upper and lower case letters, numbers and special characters
Avoid the default user name “admin” and choose a proper username, e.g. “Mustermann76”
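As an added example for sections 1 and 2 (not code from the original post), a small POSIX shell script that generates and checks credentials of the kind recommended above: the character classes, the 12-character minimum, the default “wp_” prefix and the weak values “123456”, “klaus76” and “admin” follow the post; the function names and the 16-character default length are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: generate and check credentials of
# the kind sections 1 and 2 recommend. The character classes, the 12-character
# minimum, the default "wp_" prefix and the weak examples "123456", "klaus76"
# and "admin" follow the post; function names and the 16-character default
# length are my own choices.

# Return 0 if $1 is at least 12 characters long and contains a lowercase
# letter, an uppercase letter, a digit and a special character; else return 1.
check_password() {
    pw=$1
    [ "${#pw}" -ge 12 ] || return 1
    printf '%s' "$pw" | LC_ALL=C grep -q '[a-z]' || return 1
    printf '%s' "$pw" | LC_ALL=C grep -q '[A-Z]' || return 1
    printf '%s' "$pw" | LC_ALL=C grep -q '[0-9]' || return 1
    printf '%s' "$pw" | LC_ALL=C grep -q '[^A-Za-z0-9]'
}

# Print a random password of $1 characters (default 16) drawn from all four
# classes, retrying until check_password accepts it.
gen_password() {
    len=${1:-16}
    while :; do
        # cut (not head) consumes the whole pipe, so tr never gets SIGPIPE
        pw=$(head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9!#%+,.:=?@_' | cut -c1-"$len")
        if check_password "$pw"; then printf '%s\n' "$pw"; return 0; fi
    done
}

# Print a random table prefix such as "k7qx_" to use instead of the default
# "wp_" (WordPress accepts only letters, digits and underscores here).
gen_prefix() {
    printf '%s_\n' "$(head -c 512 /dev/urandom | LC_ALL=C tr -dc 'a-z0-9' | cut -c1-4)"
}

# Return 0 unless $1 is the default administrator name the post warns about
# (or empty).
check_username() {
    case "$1" in admin|"") return 1 ;; esac
    return 0
}

# Usage: values to paste into the installer / wp-config.php.
printf 'DB_PASSWORD:  %s\n' "$(gen_password 16)"
printf 'table_prefix: %s\n' "$(gen_prefix)"
check_username "admin" || echo "user name \"admin\": rejected"
check_username "Mustermann76" && echo "user name \"Mustermann76\": ok"
```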
3. Plugins and updates
A very big point is updates. With the latest WordPress version 3.7.1 a step in the right direction has already been taken: an auto-update feature lets current patches be imported automatically, so that security holes are closed as soon as possible. Anyone who does not use this feature should install these updates regularly by hand.
The same must also be done for the installed plugins. Here there is no auto-update feature. But be careful: check that the plugins are tested and released for the latest WordPress version. It is the plugin developers who are responsible for security vulnerabilities in their plugins.
4. Making the server itself safe
The server itself also poses a security risk. With a shared hosting package, the hosting provider’s admin is responsible for the software on the server; here you cannot do much yourself.
What you can do, however, is set the read and write permissions correctly via FTP. In particular, wp-config.php must have the correct file permissions, so that this file is readable only by WordPress (the PHP server) and carries no write permission. If you want to make changes to this file, the write permission must be granted again for a short time only.
It’s not that hard to make WordPress safe if you follow a few guidelines. Of course you can also enlist some plugins to help. In Part 2 on the subject of security I will introduce some of these plugins. If you have tips, or I forgot something in the post, I’d appreciate an addition or a comment.
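As an added example for sections 3 and 4 (not code from the original post), a POSIX shell script that switches on the core auto-update feature by editing wp-config.php while keeping the file locked down as described above: unlock, make the change, lock again. WP_AUTO_UPDATE_CORE and the “That’s all, stop editing!” marker line are real WordPress conventions; the function names, the modes 0440/0640 and the assumption that the PHP process reads the file as its owner or group are my own.

```shell
#!/bin/sh
# Added example, not from the original post: turn on WordPress core auto-updates
# (the 3.7.1 feature the post mentions) by editing wp-config.php while keeping
# the file locked down as section 4 describes. WP_AUTO_UPDATE_CORE and the
# "That's all, stop editing!" marker are real WordPress conventions; function
# names, modes 0440/0640 and the owner-or-group assumption for PHP are mine.

# Permission bits of $1 as ls shows them, e.g. "-r--r-----".
perm_string() { ls -ld "$1" | cut -c1-10; }

# Locked: owner and group may read, nobody may write, "other" gets nothing.
lock_wp_config()   { chmod 0440 "$1"; }
# Unlocked only for the duration of an edit: owner may also write.
unlock_wp_config() { chmod 0640 "$1"; }

# Return 0 if $1 has no write bit for anyone and no access for "other".
is_locked() {
    p=$(perm_string "$1")
    case "$p" in *w*) return 1 ;; esac
    [ "$(printf '%s' "$p" | cut -c8-10)" = "---" ]
}

# Insert the define before the "stop editing" marker (so it is set before
# wp-settings.php loads), unless the constant is already present. Returns 1
# if the file is still locked: unlock, edit, relock is the intended cycle.
enable_core_autoupdate() {
    cfg=$1
    is_locked "$cfg" && { echo "refusing to edit locked $cfg" >&2; return 1; }
    grep -q 'WP_AUTO_UPDATE_CORE' "$cfg" && return 0
    tmp=$(mktemp "$cfg.XXXXXX")
    awk -v line="define( 'WP_AUTO_UPDATE_CORE', true );" \
        '/^\/\* That.s all, stop editing!/ { print line } { print }' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"   # cat, not mv, keeps the file's owner and mode
    rm -f "$tmp"
}

# Demonstration on a constructed copy so no real wp-config.php is touched.
demo=$(mktemp /tmp/wp-config.XXXXXX)
printf "<?php\ndefine( 'DB_PASSWORD', 'placeholder' );\n" > "$demo"
printf "/* That's all, stop editing! Happy blogging. */\nrequire_once( ABSPATH . 'wp-settings.php' );\n" >> "$demo"
lock_wp_config "$demo"
unlock_wp_config "$demo"        # open the file only for the short edit
enable_core_autoupdate "$demo"
lock_wp_config "$demo"          # and close it again right away
perm_string "$demo"             # -r--r-----
grep -n -e 'WP_AUTO_UPDATE_CORE' -e 'stop editing' "$demo"
rm -f "$demo"
```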