With over 25% of the websites on the Internet using WordPress, it should be no surprise that hackers find it an attractive target. Being open source makes it somewhat easier for e-villains to break into, if no precautions are taken to lock the door. Using best practices to secure WordPress sites can make your life a lot simpler.
There are a number of things you can do to make your WP installation more secure, though. Let’s take a look at a few:
Always use a very strong password
We’ve all heard this before. Using password or some nonsense like 12345 as your password rates right up there with licking light sockets. You might as well not have one, if that’s the best you can come up with.
There are a lot of old “tricks” to help invent complex, but memorable passwords. But they are just that – old tricks. Things like using a real word, but capitalizing several letters, such as in alLiGatOr. Or substituting numbers or symbols for similar letters, such as in @lL1G@+Or. These helped a little when they were new and previously un-thought-of… these days, not so much. The best password will be a random selection of numbers, symbols and letters, in upper and lower case, and they should be 12 or more characters in length.
Never use the default admin username
If your username is still the WordPress default, admin, you’ve made another rookie mistake – one that could cause you a lot of heartache. WordPress assigns this username by default in a new installation, only because they have to put something there. Change this immediately, and don’t use your online username. Pick something unique that nobody would ever be able to connect with your online presence. Something like three-legged-bulldog might work for you. And be sure that your posts and comments aren’t credited to your admin username.
If your site is already live, you can still change your username, The easiest way is to create a new user with admin privileges, then delete the old account. Alternatively, you can use phpMyAdmin in your cpanel to change it. This is a slightly more complex method that can take your site down if not done properly, so if you’re unsure, I suggest you use the former method.
Always change the DB prefix
When you first install WP on your server, you should change the default database prefix to something unique. It can be done after the fact as well, but this should really be a basic part of every WordPress install you do.
Limit the number of login attempts
There are plugins available that you can set to a maximum number of failed login attempts before a user is locked out for a time. I recommend Login Security Solution or Login LockDown. These will help block brute force attacks by blocking an IP range for time-frames you can adjust from the settings panel in your WP backend.
Implement two-factor authentication
Two-factor authentication is another great way I highly recommend you use, to help protect your WP site from hackers. I tested Shield WordPress Security and found it to be very comprehensive. To go the extra mile in securing your site against unauthorized logins, I suggest you choose their Yubikey method.
Restrict access to wp-admin to your IP
In your .htaccess file, you can easily whitelist your IP address, while blocking all others. Just add this code to the file:
<Limit GET POST> order deny,allow deny from all allow from xxx.xx.xxx.xx </Limit>
(put your own IP address in to replace the xxx.xx.xxx.xx)
If you have multiple locations, such as home and office, you can just add more IP addresses, separated by a space. If your IP address changes, you’ll be locked out of your backend, so you’ll have to go to the hosting account via either ftp or cpanel, to put in the new IP. This is probably the single most secure method of stopping intruders from accessing your WP admin area.
Be careful with plugins
There are a LOT of plugins out there… thousands just in the WordPress.org library alone. If you’re considering a plugin from an independent source, you need to be very cautious. Some may embed malicious code, others will conflict with other plugins you’re using, some will just be semi-abandoned, with no recent updates, while others may offer little or no support. Dig deep into the performance of any plugin you’re considering.
And of course, try to limit the number of plugins you run. I’ve seen sites running 70+ plugins… a colleague had a new client that had 120+ running. That can have a terrible impact on your pageload speed, slowing your site down to the point that users (and search engines) no longer consider your site worth the effort. Personally, I cringe when I see more than a dozen plugins installed.
Keep in mind that even though WordPress tries very hard, it’s impossible for them to check every plugin sufficiently to ensure it won’t conflict with another plugin. They vet them the best they can, but it’s up to each site-owner to do the final testing.
Update, update, update your WP, theme and plugins
Remember all those occasions people hammered at you to back up your work? It’s even more important today than ever. But when it comes to ensuring you won’t need that backup, it’s critical to keep your WordPress version, your theme and all your plugins updated. Most updates are necessitated by some security flaw being fixed. And you can bet the hacker community knows about those flaws before you do. And by the way, even plugins that aren’t activated can present a potential vulnerability… if you don’t want to uninstall it, at least keep it updated. So keep your site updated! ‘Nuff said!
Why you should!
Don’t think hackers won’t be interested in your site because you don’t handle financial data or other sensitive customer information. The vast majority of hacks don’t result in stolen data… they redirect users to other sites, inject malware, are used for sending mass spam… all things, by the way, which can cause your site long-term problems with the search engines, lasting well beyond the time the hack has been discovered and corrected. In order to secure WordPress against hacks and attacks, implement the preceding 8 best practices now, before it’s too late.