WordPress has come a long way in terms of security and the prevention of unauthorized access. However, even with the extensive attention paid to making it secure out of the box, it remains a big target for hackers.
With an estimated 23.2% of all websites running some version of WordPress, it makes a tempting target for malicious activity.
WordPress itself is a solid platform. It has been around for years, and because it is so popular, it has been tried and tested with virtually all site types ranging from simple personal blogs to major news sources like TechCrunch and Fortune.
In this article, we’ll take a look at a handful of ways you can make your WordPress installation more secure.
Perhaps the single most important maintenance step you can take toward securing WordPress is to keep it updated.
At any time a new vulnerability can be discovered and exploited. New versions of WordPress are released quickly to plug holes in the software, but they only help if they are installed. Since WordPress 3.7, minor (security and maintenance) releases are applied automatically by default; major releases, and anything on a host that has disabled automatic updates, still need you to act.
To check whether your WordPress installation has an update available, navigate to Admin > Updates and see whether a new WordPress version is listed.
You can update most plugins and themes from the same page. Plugins and themes can carry vulnerabilities of their own, and in practice they are a more common entry point than WordPress core, so keep them updated and remove any you no longer use, since an inactive plugin's files are still on disk.
WordPress lets you set your own administrative username and password. It used to be common practice to accept the default administrator username of admin, but this is ill advised.
In 2013, a flood of brute force attacks on WordPress sites attempted to break in using the username admin, which meant the attackers only had to guess the password.
Removing the admin user from your installation takes away that shortcut. It is not a complete defense on its own: WordPress usernames can often be discovered through author archive URLs and the REST API's users endpoint, so the password strength and login protections described below still matter.
WordPress has taken steps to discourage the default by letting you choose your own administrator username during installation.
Consider using a name that would be difficult to guess. HowNowBrownCow or DelightedBumblebee would work just fine. Remember, this is the administrative account and should not be the main account you post under. That one would be an Editor, Author or Contributor user created later by navigating to Admin > Users > Add New.
Your password should be very strong. Don't use a single word you can find in the dictionary; those are the passwords that fall fastest to a dictionary or brute force attack. If you are unable to use a password manager like 1Password or LastPass to generate and remember a long random password, you can string several unrelated words together to create a long passphrase that is much harder to crack. DogBarks@FigTrees is much harder for someone to guess than MacBook, and pretty easy to remember. I bet by the time you're finished reading this paragraph, the image of a dog barking at fig trees will be firmly burned into your mind.
Captcha, simple puzzles, and other human-verification methods are worth adding to the login process. They raise the cost of automated brute force attempts because a script has to solve a challenge at each try. They are not a guarantee, since captcha-solving services and weak captcha implementations exist, so pair them with login rate limiting or lockouts.
There are many plugins in the WordPress Plugin Directory that provide captcha solutions. If captcha or another puzzle-style check isn't enough, consider two-factor authentication for your site's administrative accounts: even a guessed password is then not enough to log in.
One popular choice for this is Wordfence Security, a multipurpose security plugin that provides two-factor authentication along with many other security options for your site.
This plugin does a lot. It can enforce strong passwords for administrative accounts, rate-limit and block repeated login failures, scan your files for malware and unexpected changes, and more.
Keep in mind when adding plugins to WordPress that they themselves can become a weak point in your site’s security. Pay attention to user reviews, and keep them updated. A vulnerability caused by a plugin is often the first thing to look for when a breach is suspected.
Whether you're accessing your site's file system from your home network or at a coffee shop on public Wi-Fi, you should be using an encrypted transfer method such as SFTP (file transfer over SSH) or FTPS, never plain FTP.
Check with your provider to make sure they offer SFTP, and follow their instructions to connect that way instead of with unencrypted FTP. Plain FTP sends your username, password and file contents in cleartext.
If you are not encrypting your traffic, anyone on the same network with a packet sniffer can read your login and password with little effort, and that password usually unlocks every file on the site.
You may even want to take it a step further and use a VPN when connecting via an unsecured network. VPNs (virtual private networks) offer encrypted point-to-point connections between you and an offsite server for all of your Internet traffic. All anyone would see on the local network is a bunch of random data, and not your vital information. We wrote a blog post on the subject some time back. Check it out for more details.
WordPress makes it possible for files to be written by the Web server. This allows for many of its features, but can leave you vulnerable, if the proper precautions are not taken.
Think of your file system as rooms in a house. Each door can be an access point or a barrier between a visitor and the information stored in these rooms.
By setting file permissions to restrict access only to rooms that you want to make available, you are basically locking these doors and keeping people out of business that is not their own!
You wouldn’t want your mother-in-law snooping around your man cave, would you? Then don’t leave the door unlocked.
Your user account (the one you use for SFTP or a shell) is your key to the house. It owns all of the folders and files. Your Web server runs as a different user with its own key, and you should let it write only to the specific folders that need it, typically the uploads directory, rather than to the whole tree.
WordPress.org has an excellent guide to which folders should have which permission settings in place (the usual baseline is 755 for directories and 644 for files). It also goes into detail about how to best secure specific files, such as wp-config.php, which should be readable only by its owner.
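The following is an added example, not code from the article or from WordPress.org: a small shell script that builds a throwaway WordPress-shaped directory tree (a constructed fixture, not a real install), applies the baseline above (directories 755, files 644, wp-config.php 600), and audits the tree for anything still writable by other users. The function names are my own.

```sh
# Added example (not from the article): harden and audit WordPress file
# permissions. Every path below belongs to a constructed fixture.

wp_make_fixture() {
  # $1: directory to populate. Starts deliberately sloppy (777) so the
  # audit has something to catch.
  mkdir -p "$1/wp-content/uploads" "$1/wp-admin" "$1/wp-includes"
  : > "$1/index.php"
  : > "$1/wp-config.php"
  : > "$1/wp-content/uploads/photo.jpg"
  chmod 777 "$1/wp-content/uploads" "$1/wp-config.php"
}

wp_harden_perms() {
  # Run this as the file owner (your SFTP/shell user), never as the web server.
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  # Database credentials and salts live here: owner read/write only.
  chmod 600 "$1/wp-config.php"
}

wp_audit_perms() {
  # Prints every path writable by "others"; exit status 0 only when none remain.
  bad=$(find "$1" -perm -o=w -print)
  [ -n "$bad" ] && printf '%s\n' "$bad"
  [ -z "$bad" ]
}

wp_mode_of() {
  # Portable permission string such as "-rw-------" (stat flags differ per OS).
  ls -ld "$1" | cut -c1-10
}
```

If the web server must write somewhere (uploads, cache), make that directory group-writable with the server's user in the group rather than reaching for 777, and rerun the audit afterwards: anything it lists is writable by every account on the machine.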
Your .htaccess file can be an important part of your overall file security process. WordPress' default htaccess file includes the following:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Under the # END WordPress line, you can add the following snippets to better secure some of your more vital files.
Your wp-config.php file holds your database credentials and the secret keys and salts used to sign cookies, so it is important to lock this one down. The server should never serve it as a file; blocking direct requests is a defense in depth in case PHP handling is ever misconfigured. Paste the following into your .htaccess file to block unwanted access.
<files wp-config.php>
order allow,deny
deny from all
</files>
The order/deny directives above are Apache 2.2 syntax. On Apache 2.4 the equivalent inside the <files> block is a single Require all denied line, and the old directives only keep working if mod_access_compat is loaded.
You can even add a secondary password to the admin area of your site, or lock it down to specific IP addresses. More details on this can be found via InMotion.
WordPress makes it easy to “set it and forget it,” but this type of thinking only leads to trouble.
If your hosting provider offers monitoring tools, such as emailing you when files in your file system change, take advantage of them. Unexpected changes to core files, or new PHP files appearing under wp-content/uploads, are a classic sign of compromise.
If you run your own server, or have a dedicated server you can install software on, you can gain a great deal of insight with a solution like OSSEC, an open source host intrusion detection system that provides file integrity monitoring, log analysis and alerting. Watching the web server's access log for bursts of login attempts is a useful complement even without a full IDS.
It is possible to have an incredibly secure WordPress site. WordPress as a platform is used by millions around the world to run a variety of site types, big and small. Through vigilance and proper practices, you can get the most out of WordPress without sacrificing performance or the features that make it the most popular CMS on the Web today.
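As an added example (mine, not the article's and not part of OSSEC or any hosting tool), here is a small shell function that finds source addresses hammering the WordPress login endpoints in an Apache combined-format access log. It covers both the brute force attacks discussed earlier and the monitoring advice above. The log lines are constructed samples, not real traffic, and the threshold and function names are my own assumptions.

```sh
# Added example (not from the article): flag brute force bursts against
# wp-login.php and xmlrpc.php in an Apache combined-format access log.

wp_write_sample_log() {
  # $1: file to write. Constructed traffic: 203.0.113.5 makes 4 login POSTs,
  # 192.0.2.44 makes 3 xmlrpc.php POSTs, 198.51.100.9 is an ordinary visitor.
  cat > "$1" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 2313 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 2313 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /2023/10/hello-world/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:55:41 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.1.2"
203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "POST /wp-login.php HTTP/1.1" 200 2313 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:13:55:43 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.1.2"
198.51.100.9 - - [10/Oct/2023:13:55:50 +0000] "GET /wp-login.php HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:58 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.1.2"
203.0.113.5 - - [10/Oct/2023:13:56:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2313 "-" "python-requests/2.31"
EOF
}

wp_login_bursts() {
  # $1: access log, $2: threshold. Prints "count ip", highest first, for every
  # source that POSTed to wp-login.php or xmlrpc.php at least $2 times.
  # In combined format field 1 is the client IP, field 6 the quoted method
  # and field 7 the request path (a path with a query string will not match).
  awk -v limit="$2" '
    $6 == "\"POST" && ($7 == "/wp-login.php" || $7 == "/xmlrpc.php") { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= limit) print hits[ip], ip }
  ' "$1" | sort -rn
}
```

A failed WordPress login re-renders the form with a 200, while a successful one redirects with a 302, so the status column is a quick way to separate noisy attackers from a legitimate user who mistyped once. Feed the real log in with something like wp_login_bursts /var/log/apache2/access.log 20 and hand the resulting addresses to your firewall or lockout plugin.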
There is another, useful guide that breaks down WordPress security in great detail written at Hosting Facts here.
These are just some suggestions to help you secure your WordPress site. Have another tip to share? Leave it in the comments section below!