Beefing Up the Security on Your Wordpress Blog
Having seen a few discussions on Twitter recently highlighting security issues with blogs and them being hacked by various means I decided it was time to be a bit more proactive about this. I typically upgraded the version of Wordpress some time (maybe months) after it went to the x.x.1 release and plugins probably less regularly, usually taking a backup before going through the process .
Given the amount of effort that has gone into blog posts over the past few years this data is probably pretty valuable when you start to think about it, even if it’s just in terms of remembering problems you overcame at some point. So I implemented the following three steps to reduce the risk of problems.
1) Regular backups
My hosting provider Bluehost offers a basic free backup as part of the package. While “Daily, Weekly, and Monthly backups are stored on our servers” they don’t guarantee them, so I started downloading a manual backup weekly for that extra bit of confidence. I have the following options below available to me, so I take a Full CPanel Backup - I figure that if anything ever goes completely wrong with the hosting provider than I can restore it all to a new service elsewhere. It’s a few hundred MB, so make sure you have plenty of space available to store a few of them.
2) Wordfence Plugin
I saw some security recommendations around the Wordfence plugin. There’s a free and premium version with a summary of the features below. I was interested in the features that monitored if any of your files become infected, being able to clean those up if necessary and the email alert to warn of any issues.
Post installation of the plugin, it’s possible to run a scan to determine any issues:
You can also have it run scheduled scans and email those results through:
This includes reminders to upgrades for Wordpress, Plugins and Themes, something I will be attempting to stay more on top of. Particularly when you look at the Logins and Logouts tab of the Live Traffic section, you will want to make sure you keep your versions up-to-date and default passwords changed!
Out of curiosity I looked at the All Hits part of the Live Traffic section. I noticed that the majority of traffic (which was originating from Far East locations) was heading to a single post and leaving comments. Although I use the Akismet plugin to dispose of SPAM comments, it seemed a bit of a waste of resources to let these be left in the first place, so I looked at possibilities to add a CAPTCHA to the comments form.
3) Conditional CAPTCHA
The Akismet stats showed quite a significant increase in SPAM over the last couple of years, so after some research I decided to try out the Conditional CAPTCHA plugin.
One of the main attractions was the feature that will only offer a CAPTCHA when leaving a comment if Akismet determines it to be SPAM. Checking the Live Traffic section of Wordfence following the install of this plugin showed a significant drop in traffic from China to that one post and a more interesting picture of visits from ‘real’ people.
I’ll update this post should I find more resources to improve things further