I believe I’m well practiced in website security these days, especially having had to manage hundreds of client WordPress sites for years now! So I’m familiar with the standard security precautions of having everything kept up to date (WordPress core, plugins and themes), deleting any unused plugins or themes, having the correct file permissions on the site etc.. But one thing I normally discount is “Database Privileges” which is basically the allowances you give the database user to interact with the database that WordPress needs to run on.
Having done some research on the matter it appears that WordPress itself only requires the following privileges to run properly:
And possibly the following if you plan on using the auto updater or installing plugins etc:
Some plugins or themes might require more privileges but you’ll quickly find that out on install and you can change privileges to suit.
Here’s the privileges I’ve settled on anyway. You can set these up while creating a new database and adding a user to it in Cpanel or go back and re-add the user to the database to change privileges if everything is already setup:
Here’s a fairly comprehensive article on WordPress security from WordPress themselves:
WordPress is an ever evolving system with new and updated functionality being added on a regular basis. While it’s not strictly necessary to constantly keep your core WordPress installation and additional plugins up to date, it’s advisable to do so. Here are the benefits:
- Keep your version of WordPress Secure,
- Overwrite potentially corrupt or attacked files in old installs,
- Benefit from newly added Functionality,
- Speed up your site,
- Benefit from plugin improvments.
The latest versions of WordPress include the ability to quickly update itself and related plugins from the admin but in my experience, this doesn’t always work smoothly. Some Hosting servers can’t handle the auto upgrade functionality at all and if upgrading breaks half way through and the process doesn’t complete, you can be left with a badly broken site.
Also, plugin versions and WordPress versions sometimes need to match and you might find that if you upgrade one, it breaks the other. The cost of having your site fixed by a web developer might be much more expensive than just preventing the problem in the first place.
My Yearly *Wordpress Service contract at just €50 per year includes the following:
- Twice yearly upgrade of the core WordPress system,
- Regular upgrading of installed Plugins,
- Compatability Testing on all upgrades.
Order a service contract now.
* I say ‘contract’ but there’s no actual contract or signing of anything so you’re not tied in!
Here’s how to better secure your WordPress installation by adding some unique authentication keys to the wp-config.php file. You’ll find this file in the root WordPress directory and it’s a file that governs some of the main and most important settings in any WordPress installation. Without it WordPress can’t function. Spammers and hackers know this and it’s one of the more attacked files so here’s how to secure it a bit.
Open up wp-config.php in a HTML editor and look for the following set of definitions:
define(‘AUTH_KEY’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);
define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’);
define(‘NONCE_KEY’, ‘put your unique phrase here’);
define(‘AUTH_SALT’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_SALT’, ‘put your unique phrase here’);
define(‘LOGGED_IN_SALT’, ‘put your unique phrase here’);
define(‘NONCE_SALT’, ‘put your unique phrase here’);
Go to the official WordPress Secret Key Generator https://api.wordpress.org/secret-key/1.1/salt/ and refresh to generate some random secret keys. Carefully copy and paste the given key values into the corresponding definitions above, replacing put your unique phrase here.
You can change these values as often as you like without consequence.
Donncha O’ Caoimh is offering a plugin for stand alone versions of WordPress which scans your files and database for signs of exploits or Hack attempts. Well worth installing and I’m a little surprised to find my own blog is clean considering my last post re Akismet Spam stats! Using this plugin along with making sure you have the latest WordPress and Plugin versions should keep you safe.