WordPress is the most popular blogging and CMS platform on the Internet, which makes it a favourite target for attackers. Running a WordPress site means taking some extra steps to protect your own data and your visitors' data. Here is a summary of best practices for securing a WordPress site that will help you do that. It is important to mention that these measures do not guarantee 100% protection against hacking attempts, because a 100% secure website does not exist, but they will stop the majority of attacks.
Use secure hosting
Not all web hosting providers are created equal and, in fact, weaknesses on the hosting side account for a large share of compromised WordPress sites. When choosing a web hosting provider, don't simply go for the cheapest you can find. Do your research, and make sure you use a well-established company with a good track record for strong security measures. It is always worth paying a bit extra for the peace of mind that comes from knowing your site is in safe hands.
Keep your WordPress site and plugins up-to-date
It is really important to keep your core WordPress files and all of your plugins and themes updated to their latest versions. Most new WordPress and plugin releases contain security fixes, and once a fix is published the vulnerability it closes becomes public knowledge too, so apply updates promptly even when a flaw looks hard to exploit. Also remove plugins and themes you no longer use: deactivated code is still on disk and can still be reached by an attacker.
Protect your WordPress admin area
It is important to restrict access to your WordPress admin area to the people who actually need it. If your site does not support registration or front-end content creation, your visitors should not be able to reach your /wp-admin/ folder or the wp-login.php file. The simplest approach is to find your public IP address (you can use a site like http://whatismyip.com for that) and add the following lines to the .htaccess file in your WordPress root folder (the folder that contains wp-login.php; a rule placed in the wp-admin folder's .htaccess would not match that file), replacing xxx.xxx.xxx.xxx with your IP address. The Order/Deny/Allow syntax below is the Apache 2.2 form; on Apache 2.4 the equivalent is a single Require ip line inside the same Files block.
    <Files wp-login.php>
    order deny,allow
    Deny from all
    Allow from xxx.xxx.xxx.xxx
    </Files>
In case you want to allow access to multiple computers (like your office, home PC, laptop, etc.), simply add another Allow from xxx.xxx.xxx.xxx statement on a new line.
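The following shell script is an added example, not code from the original article: it validates a list of IPv4 addresses and prints the .htaccess fragment described above, in both the Apache 2.4 (Require ip) and Apache 2.2 (Order/Deny/Allow) forms, each inside its own IfModule guard so the two syntaxes are never mixed. The function names and the sample addresses (RFC 5737 documentation ranges) are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original article): build the .htaccess fragment
# that restricts wp-login.php to an allow-list of IPv4 addresses.
# Assumes Apache. Emits the 2.4 "Require ip" form and the 2.2
# "Order/Deny/Allow" form, each inside an <IfModule> guard.
# Function names and sample addresses are made up for this example.

# is_ipv4 ADDR -> exit 0 if ADDR is four dot-separated decimal octets, each 0-255
is_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    _old_ifs=$IFS
    IFS=.
    set -- $1            # split the address on dots into $1..$4
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# wplogin_htaccess IP [IP...] -> print the fragment to stdout;
# prints nothing and fails if an address is malformed or none is given
wplogin_htaccess() {
    [ $# -ge 1 ] || { echo "usage: wplogin_htaccess IP [IP...]" >&2; return 1; }
    for _a in "$@"; do
        is_ipv4 "$_a" || { echo "not an IPv4 address: $_a" >&2; return 1; }
    done
    printf '<Files wp-login.php>\n'
    printf '  <IfModule mod_authz_core.c>\n'      # Apache 2.4: one Require line
    printf '    Require ip %s\n' "$*"
    printf '  </IfModule>\n'
    printf '  <IfModule !mod_authz_core.c>\n'     # Apache 2.2: legacy access control
    printf '    Order deny,allow\n'
    printf '    Deny from all\n'
    for _a in "$@"; do
        printf '    Allow from %s\n' "$_a"
    done
    printf '  </IfModule>\n'
    printf '</Files>\n'
}

# Demo with documentation-range addresses. In practice append the output to
# the .htaccess in the WordPress root:  wplogin_htaccess A B >> .htaccess
wplogin_htaccess 203.0.113.7 198.51.100.22
```

One caveat that applies to either syntax: if the site sits behind a CDN or reverse proxy, Apache sees the proxy's address, not the visitor's, so the allow-list must be evaluated against the real client address (for example via mod_remoteip) or it will either lock you out or let everyone through the proxy in.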
If you need to reach your admin area from arbitrary IP addresses (for example, if you often rely on free Wi-Fi networks), restricting it to a single IP address or to a few IPs can be inconvenient. In such cases we recommend that you limit the number of incorrect login attempts to your site. This protects your WordPress site from brute-force attacks and from people trying to guess your password. For this purpose you can use a nice little plugin called Limit Login Attempts.
Never use “admin” as your username
If you use “admin” as your username, and your password isn’t strong enough, then your site is very vulnerable to a malicious attack. It’s strongly recommended that you change your username to something less obvious.
Until version 3.0, installing WordPress automatically created a user with “admin” as the username. This was updated in version 3.0 so you can now choose your own username. Many people still use “admin” as it’s become the standard, and it’s easy to remember. Some web hosts also use auto-install scripts that still set up an ‘admin’ username by default.
Fixing this is simply a case of creating a new administrator account for yourself using a different username, logging in as that new user and deleting the original “admin” account.
If you have posts published by the “admin” account, when you delete it, you can assign all the existing posts to your new user account.
Most of the attackers will assume that your admin username is “admin”. You can easily block a lot of brute-force and other attacks simply by naming your admin username differently. If you’re installing a new WordPress site, you will be asked for username during the WordPress installation process.
Create another admin user
The fastest way is to register another user and then give that user the administrator role. Then log in with that new admin username and delete the old "admin" user.
Use strong passwords
Most people probably think, why would a hacker bother with my website? You will be surprised to learn that thousands of people use strings like "password" or "123456" for their admin login details, and those are exactly the people most likely to be the victims of hacking, because automated attacks try such passwords first. So don't throw attackers a bone by selecting an easy-to-guess password. A good tip is to use an entire sentence that makes sense to you and that you can remember easily. Such passphrases are much, much better than single-word ones, because length does more for you than a sprinkling of symbols. Avoid anything that has to do with your name, your website name, or other publicly available information about you, and never reuse a password from another site.
Consider two-factor authentication
Enabling two-factor authentication on your WordPress website will significantly improve its security, because a stolen or guessed password alone is no longer enough to log in. One of the easiest ways to do this is to use Clef to authenticate with your mobile phone. For SiteGround users, the Clef authors have created an ad-free version of their plugin.
Limit login attempts
There is a nifty little WordPress plugin called Limit Login Attempts that enables you to limit the number of failed login attempts and even ban an IP for a specified number of hours. Remember how I mentioned brute force attacks and trying millions of different login combinations? Well, with this plugin brute force attacks would be much harder to pull off.
The attacker would need many different source addresses (proxies or a botnet), because the plugin keeps banning each IP address after a certain number of failed login attempts. This slows down a distributed attack considerably, although it cannot stop one outright, which is why a strong password and two-factor authentication still matter.
All options are customizable in this plugin. You can select how many failed login attempts you will allow, how long they’re locked out, and how many lockouts it will take to issue a temporary IP ban.
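The detection the plugin performs can also be done after the fact from the web server's access log, which is useful when you want to see whether a site is already under attack or to double-check that the plugin is working. The script below is an added example, not code from the original article or from the Limit Login Attempts plugin: it counts failed POSTs to wp-login.php per client address and reports every address at or above a threshold. It assumes Apache combined log format and relies on the fact that a failed WordPress login re-renders the form with status 200 while a successful one redirects with 302. The log lines are constructed for this example; the function names and the sample addresses are made up.

```shell
#!/bin/sh
# Added example (not from the original article): find brute-force sources in
# an Apache combined access log. A failed wp-login.php POST returns 200 (the
# form is shown again); a successful one returns a 302 redirect to wp-admin.
# Assumes combined log format. Function names and sample data are made up.

# sample_access_log -> print constructed log lines: 12 failures from one
# address, and one real user who fails once and then logs in
sample_access_log() {
    _i=1
    while [ $_i -le 12 ]; do
        printf '203.0.113.7 - - [10/Oct/2023:13:55:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3480 "-" "python-requests/2.31"\n' "$_i"
        _i=$((_i+1))
    done
    printf '198.51.100.22 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2950 "-" "Mozilla/5.0"\n'
    printf '198.51.100.22 - - [10/Oct/2023:13:56:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3480 "-" "Mozilla/5.0"\n'
    printf '198.51.100.22 - - [10/Oct/2023:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
    printf '198.51.100.22 - - [10/Oct/2023:13:56:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 41000 "-" "Mozilla/5.0"\n'
}

# wplogin_failures LOGFILE [THRESHOLD] -> "ip count" for each address with
# at least THRESHOLD (default 5) failed logins, most failures first
wplogin_failures() {
    _log=$1
    _thr=${2:-5}
    awk -v thr="$_thr" '
        # combined format fields: $1 client ip, $6 "\"POST", $7 path, $9 status
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fail[$1]++ }
        END { for (ip in fail) if (fail[ip] >= thr) print ip, fail[ip] }
    ' "$_log" | sort -k2,2nr
}

# Demo: run the detector over the constructed log with a threshold of 5
_tmp=$(mktemp)
sample_access_log > "$_tmp"
wplogin_failures "$_tmp" 5
rm -f "$_tmp"
```

The demo reports only 203.0.113.7 with 12 failures; the legitimate user's single failed attempt stays below the threshold. Unlike the plugin, this check has no time window, so on a long log you would normally pipe a recent slice of the file (for example the last hour) into it rather than the whole history.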
Make sure your site is on secure WordPress hosting.
Your WordPress site is only as secure as your hosting account. If someone can exploit a vulnerability in an outdated PHP version, for example, or in another service on the hosting platform, it will not matter that you run the latest WordPress version. This is why it is important to be hosted with a company that treats security as a priority. Some of the features you should look for are:
- Support for the latest PHP and MySQL versions
- Account isolation
- Web Application Firewall
- Intrusion detection system
Hide your username from the author archive URL
Another way an attacker can potentially gain access to your username is via the author archive pages on your site.
By default WordPress displays your username in the URL of your author archive page. e.g. if your username is xxxxx, your author archive page would be something like http://yoursite.com/author/xxxxx
This is less than ideal, for the same reasons explained above for the "admin" username. The slug in that URL comes from the user_nicename column of the wp_users table, which WordPress sets to the login name by default, so the fix is to change user_nicename (not the login name itself) in the database to something that does not match the username. Note that a request for ?author=1 also redirects to the author archive, so the slug it reveals should differ from the login name as well.
Ensure your computer is free of viruses and malware
If your computer is infected with malware, an attacker can capture your login details and make a perfectly valid login to your site, bypassing all the measures you have taken so far. This is why it is very important to have an up-to-date antivirus program and to keep the overall security of every computer you use to access your WordPress site at a high level. Two-factor authentication is the one measure above that still helps in this situation, because a captured password alone is not enough.
Schedule regular backups
Regular backups are a must, and having tiered backups is even better. That means backing up the WordPress database as well as the files on the server disk. There are several backup plugins and services that will do this for you. Keep at least one copy off the server itself, since an attacker who controls the server can delete backups stored alongside the site, and test a restore occasionally so you know the backups are usable. It is also advisable to ask your host about disk-based backups and to read the fine print.
Move wp-config up one directory and lock it down
The wp-config.php file contains your WordPress database credentials and secret keys. You can move this file up one directory on your server, outside the web root, which protects it from being served or exposed by browser-based attacks; WordPress will look for it in the parent directory as long as that directory is not itself a WordPress installation. It is also a good idea to change the permissions on it to 600, which works only if the web server or PHP process runs as the file's owner; if it runs as a different user, mode 600 will make the site unable to read its own configuration.
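The following shell function is an added example, not code from the original article: it performs the move described above, tightens the permissions to 600, and refuses the two cases where the move would be wrong (the parent directory already holds a wp-config.php, or it is itself a WordPress install, in which case WordPress ignores the relocated file). An optional second argument names the user the PHP process runs as, so the function can warn when mode 600 would lock PHP out. The function name, the webroot paths and the owner check are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article): move wp-config.php one
# level above the WordPress root and set it to mode 600.
# Assumes a POSIX shell and that the web root is a plain directory.
# Function name and arguments are made up for this example.

# harden_wp_config WEBROOT [PHP_USER] -> prints the new path on success;
# returns 1 if the move is unsafe, 2 if PHP_USER could not read the result
harden_wp_config() {
    _root=${1%/}
    _src=$_root/wp-config.php
    _parent=$(dirname "$_root")
    _dst=$_parent/wp-config.php
    [ -f "$_src" ] || { echo "no wp-config.php in $_root" >&2; return 1; }
    # WordPress only falls back to ../wp-config.php when ../wp-settings.php is
    # absent; if it is present the parent is itself a WordPress install and
    # the relocated file would simply be ignored
    [ ! -e "$_parent/wp-settings.php" ] || {
        echo "parent of $_root is a WordPress install; refusing to move" >&2
        return 1
    }
    [ ! -e "$_dst" ] || { echo "$_dst already exists; refusing to overwrite" >&2; return 1; }
    mv "$_src" "$_dst" || return 1
    chmod 600 "$_dst" || return 1
    if [ -n "${2:-}" ]; then
        # mode 600 is only usable if the PHP process user owns the file
        _owner=$(ls -l "$_dst" | awk '{print $3}')
        [ "$_owner" = "$2" ] || {
            echo "warning: $_dst is owned by $_owner, not $2; PHP cannot read it at mode 600" >&2
            return 2
        }
    fi
    echo "$_dst"
}

# Usage (not run here):  harden_wp_config /var/www/example.com/htdocs www-data
```

If the web root is the parent directory's document root as well (a WordPress install in a subdirectory of a site that also serves the parent), the relocated file would still be inside a served tree, so check the virtual host configuration before relying on this.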
Disable user registration
You can disable user registration in the admin area, so if you're running a small blog or CMS and don't have multiple people contributing, go ahead and untick "Anyone can register" under Settings > General. If you do need open registration, make sure the default role for new users is Subscriber, so a registered account gets no editing rights.
Delete the readme and any unnecessary files
WordPress ships a readme.html in its root folder, and many plugins and themes come with a readme.txt or license.txt of their own. It is best to delete them, since they can be used for fingerprinting and general snooping and usually contain version information. Note that core and plugin updates will put these files back, so the clean-up has to be repeated after each update. Also keep your folders free of junk files such as old backups, leftover archives and installer scripts.
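The following shell functions are an added example, not code from the original article: one lists the readme and licence files under a WordPress root that leak version information, the other deletes them and reports how many were removed, so the clean-up can be rerun after every update. The function names and the directory layout used in the usage line are assumptions for this example; the file names matched are the ones the paragraph above describes.

```shell
#!/bin/sh
# Added example (not from the original article): find and remove the
# readme.html, readme.txt and license.txt files that WordPress core,
# plugins and themes ship, since they disclose version numbers.
# Assumes a POSIX shell with find. Function names are made up.

# fingerprint_files WEBROOT -> one path per line, relative to WEBROOT, sorted
fingerprint_files() {
    _root=${1%/}
    ( cd "$_root" && find . -type f \
        \( -iname readme.html -o -iname readme.txt -o -iname license.txt \) \
        | sort )
}

# remove_fingerprint_files WEBROOT -> deletes those files, prints the count
remove_fingerprint_files() {
    _root=${1%/}
    _list=$(fingerprint_files "$_root")
    [ -n "$_list" ] || { echo 0; return 0; }
    # read one path per line so names with spaces are handled
    printf '%s\n' "$_list" | while IFS= read -r _f; do
        rm -f "$_root/$_f"
    done
    printf '%s\n' "$_list" | wc -l | tr -d ' '
}

# Usage (not run here):
#   fingerprint_files /var/www/example.com/htdocs        # review first
#   remove_fingerprint_files /var/www/example.com/htdocs  # then delete
```

Deleting these files is harmless to the site: WordPress reads plugin and theme metadata from the headers of their main PHP and CSS files, not from the readme. Removing them does not hide the version completely, though; the generator meta tag that WordPress adds to every page and the ?ver= query strings on enqueued scripts and styles still reveal it, so treat this as one layer, not the whole answer.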
Use security plugins
As well as all of the measures above, there are tons of plugins you can use to tighten your site’s security and reduce the likelihood of being hacked.
Here are a handful of popular options:
- http://wordpress.org/plugins/better-wp-security – offers a wide range of security features
- http://wordpress.org/plugins/bulletproof-security – protects your site via .htaccess
- http://wordpress.org/plugins/all-in-one-wp-security-and-firewall – adds a firewall to your site
- http://wordpress.org/plugins/sucuri-scanner – scans your site for malware etc
- http://wordpress.org/plugins/wordfence – full-featured security plugin
- http://wordpress.org/plugins/websitedefender-wordpress-security – comprehensive security tool
- http://wordpress.org/plugins/exploit-scanner – searches your database for any suspicious code
Please leave your comments below with your thoughts or suggestions.