What is Security?
Fundamentally, security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain. A secure server protects the privacy, integrity, and availability of the resources under the server administrator’s control.
Your website can never be 100% secure. Hackers are always trying new things and discovering new vulnerabilities to exploit. The online world changes quickly and the same is true of security. Good security is about minimizing risk. If anybody tries to sell you a 100% secure solution, they’re scamming you. You’ll never be completely safe, but there’s a lot you can do to minimize your risk.
Security is a big technical but it depends from client to client what kind of security they need. But here I am going to talk about the basic level of practices you can implement for your WordPress site.
There’s a fine balance between security and usability. Sometimes locking down your site makes it secure, but it’s hard to use. Sometimes making your site easier to use makes it less secure. You’ll have to find the balance. You keep your site safe, including:
Qualities of a trusted web host might include:
Readily discusses your security concerns and which security features and processes they offer with their hosting.
Provides the most recent stable versions of all server software.
Provides reliable methods for backup and recovery.
Decide which security you need on your server by determining the software and data that needs to be secured. The rest of this guide will help you with this.
Secure Server:
This you assume as you need VPS server not shared hosting and this must be single hosted domain server. Run your FTP into SFTP. Instead of saving your ftp information into FTP application, you need to use like you are using it first time on any system. SSL that can help to keep your site secure on the basis of data
you are spreading from one end to another end. You need to by-force redirect onto SSL when the personal data need to be access like login area for the user or any kind of non spreadable data can be shared. By force SSL login for cpanel users. You can also use the cpanel level of security login for cpanel as well.
A secure server protects the privacy, integrity, and availability of the resources under the server administrator’s control.
Qualities of a trusted web host might include:
1. Readily discusses your security concerns and which security features and processes they offer with their hosting.
2. Provides the most recent stable versions of all server software.
3. Provides reliable methods for backup and recovery.
4. Decide which security you need on your server by determining the software and data that needs to be secured.
Security Themes:
1. Limiting access – Making smart choices that reduce possible entry points available to a malicious person.
2. Containment – Your system should be configured to minimize the amount of damage that can be done in the event that it is compromised.
3. Preparation and knowledge – Keeping backups and knowing the state of your WordPress installation at regular intervals. Having a plan to backup and recover your installation in the case of catastrophe can help you get back online faster in the case of a problem.
4. Trusted Sources – Do not get themes from untrusted sources. Restrict yourself to the WordPress.org repository or well known companies like themeforest, templatemonster etc.
Security Plugins:
Some very helpful plugins have been developed that take WordPress security to the next level.
Vulnerabilities on Your Computer:
Make sure the computers you use are free of spyware, malware, and virus infections. No amount of security in WordPress or on your web server will make the slightest difference if there is any kind of spyware, malware and virus is already available on your computer.
Always keep your operating system and the software on it, especially your web browser, up to date to protect you from security vulnerabilities. If you are browsing untrusted sites, we can recommend using tools like no-script (or disabling JavaScript/flash/java) in your browser.
Vulnerabilities in WordPress
WordPress is updated regularly to address new security issues that may arise. Improving software security is always an ongoing concern, and to that end you should always keep up to date with the latest version of WordPress and its plugins.
Passwords:
A strong password is an important aspect to avoid these kind of vulnerabilities. The goal with your password is to make it hard for other people to guess and hard for a brute force attack to succeed like you need to use alphabet, number,special chracter and symbol to keep it more secure.
FTP:
Using SFTP is the same as FTP, except your password and other data is encrypted as it is transmitted between your computer and your website. When connecting to your server you should use SFTP encryption if your web host provides it. If you are unsure if your web host provides SFTP or not, just ask them.
File Permissions:
Some neat features of WordPress come from allowing various files to be writable by the web server. However, allowing write access to your files is potentially dangerous, particularly in a shared hosting environment.
It is best to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access, or to create specific folders with less restrictions for the purpose of doing things like uploading files.
Advanced Practices:
.htaccess – The .htaccess file is a configuration file that allows us to add an additional layer of security to our sites. It’s a “hidden” file, means that you’ll need to enable viewing of hidden files in your FTP client.
Remove wordpress and theme version from head:
WordPress includes the version of the software running on your site in the , which can be seen by viewing the source code of your site. The trouble with this is that there are often security vulnerabilities inherent to specific versions of WordPress, meaning that you’re potentially broadcasting information that you don’t want in
the hands of a hacker.
Force SSL login and administration:
To enforce a secure, encrypted connection between you and the server when logging into and administering your site.
Move the wp-config file:
WordPress 3.9 shipped with the ability to move your wp-login.php file a level higher than where it resides by default.
Best Security Practices in a brief:
1. Keep It Current – WordPress is updated fairly often and whenever there’s a new security issue they roll out an update immediately.
2. Strong Passwords – Your security is only as good as your password. Keep as much you can keep it strong like need to use special character, alphabet, number and symbol as well as you need to memorize it not to write it down anywhere.
3. Manage Users – Your own strong password is useless if another admin has a weak one.
4. Back It Up – If anything ever goes wrong with your site, you want to be able to get it back up quickly. That means you need a backup plan.
5. Use plugins sparingly – What this means is that each plugin you add to your site increases the chances that your site could be compromised. When evaluating a plugin, it might be helpful to ask yourself the following questions:
a. Is this something I absolutely need? Will it help me reach my website goals?
b. What feedback have others left for the plugin? Is it generally positive or mostly negative?
c. Have many other users installed the plugin on their site already?
6. Use a reputable web host – Your site should be hosted by a reputable company, You wouldn’t trust your means of transportation to someone with a bad reputation.
7. Set correct permissions on files and folders – These settings determine who can read, write, and modify files and folders on the server.
8. .htaccess – use the powerful management scripting files can help you to keep your site secure. This can help you keep the general functionality need to be change like admin login, admin user strategy etc. You can change all the standard setting of WordPress away it means you can use it another way.
9. Robot.txt – Use this to keep away unwanted robots to your site.
