12 Simple Wordpress Security Tips
WordPress is a great content management system (CMS). With more than 140 million downloads and a huge user community, it’s the world’s most popular CMS. Unfortunately that also makes it a popular target for hackers. This means you need to take some extra precautions to secure your site and your data.
Most casual attacks are Brute Force attacks, where the hacker tries to guess the login URL, username, and password for a WordPress site, either manually or with a script. Since the default WordPress installation uses /wp-login.php as the login page and most sites use the default username of “admin”, when a site with these defaults turn up all a hacker needs to do is guess the password. It doesn’t take much coding to test combinations of words, letters, and numbers until the script finds the password.
When there's a determined hacker, there’s no such thing as a 100% secure website, but some relatively simple measures will protect you against the majority of casual attacks.
Hide your login pageSince this is the first assumption in a Brute Force attack, start here. Hide the login page so that it is accessed using a different URL than the default of /wp-admin.php. For example, instead of www.yoursite.com/wp-admin, use www.yoursite.com/SomeSecurePhrase. This makes the login page harder for hackers to find and helps deter any malicious bots from trying to break in. Fortunately this is part of the iThemes Security plugin, which offers a suite of security options. This plugin makes it easier to change the URL. What it does behind the scenes, however, is not trivial, so be sure and make a full back up (not just a database backup) before installing this plugin and read the instructions carefully.
Never use ‘admin’ as a usernameThe majority of attacks begin with the assumption that there is an ‘admin’ username with unrestricted privileges. Some attacks consist of repeated login attempts to the ‘admin’ username combined with common passwords (more on that later).
Since version 3.0, WordPress no longer creates an ‘admin’ user by default – now it asks you to provide your own admin username. However, many people continue to use ‘admin’ because it’s easy to remember. Some auto-install scripts also set up an ‘admin’ account by default.
This is such a simple fix: create a new administrator account using a different, less obvious name. Then log in as that new user and delete the original ‘admin’ account. If you have blog posts published by the old ‘admin’ account, you can assign all those posts to the new account.
Use strong passwords for all entry pointsWeak passwords are the reason behind 8% of hacks. This may seem low but the potential damage can be significant if a malicious person gains access to a privileged account.
In 2015, ‘123456’ officially became the most popular password in the world, followed by ‘password’. Imagine how easy it is to put those at the top of a list of passwords for an attack. This is a matter of education and discipline. Make sure your WordPress users know how to create a strong password. If you want to encourage strong passwords, there are several WordPress plug-ins that help your users do this. Force Strong Passwords is the most popular (but doesn’t actually force) while WP Password Policy Manager automates enforcement of password security.
Don’t just stop there. Your WordPress site is part of an overall IT infrastructure. What about access to ftp/cPanel?
Hide login errorsDon’t give hackers more clues than they already have. Ever noticed those login error messages? Error: Incorrect Password and Error: Invalid Username pop up if you login with a non-existent username or password combination. Talk about providing clues.
Remove this error message by adding the following line to your functions.php file:
add_filter(‘login_errors’,create_function(‘$a’, “return null;”));
This returns a blank line instead of those error messages.
Use two step authenticationAn even stronger deterrent is to use two step authentication. Plugins such as Google Authenticator and Duo will handle this for you.
Limit login attemptsIf you use Limit Login Attempts, this overrides the WordPress default of allowing unlimited login attempts through a login page or cookies. You can set the number of retries and length of time an IP address is locked out from retrying. Experienced Brute Force attackers will keep trying via multiple IP addresses, so the Login Lockdown plugin is another one to try: it tracks the IP address and timestamp of failed logins and then disables login for that range of IP addresses.
Use CAPTCHA for loginsImplement this one at your discretion. CAPTCHAs reduce the success of a Brute Force attack by non-human means, but if you have internal users who log in frequently to edit content, this could annoy them. The Captcha plugin is a simple solution, while plugins such as All In One WP Security & Firewall and iThemes Security include this capability as one of many security features.
Disable unused accountsIf you’ve had employees leave, it goes without saying that you have disabled their accounts. If you have or used to have user registration enabled on your WordPress site, you should clean out unused accounts and spam registrations to prevent malicious users from accessing your blog. Go to the WordPress dashboard and click on Users. Then go through the list of users and delete the ones you know are inactive. User Spam Remover makes it easier to get rid of spam registrations.
Update WordPress, themes, and plugins regularlyThis is one of the major reasons why WordPress sites are vulnerable. Hackers find it easy to target older versions of WordPress and plugins. For one thing, each new release of software comes with documentation that describes enhancements and fixes – and some of those fixes are to do with security vulnerabilities. You’re just leaving yourself open to hackers who intentionally go after WordPress sites using versions with known security issues. The same goes for themes and plugins.
Use reliable themes and pluginsVulnerabilities in themes are the reason behind 29% of hacked WordPress sites while plugins are responsible for 22%.
There is a huge community of conscientious WordPress developers. Some of them offer their work for free because it’s fun or as a way to attract customers to their premium versions. Unfortunately, not every developer knows how to write secure code. Plus, there are also malicious developers who offer free plugins or free themes as bait to users who are looking for a cheap (free) deal. These could be pirated versions or themes that contain malicious code.
Your website is your online business presence. You want a reliable and supported foundation. The cost of paying for a premium theme and legitimate plugins is minimal when compared to development, content creation, and ongoing maintenance. Is it worth the risk? Download plugins from the Wordpress plugin repository, where plugins are reviewed according to strict guidelines. For themes, check out trusted theme marketplaces such as: the ThemeForest, WooThemes, and WPexplorer. When in doubt, use the Theme Authenticity Checker to check for malicious code.
Backup regularlyI know, this sounds so mundane but having a backup and disaster recovery plan gives you peace of mind. If your site is seriously hacked, the only way to recover quickly is to go to backup. Back up all your WordPress installation files: core, databases, files, plugins, everything.
Use secure hosting41% of WordPress sites are hacked due to hosting vulnerabilities – the single biggest reason. Not all hosting providers deploy the security you need. Make sure you go with an established company that understands WordPress. At the very least you should get:
• Support for the latest PHP and MySQL versions
• Intrusion detecting system
• Anti- virus
• Account isolation
If you deal with a hosting company that offers managed web hosting services, they will install and test WordPress updates, stay current with the latest security issues, and backup your WordPress site.
WordPress sites are popular and therefore an attractive target for hackers. Businesses have lost blogs and investment in content, been hacked in ways that destroyed their reputation, lost credibility, or ruined years of work they had put into building an online presence.
The most common reasons why a WordPress site is vulnerable come down to: issues with themes and plugins; lack of patches and upgrades; general sloppiness in user and site security. These are all risks that you can reduce by educating users and taking the simple security measures described in this blog.
In another blog, we’ll talk about some of the more in-depth security measures and plugins available to safeguard your WordPress site. In the meantime, if you have questions about WordPress security or managed web hosting services, contact us!