Security Tips For WordPress Websites
WordPress powers millions of websites and blogs around the world, largely because it is simple to set up and easy to use. That popularity also makes it a favourite target: WordPress sites are attacked and compromised every day. This is not because WordPress is unusually flawed, but because its installed base is so large that attackers can scan for and exploit sites at scale, and the sites that fall are most often those running outdated core, plugin or theme code, or protected by weak credentials.
If you are a WordPress user, though, there is no need to panic. By following a few simple steps you can harden your website within minutes and cut your exposure to the automated attacks that account for most compromises. No site is ever completely unhackable, which is why the later tips on monitoring and backups matter just as much.
In this article, I will be discussing some simple hardening and security tips for WordPress users.
Basic Tips
First up, let us focus on certain basic points that you must consider and bear in mind, irrespective of the configuration or nature of your WordPress site.
- Always run current software. Keep your WordPress installation up to date and, just as importantly, update your plugins and themes regularly: most WordPress vulnerabilities are found in plugins and themes rather than in core. WordPress installs minor core releases (which is where security fixes ship) automatically by default; leave that enabled. If a plugin or theme has not been updated in a long time, say a year or two, or the WordPress.org directory warns that it has not been tested with recent releases, avoid it, because nobody is fixing its bugs.
- Use strong, unique passwords (a password manager makes this painless), and do not use the default “admin” username for the administrator account. Usernames are not secret, since author archive URLs and the REST API reveal them, so the password is what actually protects the account; “admin” simply saves an attacker the guess. WordPress does not let you rename an existing user from the dashboard: create a new administrator, log in as that user, then delete the old one and attribute its content to the new account.
- When installing WordPress, consider changing the default wp_ table prefix to something less obvious, say tr_ or a random string. Be clear about what this buys you: it defeats only the laziest automated SQL injection payloads that hard-code wp_users and wp_options, since an attacker with a working SQL injection can read the real table names from information_schema. Treat it as a minor obstacle, not a defence, and never as a substitute for updating.
- Cut down on the number of themes and plugins you have installed. If you need a theme or plugin, you will have to install it, but if you do not need one, delete it. Many users get into the habit of deactivating a plugin and then forgetting about it, since storage is rarely a constraint on modern hosting plans. However, an inactive plugin is still code sitting in your web root: its PHP files can usually be requested directly by URL, so a vulnerability in a file that runs outside WordPress's loading sequence is exploitable whether the plugin is active or not, and an unused plugin is the one you are least likely to keep patched. Delete what you do not use.
- Review the file permissions on your installation. You can do this from cPanel's File Manager or over SSH. WordPress.org's documentation on changing file permissions explains the reasoning in detail; the short version is that directories should be 755, files 644, and wp-config.php stricter still, and that nothing should be writable by the web server unless it has to be. Never set 777 to make an error go away.
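As an added example (not part of the original article), here is a small POSIX shell script that applies the permissions WordPress.org recommends, directories 755, files 644 and wp-config.php 440, and then audits a tree for anything looser. The install path is an assumption; run it as the account that owns the files. On hosts where the web server runs as a different user than the site owner, wp-content/uploads may legitimately need group write, so treat the audit output as a list to review rather than a verdict.

```sh
#!/bin/sh
# Added example, not from the original article: apply the WordPress.org
# recommended permissions (dirs 755, files 644, wp-config.php 440) and
# audit a tree for anything looser. The paths are assumptions.

# Apply the recommended modes to every directory and file under $1.
harden_wp_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php holds the database credentials and salts: owner and
    # group may read it, nobody else, and nobody needs to write it at runtime.
    if [ -f "$root/wp-config.php" ]; then
        chmod 440 "$root/wp-config.php"
    fi
}

# Report files or directories writable by group or world, and a
# world-readable wp-config.php. Returns 0 only when nothing is reported.
audit_wp_perms() {
    root="$1"
    loose=$(find "$root" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$loose" ]; then
        printf 'WRITABLE by group or world:\n%s\n' "$loose"
    fi
    exposed=$(find "$root" -name wp-config.php -perm -004 -print)
    if [ -n "$exposed" ]; then
        printf 'WORLD-READABLE: %s\n' "$exposed"
    fi
    [ -z "$loose" ] && [ -z "$exposed" ]
}

# Usage: sh wp-perms.sh /var/www/html          (audit only)
#        sh wp-perms.sh /var/www/html --fix    (apply, then audit)
if [ -n "$1" ]; then
    if [ "$2" = "--fix" ]; then
        harden_wp_perms "$1"
    fi
    if audit_wp_perms "$1"; then
        echo "OK: $1 matches the recommended permissions"
    fi
fi
```

Run the audit first and read the output before using --fix: anything reported as writable is either a mistake to correct or a directory the web server genuinely writes to, and you want to know which before changing it.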
More Advanced Tips
Use a Security Plugin
There are numerous specialized security plugins for WordPress, both free and premium. If your business depends on your website, if you are truly paranoid about security (which is not a bad thing to be), or if you need something particularly feature-rich, a paid plugin is a reasonable choice. Otherwise, the free plugins are capable enough to block most of the automated attacks a typical site sees. Keep in mind that a plugin runs inside WordPress and can only act on requests that reach PHP; it is a useful layer, not a substitute for keeping your software updated.
For securing WordPress, my personal favorite has always been Wordfence Security. The free version includes a web application firewall, a malware scanner that compares core, plugin and theme files against the WordPress.org originals, login brute-force protection, alerts about outdated plugins and themes, and live traffic monitoring.
Alternatively, you can go with BulletProof Security or iThemes Security (since renamed Solid Security). These plugins overlap heavily, and each adds its own resource consumption and request-handling code, so pick one of the three, not all three: two security plugins fighting over login handling or firewall rules cause problems rather than prevent them.
Use Only Quality Software
Download plugins and themes only from reputable sources. Many WordPress security blogs are quick to recommend “premium only” as a simple way of avoiding poorly coded themes and plugins, but price is not a proxy for code quality: a well-coded plugin is well-coded whether it is free or paid, and expensive plugins have had serious vulnerabilities too.
The official WordPress.org repository is the best place to look for clean code that is not home to malware; every plugin there is publicly reviewable, and plugins with known unpatched vulnerabilities get closed. For premium themes or plugins, pick ones with good reviews that have been around for a while, say at least six months. Whatever you do, never install “nulled” copies of premium products from unofficial sites: they are a classic delivery vehicle for backdoors.
Additional Useful Plugins
There are many more steps you can take to further secure your WordPress website. These are best decided case by case: pick a solution when you are facing the problem, or have good reason to worry about it, rather than installing everything at once.
If your wp-login page is being targeted by brute-force attacks, that is, repeated attempts to guess your password, you may wish to lock it down. Wordfence has a built-in feature to block an IP address after a given number of failed attempts, and dedicated plugins such as Login LockDown do the same job. Two caveats apply to any IP-based lockout. First, if your site sits behind a CDN or reverse proxy, the plugin must be configured to read the real client address from the forwarded headers, or it will block the proxy and lock everyone out. Second, wp-login.php is not the only door: xmlrpc.php accepts a username and password too, and its system.multicall method lets an attacker try many passwords in a single request, so block or rate-limit it as well if you do not use it.
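To show what a lockout plugin is actually counting, here is an added example (not from the original article, and not the code of any plugin named above) that finds the addresses hammering wp-login.php or xmlrpc.php in a standard combined-format access log. It relies on two observable facts: a failed wp-login.php POST re-renders the form with HTTP 200 while a successful one redirects with 302, and xmlrpc.php answers 200 either way, so every POST to it is counted. The log path, the threshold and the sample log (built from RFC 5737 documentation addresses) are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original article: find IP addresses hammering
# wp-login.php or xmlrpc.php in a combined-format access log. POST + 200 on
# wp-login.php is a failed login (success redirects with 302); any POST to
# xmlrpc.php is counted. Log format and sample addresses are constructed.

# Print "count ip" for every address with at least $2 suspicious requests.
find_bruteforce_ips() {
    log="$1"
    threshold="${2:-10}"
    awk -v t="$threshold" '
        $6 == "\"POST" && (($7 ~ /^\/wp-login\.php/ && $9 == "200") ||
                           $7 ~ /^\/xmlrpc\.php/) { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= t) print hits[ip], ip }
    ' "$log" | sort -rn
}

# Append one constructed combined-format line to the log at $1.
logline() {
    printf '%s - - [10/Mar/2024:12:%02d:00 +0000] "%s %s HTTP/1.1" %s 3921 "-" "Mozilla/5.0"\n' \
        "$2" "$3" "$4" "$5" "$6" >> "$1"
}

# Write a constructed sample log: one password-guessing client, one client
# abusing XML-RPC, and one legitimate user who mistypes twice then succeeds.
write_sample_log() {
    : > "$1"
    i=0
    while [ "$i" -lt 8 ]; do
        logline "$1" 203.0.113.7 "$i" POST /wp-login.php 200
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 6 ]; do
        logline "$1" 192.0.2.44 "$i" POST /xmlrpc.php 200
        i=$((i + 1))
    done
    logline "$1" 198.51.100.9 10 GET  /wp-login.php 200
    logline "$1" 198.51.100.9 11 POST /wp-login.php 200
    logline "$1" 198.51.100.9 12 POST /wp-login.php 200
    logline "$1" 198.51.100.9 13 POST /wp-login.php 302
    logline "$1" 198.51.100.9 14 GET  /wp-admin/ 200
}

# Usage: sh wp-bruteforce.sh /var/log/apache2/access.log 20
if [ -n "$1" ]; then
    find_bruteforce_ips "$1" "${2:-10}"
fi
```

With a threshold of 5 the sample log yields 203.0.113.7 (8 failed logins) and 192.0.2.44 (6 XML-RPC posts) and ignores the user who got in on the third try. The output can be fed into your firewall or a deny list; the same proxy caveat applies here, since behind a CDN the first field of every line is the proxy's address and you would need to log the forwarded client address instead. This version counts over the whole file; a plugin counts over a sliding time window, which is the obvious refinement.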
If you want to keep an eye on site-wide activity (useful if you have several admin accounts, or simply are not comfortable digging through raw web server logs), install an activity-audit plugin that records logins, content changes, settings changes and similar actions together with the user and IP responsible. One such plugin is WP Security Audit Log, since renamed WP Activity Log. Note that WordPress itself keeps no such log: without a plugin, the only records you have are your web server and PHP logs.
Similarly, to scan your WordPress site you can rely on a plugin such as AntiVirus, which checks your site and its database for malicious code. Such scanners generally work by comparing your core, plugin and theme files against the originals in the WordPress.org repository and flagging anything that differs or should not exist, which a full security plugin such as Wordfence or BulletProof Security mentioned above also does. You can run the same comparison from the command line with WP-CLI (wp core verify-checksums, and wp plugin verify-checksums --all for plugins from the official directory), which has the advantage of not running inside a possibly compromised WordPress. You may also want an external service such as Sucuri SiteCheck, which inspects what your site serves to visitors and saves you an extra plugin; remember, though, that an external scan only sees what a visitor sees, not the files on disk.
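As an added example (not from the original article and not the code of any scanner named above), the following script reproduces the core of that comparison offline: it takes a manifest of md5 digests from a clean copy of the same WordPress or plugin version, then checks a live tree for modified, missing and added files. WP-CLI does this for you against the WordPress.org checksum API; building your own manifest from a clean download also covers premium plugins that have no public checksums. Paths and the sample files are constructed for illustration, and md5sum is assumed to be available (GNU coreutils or BusyBox).

```sh
#!/bin/sh
# Added example, not from the original article: a minimal version of the
# "compare against the originals" check that scanners perform. A manifest
# of md5 digests is taken from a clean copy of the same WordPress (or
# plugin) version; the live tree is then checked for modified, missing and
# added files. Paths and sample files are constructed for illustration.

# Print "md5  ./relative/path" for every file under $1, sorted by path.
make_manifest() {
    (cd "$1" && find . -type f -exec md5sum {} +) | LC_ALL=C sort -k2
}

# Compare the tree at $1 against the manifest file $2. Prints one line per
# difference; returns 0 only when the tree matches the manifest exactly.
# Added files matter as much as modified ones: dropped web shells are new.
verify_manifest() {
    root="$1"
    manifest="$2"
    (cd "$root" && find . -type f -exec md5sum {} +) | awk -v m="$manifest" '
        BEGIN {
            while ((getline line < m) > 0) {
                split(line, f, "  ")   # md5sum separates digest and path with two spaces
                want[f[2]] = f[1]
            }
        }
        {
            path = $2
            if (!(path in want))        { print "ADDED    " path; bad = 1 }
            else if (want[path] != $1)  { print "MODIFIED " path; bad = 1 }
            seen[path] = 1
        }
        END {
            for (p in want) if (!(p in seen)) { print "MISSING  " p; bad = 1 }
            exit bad
        }'
}

# Usage: build a manifest from a clean download once, then verify the site:
#   sh wp-integrity.sh manifest /tmp/wordpress-clean > wp-clean.md5
#   sh wp-integrity.sh verify   /var/www/html wp-clean.md5
case "$1" in
    manifest) make_manifest "$2" ;;
    verify)   verify_manifest "$2" "$3" ;;
esac
```

Keep the manifest somewhere the web server cannot write, otherwise an attacker who can change files can change the reference too. Expect legitimate differences in wp-content/uploads and in wp-config.php, which are never part of a clean download; the point is to explain every line of output, not to get an empty one.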
If you are the only admin on your site, or your fellow admins do not mind an extra step, two-factor authentication is probably the single most effective way to stop a stolen or guessed password from turning into a compromise. The Duo Two-Factor Authentication plugin is one option: you enter your password, then approve the login from your phone before you are let in. This naturally means keeping your phone at hand, and you can lock yourself out if the second factor is unavailable, so set up the recovery method the plugin offers before you depend on it. Also check whether your 2FA plugin covers XML-RPC logins, which otherwise accept a plain username and password with no second factor; if it does not and you do not need XML-RPC, block it.
Taken together, these measures will keep the overwhelming majority of automated attacks away from your site. They do not make it invulnerable, which is why monitoring and backups belong in the plan as well.
It goes without saying that the standard advice that applies everywhere, not just to WordPress, still holds: use a strong, unique password, and change it promptly if you have any reason to think it has leaked. Make sure the computer you administer the site from has up-to-date antivirus and a firewall; a keylogger on your laptop defeats every server-side control. And most importantly, ask your web host what versions of PHP, the web server and the database they run and how quickly they patch them: a good host applies security fixes promptly and isolates customer accounts from one another, so that a compromised neighbour on the same server cannot reach your files.
Finally, whatever your security strategy, back up both your files and your database regularly, keep copies off the server (a backup that lives next to the site is lost or encrypted along with it), and test a restore now and then: a backup you have never restored is a hope, not a plan. With that in place, even if things do go wrong you can get back to a known-good state quickly.