It never ceases to amaze me how many people aren’t worried at all about WordPress security. They go along every day thinking their blog can never be hacked because it “never has”. That’s like thinking you’ll never have a car accident because you’ve always been careful, or that you’ll never need health insurance because you’ve never been sick.
If you’re reading this post right now, chances are you’ve reached my web site because you invest a lot of time online – your business might even be online. You are working hard, and if someone broke into your WordPress web site you could lose a lot of work, time, and money. Today we’re going to talk about web hosting, and about usernames and passwords. These are two areas where you can easily tighten up your security.
This is Part 4 of my WordPress Security Guide, be sure to read the other parts in the series to be fully protected.
Things to Ask a Web Hosting Company
The price of a web host says nothing about the security or competence of its support department. If you have a web host, or are looking for a new one, try two simple Google searches for your host: “webhostname sucks” and “webhostname hacked”. Replace ‘webhostname’ with the name of the host you want information on. Then read the blog and forum posts of people who had problems with that host. This takes only a few minutes, and it’s always good to get some “real world” opinions. It’s also good to see whether a host has just a few complaints or hundreds. Next, ask your current or potential host some very important questions.
- How often are backups performed? If you are ever hacked, you need to know you can get your data restored ASAP!
- How far back are backups kept?
- At what time of day are they performed?
- Can I ask for a restore from a specific date and time?
- Do they offer SFTP (file transfer over SSH) or FTPS (FTP over TLS)? Plain FTP sends your username, password, and every file in cleartext, so anyone on the network path between you and the server can read them. If a host only offers plain FTP, you don’t want to host with them.
- What user account does the Apache web server run your site as? On a shared server, the web server should not run every customer’s PHP under one shared account (a “www-data” type user): if it does, a script in any account on that server can read and write the files in yours. Look for a host that runs each account’s code under that account’s own user (suEXEC, suPHP, or a per-user PHP-FPM pool), which is what keeps a compromise of one customer from spreading to the others.
- Does MySQL run on the same server as the web server? Better web hosts typically run the MySQL databases on separate servers.
- Does the host allow “777” file permissions? 777 means writable by everyone on the server (owner, group, and all other users), and it is not only dangerous but unnecessary. Normally 755 for directories and 644 for files is all any web site needs, and hosts that don’t allow 777 are usually more security conscious than those that do.
- Could a virus from another user’s web site infect mine? If not, why not? Have your current or potential web hosting company explain exactly what precautions they’ve taken to ensure that one infected account can’t take down an entire server. Companies that can’t give an intelligent answer to this question aren’t worth doing business with.
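The 777 question above is one you can check for yourself once you have shell (SSH) access to your account. The script below is an added example written for this post, not something from the original guide or from WordPress itself; it assumes a Unix host with POSIX `find` and `chmod`, and the path it is pointed at is whatever your host calls your document root (`public_html`, `htdocs`, etc.). It lists every file or directory that is writable by “other” (the part of 777 and 666 that lets another customer’s account touch your files) and resets them to 755 for directories and 644 for files.

```shell
#!/bin/sh
# audit_perms.sh: find and fix world-writable files and directories under a
# WordPress install. Added example for this post; not from the original guide.
# Assumes a Unix host with POSIX find and chmod. Symlinks are skipped because
# their own mode is always 777 on Linux and is ignored by the kernel.

# find_world_writable DIR: print every path under DIR that "other" can write to.
find_world_writable() {
  find "$1" ! -type l -perm -o=w
}

# fix_world_writable DIR: reset world-writable directories to 755 and files to
# 644. Only world-writable entries are touched, so anything you deliberately
# tightened (for example a 600 secret) is left alone.
fix_world_writable() {
  find "$1" ! -type l -type d -perm -o=w -exec chmod 755 {} +
  find "$1" ! -type l -type f -perm -o=w -exec chmod 644 {} +
}

# count_world_writable DIR: number of world-writable entries; 0 means clean.
count_world_writable() {
  find_world_writable "$1" | wc -l | tr -d ' '
}

# Usage: sh audit_perms.sh /home/you/public_html        (report only)
#        sh audit_perms.sh /home/you/public_html --fix  (report, then fix)
if [ -n "${1:-}" ]; then
  echo "World-writable entries under $1:"
  find_world_writable "$1"
  if [ "${2:-}" = "--fix" ]; then
    fix_world_writable "$1"
    echo "Remaining after fix: $(count_world_writable "$1")"
  fi
fi
```

Run it in report mode first and read the list: a plugin or theme that genuinely needs a writable upload or cache directory is a sign the host is running your PHP as a shared user rather than as your own account, which is the earlier question about the Apache user. Also note that wp-config.php holds your database password and is commonly kept tighter than 644 (640 or 600); the script never loosens anything, so that is safe to do before or after running it.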
On top of all this, you want to be sure that if something bad happens you find out about it right away, and that there is someone in support to talk to at all times. Ask whether your current or potential web hosting company has 24/7 monitoring, and whether they have toll-free phone support 24/7 as well. It also never hurts to call a company at midnight to see whether a live person actually picks up, or whether it goes to an answering or “call-back” service.
I get asked a LOT which web hosts I would recommend. Here are shared web hosting companies that I personally use and would recommend:
Hostgator: I’ve been using Hostgator for a long time, and they are on top of security. You can use secure FTP to transfer files and you can log in to your web control panel securely. They have helped me with hacked sites, and can tell you the exact date and time files were changed (and most times by whom). This is a North American company with a North American data center.
Servage: Servage has also been a hosting company I’ve been using for years. They have their own internal control panel with lots of features, and you can use secure FTP here as well. The control panel login is secure (https), and they take security very seriously. This is a European company with a European data center.
How to make BOTH usernames and passwords MORE secure
Choose strong usernames and passwords: By default every WordPress powered site starts with an account named “admin”. Every hacker in the world knows that nearly all WordPress sites have this account, so it is the first username they try. The first thing you should do is create a new account, give it the “administrator” role, log in as that new account (WordPress won’t let you delete the account you are logged in as), and then delete “admin”. When you delete it, WordPress asks what to do with its posts; attribute them to your new account.
Strong Usernames: Make your username hard to guess by using both letters and numbers, and make it 8 characters or more; longer is better. Don’t make it the same as your other online logins, your email address, or your web control panel or MySQL database login. Most people only put letters in their username; mixing in numbers makes blind guessing harder. One caveat: WordPress does not treat the username as a secret (author archive pages and the REST API can reveal it), so an unusual username slows down an attacker who is guessing blindly but is never a substitute for a strong password.
Strong Passwords: Make your password unique by using letters, numbers, AND symbols – 8 characters at the very least, and longer is much better, since every extra character multiplies the work a brute-force attack needs. Don’t use the same username and password combination as any other login, and definitely DO NOT make your passwords the same on your WordPress login, MySQL database login, and hosting web control panel login. Visit Strong Password Generator for examples of what really good random passwords look like.
Choose unique usernames and passwords for different logins: This was already mentioned, but it’s worth saying again. Use a different username/password combination for your WordPress login, your MySQL WordPress database login, and your web hosting control panel login. If someone breaks into one account, at least they won’t have access to every account you have.
Change password regularly: WordPress and (most) web hosting providers don’t require you to change your password on a regular basis, but most online banking does. Isn’t the time you spend on your web site or blog like putting money in the bank? If you lost it all, would you be losing money? Changing your password every 30, 60, or 90 days, just like online banking, is a reasonable habit. The bigger wins, though, are length and uniqueness, and changing the password immediately whenever you have reason to think it is compromised: a hacked host, a login you typed into a suspicious page, or a password you reused somewhere that was breached.
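To turn the three password rules above (length plus mixed characters, generated randomly, never shared between logins) into something you can run, here is an added example script. It is written for this post and is not from the original guide, from WordPress, or from Strong Password Generator; it assumes a Unix host with `/dev/urandom` and POSIX `tr`, `grep` and `awk`. `check_password` applies the post’s minimum (8+ characters with letters, digits and symbols), `gen_password` draws a password from the kernel’s random source until one passes that check, and `find_reuse` reads a tab-separated list of `login<TAB>password` lines (the constructed example in the comments stands in for your WordPress, MySQL and control-panel logins) and reports any password used by more than one login.

```shell
#!/bin/sh
# passwords.sh: generate, check, and spot reuse of login passwords.
# Added example for this post; not from the original guide or from WordPress.
# Assumes a Unix host with /dev/urandom, tr, grep and awk (all POSIX).

# check_password PW: succeed only if PW is at least 8 characters long and
# contains at least one letter, one digit, and one symbol.
check_password() {
  cp_pw=$1
  [ "${#cp_pw}" -ge 8 ] || return 1
  printf '%s' "$cp_pw" | grep -q '[A-Za-z]'     || return 1
  printf '%s' "$cp_pw" | grep -q '[0-9]'        || return 1
  printf '%s' "$cp_pw" | grep -q '[^A-Za-z0-9]' || return 1
  return 0
}

# gen_password [LEN]: print a random password of LEN characters (default 20,
# minimum 8 so the loop below can terminate), drawn from /dev/urandom and
# regenerated until it satisfies check_password.
gen_password() {
  gp_len=${1:-20}
  [ "$gp_len" -ge 8 ] || gp_len=8
  while :; do
    gp_pw=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=' < /dev/urandom | head -c "$gp_len")
    if check_password "$gp_pw"; then
      printf '%s\n' "$gp_pw"
      return 0
    fi
  done
}

# find_reuse FILE: FILE holds one "login<TAB>password" per line, for example
# (constructed sample, not real credentials):
#   wordpress<TAB>S3cure!Pass
#   mysql<TAB>S3cure!Pass
#   cpanel<TAB>Other#Pw9
# Prints one line per password shared by two or more logins, listing the
# logins comma-separated in file order ("wordpress,mysql" for the sample).
find_reuse() {
  awk -F '\t' '
    { logins[$2] = (logins[$2] == "" ? $1 : logins[$2] "," $1) }
    END { for (p in logins) if (index(logins[p], ",")) print logins[p] }
  ' "$1"
}

# Usage:
#   sh passwords.sh                 -> prints one fresh 20-character password
#   sh passwords.sh 32              -> prints one 32-character password
#   sh passwords.sh --reuse creds   -> lists logins in creds that share a password
if [ "${1:-}" = "--reuse" ] && [ -n "${2:-}" ]; then
  find_reuse "$2"
elif [ -n "${1:-}" ]; then
  gen_password "$1"
elif [ "$0" = "passwords.sh" ] || [ "$0" = "./passwords.sh" ]; then
  gen_password
fi
```

Keep any file you feed to `find_reuse` out of your web root and delete it afterwards; it is a one-off audit, not a place to store passwords. If the script prints a line, that is a password to change on all but one of the listed logins.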
Many people buy expensive alarm systems for their car, and purchase extra strength dead bolt locks for their house. Having piss-poor login names and passwords for your blog is like leaving the door to your house wide open!