How to Improve Your WordPress Security
WordPress Security Guide
One of the most important things you can do for your WordPress website is to keep it secure. Sites that are not secure are vulnerable to attack, can spread malware to their readers, and can put customers' information at risk, which costs you readers and clients.
In this article we'll take a look at some best practices you can follow to improve your WordPress security. Several of these sections mention suggested plugins.
Choose a Secure Host
Make sure your host treats security as a priority: supported, current versions of PHP and MySQL (or MariaDB), a web application firewall, and an intrusion detection system. Also look for account isolation, so that a compromised site belonging to another customer on the same server cannot read or write your files.
Keep a Recent Backup of your WordPress Site
Backups let you restore your website quickly after a compromise, a bad update or a hosting failure. No matter how well you secure your website you still need a recent backup, just in case; hopefully you'll never need it, but if you do you'll be grateful you have it. Back up both the files and the database, automate it, and keep copies off the server (online storage such as Dropbox, or your own PC) so that whoever gets into the host cannot delete them too. Test a restore occasionally: a backup you have never restored is only a hope.
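As an added example (not from the original article or from any plugin it mentions), here is a minimal shell backup script for a self-hosted WordPress install: it archives the files, dumps the database with the credentials that wp-config.php already holds, records checksums, and prunes old copies. The paths, the retention count and the standard install layout it assumes are assumptions; copy the output to off-server storage afterwards.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: back up a WordPress install.
# Assumptions: wp-config.php sits in the web root, mysqldump is on the PATH
# for the database step, and the destination directory is outside the web root.
set -eu

KEEP=7   # how many file archives to keep (assumption)

# checksum <file>: sha256 with a fallback for systems without sha256sum
checksum() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# wp_config_value <wp-config.php> <CONSTANT>: read define('CONSTANT', 'value');
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# backup_files <wp_root> <dest_dir>: archive the install, verify the archive
# reads back, write a checksum next to it, print the archive path.
backup_files() {
  local root="$1" dest="$2" out
  out="$dest/files-$(date +%Y%m%d-%H%M%S).tar.gz"
  mkdir -p "$dest"
  tar -C "$root" -czf "$out" .
  tar -tzf "$out" >/dev/null          # fail loudly on a corrupt archive
  checksum "$out" > "$out.sha256"
  printf '%s\n' "$out"
}

# backup_db <wp_root> <dest_dir>: mysqldump using the credentials in
# wp-config.php. The password travels in MYSQL_PWD rather than on the
# command line, so it does not show up in the process list.
backup_db() {
  local cfg="$1/wp-config.php" dest="$2" out
  out="$dest/db-$(date +%Y%m%d-%H%M%S).sql.gz"
  mkdir -p "$dest"
  MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" \
    mysqldump --single-transaction \
      -h "$(wp_config_value "$cfg" DB_HOST)" \
      -u "$(wp_config_value "$cfg" DB_USER)" \
      "$(wp_config_value "$cfg" DB_NAME)" | gzip > "$out"
  checksum "$out" > "$out.sha256"
  printf '%s\n' "$out"
}

# prune_backups <dest_dir> <keep>: delete all but the newest <keep> file archives
prune_backups() {
  ls -1t "$1"/files-*.tar.gz 2>/dev/null | tail -n +"$(( $2 + 1 ))" | while read -r f; do
    rm -f "$f" "$f.sha256"
  done
}

# Typical nightly cron run (assumed paths); uncomment and adjust:
# backup_files  /var/www/html /var/backups/wp
# backup_db     /var/www/html /var/backups/wp
# prune_backups /var/backups/wp "$KEEP"
```

The archive is listed back with tar -tzf before the checksum is written, so a disk-full or permissions problem fails the job instead of leaving a truncated file you discover on the day you need it.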
Keep Your WordPress Site Updated
Your WordPress installation, themes, and plugins should be kept up to date. Updates are often issued to fix security vulnerabilities in the code (an update cannot close an open port; that is a job for your host or your firewall). WordPress installs minor and security releases automatically by default, but major releases, plugins and themes still have to be updated by hand unless you enable automatic updates for them (for core, define('WP_AUTO_UPDATE_CORE', true); in wp-config.php). Once a fix is public, attackers scan for sites still running the old version, so apply updates promptly, and take a backup first.
Use Caution when Choosing WordPress Themes and Plugins
There are lots of places online to get themes and plugins for WordPress, and not all of them vet what they distribute, so insecure code can leave your website open to attackers and undo the rest of your WordPress security. Before downloading anything, check when it was last updated, read the most recent reviews, and look at the support forum to see whether the author responds to problems. If you're not sure, stay safe by avoiding anything questionable. Make sure you have a recent backup before installing anything. Don't keep plugins and themes you don't need: an inactive plugin is still code on your server that can be attacked, so delete it. Enable automatic updates on any theme or plugin that offers the option.
Avoid free themes and plugins unless they're from reputable developers or hosted on WordPress.org. Free themes from elsewhere often contain obfuscated (for example base64-encoded) code, which gives the developer a way to inject ads, spam links and potentially a backdoor without you seeing it. A theme has no legitimate reason to hide its own code, so treat obfuscation as disqualifying.
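Here is an added example, not from the article, of the check to run on a theme or plugin before installing it: a shell script that greps a directory for the obfuscation and remote-execution functions that hidden ads, spam links and backdoors are built from. The pattern list and the two sample themes it creates are assumptions (the "shady" one carries an inert base64 blob that merely decodes to an echo statement); a hit is a reason to read the code, not proof of malice, and a clean scan is not proof of safety.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: triage a theme or plugin
# directory for obfuscated or dynamically executed code before installing it.
# The pattern list and the sample directories are constructed assumptions.
set -u

# Functions a legitimate theme almost never needs, and the usual building
# blocks of hidden payloads: decode-then-eval, compressed blobs, rot13,
# runtime function creation, the /e modifier of preg_replace.
SUSPICIOUS_RE='base64_decode|eval *\(|gzinflate|gzuncompress|str_rot13|create_function|preg_replace *\(.*/e|assert *\('

# scan_dir <dir>: print file:line:text for every hit; exit 1 if there were any.
scan_dir() {
  local dir="$1" hits
  hits=$(grep -rEn --include='*.php' "$SUSPICIOUS_RE" "$dir" 2>/dev/null || true)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# count_hits <dir>: number of suspicious lines, handy in scripts.
count_hits() {
  grep -rEc --include='*.php' "$SUSPICIOUS_RE" "$1" 2>/dev/null | awk -F: '{ s += $NF } END { print s + 0 }'
}

# make_demo <dir>: build a clean theme and a trojaned one (constructed samples).
make_demo() {
  local dir="$1"
  mkdir -p "$dir/clean-theme" "$dir/shady-theme"
  cat > "$dir/clean-theme/functions.php" <<'EOF'
<?php
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_style('theme-style', get_stylesheet_uri());
});
EOF
  # The blob below is base64 for the harmless PHP statement  echo 'hello';
  # A real footer injection looks the same but decodes to spam links or a shell.
  cat > "$dir/shady-theme/footer.php" <<'EOF'
<?php
$x = "ZWNobyAnaGVsbG8nOw==";
eval(base64_decode($x));
?>
</body></html>
EOF
}

demo() {
  local tmp
  tmp=$(mktemp -d)
  make_demo "$tmp"
  echo "clean-theme hits: $(count_hits "$tmp/clean-theme")"
  echo "shady-theme hits: $(count_hits "$tmp/shady-theme")"
  scan_dir "$tmp/shady-theme" || echo "REJECT: read the flagged lines before installing"
  rm -rf "$tmp"
}
demo
```

Run scan_dir against the unpacked zip before it ever touches wp-content; on a live site the same scan over wp-content/themes and wp-content/plugins is a cheap first look when you suspect a compromise.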
Limit WordPress Login Attempts
If anyone can attempt to log in as many times as they want, your site is vulnerable to brute force attacks: a script tries to log in to your website with many combinations of user names and passwords, and can try hundreds of combinations per second. Common user names and weak passwords put you at high risk.
Use a plugin that limits the number of login attempts and temporarily blocks IP addresses with too many failures. Attackers spread their attempts across many addresses, so treat this as one layer alongside strong passwords and two-factor authentication, and keep an eye on your web server log for bursts of POST requests to wp-login.php.
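As an added example, not from the article and not the code of any plugin it names, the following shell script performs the detection a login-limiting plugin performs, but over the web server's access log, where you can see it happen. It counts failed logins per IP address inside a sliding window (a failed login to wp-login.php is a POST answered with 200 and the form re-rendered; a successful one is answered with a 302 redirect) and then emits an Apache rule that locks the offenders out of the login form. The log lines, the threshold and the window are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: spot brute-force logins in an
# Apache/nginx combined-format access log and generate a block rule.
# Threshold, window and the log sample are constructed assumptions.
set -u

THRESHOLD=5   # more than this many failures from one IP ...
WINDOW=300    # ... within this many seconds flags the IP

# failed_logins [logfile]: print "ip total_failures" for each flagged address.
# Combined log fields: $1 ip, $4 [dd/Mon/yyyy:HH:MM:SS, $6 "METHOD, $7 path,
# $9 status. POST /wp-login.php -> 200 is a failed login (form re-rendered);
# -> 302 is a success, so it is not counted.
failed_logins() {
  awk -v thr="$THRESHOLD" -v win="$WINDOW" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 {
      ip = $1
      split($4, t, ":")                      # t[2]=HH t[3]=MM t[4]=SS
      sec = t[2] * 3600 + t[3] * 60 + t[4]   # seconds since midnight (one-day log)
      n[ip]++; ts[ip, n[ip]] = sec
      c = 0                                  # failures from ip inside the window
      for (i = n[ip]; i >= 1 && sec - ts[ip, i] <= win; i--) c++
      if (c > thr && !(ip in flagged)) { flagged[ip] = 1; order[++k] = ip }
    }
    END { for (i = 1; i <= k; i++) print order[i], n[order[i]] }
  ' "$@"
}

# deny_snippet <ip>...: Apache 2.4 rule that keeps wp-login.php reachable for
# everyone except the listed addresses (nginx equivalent: "deny <ip>;" inside
# the location block for wp-login.php).
deny_snippet() {
  printf '<Files "wp-login.php">\n  <RequireAll>\n    Require all granted\n'
  for ip in "$@"; do printf '    Require not ip %s\n' "$ip"; done
  printf '  </RequireAll>\n</Files>\n'
}

# Constructed sample: 203.0.113.9 fails six times but ten minutes apart (outside
# the window); 203.0.113.7 fails six times in ten seconds; 198.51.100.20 is a
# real user who mistypes twice and then gets in (302).
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.9 - - [10/Oct/2023:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:09:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:09:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:09:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:09:50:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "python-requests/2.31"
198.51.100.20 - - [10/Oct/2023:14:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:14:00:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:14:00:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:14:00:55 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
)

# Run against the sample; on a server: failed_logins /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | failed_logins
deny_snippet $(printf '%s\n' "$SAMPLE_LOG" | failed_logins | awk '{ print $1 }')
```

Only 203.0.113.7 is reported: the slow attacker never has more than one failure inside any five-minute window, which is exactly why a plugin that counts per window has to be paired with a strong password, and the legitimate user's two typos never reach the threshold.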
Hide your WordPress Usernames
Common usernames make brute force attacks easier, because the attacker only has to guess the password. The most common username on WordPress sites is admin (older versions created it by default). Never use admin as your username; removing that account is one of the best things you can do to improve your security.
Usernames cannot be changed from the dashboard. To change yours, create a new administrator account with a new username, log in as the new user, and delete the original account, assigning its posts to the new account when WordPress asks. With WP-CLI the same thing is wp user delete admin --reassign=<id>, where the id is that of the new account.
Hiding the username takes more than changing the nickname and display name, which only affect what readers see. The author archive URL uses the user's slug (user_nicename), which WordPress derives from the login name, and requesting /?author=1 redirects straight to /author/<slug>/, so a script can collect usernames in seconds; the REST endpoint /wp-json/wp/v2/users lists the same slugs. Change the slug to something unrelated to the login name (wp user update <id> --user_nicename=<new-slug> with WP-CLI, or the user_nicename column of the wp_users table), and consider blocking ?author= requests and the users REST endpoint for anonymous visitors, which several security plugins can do.
Use Strong Passwords
Never use a weak password. Don't use your name or short words. Passwords are easy to guess because we humans are predictable: we like patterns and words we can memorize easily. For example, the most common passwords are:
The next most common practice is to add a number at the end of a word or phrase; one fourth of the time that number is 1. Using real words lets attackers run a dictionary attack: they simply start with the most common words and the most common numbers and work down the list.
Passwords should be long and include symbols, numbers, upper-case and lower-case characters; more characters are better than fewer, so aim for at least 15. A random passphrase of several unrelated words is just as strong and easier to type.
A good password might look like this:
You could create these yourself, use an online password generator such as the MD5.me Password Generator, or, better, let a password manager generate and store a unique password for every site. Change a password immediately if you suspect it has been exposed, and never reuse one across sites.
When creating user accounts, set their privileges appropriately: give each person the lowest role that lets them do their job (Subscriber, Contributor, Author, Editor and Administrator, in increasing order of power). Giving someone too high a role lets them make changes at will, and an extra Administrator account is worth exactly as much to an attacker as your own.
Use Two-Factor Authentication
Also known as 2-step verification, two-factor authentication requires two different things at login: something you know (your password) and something you have (a phone app or a hardware key). The most popular option is Google's free Authenticator app, which generates time-based one-time codes, and several WordPress plugins support it. The process is simple:
Step 1 – enter your password as normal.
Step 2 – prove you hold the second factor: enter a one-time code from an authenticator app or one sent by text, email or phone call, or tap a USB security key. Codes from an app or a hardware key are stronger than codes sent by SMS or email, which can be intercepted or redirected.
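To make Step 2 concrete, here is an added example (not from the article, and not the code of Google Authenticator or of any WordPress plugin) of the arithmetic an authenticator app performs: TOTP as specified in RFC 6238, an HMAC-SHA1 over the current 30-second time step, truncated to six digits, together with the check the server side makes. It needs openssl; the key is the RFC test vector rather than a real secret, and the tolerance of one step either side is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: TOTP (RFC 6238) code
# generation and verification in shell. Requires openssl on the PATH.
# The key is the RFC 4226/6238 test vector ("12345678901234567890" as hex),
# not a real secret.
set -u

TOTP_STEP=30         # seconds per code
TOTP_MOD=1000000     # 10^6, i.e. six-digit codes
TEST_KEY_HEX=3132333435363738393031323334353637383930

# be64_bytes <n>: write n as 8 big-endian raw bytes (POSIX octal printf
# escapes, so no xxd dependency).
be64_bytes() {
  n=$1
  for i in 7 6 5 4 3 2 1 0; do
    printf "$(printf '\\%03o' $(( (n >> (8 * i)) & 255 )))"
  done
}

# hotp <hex_key> <counter>: HMAC-SHA1(key, counter), dynamic truncation
# (RFC 4226 section 5.3), then modulo 10^6.
hotp() {
  mac=$(be64_bytes "$2" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$1" | awk '{ print $NF }')
  offset=$(( 0x$(printf '%s' "$mac" | cut -c40) ))              # low nibble of the last byte
  word=$(printf '%s' "$mac" | cut -c"$(( offset * 2 + 1 ))-$(( offset * 2 + 8 ))")
  printf '%06d\n' $(( (0x$word & 0x7fffffff) % TOTP_MOD ))      # 31-bit window, then 6 digits
}

# totp <hex_key> [unix_time]: the code for the 30-second step containing the time.
totp() {
  now=${2:-$(date +%s)}
  hotp "$1" $(( now / TOTP_STEP ))
}

# verify_totp <hex_key> <code> [unix_time]: accept the current step and one
# either side to absorb clock drift. A real login must also rate-limit
# attempts (six digits are brute-forceable) and never accept a code twice.
verify_totp() {
  now=${3:-$(date +%s)}
  for d in -1 0 1; do
    [ "$(hotp "$1" $(( now / TOTP_STEP + d )))" = "$2" ] && return 0
  done
  return 1
}

# Demo against the RFC 6238 vectors: time 59 -> 287082, 1111111109 -> 081804
totp "$TEST_KEY_HEX" 59
totp "$TEST_KEY_HEX" 1111111109
verify_totp "$TEST_KEY_HEX" 287082 59 && echo "code accepted"
```

Both sides only share the secret and a clock, which is why app-generated codes work offline and why a phone whose clock has drifted by more than one step produces codes the server rejects.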
Use a Plugin to Improve Your WordPress Security
Plugins do most of the security work for you. They can protect you against brute force attacks, hide your usernames, hide your login page, limit login attempts, make backups, protect file permissions, protect your .htaccess file, force strong passwords, create a firewall, etc.
- iThemes Security
- All In One WP Security & Firewall
- Sucuri Security
- BulletProof Security
There’s no such thing as a perfectly secure website, but you can greatly improve your website’s security by following these tips and best practices. They are a good starting point for keeping your WordPress website secure. Keeping your site secure is a never-ending process. Keeping WordPress security at the top of your list will make it harder to be hacked and will help keep your website running smoothly.
Your turn. How do you keep your WordPress site secure? Did I leave out your favorite tip? Do you have anything to add? Let us know in the comments.