WordPress site security is the subject of much debate, and of a fair amount of misunderstanding. On one side of the fence are those who argue that any open source script is naturally vulnerable to a variety of attacks. On the other are those who (correctly) point out that this is largely untrue; if anything, code that anyone can read tends to have its flaws found and fixed faster, not slower.
But even where WordPress sites are hacked, it is typically not the result of flaws in the core code. Far more often the cause is an outdated plugin, a weak password or a misconfiguration, all of which sit squarely with the webmaster. Like it or not, there are certain key security responsibilities that every website owner has to own.
The question being – exactly what, if anything, are you doing right now to bolster the security of your WordPress website?
If the answer is a) nothing or b) not a great deal, this guide is for you: a concise overview of the steps required to improve the security of a WordPress site, starting right now. It begins with a few important boxes you should tick before anything else.
Set up website lockdown
For example, you can greatly reduce the exposure of your login form to brute force guessing by setting up a lockout. In practice this means that whenever the wrong password is entered X times in a row, the offending IP address (or the targeted username) is barred from the login form for a period and you are sent a notification of what has happened. Note that it is the attacker's address or the targeted account that should be locked, not the site as a whole: a rule that bars every user after a handful of bad guesses hands any attacker a trivial way to lock you out of your own dashboard. Countless plugins offer this feature, iThemes Security being one of the best known. Bear in mind, too, that wp-login.php is not the only place credentials can be submitted: xmlrpc.php accepts a username and password as well and has long been a favourite target of automated guessing, so a lockout that only watches the login form is incomplete.
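As an added example (not code from the original article, and not iThemes Security's implementation), the following must-use plugin implements a per-IP lockout with WordPress's own hooks. It assumes the site is not behind a reverse proxy, so that REMOTE_ADDR is the client's address; the thresholds and the file path wp-content/mu-plugins/login-lockout.php are illustrative choices.

```php
<?php
/**
 * Added example: minimal per-IP login lockout as a must-use plugin.
 * Save as wp-content/mu-plugins/login-lockout.php (path is an assumption).
 *
 * Assumes REMOTE_ADDR is the real client address (no reverse proxy in front).
 * Thresholds are illustrative.
 */

define('LL_MAX_FAILURES', 5);                    // failures allowed before lockout
define('LL_WINDOW', 15 * MINUTE_IN_SECONDS);     // counting window and lockout length

function ll_client_ip(): string {
    // Behind a proxy you would instead trust X-Forwarded-For from that proxy only.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function ll_transient_key(string $ip): string {
    return 'll_fail_' . md5($ip);
}

// Count each failed login against the client IP. wp_login_failed fires from
// wp_signon() and wp_authenticate(), so xmlrpc.php logins are counted too.
add_action('wp_login_failed', function ($username): void {
    $ip    = ll_client_ip();
    $key   = ll_transient_key($ip);
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, LL_WINDOW);      // each failure extends the window
    if ($count === LL_MAX_FAILURES) {
        wp_mail(
            get_option('admin_email'),
            'Login lockout on ' . home_url(),
            sprintf("IP %s locked out after %d failed logins (last username tried: %s)",
                $ip, $count, $username)
        );
    }
});

// Refuse authentication while the IP is locked out. Priority 30 runs after
// WordPress's own username/password check (priority 20); hooking earlier would
// not help, because the core check ignores a WP_Error passed in and still
// returns a WP_User when the password is right.
add_filter('authenticate', function ($user, $username, $password) {
    $count = (int) get_transient(ll_transient_key(ll_client_ip()));
    if ($count >= LL_MAX_FAILURES) {
        return new WP_Error('locked_out',
            'Too many failed logins from your address. Try again later.');
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function (): void {
    delete_transient(ll_transient_key(ll_client_ip()));
});
```

Because the block hooks the authenticate filter rather than the login form, it applies to xmlrpc.php as well as wp-login.php. Transients live in the options table (or the object cache), so the counter is shared across PHP workers; on a site behind a CDN or load balancer, replace ll_client_ip() with one that reads the proxy's forwarded header and nothing else, or every visitor will share one counter.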
Use 2-factor authentication
Slowly but surely, two-factor authentication (2FA) is becoming a standard among those who take WordPress security seriously. Plugins like Google Authenticator take minutes to set up and add a second factor to the login: typically a time-based one-time code from an app on your phone, or a hardware security key, required in addition to the password. A password that has been guessed, phished or leaked is then no longer enough on its own. Note that a "secret question" is not a second factor; it is just another thing you know, and usually a weaker one than the password it sits beside.
Use email as login
The argument for logging in with an email address rather than a username is that usernames are typically easier to guess. In practice the benefit is marginal: WordPress gives away usernames itself, through author archive URLs (/?author=1 redirects to /author/username/) and the REST API's users endpoint, and an email address is rarely a secret either. Since WordPress 4.5 the standard login form accepts either one anyway. It does no harm, but what actually stops guessing is a strong, unique password, a lockout and 2FA. If you do stick with usernames, at least avoid obvious ones such as the site name, the author's name or "admin".
Rename your login URL
Another reason to try the iThemes Security plugin is that it can change the default WordPress login URL. Why would you want to? Because anyone who knows a site runs WordPress knows that its login page lives at /wp-login.php and its dashboard at /wp-admin/. Moving it makes your front door a little harder to find and cuts the volume of automated guessing aimed at the default path. Treat this as noise reduction rather than protection: the new path is still discoverable (in emails WordPress sends, in redirects, in the plugin's own source), and xmlrpc.php still accepts credentials wherever the login form lives. Do not rely on it in place of strong passwords, a lockout and 2FA.
Adjust your passwords
You know you should be choosing passwords that are long, unique to this site and impossible to guess. The question being: are you actually doing it? Breach after breach of WordPress sites comes down to nothing more than a weak or reused password, which for obvious reasons is rather unfortunate. Use a password manager to generate a long random password for every account, and change a password when there is reason to believe it has been exposed rather than on a fixed schedule; forced periodic rotation mostly produces predictable variations of the old password.
Protect your wp-admin directory
If an attacker can reach the wp-admin directory, they have free run to wreak as much havoc as they like. By contrast, an attacker who has obtained a password but is stopped by a second barrier in front of /wp-admin/ (HTTP basic authentication or an IP allow-list enforced by the web server) has far less room to operate, and the barrier holds even if a future WordPress or plugin flaw lets them bypass the WordPress login. Plugins like AskApache Password Protect set this up by writing .htaccess rules for Apache, and are flexible enough to lock off certain key areas of the site while leaving others open to those who need them. One caveat: wp-admin/admin-ajax.php is requested from the public side of many themes and plugins, so it has to be excluded from the extra password or those features will break.
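The web-server side of that protection, as an added example for Apache 2.4 (this is not the plugin's own output, and the htpasswd path is an assumption):

```apache
# Added example: HTTP basic authentication in front of the dashboard.
# Two files are involved, because wp-login.php sits in the web root while
# the rest of the dashboard lives under /wp-admin/.
#
# Create the credential file outside the document root first (path assumed):
#   htpasswd -c /etc/apache2/wp-admin.htpasswd alice

# ---- wp-admin/.htaccess ----
AuthType Basic
AuthName "Restricted area"
AuthUserFile /etc/apache2/wp-admin.htpasswd
Require valid-user

# admin-ajax.php is called by the public side of many themes and plugins,
# so it must stay reachable without the extra password. On Apache 2.4 a
# nested section's Require replaces the enclosing one by default.
<Files admin-ajax.php>
    Require all granted
</Files>

# ---- .htaccess in the web root (add alongside the WordPress rewrite block) ----
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /etc/apache2/wp-admin.htpasswd
    Require valid-user
</Files>
```

Use a different password here from the WordPress one, and serve the site over HTTPS, since basic authentication sends the credentials with every request. If you prefer an IP allow-list, replace `Require valid-user` with one or more `Require ip` lines.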
Encrypt data with SSL
Implementing a TLS certificate (still widely called SSL, after the protocol it replaced) is now an essential baseline for every type of website. Serving the site over HTTPS ensures that credentials, session cookies and form data cannot be read or altered as they travel between the browser and the server, which is otherwise an easy way for anyone on the same network to capture a login. Check with your hosting company whether HTTPS is already enabled for your WordPress site; many hosts now provision free certificates automatically. If yours does not, make it happen, or take your business elsewhere. Once the certificate is in place, make sure every page actually uses it: set both site addresses to https://, redirect http:// to https://, and set FORCE_SSL_ADMIN in wp-config.php so that the login page and dashboard are never served in the clear.
Take care when adding user accounts
One important thing to remember is that every user account you create is another potential gateway an attacker could use to target your website. The more access points there are, the more exposed the site becomes, statistically at least. So only add accounts you actually need, remove those that are no longer used, give each one the lowest role that does the job (Subscriber, Author or Editor rather than Administrator), and make sure every one of them has a strong, unique password.
Avoid the admin username
One of the worst things you can do as far as WordPress security goes is to leave the administrator account's username as "admin". You can rest assured that every automated attack on a WordPress site tries that username first, and far too often it is right, because far too many webmasters never change it. That said, do not think of the username as half of the secret: WordPress discloses usernames through author archives and the REST API, so assume an attacker knows yours. Renaming the account away from "admin" cuts out the dumbest attacks; the password, a lockout and 2FA are what actually keep the rest out.
Monitor your files
iThemes Security, Wordfence and a variety of other security plugins can keep an eye on your website's files, so that whenever a file is added, removed or altered, with or without your authorisation, you know about it. WordPress ships with tooling for part of this job: WP-CLI's wp core verify-checksums and wp plugin verify-checksums compare the installed core and directory-hosted plugins against their published checksums. For everything else (your theme, custom code, wp-config.php) you need a baseline of your own. Spotting an unexpected change quickly is one of the best ways of limiting the damage should an attack occur.
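A baseline of your own, as an added example (not the article's code and not any plugin's): a command-line PHP script that records a SHA-256 hash of every file under the install and reports additions, removals and changes on later runs. The install path and the baseline file name are assumptions.

```php
<?php
/**
 * Added example: file-integrity baseline for a WordPress install.
 *
 *   php integrity.php baseline /var/www/html  > /root/baseline.json
 *   php integrity.php check    /var/www/html  < /root/baseline.json
 *
 * Paths are assumptions. Keep the baseline outside the web root: an attacker
 * who can write to the site could otherwise rewrite it to match their changes.
 */

/** Hash every regular file below $root, keyed by path relative to $root. */
function integrity_scan(string $root): array {
    $root   = rtrim($root, '/');
    $hashes = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($root) + 1);
        // Uploads change constantly and legitimately; skip them here. A .php
        // file appearing under uploads is a red flag worth its own rule.
        if (strpos($rel, 'wp-content/uploads/') === 0) {
            continue;
        }
        $hashes[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($hashes);
    return $hashes;
}

/** Compare a fresh scan with a stored baseline; returns added/removed/changed paths. */
function integrity_diff(array $baseline, array $current): array {
    $changed = [];
    foreach (array_intersect_key($current, $baseline) as $path => $hash) {
        if ($baseline[$path] !== $hash) {
            $changed[] = $path;
        }
    }
    return [
        'added'   => array_keys(array_diff_key($current, $baseline)),
        'removed' => array_keys(array_diff_key($baseline, $current)),
        'changed' => $changed,
    ];
}

if (PHP_SAPI === 'cli' && isset($argv[1], $argv[2])) {
    $scan = integrity_scan($argv[2]);
    if ($argv[1] === 'baseline') {
        echo json_encode($scan, JSON_PRETTY_PRINT), "\n";
        exit(0);
    }
    $baseline = json_decode(stream_get_contents(STDIN), true) ?: [];
    $diff     = integrity_diff($baseline, $scan);
    foreach ($diff as $kind => $paths) {
        foreach ($paths as $path) {
            echo strtoupper($kind), "\t", $path, "\n";
        }
    }
    // Non-zero exit on any difference, so a cron job can alert on it.
    exit(array_sum(array_map('count', $diff)) === 0 ? 0 : 1);
}
```

Re-run the baseline step after every deliberate update, otherwise the next check reports the update itself. Run the check from cron under a user that can read the site but not write to it, and have it mail you on a non-zero exit.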
Back up your site regularly
Another mandatory requirement you should already be paying close attention to. Even with the most robust security in the world, it is impossible to rule out every possible attack, and when the worst happens it is a comprehensive, recent backup that lets you ride it out and emerge (at least relatively) unscathed. You can use a service like VaultPress by Automattic, or have backups included in your hosting package; either way, make sure the database is backed up as well as the files, keep copies off the server itself, and actually test a restore before you need one.
Protect the wp-config.php file
Once again, the importance of protecting the files that hold the most critical information about your installation cannot be overstated, and wp-config.php holds the most critical of all: the database credentials and the authentication salts. WordPress looks for the file one directory above the install automatically, so you can move it out of the web root without any other change, provided the parent directory is not itself the root of another WordPress install. That way a web-server misconfiguration that serves .php files as plain text, or an exposed backup of the document root, no longer hands those secrets to the world. It does not help against an attacker who can already run PHP on the server, who can read the file wherever it is, so also restrict its permissions to the web server's user and deny direct web access to it.
Disallow file editing
A single constant added to the end of wp-config.php removes the theme and plugin file editors from the dashboard, so that an attacker who gets hold of an administrator session cannot use them to drop PHP code into your theme, even if they do manage to gain access to your WordPress dashboard.
It is always worth remembering that someone with access to your WordPress dashboard can otherwise do pretty much anything they like with your themes and plugins, which for obvious reasons could have catastrophic consequences. Disallowing file editing takes seconds, so it is something you should be doing right now. It is not a complete answer, though: uploading a new plugin or theme is another route to running code, which is why a second constant exists to block installs and updates from the dashboard for sites that deploy some other way.
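The wp-config.php additions covering the HTTPS and file-editing points above, as an added example rather than code from the original article. The fragment goes before the line `/* That's all, stop editing! Happy publishing. */` in the standard wp-config.php; constants defined after that line, where wp-settings.php is loaded, have no effect. The reverse-proxy header at the end is an assumption about your hosting setup.

```php
// Added example: hardening constants for wp-config.php.

// Remove the theme and plugin file editors (Appearance > Editor, Plugins > Editor).
// An administrator session can no longer write PHP through the dashboard.
define('DISALLOW_FILE_EDIT', true);

// Stronger: also block plugin and theme installs, updates and deletions from
// the dashboard. Only set this if you deploy and update through another
// channel (WP-CLI, your host, version control); otherwise you block yourself.
define('DISALLOW_FILE_MODS', true);

// Serve wp-login.php and everything under /wp-admin/ over HTTPS only.
// This does not redirect the public site; do that in the web server or by
// setting both site addresses to https://.
define('FORCE_SSL_ADMIN', true);

// Behind a TLS-terminating proxy or load balancer, PHP sees plain HTTP and
// FORCE_SSL_ADMIN would redirect in a loop. Assumption: the proxy sets
// X-Forwarded-Proto itself and strips any copy sent by the client.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}
```

If you only trust the header when it arrives from your proxy, that is the right instinct: a client that can set X-Forwarded-Proto directly on an unproxied server could otherwise talk WordPress into believing a plain-HTTP connection is secure.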
Attackers are constantly working to get around the latest security measures, and WordPress, theme and plugin developers are just as constantly fixing the flaws they find; most fixes are announced, which tells attackers exactly what to look for on sites that lag behind. Few things matter more than applying updates as soon as they are available, for plugins and themes as much as for core. Leave WordPress's automatic updates for core enabled, and remove plugins and themes you no longer use rather than leaving them installed and out of date. If not, you leave yourself wide open to attacks unnecessarily.
Delete the WordPress version number
Last but not least, publishing the WordPress version you run makes things that little bit easier for an attacker: known vulnerabilities are tied to specific versions, and the generator tag WordPress adds to the head of every page (and to its feeds) tells them exactly which one you are on. Removing it denies them that shortcut. Be realistic about the benefit, though: the version can also be inferred from readme.html in the web root and from the ?ver= query strings appended to core scripts and styles, and an automated scanner will simply try every known exploit regardless. Hiding the number removes a clue; keeping WordPress updated removes the vulnerability.
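Removing the version from the places WordPress prints it, as an added example rather than the article's own code; the file name wp-content/mu-plugins/hide-version.php is an assumption.

```php
<?php
/**
 * Added example: hide the WordPress version where core exposes it.
 * Save as wp-content/mu-plugins/hide-version.php (path is an assumption).
 */

// <meta name="generator" content="WordPress x.y"> in <head>, and the
// <generator> element in RSS and Atom feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// Core appends ?ver=<WordPress version> to its own scripts and styles.
// Strip the parameter only when it equals the WordPress version, so that
// plugins and themes keep their own cache-busting versions.
function hv_strip_core_version(string $src): string {
    $query = wp_parse_url($src, PHP_URL_QUERY);
    if (!$query) {
        return $src;
    }
    parse_str($query, $params);
    if (isset($params['ver']) && $params['ver'] === get_bloginfo('version')) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'hv_strip_core_version');
add_filter('style_loader_src', 'hv_strip_core_version');
```

Stripping ?ver= from core assets also removes the cache-busting that makes browsers refetch them after an update, so clear any page or CDN cache when you update. readme.html cannot be handled from PHP; delete it or deny access to it in the web server.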