Website security is an important issue that many new WordPress users tend to overlook, and keeping a WordPress site secure is a hard problem for anyone who has only just started using WordPress. This tutorial series walks through a set of steps for protecting your WordPress website. We have divided them into 32 steps; this article covers Steps 1 to 5 of the WordPress website security ultimate checklist.
WordPress website security ultimate checklist Step 1 ~ 5
1. Keep using the latest version of WordPress
Many WordPress users disable the automatic update feature of the WordPress core because they worry that "an upgrade may cause plugin incompatibility problems".
That is a serious mistake.
Compare the two cases: on one side a site with a known vulnerability that may be hacked, on the other a site with a temporarily incompatible plugin. Which problem do you think is more serious?
Plugins are occasionally incompatible with the latest WordPress release, but that usually lasts only a short time; a hacked site is the far more serious problem. Every WordPress core update fixes newly discovered vulnerabilities, and if your core is not updated your site remains exposed to them.
By default, WordPress updates minor versions automatically but not major versions. For example, if you are running WordPress 4.2.1 now, your site will automatically receive the later 4.2.x point releases. When WordPress 4.3 is released, your site will not move to it automatically; you need to click the upgrade button in the admin dashboard to update manually.
Of course, you can configure this yourself in wp-config.php by putting the following line in the appropriate place in that file:
define( 'WP_AUTO_UPDATE_CORE', true );
This constant controls whether the WordPress core is upgraded automatically. It accepts three values:
- true: allows automatic updates to major, minor and development versions;
- false: disables automatic updates to major, minor and development versions;
- minor: allows automatic minor updates but not major or development updates.
The default is minor; you can change it to true or false.
2. Do not modify the WordPress kernel code
Once you (or your developers) have edited the WordPress core code, you can no longer use the automatic upgrade feature to move to the latest version, because an automatic update overwrites the core files and all of your edits are lost.
In that situation, when a new vulnerability is found in WordPress and your site cannot be upgraded promptly, it is in danger. You would have to patch each vulnerability by hand, which is time-consuming, and the site stays at risk until you do.
So what do you do when you want to change how WordPress behaves? The answer is simple: write a plugin, one dedicated to your own website (or find one in the WordPress plugin repository). Plugins let you add the functionality you want without touching the core code.
The same logic applies to your plugins and themes. If you edit plugin or theme files directly, you run into the same problem: they can no longer be updated to the latest version, and a site that is not updated is not safe.
For plugins and themes there is a corresponding solution that lets you add the functionality you need without modifying their code. If your developer recommends editing plugin or theme code directly, it is time to change developers.
3. Make sure all plugins are updated to the latest version
Like the WordPress core, third-party WordPress plugins (and themes) can also contain vulnerabilities. Our report on WordPress security trends for the first quarter of 2016 described this in detail: vulnerabilities in popular plugins are a major reason why so many WordPress sites get hacked.
We will not list the names of those plugins again here. Vulnerabilities are a problem that almost no software can avoid; what shows the quality of a vendor's maintenance team is how they handle a vulnerability once it is exposed.
Often, as soon as a problem is discovered, the plugin's developer fixes it immediately and releases an updated version.
It is then your responsibility to update the plugin to the latest version immediately; otherwise your website may be hacked.
Whether you upgrade manually or automatically, remember to keep your plugins updated.
You can have plugins from the WordPress plugin directory update automatically by putting the following line into your WordPress theme's function template, functions.php:
add_filter( 'auto_update_plugin', '__return_true' );
However, this line only applies to plugins downloaded from the official WordPress.org plugin directory. Plugins downloaded from other commercial sites have their own update mechanisms, and you also need to keep those updated.
4. Remove all non-enabled plug-ins
The more plugins you install, the more likely it is that one of them contains a vulnerability.
Sometimes we install plugins to test their functionality and then forget to remove them. If one of these plugins turns out to have a vulnerability, your site can become a target (especially if the plugin has not been upgraded to the latest version).
Even if these plugins are not activated, your website can still be attacked through them.
To minimize the risk, the safest way is to remove unused plugins completely. Finding out which plugins are unused is simple: any plugin that is not enabled (activated) is not in use.
Delete these plugins.
Likewise, plugins that are activated but not actually used should also be removed. One more point: do not test plugins on your production site. Create a copy of the site for testing (locally, or on another server) and test plugins on that staging copy.
5. Make sure all themes are updated to the latest version
Upgrading promptly to the latest version applies not only to the WordPress core and plugins but also to WordPress themes. To keep your site safe, you need to update all your themes to the latest version; otherwise any bug that has been fixed in the theme will still exist on your site.
You may think that you have made many adjustments to personalize your theme and that upgrading would lose them. The correct solution to this problem is to make all theme tweaks in a child theme instead of modifying the original theme directly. That way you can upgrade the theme to the latest version without worrying about affecting your website.
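A minimal child theme of the kind the article recommends, added here as an example rather than taken from the original post; the parent theme directory "parent-theme", the child directory "parent-theme-child" and the style handle names are assumptions.

```php
<?php
/*
 * functions.php of a child theme. Assumed names: the parent theme lives in
 * wp-content/themes/parent-theme/ and this child theme in
 * wp-content/themes/parent-theme-child/.
 *
 * The child theme's style.css must begin with a header like the one below,
 * where "Template" is the parent theme's directory name (WordPress matches
 * the child to its parent on that value):
 */
//   /*
//   Theme Name: Parent Theme Child
//   Template:   parent-theme
//   */

// Load the parent stylesheet first and the child's after it (declared as a
// dependency), so the child's CSS rules override the parent's.
function parent_theme_child_enqueue_styles() {
    $parent_handle = 'parent-theme-style'; // assumed handle name
    wp_enqueue_style( $parent_handle, get_template_directory_uri() . '/style.css' );
    wp_enqueue_style(
        'parent-theme-child-style',
        get_stylesheet_directory_uri() . '/style.css',
        array( $parent_handle ),
        wp_get_theme()->get( 'Version' )
    );
}
add_action( 'wp_enqueue_scripts', 'parent_theme_child_enqueue_styles' );

// To change a template, copy it (for example header.php) from the parent into
// this directory and edit the copy: WordPress loads the child's file first.
// The parent stays untouched and can still be updated to the latest version.
```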
To be thorough, you can also remove all other unused themes.
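An added example (not from the original article) that puts steps 4 and 5 into code: a must-use plugin that lists inactive plugins and unused themes for an administrator to remove, while keeping the parent of an active child theme. The file and function names are assumptions; the WordPress functions called are standard ones.

```php
<?php
/**
 * Plugin Name: Unused Extension Audit (added example)
 * Description: Shows administrators which plugins and themes can be removed.
 * Assumed location: wp-content/mu-plugins/unused-extension-audit.php
 */

/** Installed but not activated plugins, as plugin-file => name. */
function site_audit_inactive_plugins() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $inactive = array();
    foreach ( get_plugins() as $file => $data ) {
        if ( ! is_plugin_active( $file ) ) { // also true for network-activated plugins
            $inactive[ $file ] = $data['Name'];
        }
    }
    return $inactive;
}

/**
 * Themes that are neither active nor the parent of the active child theme.
 * The parent must stay installed: deleting it breaks the child theme.
 */
function site_audit_unused_themes() {
    $keep   = array( get_stylesheet(), get_template() ); // active theme and its parent
    $unused = array();
    foreach ( wp_get_themes() as $slug => $theme ) {
        if ( ! in_array( $slug, $keep, true ) ) {
            $unused[ $slug ] = $theme->get( 'Name' );
        }
    }
    return $unused;
}

// Surface the list in the admin area so it is not forgotten.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $names = array_merge(
        array_values( site_audit_inactive_plugins() ),
        array_values( site_audit_unused_themes() )
    );
    if ( empty( $names ) ) {
        return;
    }
    echo '<div class="notice notice-warning"><p>Unused plugins/themes to review and remove: '
        . esc_html( implode( ', ', $names ) ) . '</p></div>';
} );
```

On a multisite network, check the other sites before deleting anything: a plugin that is inactive on this site may be active elsewhere.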
Similarly, you can have themes from WordPress.org upgrade automatically to the latest version. You just need to put the following line into the theme's function template file, functions.php:
add_filter( 'auto_update_theme', '__return_true' );
Of course, this only applies to themes downloaded from the official WordPress.org theme directory.
Commercial themes have their own update mechanisms, and you also need to keep those updated.
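A worked version of the two filter lines from steps 3 and 5, added here as an example (not the original article's code): it sets the plugin and theme auto-update policy in a single must-use plugin instead of the theme's functions.php, which follows step 2's advice to put customizations in a plugin and keeps the policy in force even if you switch themes. The file, function and constant names are assumptions; the filters auto_update_plugin and auto_update_theme are the ones the article uses, and the skip lists are empty constructed placeholders for plugins you have confirmed must be held back temporarily.

```php
<?php
/**
 * Plugin Name: Site Auto-Update Policy (added example)
 * Description: Keeps WordPress.org plugins and themes on their latest version.
 *
 * Assumed location: wp-content/mu-plugins/site-auto-update-policy.php, so the
 * policy loads regardless of which theme is active.
 */

// Slugs you have tested and deliberately hold back while a confirmed
// incompatibility is fixed upstream. Constructed placeholders; empty by default.
const SITE_AUTO_UPDATE_SKIP_PLUGINS = array();
const SITE_AUTO_UPDATE_SKIP_THEMES  = array();

/**
 * Decide whether one plugin update may be applied automatically.
 *
 * @param bool|null $update Decision made by earlier filters.
 * @param object    $item   Update object; ->slug is set for plugins served by
 *                          the WordPress.org update API.
 * @return bool
 */
function site_auto_update_plugin( $update, $item ) {
    if ( ! isset( $item->slug ) ) {
        return (bool) $update; // No WordPress.org-style slug: leave the decision alone.
    }
    return ! in_array( $item->slug, SITE_AUTO_UPDATE_SKIP_PLUGINS, true );
}
add_filter( 'auto_update_plugin', 'site_auto_update_plugin', 10, 2 );

// Same policy for themes; ->theme holds the theme's directory name.
function site_auto_update_theme( $update, $item ) {
    if ( ! isset( $item->theme ) ) {
        return (bool) $update;
    }
    return ! in_array( $item->theme, SITE_AUTO_UPDATE_SKIP_THEMES, true );
}
add_filter( 'auto_update_theme', 'site_auto_update_theme', 10, 2 );

// Log every automatic update result so a plugin that breaks after an update
// can be traced to the exact upgrade (written to the PHP error log).
add_action( 'automatic_updates_complete', function ( $results ) {
    foreach ( array( 'plugin', 'theme' ) as $type ) {
        foreach ( $results[ $type ] ?? array() as $result ) {
            $status = ( true === $result->result ) ? 'updated' : 'FAILED';
            error_log( sprintf( '[auto-update] %s "%s" %s', $type, $result->name, $status ) );
        }
    }
} );
```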
If you are not comfortable editing the wp-config.php and functions.php files, you can instead install the Advanced Automatic Updates plugin, which lets you configure all of the settings above.
(To be continued…)