Secure your WordPress site: 10 ground rules
What are the guidelines for securing your WordPress site? This CMS, which runs almost 25% of websites on the Internet, is very secure in itself. But the more plugins, themes and extra code you add, the greater the risk of being hacked. Here are ten tips that will help you avoid problems with your WordPress security.
1. Keep WordPress up to date
- When you log in to your dashboard and see that an update is available, make sure you install it as soon as possible.
- Do not let the fear of breaking your site because one of your plugins or themes is not compatible with the new version stop you from doing what you have to do.
- Always make a backup before the installation, so that you can return to the previous version (if necessary).
2. Be very careful with plugins and themes!
- You should also keep your plugins and themes up to date. They can be a backdoor into the admin interface of your website! Think about it: according to most sources, the data in the Panama Papers hack were obtained via an obsolete and unpatched plugin!
- Delete plugins and themes that you do not use. Deactivating them will not do the job.
- Download plugins and themes only from reliable sources such as the Theme Directory and the Plugin Directory provided by WordPress itself, dev sites like org, or popular sites with a good reputation like Themeforest.
3. Practice good password hygiene
- Never use “admin” as a user name. Attackers specifically search for sites that still use “admin” as the administrator name. Have you done it anyway? Follow the instructions provided in this video to change your admin user name.
- Make sure you choose a strong password, which combines numbers and uppercase and lowercase letters. Since version 3.7, WordPress features a tool that tells you how strong the password is.
- Regularly change your password, and use a password manager such as 1Password or LastPass, which will remember your passwords for you.
- Ensure that your users also use secure user names and passwords.
- NEVER use the same password for multiple sites.
4. Limit the number of login attempts
Hackers often use “brute force” attacks, which means they keep trying to log in to the site until they have guessed the password. So, make sure to take the following measures:
- Install a plugin that limits the number of times a user can try to log in from a given IP address within a certain period of time, like Login LockDown. Most of the time, such a tool is also included in security packages with extra security features, like iThemes Security or Sucuri Scanner.
- If you are looking for maximum security, try two-factor authentication. With this technology, you will be required to enter your password as well as a token (for example a code that is texted to your mobile). Clef and Duo are both plugins that you can use for two-factor authentication.
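The plugins above do essentially what the following must-use plugin does. This is an added example written for this article, not code from Login LockDown or any other plugin named here; the file name, the function prefix and the thresholds are assumptions, and it assumes the web server talks to clients directly (so REMOTE_ADDR is the real client address, not a proxy).

```php
<?php
/**
 * Plugin Name: Simple Login Limiter (example, hypothetical)
 * Description: Locks an IP address out after too many failed logins.
 *
 * Save as wp-content/mu-plugins/simple-login-limiter.php; must-use plugins
 * load automatically and cannot be deactivated from the dashboard.
 * Assumption: no reverse proxy in front of the site, so REMOTE_ADDR is the
 * client address. Thresholds are illustrative values.
 */

const SLL_MAX_ATTEMPTS    = 5;        // failed logins allowed per window
const SLL_WINDOW_SECONDS  = 15 * 60;  // window over which failures are counted
const SLL_LOCKOUT_SECONDS = 30 * 60;  // how long an IP stays locked out

function sll_client_ip(): string {
    // REMOTE_ADDR is set by the web server and cannot be forged by the client,
    // unlike X-Forwarded-For. Behind a trusted proxy you would read the proxy's header instead.
    return isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function sll_key(string $prefix, string $ip): string {
    // Transient names have a length limit, so store a hash of the IP, not the IP itself.
    return $prefix . md5($ip);
}

function sll_is_locked(string $ip): bool {
    return (bool) get_transient(sll_key('sll_lock_', $ip));
}

// Runs after WordPress has checked the credentials (priority 100 is later than the
// core username/password handlers at 20). Returning a WP_Error aborts the login,
// even when the password was correct, as long as the IP is locked out.
add_filter('authenticate', function ($user, $username, $password) {
    if (sll_is_locked(sll_client_ip())) {
        return new WP_Error('sll_locked_out',
            __('Too many failed login attempts. Please try again later.'));
    }
    return $user;
}, 100, 3);

// Fired by wp_signon() on every failed attempt.
add_action('wp_login_failed', function ($username) {
    $ip = sll_client_ip();
    if (sll_is_locked($ip)) {
        return; // attempts during a lockout are already rejected; do not count them again
    }
    $count_key = sll_key('sll_fail_', $ip);
    $count = (int) get_transient($count_key) + 1;   // get_transient() returns false when unset
    set_transient($count_key, $count, SLL_WINDOW_SECONDS);

    if ($count >= SLL_MAX_ATTEMPTS) {
        set_transient(sll_key('sll_lock_', $ip), 1, SLL_LOCKOUT_SECONDS);
        delete_transient($count_key);
        // Leave a trace in the PHP error log so the lockout shows up when you monitor the site (tip 7).
        error_log(sprintf('[login-limiter] locked out %s after %d failed logins (last user name tried: %s)',
            $ip, $count, sanitize_user($username)));
    }
});

// A successful login clears the failure counter for that IP.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(sll_key('sll_fail_', sll_client_ip()));
}, 10, 2);
```

Transients live in the options table (or in the object cache if one is configured), so the counters survive across requests and PHP workers without any extra storage. Two-factor authentication is a separate layer on top of this: a limiter slows down guessing, while a second factor makes a guessed password insufficient on its own.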
5. Limit the number of users with rights
If you work on a website as a team, make sure that you assign proper roles to each team member when creating their accounts on your site:
- Administrator: manages the entire website, updates plugins and themes, creates and manages user accounts, and can edit the code of the website. Limit the number of users with this role to the minimum necessary.
- Editor: creates, edits and publishes posts written by themselves or by others.
- Author: creates, edits and publishes their own posts.
- Contributor: writes posts, but is not allowed to publish them (only an administrator or editor can do that).
- Subscriber: a visitor who created an account so that they do not need to enter their details every time they want to comment on an article.
The golden rule: never log in as an admin when you do not need to perform maintenance tasks.
6. Run security scans
Just as you have an antivirus on your computer that checks your machine for viruses and malware, you should also use a scanner with WordPress. It scans the code of your plugins, your core files and your themes to verify that nothing has been changed. Popular scanners include Theme Authenticity Checker, Antivirus and Sucuri Security.
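What such a scanner does at its core is compare a hash of every file against a known-good baseline. The script below is an added example written for this article, not the code of any scanner named above; the function prefix, the file names and the directory path are placeholders. It assumes the baseline is taken right after a clean install or update and stored outside the web root, so that an attacker who modifies a file cannot also update the baseline.

```php
<?php
// integrity-check.php (hypothetical file name) - a minimal WordPress file-integrity scanner.
//
// Usage:  php integrity-check.php baseline /var/www/html  > /root/wp-baseline.json
//         php integrity-check.php check    /var/www/html  < /root/wp-baseline.json
// Exit status 1 on the second command means something changed, so a cron job can alert on it.

function ic_hash_tree(string $root): array {
    $root = rtrim($root, '/');
    $hashes = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($root) + 1);
        // Uploads change legitimately all the time, so skip them, except for PHP files:
        // executable code inside wp-content/uploads is a classic sign of a planted backdoor.
        if (strpos($rel, 'wp-content/uploads/') === 0 && strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $hashes[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($hashes);
    return $hashes;
}

function ic_compare_trees(array $baseline, array $current): array {
    $modified = [];
    foreach ($baseline as $path => $hash) {
        if (isset($current[$path]) && $current[$path] !== $hash) {
            $modified[] = $path;
        }
    }
    return [
        'modified' => $modified,
        'added'    => array_values(array_diff(array_keys($current), array_keys($baseline))),
        'removed'  => array_values(array_diff(array_keys($baseline), array_keys($current))),
    ];
}

if (PHP_SAPI === 'cli' && isset($argv[1], $argv[2])) {
    [$mode, $root] = [$argv[1], $argv[2]];
    if ($mode === 'baseline') {
        echo json_encode(ic_hash_tree($root), JSON_PRETTY_PRINT), PHP_EOL;
        exit(0);
    }
    $baseline = json_decode(stream_get_contents(STDIN), true) ?: [];
    $diff = ic_compare_trees($baseline, ic_hash_tree($root));
    foreach ($diff as $kind => $files) {
        foreach ($files as $path) {
            echo strtoupper($kind), "\t", $path, PHP_EOL;
        }
    }
    exit(array_sum(array_map('count', $diff)) > 0 ? 1 : 0);
}
```

For the core files alone, WP-CLI's `wp core verify-checksums` does the same comparison against the checksums published by WordPress.org, so it needs no locally stored baseline; a script like this one adds coverage for your themes, plugins and anything dropped into the uploads folder.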
7. Monitor the activity in your admin panel
Install a tool that keeps an eye on what happens in your admin area. WordPress does log this information itself, but the raw data are not easy to read. Therefore, use WP Security Audit Log, Aryo Activity Log or Simple History. When something goes wrong on your site, you can then trace it back to the critical moment (the installation of a particular plugin, a change in your code, the upload of a file…).
8. Always use HTTPS!
Every time you log in to your admin panel, your browser attaches an authentication cookie to each request it sends to the server. If that communication is not encrypted, anyone on the network path may be able to intercept this cookie and use it to log in to the server and execute commands as you.
By using HTTPS, the communication (including the cookie) is encrypted. For this, however, you will need an SSL certificate. Feel free to read our articles on this topic: “SSL: what is it and how does it work?” and “The SSL certificate: what should you do?”
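Once the certificate is in place, WordPress itself must be told to use it for the admin area. The wp-config.php fragment below is an added example for this article, not something taken from the WordPress documentation or from Combell; it collects three built-in constants that back tips 1, 5 and 8, and the proxy header check at the end is an assumption that applies only if a trusted load balancer terminates TLS in front of the site.

```php
<?php
// Hardening lines for wp-config.php (added example). Put them ABOVE the line
// that reads:  /* That's all, stop editing! Happy publishing. */

// Tip 1: install minor core releases (security and maintenance updates) automatically.
// 'minor' is the default; set it explicitly so nobody "optimises" it away.
define('WP_AUTO_UPDATE_CORE', 'minor');

// Tip 5: remove the theme/plugin code editor from the dashboard. Without it, a
// hijacked administrator account cannot turn the editor into a PHP shell.
define('DISALLOW_FILE_EDIT', true);

// Tip 8: serve the login page and the whole admin area over HTTPS only, so the
// authentication cookie is never sent in clear text.
define('FORCE_SSL_ADMIN', true);

// Tip 8, assumption: behind a TLS-terminating proxy WordPress sees plain HTTP and
// would redirect forever. Honour the proxy's header ONLY if that proxy is trusted
// and strips the header from incoming client requests.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}
```

After saving the file, open your login page over plain http:// and confirm that WordPress redirects you to https:// before it shows the form; if it does not, the constants were placed below the "stop editing" line and are never read.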
9. Go for good quality hosting
If you do not have a decent hosting provider, all your efforts will be wasted. According to security experts at WP White Security, 41% of hacked WordPress sites were hacked through a security vulnerability on the host itself. This is why you should choose your hosting provider very carefully!
A managed hosting provider that specialises in content management systems, like Combell's range of Managed WordPress hosting, usually provides (in addition to hosting) a firewall, regularly runs malware scans, makes sure that PHP and MySQL are up to date, and has a helpdesk team that knows WordPress inside out.
10. Healthy scepticism cannot hurt
Be cautious at all times and pay particular attention to the following:
- Do not log in to your admin account using a public Wi-Fi network (like when you are in a Starbucks or staying at a hotel).
- Only use a trusted Internet connection (like the one at your home or at your office).
- Preferably use a VPN (Virtual Private Network).
- Think like a hacker: what are the most vulnerable elements of my setup? How could someone easily enter my system?
- As a developer, you should never fully trust your users’ content.
- Assume that there will always be someone who will attempt to hack your site.
The tips above do not require any particular technical knowledge. You just need some common sense and to be familiar with installing plugins. In a follow-up article, we will look deeper into this matter and give you a few concrete examples of code you can add and settings you can change to make your WordPress site even more secure.