Securing your Installation
Security for your WordPress site is something that varies in importance depending on your situation and your perspective. The danger of not being concerned with security is that your site, including the files and the entries of the database, could be corrupted or totally deleted. It could also effect other users and sites on your server. This may seem like a vague and remote possibility - until it happens to you. In this chapter we look at file permissions, how to keep your WordPress system updated and how to make backups.
For a good overview of all of these issues there is a detailed and informative entry on the WordPress codex site called Hardening WordPress. 1
Understanding file permissions on the files uploaded to your server is a very important piece of keeping your WordPress installation secure. There is an excellent guide on permissions on the WordPress Codex site which explains what file permission are, and most importantly how to change them. 2
If you are very restrictive when it comes to file permissions then it means that some of the best functions of WordPress like being able to upload and edit images just don't work. It makes sense to start off being restrictive, but if you find that WordPress and plugins that you have added start complaining with error messages, you can then open up the permissions of the relevant files or directories.
This may sound confusing, but normally any problem that you encounter will have been replicated by someone else. This means that you are likely to find relevant help if you search for the problems you are having in WordPress forums.
Keeping your system updated
New versions of plugins, themes and the core code of WordPress are released regularly. It is important to keep these updated otherwise your system may get cracked. Before updating there are some steps you should perform to make sure things go smoothly - or at least not disastrously. These include checking the server requirements of the update, making backups and disabling plugins. You should check the official docs on the Codex for full information. 3
WordPress now has the ability to perform Automatic Updates.
To be able to perform automatic updates you normally need one of the following situations:
- to have FTP access your server
- to have your WordPress folders given write access by the same user that runs your webserver (eg. www-data for apache on debian)
If you do allow your WordPress files to be owned by your webserver user, automatic updates should just work. If not, you may be prompted for your FTP details as shown in the screenshot below.
Security Issues of Automatic Updating
Having your folders and files writable by the user that runs your webserver is not ideal for security reasons. If you are on a shared server then it makes your system open to being hacked by the other users on that server, so therefore is not suitable.
FTP updating on the other hand solves the problem of permissions on shared hosts but often FTP is disabled by server admins who are security conscious and prefer their users to log in by more secure means like SSH. 4
You may have to compromise some of your security concerns to be able to update automatically.
Keep back-ups of your WordPress files and databases
One of the most essential approaches to security is to admit that your system is not invulnerable, and make regular back-ups that can be restored. After all, it could even be you that hacks and breaks your system by mistake.
You will need to make back-ups of the files needed for your WordPress site/s and the database/s used. You can do this process yourself manually or if you know a little about scripting and have access to another server then it is possible to set up your system to do this automatically. There is great information on the specifics of making back-ups, both manual and automated, on the WordPress Codex site.5