How To Secure WordPress (Part 1 – basic)
This will be a short series of articles in which I’ll go through methods and habits you can use to secure your WordPress installations from hackers and spammers. The important thing to know is that every WordPress installation is or will be under attack at some point.
Every WordPress is or will be under attack
Being the most popular CMS in the world and powering around 27% of the websites on the internet, WordPress is very appealing to hackers and spammers. They in most cases use automated methods of intrusion such as sql injection attacks, brute-force attacks etc. So you see, hackers don’t even have to know who you are, their automated systems will find and attack your WordPress for them.
You can check the article I wrote on why websites get hacked. In it I went through most common misconceptions people have about hackers and their work, believing that they are 100% safe and not interesting to them.
Anyway, let us start with the most basic protection steps. In my opinion, the following steps should be applied to every WordPress installation you work on, no exceptions! There really are no excuses why you can’t do the following for every WordPress installation you set up and/or work on.
1. Use strong passwords
a) Use complex passwords
Don’t use generic and extremely easy to remember passwords. Although logging in with “Admin / 1234” seems great, it is not. Every year the list of worst passwords is published. That basically means that every one of those passwords can be breached instantly by the attacker.
While creating a new password, make sure you use tool like “How Secure Is My Password”. That way you can play with key phrases that are easy to remember for you, while making sure your password is strong at the same time. Combine numbers, upper and lower case letters and special characters for the best results.
b) Use unique passwords
Never use the same password for more than one online service. Website, mobile app, it doesn’t matter. It happened many times that user passwords were leaked directly from the service provider and shared/sold on the black market. Adobe, LinkedIn and Dropbox are few of many.
So let us say that you used the same password for Dropbox and Facebook at the moment Dropbox passwords were leaked. That essentially means that your Facebook password is leaked as well. And if you use the same password for multiple online services you are probably using the same email as well. So it is up to hackers now to use the list of leaked credentials and to try them on Gmail, Facebook and so on. This surely will be automated process so you won’t be able to “hide in the crowd” either.
You can use “Have I Been Pwned” tool to see if your email address and service related passwords were leaked at some point in time. If so, change the related passwords immediately. If you used the same passwords for other services, change them as well.
c) Force users to use complex passwords
It is not a problem for the Administrator to set strong passwords while creating new WordPress users. The issue is when users can create their own accounts. Most people like to use (too) easy to remember passwords.
First step would be to educate users about the importance of strong passwords. But either way, it is always great to force strong passwords for new users. You can accomplish that with “Force Strong Passwords” plugin.
d) Change your passwords from time to time
Changing your passwords every few months is not a bad habit at all. Although this is not something mandatory for most users, Administrator accounts could benefit by this being done. For example, if you suspect someone is trying to brute-force your account or if you simply want to reduce the chances of some password leaking exploit affecting you.
2. Don’t use „Admin“ or „Administrator“ usernames
Although it is easy to remember and makes sense, it is is not recommended to use “Admin”, “Administrator” or even “Adm1n” as usernames. Automated brute-force attacks (password guessing attacks) in the majority of cases use those 3 usernames by default.
Use unique usernames to reduce the chances of brute-force activities on your site being successful.
3. Update your core, plugins and themes frequently
Unfortunately, the most common security issue with WordPress is outdated software. I have seen WordPress installations with 20+ outdated plugins while the core was not updated in 3-4 years.
If you take into consideration that WordPress core gets security updates at least every few months and that almost daily there are new WordPress vulnerabilities in themes and plugins revealed, what do you think your WordPress security looks like on ancient software? It looks like Swiss cheese.
4. Reduce the number of installed plugins and themes
Another common issue I see all the time is plugin/theme hoarding. For example, if the website needs 1 theme and 15 plugins to run, why do you need 10 more plugins/themes installed while being deactivated?
Every plugin and theme, although deactivated is still on your server. Which means that the potentially exploitable code is on your server as well. If you REALLY need to keep deactivated plugins/themes in fear you might need them at some point, at least update them just as you should update the ones which are activated.
5. Backup your website regularly
It doesn’t matter if you update your website content once every few months or 10 times per day, you always should have the latest version of your website backed up – both files and the database.
I am not talking about backup being located on the server’s hard drive, where the actual live website is located. You should always have “offshore” backups, this can be USB flash drive or the external hard drive. You can even use your Google drive, Dropbox or your own PC but be very careful about it. Your online accounts can be hacked and your PC may be hacked or suddenly malfunction.
You can use WordPress backup plugin, server’s user panel or you can even make an arrangement with your hosting company to provide you with the backup files periodically.
IMPORTANT: Don’t assume that your hosting company is taking care of your backups by default. They should but that is not always the case. Talk with them about it, ask them how they are managing your backups. And even if they convince you that everything is taken care of, still make sure that you have your own backup stored somewhere safe.
6. Don’t use cheap hosting
Sure, you can get a hosting for few dollars a month, or even few dollars per year if you are crazy enough. But ask yourself, are they backing up your website? Will they respond to your tickets? Will they update your WordPress right away in case of a security update being released? Will they work every day on improving server security and stability? Will they research how WordPress reacts to a specific hosting environment?
Your website represents you and your business and it shouldn’t be slow, down or hacked.