When you’re new to WordPress or blogging online using WordPress, there are many things you may not understand right away. To operate successful blogs online, you’ll need to manage, update and secure your blogs using combinations of different techniques and tutorials written online.

One important area to focus on as a webmaster is security. Security is hugely important. If you want to be successful, you must apply the best security practices to secure your blogs and websites or you won’t go very far.

Many new users who are just starting out with WordPress always ask me the same question: What are the best ways to protect a WordPress blog?

I myself don’t know everything. And there might not be a 100% surefire way to protect anything online. If your blog is online and you’re facing a very knowledgeable and determined hacker, he/she might find ways to hurt you.

Your work is to make it very difficult for that hacker to succeed. Make it so unbearable that he/she might abandon his/her goal to take down your site.

Now, how do you make it difficult?


First things first:

  • Everyone you ask about protecting WordPress will tell you the first thing to do is to create stronger passwords for your users, especially the WordPress administrator account.
  • Another is changing the default WordPress administrator username to something other than Admin.
  • Create a stronger, more complex password for the WordPress database user account.
  • Update your blogs and websites as soon as newer updates are made available. Installing security patches is a must.
  • Install fewer WordPress plugins if possible, because the more plugins that are installed, the more avenues there are to attack your sites.
  • Set the correct file level permissions for WordPress files and folders.


Those are just a few of the steps you can take to make your site secure. Another is making sure that the computer you use to access and manage your WordPress sites is secure and protected as well.

Make sure anti-virus software is installed and updated with the latest security patches, and that the computer does not contain software that might make it easy for hackers and rogues to penetrate.


  • Setting WordPress file level permissions


The more restrictive you make WordPress file level permissions, the more work it will take to manage your sites. For example, if you set ownership of all WordPress files and folders to a user other than the web server, you will have to manually upload themes and plugins to be installed.

Most professionals will set their environments in this manner where the web server isn’t owner of WordPress files.

Making the web server owner of WordPress files isn’t entirely a bad thing. You can survive an attack as long as you implement other security measures.

For easy management, especially for newer WordPress webmasters, follow the steps below to set an easy-to-manage WordPress file level permission.


First, make the web server the owner of the WordPress directory. On a Linux system, run the commands below, assuming the root directory where WordPress content is installed is /var/www/html.


  • For Apache web server


# Debian/Ubuntu: Apache runs as www-data
sudo chown -R www-data:www-data /var/www/html/


# RHEL/CentOS/Fedora: Apache runs as apache
sudo chown -R apache:apache /var/www/html/



  • For Nginx web server


sudo chown -R nginx:nginx /var/www/html


The above commands give the web server full ownership of the root directory, assuming WordPress content is installed at /var/www/html/.


Now, set the permissions for folders. Run the command below to set all folders under the root directory to read/write/execute for the owner and read/execute for group and others.


sudo find /var/www/html/ -type d -exec chmod 755 {} \;


Next, run the command below to set all files to read/write for the owner and read for group and others.


sudo find /var/www/html/ -type f -exec chmod 644 {} \;


Restart the web server and you’re set. The steps above should buy you some time against determined hackers who want to bring your site down.
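
To confirm the result later (for example after a plugin install or a manual upload), the tree can be checked against the same scheme. This is an added example, not part of the original post: the function name audit_wp_perms and its output labels are made up here, and the owner argument is whichever account you used in the chown step.

```shell
#!/usr/bin/env bash
# Added example: audit a WordPress tree against the ownership and
# 755/644 scheme set by the commands above.
# Usage: audit_wp_perms <wordpress-root> <expected-owner>
# Prints one finding per line; returns 0 when clean, 1 when anything deviates.
audit_wp_perms() {
    local root="$1" owner="$2" findings
    findings=$(
        # Directories whose mode is not exactly 755 (rwxr-xr-x)
        find "$root" -type d ! -perm 755 -print | sed 's/^/DIR_NOT_755 /'
        # Regular files whose mode is not exactly 644 (rw-r--r--)
        find "$root" -type f ! -perm 644 -print | sed 's/^/FILE_NOT_644 /'
        # Files or directories writable by "others" (the 777/666 shortcut)
        find "$root" \( -type f -o -type d \) -perm -0002 -print \
            | sed 's/^/WORLD_WRITABLE /'
        # Anything not owned by the account the chown step assigned
        find "$root" ! -user "$owner" -print | sed 's/^/WRONG_OWNER /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run against the arguments given on the command line, if any.
# Example: ./audit.sh /var/www/html www-data
if [ "$#" -eq 2 ]; then
    audit_wp_perms "$1" "$2"
fi
```

An empty result with exit status 0 means every folder is 755, every file is 644, and everything belongs to the expected owner.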

There is more to protecting your sites, and others might have other ideas. If you feel the need to add to this, please comment below.