10 Actionable WordPress Security Tips for the Layman

Updated: Jun 06, 2018

Since its first release in 2003, WordPress has grown (and grown) into what can now safely be called the world's most popular content management system. Today, more than a quarter of all websites run on WordPress.

The more popular something is, the more people want to exploit it for nefarious ends. Just look at Microsoft Windows and the massive amount of malware, viruses and other exploits written to target that one operating system.

Chart: The 10 WordPress versions with the most vulnerabilities (source). Research in 2017 identified 74 different versions of WordPress among the Alexa Top 1 million websites; 11 of these version numbers were invalid, for example 6.6.6 (source).

Why is your WordPress blog a valuable target?

In case you're wondering why on earth a hacker would want to control your WordPress blog, there are several reasons, including:

  • Using it to secretly send spam emails
  • Stealing your data, such as a mailing list or credit card information
  • Adding your site to a botnet that they can use later

Fortunately, WordPress is a platform that offers you a multitude of opportunities to defend yourself. Having helped set up and administer several websites and blogs myself, I'd like to share with you some of the more basic things you can do to help secure your WordPress site.

Here are 10 actionable security tips you can make use of.

Tip #1. Choose a good administrator username

From experience, most login attacks against a site try three usernames. The first two are always 'admin' and 'administrator', while the third is usually derived from your domain name.

For example, if your site is crazymonkey33.com, the hacker might try to login with ‘crazymonkey33’.

Not a good idea. Pick a login name that cannot be guessed from the site, and keep in mind that WordPress exposes login names in other places: by default /?author=1 redirects to /author/<username>/, and /wp-json/wp/v2/users lists everyone who has published a post. So also set a display name that differs from the login name, and consider closing those two leaks.
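As an added example (not code from the article), the following must-use plugin closes the three places where WordPress hands out login names to anonymous visitors: the numeric author redirect, the REST users endpoint, and the login error message, which by default tells an attacker whether the username exists. It assumes you save the file in wp-content/mu-plugins/ so it loads on every request.

```php
<?php
/**
 * Plugin Name: Stop username enumeration (added example, not from the article)
 * Place this file in wp-content/mu-plugins/ so it loads on every request.
 */

// 1. /?author=N normally redirects to /author/<login>/, which turns a
//    guessable number into a real login name. Send such requests home.
add_action('init', function () {
    if (!is_admin() && isset($_REQUEST['author'])
        && preg_match('/^\d+$/', (string) $_REQUEST['author'])) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});

// 2. /wp-json/wp/v2/users lists every user who has published a post.
//    Remove the endpoint for visitors who are not logged in; the dashboard
//    (which is logged in) keeps using it for author drop-downs.
add_filter('rest_endpoints', function (array $endpoints) {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users']);
        unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});

// 3. The default login errors differ for "unknown user" and "wrong
//    password", which confirms which usernames exist. Use one message.
add_filter('login_errors', function () {
    return 'Login failed. Please check your username and password.';
});
```

The author-archive redirect still reveals a name if someone guesses /author/<username>/ directly, which is why the display name and the login name should differ; a bad login name exposed by the theme's byline is no secret at all.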

Tip #2. Make sure to use a strong password

By now you would think that people know to use strong, complex passwords to protect their accounts, but there are still many who think 'password' is a great one.

A strong password will:

  • Mix upper- and lower-case letters
  • Include digits (0-9)
  • Include a special character (!, @, #, $, etc.)
  • Be at least 8 characters long, and preferably much longer: each extra character adds more strength than another character class does

The more random your password is, the more secure it will be; a dictionary word with a digit on the end is not random, however many character classes it ticks. Try this random password generator if you're having trouble coming up with one, or better, let a password manager generate and remember it for you. https://passwordsgenerator.net/
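To show how much each rule above is really worth, here is an added example (not code from the article) that estimates a password's strength in bits, assuming each character was chosen uniformly from the classes it uses (bits = length times log2 of the alphabet size), and enforces a minimum on the WordPress profile page. The 12-character and 60-bit thresholds are this example's assumptions, stricter than the article's 8 characters; put the file in wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: Minimum password strength (added example, not from the article)
 * Place in wp-content/mu-plugins/. Thresholds below are assumptions; adjust.
 */

/**
 * Rough strength estimate: bits = length * log2(alphabet size), where the
 * alphabet is the union of character classes actually present.
 * Returns [bits, list of classes found]. Note the estimate assumes random
 * choice: an 8-letter dictionary word scores the same ~37 bits as 8 random
 * lower-case letters, so also reject known-breached passwords in practice.
 */
function mu_password_strength(string $pw): array {
    $classes = [
        'lower'   => ['/[a-z]/', 26],
        'upper'   => ['/[A-Z]/', 26],
        'digit'   => ['/[0-9]/', 10],
        'special' => ['/[^a-zA-Z0-9]/', 33], // printable ASCII punctuation + space
    ];
    $alphabet = 0;
    $found = [];
    foreach ($classes as $name => [$re, $size]) {
        if (preg_match($re, $pw)) {
            $alphabet += $size;
            $found[] = $name;
        }
    }
    $bits = $alphabet > 0 ? strlen($pw) * log($alphabet, 2) : 0.0;
    return [round($bits, 1), $found];
}

// Enforce the policy when a user sets or changes a password in the profile
// screen. $user->user_pass is only set when a new password was typed.
add_action('user_profile_update_errors', function ($errors, $update, $user) {
    if (empty($user->user_pass)) {
        return; // password not being changed
    }
    [$bits, $found] = mu_password_strength($user->user_pass);
    if (strlen($user->user_pass) < 12 || $bits < 60) {
        $errors->add(
            'weak_password',
            sprintf('Password is too weak (%s bits estimated). Use at least 12 characters and mix more character types.', $bits)
        );
    }
}, 10, 3);
```

Worked through the formula: 8 characters from all four classes (alphabet 95) come to about 52 bits, while a 16-character password from the same alphabet reaches about 105 bits, which is why length beats complexity rules.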

Tip #3. Implement a reCAPTCHA

Wall bots off from your WP blog.

reCAPTCHA was designed to stop automated tools from working on a site. Given the CAPTCHA-solving services available today it can be bypassed, but it raises the cost of automated brute-force attempts enough to be worth the added layer. Two caveats: the response token must be verified server-side with your secret key (a widget that is only checked in the browser is bypassed by posting directly to wp-login.php), and a CAPTCHA on the login form does nothing for logins made through xmlrpc.php, so disable XML-RPC if nothing you use needs it.

There are a number of reCaptcha plugins you can use with your installation that will work pretty much out of the box.
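As an added example (not code from the article or any particular plugin), this is the server-side half that such a plugin must contain: it renders the reCAPTCHA v2 checkbox on wp-login.php, sends the token to Google's siteverify endpoint with the secret key, and rejects the login if verification fails or cannot be reached. It assumes RECAPTCHA_SITE_KEY and RECAPTCHA_SECRET_KEY are defined in wp-config.php and the file lives in wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: reCAPTCHA on wp-login.php (added example, not from the article)
 * Assumes define('RECAPTCHA_SITE_KEY', ...) and define('RECAPTCHA_SECRET_KEY', ...)
 * in wp-config.php. Place in wp-content/mu-plugins/.
 */

// Load the widget script and render the v2 checkbox inside the login form.
add_action('login_enqueue_scripts', function () {
    wp_enqueue_script('recaptcha', 'https://www.google.com/recaptcha/api.js', [], null);
});
add_action('login_form', function () {
    printf('<div class="g-recaptcha" data-sitekey="%s"></div><br>', esc_attr(RECAPTCHA_SITE_KEY));
});

/**
 * Ask Google whether the response token is genuine. The widget in the
 * browser proves nothing by itself; only this call with the secret key does.
 * Fails closed: any transport error or unexpected answer counts as invalid.
 */
function mu_recaptcha_valid(string $token, string $remote_ip): bool {
    if ($token === '') {
        return false;
    }
    $resp = wp_remote_post('https://www.google.com/recaptcha/api/siteverify', [
        'timeout' => 5,
        'body'    => [
            'secret'   => RECAPTCHA_SECRET_KEY,
            'response' => $token,
            'remoteip' => $remote_ip,
        ],
    ]);
    if (is_wp_error($resp) || wp_remote_retrieve_response_code($resp) !== 200) {
        return false;
    }
    $data = json_decode(wp_remote_retrieve_body($resp), true);
    // Also check the hostname Google saw, so a token solved on another
    // site with the same keys cannot be replayed here.
    return is_array($data)
        && !empty($data['success'])
        && isset($data['hostname'])
        && $data['hostname'] === parse_url(home_url(), PHP_URL_HOST);
}

// Reject the login before WordPress even checks the password.
add_filter('wp_authenticate_user', function ($user) {
    if (is_wp_error($user)) {
        return $user;
    }
    $token = (string) ($_POST['g-recaptcha-response'] ?? '');
    if (!mu_recaptcha_valid($token, (string) ($_SERVER['REMOTE_ADDR'] ?? ''))) {
        return new WP_Error('recaptcha_failed', 'Please complete the CAPTCHA and try again.');
    }
    return $user;
});

// The form is not the only way in: XML-RPC accepts the same credentials
// without any CAPTCHA (and system.multicall batches many guesses per
// request). Turn it off unless something you use depends on it.
add_filter('xmlrpc_enabled', '__return_false');
```

Because the check runs in the wp_authenticate_user filter, it also applies to password logins made through other channels that end up in the same code path, which is the fail-closed behaviour you want; if the mobile app or a desktop client needs XML-RPC, leave the last filter out and rate-limit that endpoint instead.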

Tip #4. Use Two-factor Authentication (2FA)

2FA is an authentication method that requires a second proof of identity on top of your password. For example, once you've entered your username and password, the system might send an SMS to your mobile phone, email you a code you need to enter, or ask for the code currently shown by an authenticator app. App-generated codes (TOTP) or a hardware security key are preferable to SMS and email, which can be intercepted or redirected.

This method of authentication offers good protection and is used by many banks and financial institutions today. Again, this need can easily be met with a 2FA plugin.

See how miniOrange (a 2FA plugin) works with WordPress login in the following video.

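As an added example (not code from the article or from miniOrange), here is what such a plugin does under the hood for app-generated codes. It implements RFC 6238 time-based one-time passwords on top of RFC 4226 HOTP and checks the code on the standard login form, going a little beyond the text, which only mentions SMS and email codes. The user-meta key mu_totp_secret and the form field name are this example's assumptions; the file belongs in wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: TOTP second factor (added example, not from the article)
 * Assumes each enrolled user's base32 secret is stored in user meta
 * 'mu_totp_secret'. Place in wp-content/mu-plugins/.
 */

// Authenticator apps share secrets as RFC 4648 base32; decode to raw bytes.
function mu_base32_decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(rtrim(strtoupper($b32), '=')) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $raw = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {
            $raw .= chr(bindec($byte));
        }
    }
    return $raw;
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
// "dynamic truncation" takes 4 bytes at an offset given by the last nibble.
function mu_hotp(string $key, int $counter, int $digits = 6): string {
    $mac = hash_hmac('sha1', pack('J', $counter), $key, true);
    $offset = ord($mac[19]) & 0x0f;
    $code = ((ord($mac[$offset]) & 0x7f) << 24)
          | (ord($mac[$offset + 1]) << 16)
          | (ord($mac[$offset + 2]) << 8)
          |  ord($mac[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// TOTP (RFC 6238): the counter is the number of 30-second steps since the epoch.
function mu_totp(string $key, int $time, int $step = 30, int $digits = 6): string {
    return mu_hotp($key, intdiv($time, $step), $digits);
}

// Accept the current step and one either side to tolerate clock drift,
// comparing in constant time so timing does not leak how close a guess was.
function mu_totp_verify(string $key, string $code, int $now, int $window = 1): bool {
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(mu_totp($key, $now + $i * 30), $code)) {
            return true;
        }
    }
    return false;
}

// Add the code field to wp-login.php.
add_action('login_form', function () {
    echo '<p><label>Authentication code<br>'
       . '<input type="text" name="mu_totp_code" autocomplete="one-time-code" inputmode="numeric" class="input"></label></p>';
});

// Check the code for enrolled users before WordPress checks the password.
add_filter('wp_authenticate_user', function ($user) {
    if (is_wp_error($user)) {
        return $user;
    }
    $secret = (string) get_user_meta($user->ID, 'mu_totp_secret', true);
    if ($secret === '') {
        return $user; // user not enrolled in 2FA
    }
    $code = preg_replace('/\D/', '', (string) ($_POST['mu_totp_code'] ?? ''));
    if (!mu_totp_verify(mu_base32_decode($secret), $code, time())) {
        return new WP_Error('totp_failed', 'The authentication code is incorrect.');
    }
    return $user;
});
```

You can sanity-check the arithmetic against RFC 6238 Appendix B: with the raw key "12345678901234567890" and time 59, mu_totp() yields 287082, the last six digits of the published value 94287082. A production plugin additionally stores the secret encrypted, remembers the last accepted time step so a captured code cannot be replayed inside the window, and rate-limits attempts; the six-digit space is small enough that unlimited guessing defeats it.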

Tip #5. Rename your login URL

Most hackers will attempt to log in through the default WordPress login page, sample.com/wp-login.php (sample.com/wp-admin redirects there when you are not logged in).

To add another layer of protection, change the login page URL quickly and effortlessly with a tool like WPS Hide Login. This only hides the form from scanners that look for the default path; it is no substitute for a strong password and 2FA, and it does not affect xmlrpc.php.

Tip #6. Protect your wp-admin directory

Add an extra layer of security to your wp-admin directory.

The wp-admin directory is the heart of your WordPress installation. As an additional safeguard, password-protect this directory at the web server level (HTTP basic authentication), so an attacker needs a second, unrelated password before even reaching the WordPress login form.

To do so, log in to your hosting account control panel. Whether you use cPanel or Plesk, the option you're looking for is 'Password-protect Directories'. One caveat: wp-admin/admin-ajax.php is called from the public side of many themes and plugins, so exclude that one file from the password prompt or those features will break for visitors.
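For reference, as an added example (not from the article), this is the wp-admin/.htaccess that 'Password-protect Directories' produces on an Apache host, plus the admin-ajax.php exception that the control panel does not add for you. The credential path and user name are placeholders; create the file with htpasswd outside the web root.

```apache
# wp-admin/.htaccess (added example): HTTP basic auth in front of the dashboard.
# Create the credential file outside the web root first, e.g.
#   htpasswd -c /home/example/.htpasswd adminuser
AuthType Basic
AuthName "Restricted"
AuthUserFile /home/example/.htpasswd
Require valid-user

# admin-ajax.php is requested by themes and plugins on behalf of anonymous
# visitors (search, forms, load-more buttons). Let it through without a prompt.
<Files admin-ajax.php>
    # Apache 2.4
    Require all granted
    # Apache 2.2 (ignored by 2.4 unless mod_access_compat is loaded)
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
```

Use a user name and password for this prompt that differ from your WordPress credentials; the point is that the two layers fail independently.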

Tip #7. Use SSL to encrypt data

HTTP vs HTTPS connection (Source: Sucuri)

Aside from the site itself, you'll also want to safeguard the connection between you and the server, and this is where SSL (more precisely TLS, the protocol behind HTTPS) comes in to encrypt your communications. With an encrypted connection, an attacker on the network cannot read or tamper with data (such as your password or login cookie) as it travels between you and the server. Once the certificate is in place, make WordPress actually use it: set the site URL to https://, force the dashboard and login onto HTTPS so the auth cookies are only ever sent encrypted, and redirect plain HTTP to HTTPS.

Aside from this, it's also good practice to implement SSL now, since browsers and search engines increasingly flag or penalize sites they consider 'not secure'. Free certificates are available from Let's Encrypt.

Learn more about SSL in our comprehensive A-Z Guide to SSL.

Tip #8. Ensure ALL your software is up to date

No matter how good or expensive software is, new weaknesses will always be found that leave it open to exploitation. WordPress is no exception, and the team constantly releases new versions with fixes and updates.

Hackers almost always seek to take advantage of known weaknesses, and a known exploit that is left unfixed is simply asking for trouble. This goes doubly for plugins, which are often created by much smaller teams with fewer resources.

If you're using plugins, make sure that updates are released regularly, or consider finding one with similar functionality that is kept updated. Delete plugins you no longer use rather than just deactivating them: a deactivated plugin's files are still on the server and can still be reachable.

Having said this, I do NOT recommend blanket automatic WordPress and plugin updates, especially on a live site. Some updates may cause problems, whether internally or through conflicts with other plugins and settings. The one exception worth keeping is the default behaviour: since version 3.7, WordPress installs minor (security and maintenance) releases automatically, and those are the releases that close actively exploited holes.

Ideally, create a staging environment that mirrors your live site and test updates there. Once you're sure everything works, apply the update to the live site.

Control panels such as Plesk give you the option to create a site clone for this purpose.
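Tips 7 and 8 both come down to a few lines in wp-config.php. Here they are as an added example (not from the article): the HTTPS constants, the forwarded-protocol fix you need when TLS terminates at a CDN or proxy, the update policy described above, and the file-editor switch that turns an admin session into a PHP shell if left on. example.com and the proxy assumption are placeholders for your own setup.

```php
<?php
// wp-config.php hardening constants (added example, not from the article).
// Put these above the "/* That's all, stop editing! */" line.

// Tip 7: serve the dashboard and login over HTTPS only; WordPress then
// sets its auth cookies "secure" so they are never sent over plain HTTP.
define('FORCE_SSL_ADMIN', true);
define('WP_HOME',    'https://example.com');   // assumed site URL
define('WP_SITEURL', 'https://example.com');

// If TLS terminates at a CDN or reverse proxy (see Tip 9) and the origin
// speaks plain HTTP, WordPress sees HTTP and FORCE_SSL_ADMIN redirects in a
// loop. Trust the forwarded-protocol header ONLY if the proxy overwrites it
// on every request; if a client can set it, this line defeats the HTTPS check.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// Tip 8: keep automatic installation of minor (security) core releases,
// the WordPress default, but not major versions, which you test on staging
// first. Set to false only if you really update by hand within hours of a release.
define('WP_AUTO_UPDATE_CORE', 'minor');

// Remove the theme/plugin file editor from the dashboard. Without this, any
// attacker who obtains an administrator session has a PHP editor built in.
define('DISALLOW_FILE_EDIT', true);
```

After changing WP_HOME and WP_SITEURL, add a redirect from http:// to https:// at the web server (or through the CDN) so old links never land on the unencrypted site; FORCE_SSL_ADMIN covers only wp-admin and wp-login.php.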

Tip #9. Make use of a Content Distribution Network (CDN)

While this might not save your site from being hacked, it does help mitigate attacks against it. Some hackers aim to bring down websites, making them inaccessible to the public. A CDN helps cushion the blow of a Distributed Denial of Service (DDoS) attack by absorbing the traffic across its network. Two things to get right: restrict your origin server so traffic can only arrive through the CDN (otherwise an attacker who finds the origin IP simply goes around it), and make WordPress and any login-limiting plugin read the real visitor address from the header the CDN sets, since otherwise every request appears to come from the CDN's own addresses.

Aside from that, it also speeds up your site a little by caching some content. To explore this option, look at Cloudflare as an example. Cloudflare offers CDN services at multi-tiered pricing levels, so you can even use basic features for free. https://www.cloudflare.com

Tip #10. Backup, backup and backup!

No matter what security measures you take or how cautious you are, accidents happen. Save yourself from a crushing heartbreak and hundreds of hours of work by simply making sure you have adequate backups in place.

Normally your web host will provide some basic backup features at least, but if you're paranoid like me, always make sure you carry out your own independent backups, stored somewhere other than the server itself (a backup that lives next to the site is lost, or encrypted, along with it). Backing up is not as simple as copying out some files; the database holds your posts, users and settings and must be dumped too. And test a restore once in a while: a backup you have never restored is only a hope.

Look for a backup solution that's tried and proven. Even a small investment is worth it to save the tears in an emergency. Something like BackupBuddy can save everything, including your database, in one go.

Bonus Tip: Your web host counts!

Although web hosting companies traditionally just offered space to host our websites, times have changed. Recognizing the need for better security, many providers now offer value-added security services to complement their hosting.

Take HostGator, for example, one of the more established names in the game. Aside from basic Cloudflare features, HostGator (at $10+/mo) also comes with Spam Free Protection, Automated Malware Removal, Automated Backups, Domain Privacy and more.

Managed WordPress hosting provider Kinsta runs hardware firewalls and actively monitors its servers for malware and DDoS attacks with its custom-built system.

If this hasn't occurred to you yet, I highly encourage you to look at what security features your host provides and compare them with what's currently available.

For a comprehensive list you can check out WHSR’s compilation of web hosts here.

Now what?

Before you run wild and start scouring the Internet in a panic for a million and one security solutions, take a deep breath. As with everything else, someone will have panicked before you and already looked for a solution.

Even if you implement as many security solutions as you can find, are you sure you’re safe?

Here's where something like Security Ninja comes in: a plugin that probes your site for weaknesses.

Quick demo: How Security Ninja works.

There are a couple of compelling reasons to use something like Security Ninja, but let me say that it's a tool I recommend using at multiple stages of your journey to secure your site.

First, run it on your website ‘as is’ – before making any changes. Let the plugin poke and prod your site before giving you the results.

Then, based on those results, work towards securing your site. Security Ninja performs more than 50 tests to probe your defences. After you've made your changes, run it again (and every time there are site changes or plugin updates) to re-test your site.

If this sounds like a little too much work for you, Security Ninja also comes with a host of additional modules (pro version, single site $29) that can help you fix the problems it finds.

Some other key features in these modules include:

  • Scan WP core files to identify problematic files
  • Restore modified files with one click
  • Fix broken WP auto-updates
  • Ban 600 million bad IPs collected from millions of attacked sites
  • The IP list updates itself; no maintenance or manual work needed
  • Protect login form from brute-force attacks

Final Thoughts

While all of this may seem a little excessive to the average WordPress user, I assure you that all of it (and more) is necessary. Ignoring the worldwide hacking statistics for a moment, let me share some personal information on one of the most obscure sites I help manage.

It started off as a simple biography site, www.timothyshim.com. Obviously, it was just something I set up and mostly leave alone, simply as a reference point. In any given month, this site, which basically does nothing and collects no data, faces over 30 attacks, a mix of brute-force and more complex ones.

All it needs is for one of them to succeed and I’d be having a really bad day.

Article by Timothy Shim

Timothy Shim is a writer, editor, and tech geek. Starting his career in the field of Information Technology, he rapidly found his way into print and has since worked with International, regional and domestic media titles including ComputerWorld, PC.com, Business Today, and The Asian Banker. His expertise lies in the field of technology from both consumer as well as enterprise points of view.
