7 Easy Ways to Secure WordPress

WordPress is an excellent application used the world over. Unfortunately, this also makes it a target for hackers. There are some very simple, completely non-technical steps you can take to help secure your WordPress blog.

1. First things first. Eliminate all known vulnerabilities. Now.

Update your WordPress installation to the latest version. This is the absolute most important and most effective first step. Do it now.

2. Don’t make your WordPress blog so easy to target

Install WordPress in a folder rather than in the document root. This makes it slightly more difficult for large-scale hackers to find your system files. There are so many root installations of WordPress to keep hackers busy that the effort of finding subfolders is not usually worth the return.

3. Do not delete the admin account. Yes, you read it correctly.

So we need to secure admin. Do this by creating a new administrative user, then downgrading the admin account to subscriber. This will make it impossible for a hacker to administer your site using admin. Because the admin account is not deleted, the hacker is kept busy trying to guess its password, and the focus is away from the ‘real’ administrator account.

4. Control failed login attempts.

Lock the account after a number of failed attempts. This will render dictionary attacks on your account pointless for the hackers. Use a plugin such as Login LockDown to control failed login attempts.

5. Implement easy everyday plugin security

Use some WordPress security plugins such as Stealth Login, AskApache Password Protect and WP Security Scan.

6. If they get in – don’t let them take you out

Take regular backups. Should a hacker gain access, at least you don’t permanently lose your site. You will be able to restore, tighten up and continue. Don’t let them take you out!

7. Honestly, this is the step that is most often ignored

Have an absolutely, ridiculously difficult-to-guess password. Have some numbers, uppercase and lowercase letters and maybe a punctuation mark or two. They’ll never guess it – maybe not even with a quantum computer.

Security is an ongoing job; it is never complete. There are other measures, such as file permissions and .htaccess with IP restrictions, that can further secure your blog, but these are a little more technical. So, be on the lookout for part 2.

We hope you enjoyed this article and found the information useful. Happy blogging!

WordPress upgrade fails, “Could not copy file: /var/www/wordpress/wp-activate.php”

Have you logged into WordPress, seen the message “WordPress update available, click here to upgrade”, clicked “here”, waited, and then had the upgrade fail?

This is a common problem, so we would like to post the solution for our clients:

1) Ensure that your FTP user is the owner of your WordPress install directory. This is most likely not the problem unless you have your own dedicated server and installed WordPress as the root user.

2) Ensure that your WordPress directory has the correct permissions: it should be 755. This is the most probable problem. Change the permissions to 755 and then try the WordPress upgrade again.

If your FTP user is not the owner of your WordPress directory OR your WordPress directory has permissions other than 755, your WordPress install/upgrade will fail with the message “Could not copy file: /var/www/wordpress/wp-activate.php”.
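
The two checks above can be run as a script before retrying the upgrade. This is an added example, not part of the original article; the directory and FTP user name are values you pass in, and the function names `owner_and_mode` and `check_wp_dir` and the script file name are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original article.
# Checks the two conditions named above: owner is the FTP user, mode is 755.

# Print "<owner> <octal mode>" for a path (GNU stat first, then BSD stat).
owner_and_mode() {
    stat -c '%U %a' "$1" 2>/dev/null || stat -f '%Su %Lp' "$1"
}

# check_wp_dir DIR FTP_USER (both are values you supply)
# Returns 0 if DIR passes both checks, 1 if either fails, 2 if DIR is missing.
check_wp_dir() {
    dir=$1
    ftp_user=$2
    status=0
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir"
        return 2
    fi
    # Word splitting is intended here: "owner mode" becomes $1 and $2.
    set -- $(owner_and_mode "$dir")
    owner=$1
    mode=$2
    if [ "$owner" != "$ftp_user" ]; then
        echo "FAIL owner is '$owner', expected '$ftp_user'"
        status=1
    fi
    if [ "$mode" != "755" ]; then
        echo "FAIL mode is $mode, expected 755 (chmod 755 \"$dir\")"
        # A final octal digit of 2, 3, 6 or 7 means any user on the host can write here.
        case $mode in
            *[2367]) echo "WARN $dir is world-writable" ;;
        esac
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK $dir is owned by $ftp_user with mode 755"
    fi
    return "$status"
}

# Usage (hypothetical file and user names): sh check_wp_dir.sh /var/www/wordpress ftpuser
if [ "$#" -eq 2 ]; then
    check_wp_dir "$1" "$2"
fi
```

A mode looser than 755, such as 777, also fails the check, so the script flags a directory that was opened up too far while chasing the upgrade error.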

How to Install WordPress in Plesk

As you are reading this, you are probably unaware of how easy it really is to install a web application such as WordPress. It really is just a few button clicks with Plesk.

  1. Log in to the Plesk Control Panel
  2. Click on “web hosting”
  3. Make sure “php safe mode” is OFF
  4. Click on “Web Applications”
  5. Click “Install Web Application”
  6. Type “wordpress” and press “Search”
  7. Click “Install”
  8. Agree to the WordPress user license
  9. Select “document root” if you don’t want WordPress in a subdirectory
  10. Set the WordPress database password
  11. Set the WordPress admin password
  12. Enter your email address for admin notifications
  13. Enter your WordPress page title (can be changed later)
  14. Click “install”
  15. WordPress is now installed!

OK, so there are 15 items in the list – really, it would have taken you longer to read the list than to install WordPress. Install WordPress now and see how easy it is. You can just delete it afterwards – and that’s just as easy as pressing one button!

For more information about installing web applications, see our Hosting FAQ entry “How to Install and Manage Web Applications” or watch our short video “How to install a Web Application in Plesk”.