5 Easy Steps to Secure WordPress
More than 70% of WordPress installations are vulnerable to hackers, according to a recent survey of 40,000 WordPress sites by Alexa. Hackers know this and target insecure WordPress sites with automated software, called bots, which, on discovering a vulnerable site, can either damage the site directly or plant pieces of code that let the hacker break in whenever they choose. A secure WordPress site is critical, so I’ve put together these five easy practices that will immediately improve your website’s security.
1. Update Regularly
Security vulnerabilities are constantly being discovered in WordPress core files, themes and plugins. These are updated often, and whenever a new security issue surfaces their maintainers tend to push out an immediate fix. If you don’t keep your WordPress site up to date you cannot benefit from these fixes, leaving your site open to a vulnerability that is now widely public and being exploited all the more vigorously by hackers. This applies not only to the WordPress core files but to your themes and plugins as well.
A common reason for not updating is that these files have been customized by a developer. Prevent this by insisting that any developer who works on your site follows WordPress best practices and never edits the core files of WordPress. The main reason plugins and themes exist in the first place is to give developers a way to customize WordPress that still allows it to be updated without overwriting the customization. The best developed themes and plugins have now adopted the same practice and provide their own means of being safely customized. A secure WordPress site owner will insist that their developers adhere to best practices.
2. Strong Passwords
Here we are some 20 or so years into computers and passwords permeating every aspect of our lives, and do you know what the most popular password is? password123. Your website security is only as strong as your password, and every hacker bot that bounces from site to site first tries to access your site using a list of the most common passwords. If your password is too common, your site will be too easy to hack. A secure WordPress site administrator uses strong passwords that are hard enough to guess that the hacker bot moves on, looking for less secure WordPress sites to hack.
A strong password has numbers, capital letters and special characters (@, #, *, etc.) and is long and unique. Ideally, it should not include any dictionary words. In WordPress, passwords can even include spaces, so consider using a pass phrase. It is also a good idea not to use the same password on multiple sites. Of course it’s no easy task to remember all these strong passwords that avoid words and are long and difficult, so there are services to help keep track of them, such as LastPass. These services take security very seriously and are generally considered safe to use.
3. Managing Users
Don’t just improve your own password standards, but enforce them on every user of your website, especially all administrator level users. While you’re at it, consider whether you really need that user to have administrator access. This is the highest level of access and if a hacker gets admin access they have complete authority to make any changes they desire to your WordPress site. Simply put, the more admins you have the greater the chances of a hacker being able to do damage. Only give admin access to a user who truly needs it and if they only need it temporarily, reduce their role or delete the account when they are finished.
As a developer, I frequently receive login credentials from clients and potential clients that are their own accounts. While I appreciate their trust, I will usually create a new account for myself and advise them to delete or restrict the account when I am finished working on their site. A secure WordPress administrator never gives anyone their own admin account credentials, but instead creates a new user account so they can easily remove or reduce its access level when the work is complete.
4. More on Managing Users
Another important practice is to never use “admin” as a username. Hackers know this is the most common administrator username so their bots are programmed to test thousands of passwords against this account. Other variations, such as administrator or even adminadmin are also frequently tried by hackers. A secure WordPress site uses administrator usernames that say nothing about the level of access to greatly reduce the chances of being hacked. Many web hosting tools that install WordPress automatically will use admin as the primary account username so you might need to create a new account with administrator access, then log back in using the new account and delete the old admin account.
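The procedure just described (list who holds the administrator role, create a replacement administrator with a non-obvious login, then delete the old “admin” account) as an added WP-CLI script, not code from the original article. It assumes WP-CLI is installed and the script is run from the WordPress root; the account name and e-mail passed in are placeholders.

```shell
#!/bin/sh
# Replace the default "admin" account with an administrator whose login
# reveals nothing about its role. Added example using WP-CLI (assumed
# installed and run from the WordPress root); not the article's own code.
set -eu

OLD_LOGIN="${OLD_LOGIN:-admin}"   # the login that bots try by default

# List every administrator so you can decide who really needs the role.
audit_admins() {
    wp user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered --format=table
}

# Generate a long random password (WordPress accepts symbols and spaces).
random_password() {
    head -c 48 /dev/urandom | base64 | tr -d '\n/+=' | cut -c1-32
}

# Usage: replace_admin_account <new_login> <new_email>   -> prints new user ID
# Creates the new administrator first, then deletes the old one while
# reassigning its posts and pages so no content is lost.
replace_admin_account() {
    new_login="$1"; new_email="$2"
    case "$new_login" in
        admin|administrator|adminadmin|root)
            echo "refusing: '$new_login' is a guessable login" >&2; return 1 ;;
    esac
    if ! wp user get "$OLD_LOGIN" --field=ID >/dev/null 2>&1; then
        echo "no account named '$OLD_LOGIN'; nothing to replace" >&2
        return 1
    fi
    pass="$(random_password)"
    new_id="$(wp user create "$new_login" "$new_email" \
        --role=administrator --user_pass="$pass" --porcelain)"
    wp user delete "$OLD_LOGIN" --reassign="$new_id" --yes >/dev/null
    echo "created '$new_login' (ID $new_id), removed '$OLD_LOGIN'" >&2
    echo "initial password: $pass" >&2   # store it in a password manager, then change it
    echo "$new_id"
}

# Runs only when configured through the environment, e.g.
#   NEW_ADMIN_LOGIN=site_ops NEW_ADMIN_EMAIL=ops@example.com sh replace-admin.sh
if [ -n "${NEW_ADMIN_LOGIN:-}" ]; then
    audit_admins
    replace_admin_account "$NEW_ADMIN_LOGIN" "${NEW_ADMIN_EMAIL:?set NEW_ADMIN_EMAIL}"
fi
```

Log in with the new account before running the delete step on a live site, so you are never locked out if the new credentials were mistyped.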
5. Regular Backups
Without a backup plan in place you risk losing everything or not being able to get your website back up quickly if something bad happens. You need to always have a recent copy of the complete site files and the database. Your backups should also be automated so they happen without you needing to do anything. If your backup is not automated, at some point you will forget about it.
Just backing up the database, which is all some tools do, is not enough. A database backup will save most of your content, but your styling and customization would need to be rebuilt if you were ever to lose your entire site. Finally, be sure the backup tool you choose can transfer your backups to an off-site location such as Google Drive, Dropbox or AWS.
WordPress, by virtue of its incredible popularity for blogging and managing web content, presents some challenges to website owners when it comes to security. As you’ve seen above, however, a secure WordPress site is achievable by taking just a few easy steps. The first rule in website security is not that your site must be 100% impenetrable by the best hackers, just that it is more secure than the next site the bot will move to.
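An added example of the backup routine these two paragraphs call for (database dump plus the complete site files in one archive, verified, copied off-site and run unattended); it is not code from the original article. It assumes WP-CLI and rclone are installed, and the site root, backup directory and rclone remote name are placeholders.

```shell
#!/bin/sh
# Nightly WordPress backup: database dump + every site file in one archive,
# copied off-site. Added example assuming WP-CLI and rclone; the paths and
# the rclone remote are placeholders, not the article's own settings.
set -eu
umask 077   # the archive contains wp-config.php (database credentials): keep it private

SITE_ROOT="${SITE_ROOT:-/var/www/html}"          # directory holding wp-config.php
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wordpress}"
REMOTE="${REMOTE:-offsite:wordpress-backups}"     # rclone remote:path (placeholder)
KEEP_DAYS="${KEEP_DAYS:-14}"

# Usage: make_backup <site_root> <backup_dir>   -> prints the archive path
# The SQL dump sits next to every site file (themes, plugins, uploads,
# wp-config.php), so a restore rebuilds the whole site, not just its content.
make_backup() {
    root="$1"; out="$2"
    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    work="$(mktemp -d)"
    mkdir -p "$out"
    # wp db export reads the credentials from wp-config.php; nothing on the command line
    wp --path="$root" db export "$work/database.sql" --add-drop-table >/dev/null
    archive="$out/wp-backup-$stamp.tar.gz"
    tar -czf "$archive" -C "$work" database.sql -C "$root" .
    rm -rf "$work"
    # Refuse to report success for an archive that cannot be read back
    tar -tzf "$archive" >/dev/null
    echo "$archive"
}

# Copy one archive off the server, then prune local copies older than KEEP_DAYS
ship_offsite() {
    rclone copy "$1" "$REMOTE"
    find "$(dirname "$1")" -name 'wp-backup-*.tar.gz' -mtime +"$KEEP_DAYS" -delete
}

if [ "${RUN_BACKUP:-0}" = 1 ]; then
    archive="$(make_backup "$SITE_ROOT" "$BACKUP_DIR")"
    ship_offsite "$archive"
fi
# Automate it from cron so it never depends on remembering, e.g.
#   15 3 * * * RUN_BACKUP=1 sh /usr/local/bin/wp-backup.sh
```

Test a restore from the off-site copy on a scratch server now and then; a backup nobody has ever restored from is an assumption, not a plan.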
About the Author:
Michael Davis has been consulting web developers and building websites since 1999 and has recently developed a managed security service for WordPress website owners needing premium security for their websites called WP Total Defense.