Security is a hot topic in tech and WordPress is no exception.
It seems that no one is safe from the risk of being hacked. Governments, banks, retailers, bloggers, and virtually everyone else has reported being hacked at some point. And these are just the successful hacks we are aware of. Perhaps you have already experienced the frustration of being a hacking victim. Most Americans have had payment info stolen or their email or social media accounts hacked.
Don’t let your WordPress site be next.
Most hackers leverage simple and easily patchable vulnerabilities to hack into your site. Here are some simple ways you can make your WordPress website more secure today.
Update
Security patches are one of the primary reasons for updating software.
Keeping your WordPress install and plugins up to date is one of the easiest ways to keep your website secure.
By default WordPress automatically installs minor security updates. However, major updates are not installed automatically.
You should be regularly checking your website and installing available WordPress and plugin updates.
If you are letting those updates pile up you are probably missing some essential security patches. Let the developers behind this software keep you secure – install their updates.
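As an added example (not code from the original post), here is a must-use plugin that opts a site into the core, plugin and theme auto-updates WordPress leaves off by default. The filter names are WordPress core's own; the file name and the decision to auto-update everything are assumptions.

```php
<?php
/**
 * Plugin Name: Opt into automatic updates (example)
 * Save as wp-content/mu-plugins/auto-updates.php; must-use plugins load
 * without activation. Assumes WordPress can write to its own files, which
 * any automatic update already requires.
 */

// Core: minor/security releases are already automatic by default;
// this filter additionally allows major releases to install unattended.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins and themes are not auto-updated by default; enable both.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
```

Pair this with the backups described later in the post, so a bad update can be rolled back.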
Use Strong Usernames and Passcodes
Weak login credentials are to blame for most hacks.
According to one study conducted by Verizon in 2016, “63% of confirmed data breaches involved leveraging weak, stolen or default passwords.”
There are three ways to make your WordPress login more secure:
1) Use a Unique Username
That is, don’t use “admin”. Many WordPress beginners install their site with “admin” as the admin’s username. Hackers can leverage this to hack into your site because this is (a) the default setting and (b) easy to guess. Remember, your username is half of your login credentials. If a hacker knows or guesses an admin username they’re halfway in.
2) Use a Strong Passcode
The traditional advice for creating a truly strong passcode is:
- Use at least 12 characters
- Use a mix of numbers, symbols, capital letters, and lower-case letters
- Avoid obvious words and combinations of obvious words
- Avoid obvious substitutions
Here are some examples of strong passcodes (DO NOT USE THESE):
- cow9!output
- AWOL7?rocked
- Wanda4"save
Now look back over those passcodes and our requirements. These contain 12 characters (feel free to use more), a mix of characters, avoid obvious words and phrases, and avoid obvious substitutions. Don’t use things like: Johnny1987 (obvious combination of name and year), BigHouse (obvious combination of words), B@bbyDo11 (obvious character substitutions), or the like.
Certainly do not reuse your passcodes.
3) Limit Login Attempts
Sure, we all forget login credentials. Yet that doesn’t mean you should leave your website’s number of login attempts set to infinity and beyond.
Limit the available login attempts. If someone fails to log in after x tries, lock them out. You will thank yourself later.
You could use a plugin like Login LockDown to accomplish this or have your site hosted with a company that will secure it in ways just like this.
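To show what limiting login attempts looks like inside WordPress itself, here is an added example (not the post's own code and not the Login LockDown plugin): a must-use plugin that locks a client IP out after five failed logins, using core's own hooks and transients. The hook and function names are WordPress core's; the file name, the thresholds and the assumption that REMOTE_ADDR is the real client address (no reverse proxy or CDN in front) are mine.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (example)
 * Save as wp-content/mu-plugins/login-limiter.php. Locks an IP out for
 * 15 minutes after 5 failed logins. Assumes REMOTE_ADDR is the real client
 * address; behind a proxy or CDN use its forwarded-for header instead.
 */

define( 'LL_MAX_ATTEMPTS', 5 );
define( 'LL_LOCKOUT_SECONDS', 900 );

/** Transient key for the current client's failure counter. */
function ll_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'll_fail_' . md5( $ip );
}

/** Count a failed login; the counter expires once the lockout period passes. */
function ll_record_failure( $username ) {
    $fails = (int) get_transient( ll_key() );
    set_transient( ll_key(), $fails + 1, LL_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'll_record_failure' );

/**
 * Reject the login while the client is locked out. Priority 30 runs after
 * core's own username/password check (priority 20), so no later callback
 * can replace this error with a successful WP_User result.
 */
function ll_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( ll_key() ) >= LL_MAX_ATTEMPTS ) {
        // Each rejected attempt also fires wp_login_failed, extending the lockout.
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Try again in 15 minutes.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'll_check_lockout', 30, 3 );

/** A successful login clears the counter for this client. */
function ll_clear_on_success( $user_login, $user ) {
    delete_transient( ll_key() );
}
add_action( 'wp_login', 'll_clear_on_success', 10, 2 );
```

Transients live in the options table (or the object cache if one is configured), so the counter is shared across all PHP workers of the site.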
Use a Secure and Managed Hosting Provider
There are many places to host your website. Some are tailored for WordPress hosting while others aren’t. Those that are tailored for WordPress are usually secure and managed WordPress hosting providers.
This means that they provide a level of server-side WordPress security and management. This can go a long way to further securing your site while saving you the headache of managing it all.
The best WordPress hosts provide automatic WordPress updates, firewalls, brute-force login protection, and automated site backups.
WordPress.org is currently recommending Bluehost, DreamHost, and SiteGround. Contact us for other WordPress hosting recommendations or to host through us.
Backup
Backup. Your. Website.
Don’t wait until after someone breaks your site to wish you had backed it up.
The best backup solutions will back up your website either daily or every time a change is made. This way, if you detect that your site has been hacked you can restore it to a clean version.
Automattic, the company behind WordPress, offers their own excellent backup solution, VaultPress. There are plenty of other plugin options though, including BackupBuddy and UpdraftPlus, or your managed hosting provider can offer you regular backups.
Disable File Editing
By default WordPress allows admins to modify their website’s theme files from directly within the WordPress admin panel.
This can be quite helpful for those beginning with HTML, CSS, and PHP who may want to edit a line or two here and there but don’t want to mess with FTP-ing into their server.
But this is a serious security risk. If a hacker gets access to your admin account he can modify any of your site’s theme files without even having your server access credentials. You can fix this yourself without installing any additional plugins by adding these two lines of PHP code to your wp-config.php file:
/** Disallows file edits from the WP admin panel */
define( 'DISALLOW_FILE_EDIT', true );
Security hole plugged – by you!
Disable PHP Execution from the Uploads Folder
Another method WordPress hackers use to wreak havoc is executing PHP scripts from your uploads directory. By default, if a hacker gains access to your admin account he can upload files to your site’s server that are designed to accomplish his purposes. All he has to do is upload those malicious scripts to your content folder. PHP is usually used in these instances, but seldom (if ever) would you normally upload a PHP script here. So it is possible to tell your server to prevent PHP scripts from running in that location.
Once again, you can plug this hole without installing any additional plugins!
Open a text editor and copy and paste this code:
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat, replace the two inner lines with "Require all denied"
<Files *.php>
Order deny,allow
Deny from all
</Files>
Save the file as “.htaccess”. Then upload this file to the /wp-content/uploads/ folder on your server. These rules match any request for a PHP file in your uploads folder and deny web access to it. Note that .htaccess files are only honored by Apache; on nginx the equivalent rule has to go in the server configuration.
Another security hole plugged by your good self!
Other Security Measures
Of course, there is much more you can do to secure your WordPress website including:
- Enabling a web application firewall (WAF)
- Changing your WordPress database prefix (don’t keep the default wp_)
- Disabling XML-RPC access
- Adding security questions or other additional fields to the login page
- And more…
Ask a Professional to Secure Your WordPress Site
New vulnerabilities are found regularly. Sometimes the best course of action is similar to the one you take with your Windows PC – install some security software. Sucuri is top of the heap for automated WordPress security.
Or you may find it is more time-efficient for you to just hire someone to secure your site (or keep it secure). A WordPress professional, like those on the Rystedt Creative team, or your hosting provider may be able to offer such security services. Reach out to a professional or two and ask what security services they can provide and what their rates are. Then you can make the most informed decision on how (and who) can help secure your WordPress site.