When launching a new website it’s easy to get carried away with crafting the perfect design and adding great content. For many, including myself, security is merely an afterthought.
However, every year attacks on WordPress websites grow in line with the platform's popularity.
More worryingly, 70% of WordPress websites have vulnerabilities that hackers could exploit. With minimal protection, that means your precious website could be a hacker’s next play-thing – scary, right?
Today I want to help you boost your WordPress website’s security with eleven simple tips you can implement right away. If you want to build a successful, sustainable website, protecting it is an absolute must.
So let’s dive straight in and beat those evil hackers!
1. Backup your WordPress website
All the security tips in today’s article will help you prevent your website from being compromised.
However, no website is 100% secure 100% of the time and, should the worst happen, you need to be prepared. This is why it is fundamentally important that all WordPress users regularly back up their website – it’s not the most glamorous thing in the world, but it’s a real lifesaver should something go wrong.
If you don’t back up your website, all of your content could be lost as a result of one successful attack – that could mean months of hard work down the drain.
However, if your website is regularly backed up, at least your efforts can be salvaged as your website can be fully restored in just a few minutes.
Most web hosts offer a daily backup service, but I recommend being doubly careful. Personally, I’d want to back up my website externally, too, by using iThemes’ BackupBuddy plugin.
The plugin lets you specify how frequently you want your website backed up, and BackupBuddy has a range of options for safe, off-site storage. The plugin also scans your website for malware, and your database to resolve common issues.
2. Update everything on your website
As well as adding new features, WordPress updates patch up known security vulnerabilities and other risks.
This means it’s critically important to keep the WordPress core up to date – if you don’t, those security weaknesses are still there to be exploited.
You might think that you only need to update WordPress when a major update comes along – for example, when WordPress 4.0 was updated to 4.1. Sure, this is when the majority of the new features are added, making them the more exciting updates, but it’s actually the minor updates – 4.1.0 to 4.1.1, for example – that generally address the bugs and glitches that can cause security concerns.
If you want to improve your website’s security, you need to make sure the latest version of WordPress is running on your website, at the very least – even if the latest update is only a minor one.
From WordPress 3.7 onwards, all maintenance and security updates are automatically installed, giving you one less thing to worry about.
But it’s not just the WordPress core that needs updating to improve security: you need to make sure your theme and plugins are up to date, too.
Security glitches can exist in themes and plugins, so always make sure your entire WordPress website is up to date to minimize security vulnerabilities.
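As an added example, not code from the original article, here is how the automatic-update behaviour described above can be configured in WordPress itself. The constant belongs in wp-config.php and the filters in functions.php or a small plugin; `WP_AUTO_UPDATE_CORE`, `auto_update_plugin`, `auto_update_theme` and `automatic_updates_complete` are WordPress's own names, while everything prefixed `example_` and the plugin slug `example-custom-plugin` are placeholders I made up.

```php
<?php
// wp-config.php: let core install minor (maintenance/security) releases on
// its own. 'minor' is the default from 3.7 onwards; true also installs major
// releases, false switches automatic core updates off entirely.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// functions.php or a small plugin: extend automatic updates to every installed
// plugin and theme, so a security fix does not wait for a manual click.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Optionally hold back one plugin that you want to test before each upgrade.
// 'example-custom-plugin' is a placeholder slug.
function example_hold_back_plugin( $update, $item ) {
    if ( isset( $item->slug ) && 'example-custom-plugin' === $item->slug ) {
        return false;
    }
    return $update;
}
add_filter( 'auto_update_plugin', 'example_hold_back_plugin', 10, 2 );

// Record the outcome of every automatic update run in the PHP error log, so a
// failed or unexpected upgrade is visible when you review the server logs.
function example_log_auto_updates( $results ) {
    foreach ( $results as $type => $items ) {
        foreach ( $items as $item ) {
            $name   = isset( $item->name ) ? $item->name : 'unknown';
            $status = ( true === $item->result ) ? 'ok' : 'FAILED';
            error_log( sprintf( 'Auto-update %s: %s -> %s', $type, $name, $status ) );
        }
    }
}
add_action( 'automatic_updates_complete', 'example_log_auto_updates' );
```

The constant must be defined in wp-config.php; defining it in a theme runs too late for the updater to see it. Automatic plugin and theme updates still depend on WP-Cron being triggered by site traffic (or a real cron job), so check the log entries rather than assuming the run happened.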
3. Hide your WordPress version
Leading directly on from point 2, because hackers know that old versions of WordPress are vulnerable – and often have well documented problems – this makes them the prime targets for attacks.
Even if it’s not immediately obvious, a quick look through the source files of a WordPress website is enough to reveal what version of WordPress is being used.
For example:
<meta name="generator" content="WordPress 4.0.1" />
After a few seconds, it is clear that this version of WordPress (taken from an anonymous website) is outdated. This means that there are security vulnerabilities to be exploited – yikes.
If you can’t ensure your WordPress website is consistently up to date, you can hide the version of WordPress you’re running, to ensure you aren’t attracting unwanted attention from the hackers.
All you need to do is add the following code to your functions.php file and you’ll erase all traces of your WordPress version from your website.
// functions.php: replace the generator string with nothing
function remove_version() {
    return '';
}
add_filter( 'the_generator', 'remove_version' );
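The snippet above removes the generator tag, but the same version number is also appended as a ?ver= query string to every stylesheet and script that WordPress enqueues without a version of its own. As an added example that goes beyond the article's snippet (my code, not the author's), the following functions.php code removes both. `the_generator`, `style_loader_src`, `script_loader_src`, `wp_parse_url`, `wp_parse_str` and `remove_query_arg` are WordPress functions and filters; `example_strip_core_version_query` is a name I chose.

```php
<?php
// functions.php: drop the generator tag from the page head and from feeds.
add_filter( 'the_generator', '__return_empty_string' );

// Strip "?ver=<core version>" from enqueued asset URLs. A plugin's or theme's
// own version string is left alone: it is useful for cache-busting and says
// nothing about the core version.
function example_strip_core_version_query( $src ) {
    global $wp_version;

    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( ! $query ) {
        return $src;
    }

    wp_parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === $wp_version ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'example_strip_core_version_query', 9999 );
add_filter( 'script_loader_src', 'example_strip_core_version_query', 9999 );
```

Hiding the version only removes the obvious signpost; the underlying code is unchanged, so this complements keeping WordPress updated rather than replacing it.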
For a more detailed explanation, check out the fantastic WPMU DEV tutorial on hiding your WordPress version.
4. Choose secure passwords
Alright, this one seems like common sense, but it’s one that many WordPress webmasters overlook.
When you pick simple, easy-to-guess passwords, you significantly increase the risk of your website being infiltrated by brute-force attacks – this is when hackers attempt to maliciously access your website by trying exhaustive combinations of letters and numbers to correctly guess your login credentials.
For example, it would take far fewer attempts to guess a password like “password123” than it would a secure password like “r1K!+#dVc*a?@zx,” right?
Make sure your password uses a combination of lowercase, uppercase, numbers, and symbols if you want to create something really secure – you can use a strong password generator for help.
WordPress even has its own built-in password strength indicator to help you choose a secure password. At the very least, your password should register as Strong.
I know what you might be thinking: how am I going to remember all of my complex passwords? It’s a nuisance, and probably why so many people opt for an easy-to-remember password. If you need help with remembering passwords, consider a password manager like LastPass – just make sure your master password is uber-secure!
For extra password security, it is well worth changing your password often.
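The built-in strength meter only advises; it does not stop a user from saving a weak password. As an added example (my code, not from the article), this functions.php snippet enforces the mix of lowercase, uppercase, digits and symbols recommended above on both the profile screen and the password-reset form. `user_profile_update_errors`, `validate_password_reset`, `WP_Error` and `wp_unslash` are WordPress's; the `example_` names and the 12-character minimum are my choices.

```php
<?php
// functions.php or a small plugin: reject passwords that fail a minimum
// policy wherever a user sets one.

define( 'EXAMPLE_MIN_PASSWORD_LENGTH', 12 );

// Return a list of human-readable problems; an empty array means the
// password passes the policy.
function example_password_problems( $password ) {
    $problems = array();

    if ( strlen( $password ) < EXAMPLE_MIN_PASSWORD_LENGTH ) {
        $problems[] = sprintf( 'Password must be at least %d characters long.', EXAMPLE_MIN_PASSWORD_LENGTH );
    }

    // Each character class the article recommends.
    $classes = array(
        '/[a-z]/'      => 'Password must contain a lowercase letter.',
        '/[A-Z]/'      => 'Password must contain an uppercase letter.',
        '/[0-9]/'      => 'Password must contain a digit.',
        '/[^a-zA-Z0-9]/' => 'Password must contain a symbol.',
    );
    foreach ( $classes as $pattern => $message ) {
        if ( ! preg_match( $pattern, $password ) ) {
            $problems[] = $message;
        }
    }

    return $problems;
}

// Both the profile form and the reset form post the candidate password as
// "pass1"; the hooks hand us the WP_Error collector as their first argument.
function example_enforce_password_policy( $errors ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // no password change in this request
    }
    $password = (string) wp_unslash( $_POST['pass1'] );
    foreach ( example_password_problems( $password ) as $problem ) {
        $errors->add( 'weak_password', $problem );
    }
}
add_action( 'user_profile_update_errors', 'example_enforce_password_policy' );
add_action( 'validate_password_reset', 'example_enforce_password_policy' );
```

Adding an error to the collector is enough: WordPress refuses to save the profile or complete the reset while the object holds any error, and shows the messages to the user.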
5. Use a secure username
During a WordPress installation you will be asked to provide an admin username. When put on the spot in this way, most of us will simply opt for the first thing that pops into our head – and it’s usually something basic, like “admin.”
Sure, this might be easy for you to remember, but it’s also the least secure username possible. It’s the first thing the bots will attempt during brute-force attacks, which essentially means that all they need to figure out is your password.
If you use a random combination of letters – or at the very least, not admin! – then you make life that much more difficult for the malicious bots: they have to work out the username and the password.
Of course, the solution to this problem is simple: when installing WordPress, just choose a more secure username.
Unfortunately for those of you already using the admin username, usernames can’t be changed from the WordPress dashboard. The easiest thing to do is to create a new account with administrator capabilities, log in to this new account, then delete the existing admin account. If you’ve already published posts under the admin username, don’t worry, as these posts can be attributed to your new username after the old account has been deleted.
6. Move your login page
As well as your username and password, there is one other thing brute-force attacks need to succeed: your login page.
During a default installation, WordPress uses the wp-admin and wp-login paths for your login page – for example, www.example.com/wp-admin. This is something few of us question, and even fewer of us bother to secure.
Knowing this one simple thing about WordPress means I can access the vast majority of WordPress website’s login pages. That probably doesn’t concern you much as I’m not going to hack your website (honest!), but if I can do it, so can the bots.
The good news: you can easily change the wp-admin URL, making it far more difficult to find your login page.
Simply install the HC Custom WP-Admin URL plugin, and you can change your login page to something more secure, say www.example.com/randomletters.
7. Hide your username
If you’ve followed the earlier advice, you’ll already have a more secure username – and definitely not admin.
However, using something obvious isn’t the only way bots can get hold of your username to launch malicious attacks on your website: they can also use your author archive URL – this can usually be accessed by clicking the author’s name in the author bio positioned right below an article.
The author archive URL, by default, will look something like this: www.example.com/author/johnsmith.
Care to take a guess at what this author’s username is? That’s right, it’s johnsmith, and with just a single mouse click the entire world has access to that author’s username.
If the bots have access to your username – whether it’s admin, johnsmith, or something seemingly secure like dwefegrthnj – it makes it far easier for them to hack into your account; all they need is the password.
However, this URL can be changed, and it’s all down to how WordPress populates this author field. WordPress uses a field called the user_nicename from within the WordPress database, which itself is automatically populated with the author’s username – that’s why, by default, the author archive displays your username.
If the user_nicename entry is changed, this will change the author archive URL so that it no longer displays your username – unfortunately, this can’t be done from the WordPress dashboard, though, and will require you to access your WordPress database using the phpMyAdmin tool.
Talking about WordPress databases can get a little intimidating for some, so I’ll try to keep things simple – this is actually a good introductory task if you haven’t manually accessed the database before.
After accessing your database using phpMyAdmin, you need to head to the table titled wp_users. On this screen, you will see a list of users, and somewhere in the table you’ll be able to see the user_nicename column. All you have to do is click the user_nicename, then edit it to something other than your username – note: don’t use spaces in this field, as this will cause a 404 error.
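If you would rather not edit the table by hand, the same change can be made through WordPress's own user API, which also takes care of the "no spaces" rule. This is an added example, not code from the article: `wp_update_user`, `sanitize_title`, `get_userdata` and `get_author_posts_url` are WordPress functions, while `example_set_author_slug` and the sample values are mine. Run it once (for instance as a temporary mu-plugin or with WP-CLI's `wp eval-file`) and then remove it.

```php
<?php
// One-off helper: give a user a public author slug unrelated to the login
// name, so the author archive URL no longer reveals the username.
function example_set_author_slug( $user_id, $new_slug ) {
    // sanitize_title() yields a lowercase, hyphenated, URL-safe slug, which
    // is exactly what user_nicename must contain (no spaces).
    $slug = sanitize_title( $new_slug );
    if ( '' === $slug ) {
        return new WP_Error( 'bad_slug', 'Slug is empty after sanitising.' );
    }

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'No such user.' );
    }

    // Refuse a slug that still equals the login name in any form.
    if ( $slug === strtolower( $user->user_login ) || $slug === sanitize_title( $user->user_login ) ) {
        return new WP_Error( 'same_as_login', 'Slug would still reveal the login name.' );
    }

    $result = wp_update_user( array(
        'ID'            => $user_id,
        'user_nicename' => $slug,
    ) );
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    // The archive now resolves to /author/<slug>/ instead of the username.
    return get_author_posts_url( $user_id );
}

// Usage with placeholder values: user ID 1 gets the slug "editorial-team".
// $url = example_set_author_slug( 1, 'editorial-team' );
```

WordPress appends a numeric suffix if another user already holds the chosen slug, so check the returned URL rather than assuming the exact value was applied. Existing links to the old /author/username/ URL will return a 404 afterwards, which is the intended effect.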
That’s all there is to it, but if you want a more detailed guide on how to manage your WordPress database, WPBeginner have a great tutorial on this.
8. Limit login attempts
Sticking with brute-force attacks for the moment, there is one last thing you can do to protect your website: limit the number of failed login attempts from the same IP range.
By securing your login credentials, you make it much more difficult for malicious bots and hackers to successfully guess your credentials – however, given enough time they can cover huge numbers of character combinations to improve their chances of getting in.
If you restrict the number of failed login attempts from any single IP address – or IP range – then you significantly reduce the effectiveness of brute-force attacks. This solution isn’t perfect, though, as some hackers will use different IP addresses, but it’s definitely a positive step that can boost your website’s security.
To limit login attempts, I would recommend the free Login Lockdown plugin, which locks out IP addresses making a number of failed login attempts in a short space of time – you can configure the number of failed attempts, timeframe, and lock out period yourself.
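To show what a plugin like that does under the hood, here is a minimal login throttle as an added example (my code, not Login Lockdown's). It counts failed logins per client address in a rolling window and refuses further attempts for a lockout period once the limit is hit. `wp_login_failed`, `authenticate`, `wp_login` and the transient functions are WordPress's; the `example_` names and the 5 attempts / 15 minute window / 30 minute lockout figures are my choices.

```php
<?php
/**
 * Plugin Name: Example Login Throttle (added example, not a published plugin)
 */

define( 'EXAMPLE_LT_MAX_ATTEMPTS', 5 );
define( 'EXAMPLE_LT_WINDOW', 15 * MINUTE_IN_SECONDS );
define( 'EXAMPLE_LT_LOCKOUT', 30 * MINUTE_IN_SECONDS );

// Transient key for this client. The address is hashed so the raw IP is not
// written into the options table. Behind a proxy or CDN, REMOTE_ADDR is the
// proxy's address; derive the client address from your proxy's trusted
// header instead before using this in production.
function example_lt_key( $kind ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'example_lt_' . $kind . '_' . md5( $ip );
}

function example_lt_is_locked() {
    return (bool) get_transient( example_lt_key( 'lock' ) );
}

// Count a failed attempt; start the lockout when the limit is reached.
function example_lt_record_failure( $username ) {
    if ( example_lt_is_locked() ) {
        return; // already locked; do not extend the lockout on every retry
    }
    $count = (int) get_transient( example_lt_key( 'fail' ) ) + 1;
    set_transient( example_lt_key( 'fail' ), $count, EXAMPLE_LT_WINDOW );

    if ( $count >= EXAMPLE_LT_MAX_ATTEMPTS ) {
        set_transient( example_lt_key( 'lock' ), time(), EXAMPLE_LT_LOCKOUT );
        delete_transient( example_lt_key( 'fail' ) );
        // Leave a trace for the server logs; the username is logged for
        // triage, the password never is.
        error_log( sprintf( 'Login lockout after %d failures (user "%s", ip hash %s)',
            $count, sanitize_user( $username ), substr( md5( $_SERVER['REMOTE_ADDR'] ), 0, 8 ) ) );
    }
}
add_action( 'wp_login_failed', 'example_lt_record_failure' );

// Runs after the core authentication filters (priority 20/30), so a locked
// client is refused even if the credentials were correct this time.
function example_lt_check_lock( $user, $username, $password ) {
    if ( example_lt_is_locked() ) {
        return new WP_Error( 'too_many_attempts',
            'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'example_lt_check_lock', 99, 3 );

// A successful login clears the failure counter for that client.
function example_lt_clear( $user_login, $user ) {
    delete_transient( example_lt_key( 'fail' ) );
}
add_action( 'wp_login', 'example_lt_clear', 10, 2 );
```

Two limits of this approach are worth knowing: several users behind one NAT address share a counter, and an attacker who rotates addresses gets a fresh counter each time, which is exactly the caveat the article raises. Throttling by username as well as by address, and alerting when many addresses fail against one account, are the usual next steps.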
9. Use a secure host
So far we’ve focused on things that you can do to bolster your website’s security.
However, over 41% of websites are actually hacked because of a vulnerability in their hosting service.
That’s right: your website’s biggest security weak spot could be your host. And, other than choosing the right host to begin with, there’s nothing you can do about that.
My advice is to make sure you use a reputable hosting service, rather than having your head turned by the cheapest – you get what you pay for in life.
It’s worth looking around and speaking to the different hosting providers to see how knowledgeable their staff are on security issues – particularly WordPress-specific problems – and what security features they have in place.
10. Disable the plugin and theme editor
If a brute-force attack is successful, and a hacker is able to gain access to your website, what damage could they do? Potentially a lot.
One of the worst things they could do would be to add malicious code to your website, which could potentially cause a lot of problems. Unfortunately, this is something that is really easy to do: it’s just two clicks away from the WordPress dashboard, simply by going to Appearance then Editor. With access to this area of the website, someone with an ulterior motive could seriously mess with your theme and therefore your website.
There is a simple solution, though: disable the plugin and theme editor.
This is easy enough to do, and just requires you to add the following code to your wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true );
Once the code has been inserted, even an administrator will be unable to edit your theme and plugins directly from the WordPress dashboard. If a hacker gets into your website, this will restrict the extent of the damage they can inflict.
11. Add a security plugin
If you want a final tip for improving your website’s security, consider installing an all-in-one WordPress security plugin on your site.
An all-in-one solution will protect your website in a variety of ways, and they’re an easy way to add one last layer of protection to your site.
WordPress security is a big thing these days, and that means there are plenty of security plugins out there – both free and premium ones.
My personal choice would be the iThemes security plugin – available in Lite and PRO.
The PRO version of the plugin will regularly scan and protect your website from malware, provide a list of things you can do to make your website more secure, and adds two-factor authentication to the login procedure – users will require a password and a code sent to their mobile device to log in.
It’s a great plugin, and can really shore up your WordPress defenses.
Final thoughts
So there you have it: 11 simple strategies you can use today to reduce your WordPress website’s security vulnerabilities.
I know, I know: there are more exciting things in the world than dealing with website security, but that doesn’t mean it is something you should ignore – I’d hate to see any of you lose months of hard work because security was the one thing you neglected.
Tighten your website’s security as a matter of importance, then you can get back to adding great content! After all, all these tips are quick and easy to integrate, and should take no more than a few minutes each. And, the more you use, the more secure your website will be – simple, eh?
Do you have any tips for improving WordPress security? Let us know in the comments section below!
Shaun Quarton is a freelance blogger from the UK, with a passion for online entrepreneurship, content marketing, and all things WordPress.