Welcome to the second post in our WordPress security series; this time we focus on WordPress hosting. Over the years we’ve seen more than a few compromised websites. It can get ugly. It can get costly. It is almost always stressful.
This post focuses on a few things that happen on the hosting/server side of things. TL/DR:
- Choose a solid WordPress host
- Latest PHP version (your host can do it for you)
- Tighten up your database
- File system permissions
- Attack prevention
1. Choose a solid WordPress host
Some of the work that needs to be done to lock down your site is the responsibility of your hosting company. Most web hosting companies are okay. There are some ugly predators out there too. What you want to look for is specialty WordPress hosting (that’s pretty easy to find because everyone will make that claim) from a host who speaks to their WordPress security hardening in their service information. A lot of hosts will talk about optimization and speed but don’t really address security.
2. Use the latest PHP version
PHP is the language that WordPress speaks, and it is very important that your site operate on a fully-supported version of PHP, for many reasons, security among them.
Almost 80% of WordPress sites are operating on an older, unsupported version of WordPress. At Boom12, we frequently update our hosting settings to stay ahead of PHP version updates. We’re currently running version 7.3+ on almost every site. All of the sites we host are running a supported version of WordPress, and none will be out of date this year.
3. Tighten up your database
As with anything that has default settings, your database can be a little more secure if you set it up with a few modifications. When you first install WordPress you get to make choices about your database. A few quick tips for setting up a more secure database (or securing your existing database):
- Name your database with a string of random characters; it won’t take it personally.
- Don’t prefix your tables with “wp_”; use something else that’s either random or not an abbreviation for WordPress. 😉
- If presented with the option, don’t allow access from remote hosts (only let your own server talk to your database).
4. File system permissions
People work really hard to not understand this one. At first glance, server file permissions are a bit weird. You’ve got 7s and 5s flying around left and right. Sometimes the right is write, sometimes it’s read. It all seems so strange … at first glance. The reality is, some of your files only need to be read, others need to change, and some “run” (are executable).
If you go too far in the secure direction, some parts of your website may not work. If you don’t go far enough, you may end up compromised and serving porn ads to far away markets.
Permissions come down to which files and directories can be read, modified, and run, and who can do those things. WordPress goes into great detail on this on their support site. We recommend getting help with this (and with most of the hosting/server stuff, frankly).
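As an added example (not code from the original post), here is a small POSIX shell audit for the baseline that the WordPress support site documents: directories 755, regular files 644, and wp-config.php never world-readable or group/world-writable (640 is the value assumed below). It builds a constructed sample tree that deliberately breaks those rules, reports the deviations, and applies the fix.

```shell
#!/bin/sh
# Added example: audit and harden WordPress file permissions.
# Assumes a POSIX find/chmod; all paths are constructed for the demo.

# Print one "path expected-mode" line for every entry that deviates.
audit_wp_perms() {
    root=$1
    # Directories must be exactly rwxr-xr-x (owner full; others list/traverse).
    find "$root" -type d ! -perm 755 -exec printf '%s 755\n' {} \;
    # Regular files must be exactly rw-r--r-- (no execute, no group/world write).
    find "$root" -type f ! -name wp-config.php ! -perm 644 -exec printf '%s 644\n' {} \;
    # wp-config.php holds the DB credentials: flag world-read or any group/world write.
    find "$root" -maxdepth 1 -name wp-config.php \
        \( -perm -o=r -o -perm -g=w -o -perm -o=w \) -exec printf '%s 640\n' {} \;
}

# Number of deviations; 0 means the tree matches the baseline.
count_wp_perm_issues() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# Apply the baseline. Run as the file owner; never blanket chmod 777.
harden_wp_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then chmod 640 "$root/wp-config.php"; fi
}

# Constructed tree with the sloppy permissions we see on compromised sites.
make_sample_tree() {
    root=$1
    mkdir -p "$root/wp-content/uploads" "$root/wp-admin"
    echo "<?php \$table_prefix = 'x9k2_';" > "$root/wp-config.php"
    echo "<?php // plugin" > "$root/wp-content/plugin.php"
    echo "png" > "$root/wp-content/uploads/a.png"
    chmod 755 "$root" "$root/wp-content" "$root/wp-admin"
    chmod 644 "$root/wp-content/uploads/a.png"
    chmod 777 "$root/wp-content/uploads"    # world-writable upload directory
    chmod 666 "$root/wp-content/plugin.php" # world-writable PHP file
    chmod 644 "$root/wp-config.php"         # credentials readable by everyone
}
```

Running `make_sample_tree /tmp/wp && audit_wp_perms /tmp/wp` lists the three offenders (uploads directory, plugin file, wp-config.php); `harden_wp_perms /tmp/wp` then brings the count to zero.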
5. Attack prevention
You’ve probably seen CloudFlare’s DDoS protection (even if you didn’t/don’t know what that means): it’s a kind of ugly screen that’s all text and gets “in the way” of you logging in to certain websites. It’s super effective, and those sites should be thanked for caring about your personal information. It’s a 2 second delay and a world of security. The Coming Soon plugin we use relies on it to protect their login page.
Boom12 hosting (powered by WebSavers) covers DDoS protection using the latest technology, but server-level protection isn’t always enough. The right targeted attack can overwhelm a site before server-level protection kicks in. Adding the premium version of WordFence to your maintenance package would protect you (and the server) from such an attack even when it is more than the core server protection would catch.
We protect against DDoS attacks every day. We recently saw a targeted attack that overwhelmed the server and caused intermittent, brief outages across all of our sites. Our maintenance packages would have helped avoid that. It takes a village to run a fast, secure, and optimized web server.
Boom12 WordPress Hosting & Security Services
If you’re ready to lock down your site without the hassle, get in touch.