Why WordPress security is so important
At its core WordPress is very secure, the CMS is audited by hundreds of expert coders who write security into WordPress. Nonetheless, WordPress can still be hacked and often it is due to a lack of basic security practices.
WordPress sites that are hacked can be very damaging for the owner as it inevitably leads to a loss of reputation while also leading to financial loss. A hacker can rob a business of its confidential user data, can install software that leads to further damage down the road or even install malicious programs on your user’s PCs.
Google plays a strong role in policing websites. First, it can exclude potentially hacked websites from search results – and indeed it blacklists tens of thousands of sites every week. Google also warns users away from infected sites by displaying a warning in Chrome. The resulting warnings can lead to a huge drop in traffic for website owners.
The responsibility for securing a website lies, of course, with the website owner. It’s no different from business security at a physical place of business. Essentially, your website is your premises and you need to ensure that it is secured.
General WordPress security tips
We appreciate that risk elimination is very difficult to achieve, if large and well-protected government and military websites can be hacked it is clearly difficult for even the most capable security regimes to eliminate risk. That’s why we believe in risk reduction instead. These are the first, most actionable steps we suggest that you take.
User permissions and passwords
A stolen password is like handing the keys to a hacker, which is why stolen passwords are so commonly involved in compromised WordPress websites. One way to “steal” a password is to guess it, if you use a weak password a hacker can easily guess it and get access to your WordPress instance.
Instead, choose strong passwords for both your WP logins as well as every other area of your hosting solution including FTP and MySQL. This goes for your email addresses too as a hacked email account can be used to reset passwords.
Also watch out for user permissions, don’t hand out your admin credentials to just anyone. Where your website works using a larger team including contributors you need to ensure you control access by limiting user privileges to the absolute minimum. Don’t give users full administrator access unless they really need it.
Always update WordPress
If your host doesn’t provide automatic WordPress updates you should make sure you execute these updates yourself, regularly. As open-source software the WP codebase is regularly updated, with minor changes to the code automatically installed. However major new releases of WordPress require user intervention for the update to install.
Updates also stretch across to the stacks of plugins and custom themes that so many websites make use of. Here, too, you must ensure that 3rd-party updates are tested and installed in a timely manner. Both WordPress core updates and 3rd-party updates are key to ensuring your WordPress website is impervious to hackers.
Getting a third party involved to boost WordPress security
We’ve outlined some of the basic elements of good WordPress security. One way to ensure your WordPress site is really secure is to make use of a third party security service.
In this section we will cover the WordPress security tips you can follow that doesn’t require an understanding of how WordPress works, and which you can implement just by pointing and clicking. For beginner users these steps are ideal as they are easy to implement yet effective. Let’s take a look.
Activate an automatic backup solution
Earlier in this article, we highlighted how it is almost impossible to make a website 100% secure against hacker attacks. You can reduce the probability of a successful attack but not eliminate it. So, website owners must assume there is a chance of a successful attack. Effective backups are the most important defense against a successful attack as it allows you to restore your website should the worst happen.
Thankfully it’s not hard to get WordPress backups into place, and you have a choice of paid-for and free solutions. However, you must save your backups in a remote location – not in your main hosting account. Otherwise, if your hosting account is compromised, your backup is simultaneously compromised. Instead store your backups in cloud storage such as OneDrive, Dropbox or AWS.
Backup frequency is important, depending on how often your site is updated it should be at least once a day but for many scenarios ongoing backups that mirror all site changes are the better option, especially where user registrations are involved. Some of your best no-coding backup solutions include VaultPress as well as Backup Buddy.
Install a third-party WordPress security plugin
Backups are your first step, but you should go further when setting out your WordPress security measures. Understanding what happens on your site is important, so you need a monitoring tool that can audit everything from failed access attempts, scanning efforts performed by malware and the integrity of WordPress core files.
One excellent tool is from a company called Sucuri. The Sucuri plugin installed directly into your WP instance and is free to install and use. You start by generating a free (API) key which will activate logging as well as automatic integrity checks and various other core Sucuri features. We also recommend that you fully activate the WP “hardening” features offered by Sucuri – simply click “Harden” next to every option on the relevant Sucuri tab.
Sucuri’s hardening features essentially automatically lock down a number of areas the are often targeted by WP hackers. There is one hardening option that Sucuri uses that is not included in the free plug-in, it is effectively a firewall for websites, we cover it in the next section.
Overall Sucuri is really easy to set up because, once you’ve ticked all the “Harden” boxes, it’s job done, you don’t need to change much else. However, we do suggest that you customize the email notifications that Sucuri sends as these can be bothersome.
To stop your inbox cluttering up too much with notifications you should edit the settings in Sucuri so you only get a message when there is a major change, for example when a new plugin is installed or when a new user registers.
Overall the Sucuri plugin is a top choice for automatic WordPress protection and we encourage you to browse through the different sections of the plugin including its malware monitoring, logs and the list of failed logins. However, you can take Sucuri to the next level if you are willing to pay for a subscription.
Get a firewall for your website
Also called a Website Application Firewall or WAF, a firewall for your website is one of the best ways to keep your website safe and secure. Why? Because a firewall protects your website from malicious traffic before this traffic even reaches your website.
Clearly, stopping intruders from reaching your site in the first instance is top WordPress security priority but Sucuri offers more. In the unlikely chance that intrusion succeeds Sucuri can also do a cleanup and can help you remove your sites from black lists, in fact the company guarantees that it can do so. Sucuri will do the fix themselves.
It’s not cheap to get a hacked website fixed and it can take a long time, which makes hacks costly. Sucuri’s technicians charge over $200 per hour, but you get access to the full Sucuri service for just $199 in subscription fees. Note that you have other choices for website application firewalls, one example would be Cloudflare.
The DIY WordPress security guide
We’ve given a number of important pointers that should get your WordPress site to a point where it is reasonably safe from attack, but if you are more technically minded you can go further and do a few more things to help you get your WordPress site as safe as can be. Some of the following instructions require a bit of knowledge of coding, but other steps are simple to complete. Let’s take a look.
Stop PHP file execution where it’s not needed
Some WordPress directories are not intended to run code, instead these just store files. For example, /wp-content/uploads/. Hackers can, for example, upload PHP code to these directories and then execute the malicious code. Stop hackers from doing so by blocking PHP code execution where WordPress doesn’t need it.
It’s simple to do so, open a pure text editor such as Windows’ Notepad and paste this text:
<Files *.php> deny from all </Files> |
You then need to save the code to a file called .htaccess and upload it to the directory you want to block PHP code execution in, such as /wp-content/uploads/. However don’t add this code to just any WordPress directory as it can stop your site from working.
Alternatively, simply use the Sucuri plugin to help you, blocking PHP file execution in unnecessary directories is one of the hardening options included in the plug-in.
Change file editing permissions
WP comes with a code editor built-in which allows you to edit the files used by plugins and themes, but we recommend that this is turned off. This direct access can cause problems when used by a rogue actor. It’s easy to switch off the ability to edit plugin and theme files. Just add this code to your wp-config.php file:
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true ); |
Of course, as we explained, Sucuri allows you to change this setting right in the Sucuri plugin’s control panel, ideal if you’re not keen on editing configuration files.
Don’t use “admin” for the administrator account
Older WordPress installations started out with “admin” as the username for the main administrator account so many WordPress website owners still access their sites via the “admin” account. This matters because of a lot of automated WordPress attacks rely on hitting “admin” with a guessed password to get into the WordPress instance.
Now, WordPress forces users to choose a different administrator username so that “admin” is no longer the default for a new installation. That said some auto-installers that do a one-click install can still make use of “admin”. If you see that your administrator username is “admin” you should really change it.
Unfortunately you can’t simply rename an existing user, so if your administrator username is “admin” you’d need to change it some other way. You do have three options. First, you can create a new administrator account with a different name and delete the old one. The “Username Changer” plugin can also do it for you. Finally, you could simply hack into the WordPress database via phpMyAdmin and make the change yourself.
Change the WordPress database name
A bit like the issue around standard administrator usernames, WordPress assigns a “wp” prefix to the WordPress database, and all its tables. This hasn’t changed and hackers can try and search for WordPress tables using this prefix. Changing it can trip up hackers, but you must be extremely careful when you make this change as it can break your WordPress site so we recommend that you read our detailed instructions before you try to do it.
Set a password for the WordPress login and admin pages
Make life harder for hackers by setting up further password protection server-side that asks for login details before your server presents the WordPress wp-admin directory and the login page inside of it.
Each hosting solution will have a different way of making this change, but it can prevent hackers from running a DDoS attack or some other tricks that try to access the WordPress admin directory.
Stop directory browsing and indexing
Hackers can try to find out whether your site has a vulnerability by browsing the content of your site’s directories. Many hosting solutions leave directory browsing enabled by default providing an opportunity for hackers.
It’s not just hackers you need to be worried about. Directory browsing lets anyone who is curious hunt through the files on your website to find images and other documents or to copy down your directory structure. We strongly suggest that you disable the ability to browse directories as there is rarely any purpose for doing so.
To stop directory indexing you need to edit the .htaccess file for the root directory on your website. You can do so using the file manager on your website’s control panel. You need to add this line to the .htaccess file:
Options -Indexes