8 WordPress Security Secrets
Learn how to prevent, deter and recover from attacks on your WordPress website with these must-know tips
Add Extra Security To User Accounts
A great deal of vulnerability comes from the user accounts that intentionally give access to your sit, particularly administrator and editor roles. If a hacker gains access to one of these accounts, of any user on the site not just the main admin’s one, then they can make changes at will on the website.
Always make sure accounts only have the access they need. For example, if a user is only going to be writing articles, consider giving them only contributor or editor access, never administrator. Keep in mind the level of ability of your users, ensuring that anyone with admin or editor access is fully trained to use all the account’s features to avoid accidents.
You can add features to allow temporary access to a certain role level, i.e if you have a contractor working on the site and they need temporary admin access, you could give it to them with a set time to expire so that you don’t need to remember to revoke their access later down the line.
If a certain role level does not need all of the default permissions, you can install role and permissions plugin to turn off certain permissions that will never be used. To help prevent attacks coming from user logins, put a limit on the number of times an account can make a failed login attempt before that username is locked out for a period of time. This mostly catches out bots who are guessing passwords, but remember to warn your users that they should not attempt to log in more than the number of times you set in a row. If they can’t remember their password, and if they forget their password, they should reset it instead of trying to guess!
Change Old Defaults
New WordPress installs make you choose a custom username for your admin account, but if you installed your site a while ago, your admin account may have a default ‘admin’ – this makes it easier for hackers to guess your login credentials as half the work is already done for them. Change the default admin username to something else to improve security. You can do this manually via the database in the wp_users table or you can create a new admin admin profile and delete the old one via the Admin panel (be sure to attribute all the old posts to the new one)
You can also change the default database prefix to something other than wp_ to add a further layer of obscurity to your default setups. The easiest way to do this on an existing install is via a plugin, but backup your database first.
Keep WordPress Updated
WordPress is always updating and improving its built-in-security, so make sure that your version is the most up to date to stay ahead of old vulnerabilities and exploits. Most WordPress installations updates automatically, but if yours doesn’t, keep any eye on you Admin panel or Inbox to be noticed of when new updates are ready to install. Hackers are on the lookout for sites that haven’t been updated and only 22% of WordPress are running the latest version. Since WordPress runs almost 30% of all websites on the web, that’s a lot of outdated websites!
If your running a staging site, you can test all updates compatibility with your current theme and plugins before pushing it live. This is good practice to avoid any automatic updates accidentally conflicting with existing installations. It gives you a chance to catch any problems before going into production. Don’t forget to update your Plugins and Themes too. It’s not just old core WordPress vulnerabilities that can give hackers a way in; anything you install on your WordPress website needs to be secure as well/ The next tip will tell you more on choosing trustworthy plugins.
Install Trusted Plugins and House Clean Regularly
There’s a temptation to install as many plugins as you have problems to solve, but to many plugins can cause bloat and one unreliable plugin can cause a security risk. As always check the plugins are trustworthy before installing. Download through the official WordPress interface or website and always check the star rating and reviews for negative feedback that may indicate a security flaw.
Plugins are created by developers with all different levels of ability. Even though plugins are vetted before being added to the WordPress site, you should always do your own research to make sure that the code you are installing is solid.
It’s not just the security of your own site you need to think about. If you host your sites on shared servers, you run the risk of cross-server contamination, where hackers gain access through a different site and are able to damage other sites sharing re same space. Consider managed hosting or Virtual Private Servers (VPS) hosting to eliminate this threat, where your site is hosted separately.
Cost is an obvious implication, but for sites with huge loads and traffic dedicated servers can improve performance as well as security. Different hosts have different solutions compare a few to assess which best suits your needs.
Mask, Lock And Hide
Hackers have less leverage if they don’t know where to start. Hide your WordPress version number from your code so only admins know which version of WordPress you’re running. That way, hackers don’t know which vulnerabilities are present to exploit.
Move your login page from /wp-login to something that’s not default. This makes a huge stumbling block for DOS and brute force attacks bots that trawl sites looking for login forms to target. It also adds a more aesthetic value, in that you can change the url to something more memorable for your users.
Deny external access to wp-config.php and .htaccess using the following code in your .htaccess file:
deny from all
deny from all
You can also disable file editing from Admin panel if you know that your themes are going to be edited via file uploads on an FTP. This prevents anyone with access to the Admin panel from directly editing files accidently or as a hacker with malicious intent. Insert the following into your wp-config.php file:
Run Backups Frequently
Make sure that your site is backed up in the event that your site is hacked and you need to roll back to an earlier clean version. How often you should you should backups depends on how often your sites updated.
It’s integral to back up in a place where your site isn’t hosted to avoid any malicious activity on your WordPress hosting from infecting your backups too. Backups can be stored on your own computer or a cloud based service like Google Drive, Dropbox or Amazon S3, but please check where the data is stored due to GDPR laws.
Install Security and Anti-Spam Plugins
Many security features can be added with a comprehensive security plugin such as iThemes security or Sucuri both of which have free and premium version. Security plugins come with a suite of tools to lock down vulnerabilities on your site such as those already mentioned in this article; from masking your version number, to installing two-factor authentication for logins, the features lists are often extensive.
These types of plugins can be invaluable in making your WordPress site more secure and most security plugins are easy to use with single-click installation for most important features, and optional installations for the more advanced or complex features. This makes them perfect for WordPress beginners, as there’s no coding needed to get a well-protected site in minutes. More advanced users will have access to features that can further secure your site, such as closing down unneeded access to protocols such as XML-RPC and updating the WordPress salts used in encoding.