As the world’s most popular CMS, WordPress is a constant target. Attackers count on the fact that many WordPress users never clean up or update their sites, and far more break-ins exploit that neglect than any new, unpatched flaw.
Securing WordPress is much simpler than you probably think. Below is a list of easy things that average WordPress users can do to increase security measures against potential attacks on their websites and blogs.
1) Install a WordPress security plugin
There are countless security plugins available, both free and paid options, that help you in securing WordPress. Depending on your technical experience and needs, these security plugins address a wide range of potential security threats.
Proceed with caution when downloading any plugin, security plugins included: a plugin from an unknown source can itself be the malware. Install from the official WordPress plugin repository at http://wordpress.org/plugins/, where submissions are reviewed, and be aware that even this is not a guarantee; repository plugins have shipped serious vulnerabilities and have occasionally been abandoned, so check when a plugin was last updated, which WordPress versions it is tested with, and how many active installs it has.
Downloading anything (even a so-called “security” feature or plugin) from a random website is just asking for trouble, and every plugin you add is more code running with the site’s full privileges, so install only what you actually need.
2) Change the admin username and default admin/login URL
Older WordPress releases created an administrator literally named “admin”; since WordPress 3.0 the installer lets you pick the name, but a great many sites still use “admin” or the site’s own name. The login page is also at a fixed, public location, http://www.yoursite.com/wp-login.php (and /wp-admin/ redirects there). A known username halves the brute-force problem, because only the password is left to guess, and a known login URL lets attackers aim automated tools at every WordPress site without looking at it first.
WordPress does not let you rename an existing user, so the account is changed from within wp-admin by creating a replacement administrator and deleting the old one; moving the login URL requires a plugin, and several are available at http://wordpress.org/plugins/. Be clear about what each buys you: the new username is a real obstacle only if the name is not published elsewhere on the site, and a moved login URL is obscurity, useful for cutting the log noise from bots that hammer /wp-login.php but no defence against anyone who finds the new path.
To replace the account, log in as the existing administrator and create a new one via Users > Add New in wp-admin, with a username that is not “admin”, not the site name and not your display name. Log out, log in as the new administrator, then delete the old user; when WordPress asks what to do with that user’s content, choose “Attribute all content to” the new administrator, or the old account’s posts and pages are deleted along with it. Note the limit of this measure: out of the box WordPress publishes login names through the REST API at /wp-json/wp/v2/users and through author archives (a request for /?author=1 redirects to /author/<name>/), so an attacker usually does not have to guess the name at all. Treat the rename as hygiene; the protections that actually stop brute force are a strong password and login rate limiting.
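Renaming the administrator is only worth much if the login name is not handed out elsewhere. The mu-plugin below is an added example, not code from the original article and not something WordPress ships; it closes the two leaks mentioned above using WordPress’s own hooks (rest_endpoints and template_redirect). The file name, the hu_ prefix and the decision to suppress public author archives are this example’s own choices.

```php
<?php
/**
 * Plugin Name: Hide usernames from anonymous visitors (added example)
 * Install: save as wp-content/mu-plugins/hide-usernames.php (create the
 * directory if needed); files there load automatically, no activation step.
 */

// 1. Anyone can list accounts at /wp-json/wp/v2/users by default. Remove every
//    users route for visitors who are not logged in. Editors working in the
//    block editor, which needs the route, send a nonce and stay logged in, so
//    they are unaffected; a bare browser request without a nonce is treated
//    by WordPress as logged out and now gets a rest_no_route error.
add_filter('rest_endpoints', function ($endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (array_keys($endpoints) as $route) {
        if (strpos($route, '/wp/v2/users') === 0) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
});

// 2. /?author=1 is redirected by WordPress to /author/<nicename>/, and the
//    nicename is derived from the login name. Bounce anonymous author queries
//    to the front page before that canonical redirect runs (redirect_canonical
//    is hooked to template_redirect at priority 10, so priority 1 gets in first).
//    Assumption of this example: the site does not rely on public author archives.
add_action('template_redirect', function () {
    if (is_author() && !is_user_logged_in()) {
        wp_safe_redirect(home_url('/'), 302);
        exit;
    }
}, 1);
```

To check the result, request /wp-json/wp/v2/users and /?author=1 on your site from a browser where you are logged out: the first should answer with a rest_no_route error instead of a JSON list, the second should land on the front page. Keep the display name shown on posts and comments different from the login name, since display names are meant to be public.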
3) Update everything (WP, themes, plugins)
Attackers know that many WordPress users do not keep their sites updated, so they scan for outdated installations, themes and plugins. Every release, whether it adds features or only fixes bugs and security holes, should be applied promptly: once a fix is public, the change itself tells an attacker where the vulnerability is, and automated exploitation of the sites that have not patched often follows within days.
You do not need to install skipped releases one at a time: WordPress updates are cumulative, and the core updater brings the database schema forward from any older version in one step. What matters is the gap itself. Every release you sit on is a list of publicly documented holes that remain open on your site, and attackers look for exactly those known issues in outdated core, themes and plugins. Take a backup before a large jump so you can roll back if a theme or plugin turns out to be incompatible, then update; do not let the fear of breakage leave the site exposed.
Plugins and themes, both active and inactive, should also be updated as releases are made. If an inactive plugin or theme will not be used again, delete it rather than carrying it along as one more thing to forget to update.
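The practical way to keep up is to let WordPress do it. The mu-plugin below is an added example rather than the article’s or WordPress’s own code: it opts core, plugins, themes and translations into automatic updates through the filters WordPress provides (allow_major_auto_core_updates, auto_update_plugin, auto_update_theme, auto_update_translation), holds back one plugin for manual testing, and logs each result. The held-back slug “example-payment-gateway” is invented for the illustration; the file name and the au_ prefix are likewise this example’s own.

```php
<?php
/**
 * Plugin Name: Automatic updates for core, plugins and themes (added example)
 * Install: save as wp-content/mu-plugins/auto-updates.php.
 */

// Core: minor/security releases auto-apply by default. This also allows major
// releases, which is reasonable once you have a tested backup to fall back on.
add_filter('allow_major_auto_core_updates', '__return_true');

// Plugins: update everything except slugs that must be tested by hand first.
// 'example-payment-gateway' is an invented slug standing in for such a plugin.
function au_should_update_plugin($update, $item) {
    $manual_only = array('example-payment-gateway');
    if (isset($item->slug) && in_array($item->slug, $manual_only, true)) {
        return false;   // leave it pending in Dashboard > Updates
    }
    return true;
}
add_filter('auto_update_plugin', 'au_should_update_plugin', 10, 2);

// Themes and translations: always. Inactive themes are included, which matters
// because their files stay reachable on the web server even when not in use.
add_filter('auto_update_theme', '__return_true');
add_filter('auto_update_translation', '__return_true');

// Do not let failures go unnoticed. WordPress emails the site admin about core
// updates; this logs every plugin and theme result to the PHP error log.
add_action('automatic_updates_complete', function ($results) {
    foreach (array('plugin', 'theme') as $type) {
        if (empty($results[$type])) {
            continue;
        }
        foreach ($results[$type] as $r) {
            if (is_wp_error($r->result)) {
                $status = 'FAILED: ' . $r->result->get_error_message();
            } elseif ($r->result === false) {
                $status = 'FAILED';
            } else {
                $status = 'ok';
            }
            error_log(sprintf('auto-update %s "%s": %s', $type, $r->name, $status));
        }
    }
});
```

Automatic updates run from WP-Cron, so they need visitors or a real cron job to trigger them, and the web server process must be able to write to the WordPress directory; if Dashboard > Updates still shows pending items a day later, one of those two is the problem. Including inactive plugins and themes removes the “forgot to update it” failure mode, not the “forgot to delete it” one.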
4) Remove unused/outdated plugins & themes
In the process of developing a WordPress site, a user may try out various themes before deciding on the final look and feel. Unfortunately, many users never delete the trial themes afterwards, and the same goes for plugins that were tried once and deactivated.
Deactivating a plugin or theme only stops WordPress from loading it; its files stay on disk, inside a directory the web server serves, and they are just as easy to overlook when updating. Any script in that directory that can be requested directly by URL is still exploitable, and outdated code there may carry known vulnerabilities that let an attacker run code and plant malware across the site. Deleting unnecessary, unused and outdated plugins and themes removes that attack surface outright.
When deleting unused themes, keep the most recent WordPress default theme (the “Twenty ...” theme that shipped with your version) in addition to the active one: WordPress falls back to it if the active theme breaks or goes missing, and you will want something to switch to while debugging. Everything else that is not in use can go.
5) Use strong, unique passwords
To put it simply, the stronger and more unique that your password is, the harder it will be for someone else to guess it. Although a basic password is easy for you to remember, it’s also easier for hackers to guess, and therefore gain access to your website.
When creating your passwords:
- prefer length over cleverness: a randomly generated password of 16 or more characters beats any memorable substitution scheme
- mix upper and lower case, digits and symbols such as !@#, but do not rely on that alone; “P@ssw0rd1!” satisfies every such rule and appears in common cracking wordlists
- never reuse a password across sites, because a breach of some unrelated service is the commonest way a WordPress password ends up “guessed”
- use a password manager, which makes all of the above effortless
Change a password whenever you have reason to think it leaked (a breach notice, a shared computer, a contributor who has left); routine rotation every few months does far less for you than length and uniqueness, and it tends to push people toward predictable variations of the old password.
6) Secure your own computer and Internet access
A major factor in the function and security of your website is how secure and up-to-date your computer system or network is, and how reliable and secure your Internet access is.
Make sure that your PC, laptop, tablet, or mobile device is fully secure and set up to receive automatic updates. Always keep operating systems and antivirus software updated to the latest release.
Run current anti-malware software on every machine that is used to log in to the site; a keylogger on your laptop defeats every other measure on this list. Keep the operating system firewall on and the router’s firmware up to date, and do not log in over networks you do not trust.
Also scan the website itself regularly, daily if you can, even if you believe it is clean. Scan the files on the server, not just the rendered pages: verify the WordPress core files against the official checksums, look for PHP files in places that should not contain any (such as wp-content/uploads/), and check the rendered front end for injected scripts or links. Any of these is a strong sign that someone has already exploited the site.
7) Limit failed login attempts
If you have a strong password and a non-obvious username, you are already in reasonable shape against brute force. Limiting failed login attempts adds a second layer: after a set number of failures, further attempts are refused for a while, so an attacker cannot simply keep guessing until something works. Two details matter when you set this up. Lock by source IP address, not by username alone, or an attacker can lock you out of your own account just by failing on purpose; and remember that an IP lockout is a speed bump rather than a wall, since attackers rotate through many addresses. Check that the limit also covers xmlrpc.php, which accepts username/password logins as well and is a common brute-force target.
There are plugins available at http://wordpress.org/plugins/ to enable login attempt limits.
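Rate limiting does not strictly need a plugin. The mu-plugin below is an added example (not from the article and not part of WordPress) that implements it with core hooks: it counts failures per source address with wp_login_failed, refuses authentication from a locked address through the authenticate filter, and clears the counter on a successful wp_login. The thresholds, the lal_ prefix and the file name are this example’s choices, and the REMOTE_ADDR handling assumes the site is not behind a reverse proxy.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example)
 * Install: save as wp-content/mu-plugins/login-limiter.php.
 */

define('LAL_MAX_FAILURES', 5);                       // failures allowed per window
define('LAL_WINDOW',       15 * MINUTE_IN_SECONDS);  // how long failures are remembered
define('LAL_LOCKOUT',      30 * MINUTE_IN_SECONDS);  // how long a locked address is refused

// Assumption: no reverse proxy or CDN in front of the site, so REMOTE_ADDR is
// the client. Behind a proxy, take the address from the proxy's own header
// instead; trusting X-Forwarded-For from arbitrary clients lets an attacker
// pick any address and never be locked out.
function lal_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient names must be short and option-safe, hence a hash of the address.
function lal_key($ip, $kind) {
    return 'lal_' . $kind . '_' . md5($ip);
}

// Every failed login (wp-login.php and xmlrpc.php alike) fires wp_login_failed.
// Count it per address and lock the address once the threshold is reached; as
// long as attempts keep failing, the lock keeps being renewed.
add_action('wp_login_failed', function ($username) {
    $ip       = lal_client_ip();
    $failures = (int) get_transient(lal_key($ip, 'fail')) + 1;
    set_transient(lal_key($ip, 'fail'), $failures, LAL_WINDOW);
    if ($failures >= LAL_MAX_FAILURES) {
        set_transient(lal_key($ip, 'lock'), time() + LAL_LOCKOUT, LAL_LOCKOUT);
        error_log(sprintf('login limiter: locked %s after %d failures (last username tried: "%s")',
            $ip, $failures, $username));
    }
});

// Core checks the password on the authenticate filter at priority 20; running
// at 40 lets this override even a correct password while the address is locked.
// A WP_Error returned here becomes the message shown on the login form.
add_filter('authenticate', function ($user, $username, $password) {
    $until = (int) get_transient(lal_key(lal_client_ip(), 'lock'));
    if ($until > time()) {
        $minutes = (int) ceil(($until - time()) / 60);
        return new WP_Error('lal_locked',
            sprintf('Too many failed login attempts. Try again in %d minute(s).', $minutes));
    }
    return $user;
}, 40, 3);

// A successful login from an address forgets its earlier failures.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(lal_key(lal_client_ip(), 'fail'));
}, 10, 2);
```

Locking by address also locks everyone who shares it (an office behind NAT), so prefer a short lockout over a tiny threshold. Because xmlrpc.php authenticates through the same filters, a system.multicall request that packs many credential guesses into one HTTP request is cut off at the same threshold; if you do not use XML-RPC at all, denying xmlrpc.php at the web server removes that avenue entirely.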
8) Find a good, reliable website host
Depending on the nature of your website, there are many hosting options for WordPress, free and paid, shared and dedicated, and the right one depends on budget, the structure of your site(s) and the services you need. From a security standpoint, ask how accounts are isolated from each other on shared hosting, how current the PHP version is, whether HTTPS and automatic backups are included, and how quickly support responds during an incident. A good host improves performance and, more importantly, is the help you will need in an emergency.
9) Establish a regular backup plan
Even if you think your website is 100% secure, back up everything (database, content, uploads, themes and plugins) regularly. Should the site be compromised, for whatever reason, a backup turns a disaster into an inconvenience: the system can be restored as needed. Ideally you will never need it, but it is cheap insurance.
Keep backups off the web server itself, in a remote location outside the computer, server or office, so that fire, burglary, hard-drive failure or an attacker who wipes the server cannot take the backups along with the site. Keep several generations rather than overwriting a single copy, because a backup taken after a break-in contains the attacker’s files too, and test a restore now and then; a backup you have never restored is a hope, not a plan.
10) Remove the WordPress version number
By default, WordPress reveals its version number to anyone who looks: in a <meta name="generator" ...> tag in the head of every page and in feeds, in the ?ver= query string appended to core scripts and stylesheets, and in the readme.html file at the site root. An outdated version number is a beacon for attackers, who look for sites running WordPress or plugin versions with known vulnerabilities.
Outdated versions are easier to hack, and if the attacker knows the version, they can go straight to the known issues for that release instead of probing blindly. Displaying an outdated version number acts as a guide for them.
If, for whatever reason, you can’t (or won’t) upgrade your WordPress version, then at least don’t advertise it. There are various plugins at http://wordpress.org/plugins/ that remove the version from your source code. Understand that this is the weakest measure in this list: scanners can still fingerprint the version from the contents of static files, so hiding the number buys a little less attention, not protection. Updating is the fix; this is what you do in addition, not instead.
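A plugin is not required for this either. The mu-plugin below is an added example (not the article’s and not WordPress’s own code) that removes the version from the three places named above using core hooks; the file name and the nv_ prefix are the example’s choices, and the web-server rule for readme.html is left to your server configuration.

```php
<?php
/**
 * Plugin Name: Stop advertising the WordPress version (added example)
 * Install: save as wp-content/mu-plugins/no-version.php.
 */

// 1. <meta name="generator" content="WordPress X.Y"> in every page head and the
//    <generator> element in RSS/Atom feeds both come from the_generator().
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 2. Core appends ?ver=<WordPress version> to scripts and styles that declare
//    no version of their own. Strip it only when it equals the core version,
//    so plugin and theme assets keep their own cache-busting parameter.
function nv_strip_core_version($src) {
    $query = wp_parse_url($src, PHP_URL_QUERY);
    parse_str((string) $query, $params);
    if (isset($params['ver']) && $params['ver'] === get_bloginfo('version')) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'nv_strip_core_version', 9999);
add_filter('script_loader_src', 'nv_strip_core_version', 9999);

// 3. readme.html at the site root states the version too. Core updates rewrite
//    it, so deleting it is a recurring chore; denying /readme.html in the web
//    server configuration is the durable fix and is not something PHP can do.
```

Check the result by fetching the front page while logged out and searching the HTML for “generator” and “ver=”; both should be gone. Fingerprinting tools still identify the version from the contents and hashes of static files under wp-includes/, so treat this as a way to stay off the cheapest scans, not as protection.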
Maintaining a clean, up-to-date website should go without saying, yet countless users never take the simple steps that would protect their WordPress sites from attackers.
Following the steps above will help you avoid the kind of attack that renders a website useless and exposes its data.