Let me just say it: WordPress is awesome. Millions of people have flocked to the platform and use it in their daily business.
However, there’s a dark side to the growing popularity of WordPress: Because it powers more and more websites, the number of hackers and other shady individuals who target WordPress is also steadily growing.
As a consequence, security is an increasing concern for all WordPress users. Yet, at the same time, it is a much neglected topic, because, quite frankly, many find it boring.
You know what else is boring? Health insurance. But just like WordPress security measures, you are glad it is there when you really need it. That’s why we will now take a look at how to keep your precious website safe and sound.
General security measures for WordPress
WordPress is, by nature, pretty sound in terms of security. Safety concerns are addressed regularly by the community; however, relying on others to do the work for you isn’t always enough. There are additional steps you can (and should) take to lock down your website.
1. Use a reliable hosting company
WordPress security is much more than having a good password. In fact, according to WP White Security, only 8% of hacked WordPress sites get hacked due to weak login information.
So, how did attackers get access to the other 92% of hacked WordPress sites? Vulnerable plugins and themes? Partially yes. Hacks of this kind account for 22% and 29% respectively. Yet, it’s still not the biggest culprit.
As it turns out, 41% of successful attacks on hacked WordPress sites happen through insufficient security on the server side. Therefore, it should come as no surprise that the first order of keeping WordPress safe is to use a reliable hosting provider that regularly updates their infrastructure and keeps security up to date.
2. Improve your login information
The fact that only 8% of hacks happen through weak passwords and user names is not an excuse to overlook it. Doing so opens the door for brute force attacks. Take the following steps to secure your login information:
Don’t use the ‘admin’ username!
Years ago, ‘admin’ was the standard for the primary administrator account. It was used in every WordPress installation and many people stuck with it. Hackers know this and therefore often target this user name directly.
Consequently, if you are installing WordPress on a new site, be sure to create a different user name. If you have a site with the admin name already in existence, create a new user with full administrator rights (and a different user name), log in as that user and delete your old admin account. Don’t forget to reassign content as necessary.
Create a secure password
It’s important to have a strong password. WordPress has become much better at telling you whether your password is sufficient or not, so heed its advice.
If you can’t come up with a strong password by yourself, there are services that can help you, such as Strong Password Generator, LastPass, or Norton Password Generator. And don’t forget to change it from time to time!
To force other people on your site to opt for better login information, use the plugin Force Strong Passwords. That way other people’s laziness does not become a security concern.
3. Stay up to date
You know this one already so I will cover it only briefly: Keep your WordPress website up to date! Each new version not only brings additional features and bugfixes, but also addresses known security concerns—so don’t skip them!
This is especially true for minor WordPress updates (recognizable through the third digit in its version number, e.g. 4.1.1). These are specifically made to combat security concerns that popped up in major updates. By now, WordPress automatically implements minor updates and you are well advised to leave it that way.
4. Be vigilant about plugin and theme usage
As you have seen from the numbers above, more than half of WordPress hacks happen through plugins and themes. These, therefore, warrant special attention:
Install as few plugins as possible
Every plugin is a potential security risk in case it is poorly coded or otherwise not up to par. For that reason you should try to limit the number of active plugins on your site. If you can go without it, do so, and remove the plugin. Getting rid of unused plugins is also a good way to speed up your WordPress website.
Keep themes and plugins up to date
What’s good practice for WordPress in general also extends to plugins and themes. Keep them up to date as you do the rest of your site. Be cautious of plugins that haven’t been updated in a long time—they may contain security risks.
To speed up the process, and if your theme supports it, adding the following lines to wp-config.php will enable automatic updates for plugins and themes:
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
Don’t use anything from unknown sources
Check themes for reliability
To check whether a theme is up to the latest development standards and practices, use the Theme Check plugin. You can do this directly from the admin area of your WordPress site.
5. Back up regularly
If your website does get hacked, you will be in a much better position with a backup at hand. There are plenty of services and plugins available to help you with this:
You might also want to look into the type of backup service your hosting provider has in place. Many offer daily backups, which can really save your skin (I’m speaking from experience).
6. Limit login attempts
Since we were talking about brute force attacks earlier: A good way to avoid these is to limit the number of login attempts users are allowed to perform before WordPress shuts them down.
Plugins like Login LockDown and Login Security Solution track failed attempts by IP and prohibit further ones if necessary. This functionality is also found in many of the all-in-one security plugins below.
7. Employ two-step authentication
To make these kinds of attacks even more difficult, you can install a two-step authentication process. That way users have to enter an additional credential, for example a code that has been sent to their mobile phone.
Here are some plugins for this:
- Duo Two-Factor Authentication
- Google Authenticator
- Two Factor Auth
- Clockwork SMS
- Stealth Login Page
Advanced technical trickery for increased WordPress security
Alright, now that we have the basic stuff out of the way, it is time to go a little deeper. In the following we will look at a few changes to make “under the hood” to keep your WordPress website safe.
8. Choose a custom table prefix
By default, WordPress applies the wp_ prefix to all database tables. Since this is well known, an attacker who gets as far as your database does not even have to guess the table names. Consequently, if you are making a fresh WordPress install, you should change this, preferably to something difficult to guess.
You can do the same for an existing WordPress website. In order to do so, you first need to open wp-config.php and scroll down to this entry:
$table_prefix = 'wp_';
After changing 'wp_' to your desired prefix, you then need to do the same inside your database. This can be done either via a plugin (e.g. iThemes Security) or manually via phpMyAdmin or a similar tool.
If you go the manual route, make sure you rename every table in your database (core and any additional tables) as well as the usermeta and options table. Here’s a handy article on this topic.
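An added shell helper, not from the article, that prints the SQL for the manual route described above; it assumes MySQL/MariaDB syntax, takes the tables by their unprefixed names, and wp_prefix_sql is an assumed name:

```shell
#!/bin/sh
# Prints the SQL for a prefix change: a RENAME TABLE for every table, plus
# the two places WordPress stores the prefix inside row *values* rather than
# table names: usermeta.meta_key (wp_capabilities, wp_user_level) and
# options.option_name (wp_user_roles). Forgetting those two UPDATEs locks
# every user out after the rename.
# Constructed example for MySQL/MariaDB; pass unprefixed table names, take
# a backup, and read the output before piping it into mysql.
wp_prefix_sql() {
    old="$1"; new="$2"; shift 2
    oldlen=${#old}
    for t in "$@"; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done
    # The usermeta and options tables already carry the new prefix here.
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE LEFT(meta_key, %d) = '%s';\n" \
        "$new" "$new" "$((oldlen + 1))" "$oldlen" "$old"
    printf "UPDATE \`%soptions\` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE LEFT(option_name, %d) = '%s';\n" \
        "$new" "$new" "$((oldlen + 1))" "$oldlen" "$old"
}

# Example: the WordPress core tables, moving away from the default prefix.
# wp_prefix_sql wp_ k3x9_ commentmeta comments links options postmeta posts \
#     term_relationships term_taxonomy termmeta terms usermeta users
```

Custom plugin tables are not listed here; add them to the argument list so they are renamed too.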
9. Add salts to wp-config
When scrolling down in the WordPress config file, you will stumble across these lines:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
These are security keys (sometimes also called ‘salts’) that WordPress uses to protect the information stored in user authentication cookies, so that it cannot be read or forged by someone who does not know them. To enhance security, WordPress has a handy salt generator that fills in the unique phrases with random characters that nobody should be able to guess.
Just click on the link and then copy and paste the generated code in place of the above lines. Click save, and you’re all done.
10. Set correct file permissions
By choosing correct file permissions on your server, you can prevent unauthorized uploading or modification of files. Permissions can be changed via an FTP client such as FileZilla. As for what they should be changed to:
- 755 or 750 for directories
- 644 or 640 for files
- wp-config.php should be set to 440 or 400
For additional information on file permissions for WordPress, please refer to the WordPress Codex.
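As an added helper (not from the article), a shell script that applies the scheme above on the server itself and reports anything left writable by group or others; it assumes GNU find and stat (Linux), and wp_set_perms, wp_mode and wp_find_loose_perms are assumed names:

```shell
#!/bin/sh
# Applies the permission scheme from the article to a WordPress install:
# 755 for directories, 644 for files, 440 for wp-config.php.
# Constructed helper; run it as the user that owns the files. Directories
# the web server must write to (e.g. uploads) may need a group-writable
# exception that this script deliberately does not add.
wp_set_perms() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    [ -f "$root/wp-config.php" ] && chmod 440 "$root/wp-config.php"
    return 0
}

# Octal mode of a path, for checking the result (GNU stat).
wp_mode() { stat -c '%a' "$1"; }

# Lists every file or directory still writable by group or others, which on
# a shared host would let other accounts modify your site (GNU find).
wp_find_loose_perms() {
    find "$1" -perm /022
}

# Usage on a real install:
# wp_set_perms /var/www/html && wp_find_loose_perms /var/www/html
```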
11. Disable the WordPress theme and plugin editor
The WordPress editor enables users to make changes to theme and plugin files directly from the WordPress backend.
However, should some shady individual gain access to the admin area, they could use this same feature to wreak serious havoc on your entire site. To keep this from happening, you can disable the editor by adding the following line to wp-config.php:
define( 'DISALLOW_FILE_EDIT', true );
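An added shell helper, not from the article, that covers steps 9 and 11 together on the server: it replaces every key or salt still set to the stock placeholder with a random 64-character value and adds DISALLOW_FILE_EDIT before the wp-settings.php include if it is missing; wp_harden_config and wp_random_phrase are assumed names, and /dev/urandom is assumed to be available:

```shell
#!/bin/sh
# Constructed helper: rewrites wp-config.php in place (keeping a .bak copy).
# Generates a 64-character value, excluding quote and backslash so the PHP
# single-quoted string literal stays valid.
wp_random_phrase() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=-' < /dev/urandom | head -c 64
}

wp_harden_config() {
    cfg="$1"
    cp "$cfg" "$cfg.bak"
    tmp=$(mktemp)
    # Only add DISALLOW_FILE_EDIT if the file does not define it already.
    grep -q 'DISALLOW_FILE_EDIT' "$cfg" && added=1 || added=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *"'put your unique phrase here'"*)
                # Keep the constant name, swap the placeholder for a random value.
                key=$(printf '%s' "$line" | sed "s/^define( *'\([A-Z_]*\)'.*/\1/")
                printf "define('%s', '%s');\n" "$key" "$(wp_random_phrase)"
                ;;
            *wp-settings.php*)
                # Constants must be defined before WordPress is loaded.
                if [ "$added" -eq 0 ]; then
                    printf "define( 'DISALLOW_FILE_EDIT', true );\n"
                    added=1
                fi
                printf '%s\n' "$line"
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$cfg" > "$tmp"
    mv "$tmp" "$cfg"
}

# Usage: wp_harden_config /var/www/html/wp-config.php
```

Any key that already carries a non-placeholder value is left alone, so running the script twice does not rotate your keys or duplicate the define.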
12. Block access to your wp-config file
An attentive reader might remark that adding stuff to wp-config.php is all fine and dandy, but what about protecting this vital file itself? Doesn’t that seem like an important thing to do?
Sure does; and luckily we can do just that by adding the following code to our .htaccess file:
<files wp-config.php>
order allow,deny
deny from all
</files>
One important note: This code has to be placed outside of the # BEGIN WordPress and # END WordPress tags. Anything within those tags can be rewritten by WordPress and is therefore likely to get lost during updates or changes to the permalink structure.
13. Remove the WordPress version
Earlier we talked about minor WordPress updates and how they address important security concerns. Since these are public knowledge, anyone can quickly find out vulnerabilities of older WordPress versions and exploit them.
This also means that if they can find out the version your website is running on, the weaknesses in your security will be completely obvious.
To avoid this scenario, users do well to hide the version of their site. This can be done via plugin or by manually adding the following line of code to your theme’s
All-in-one WordPress security plugins
Besides the above steps, there is also a number of security plugins available to fortify your website with a few simple clicks. In fact, many of them perform the exact steps laid out above, plus offer malware scans and other useful features. Here are a few community favorites:
- More than 30 ways of improving WordPress security
- Monitoring system for bots and file changes
- Pro version available
- Checks for vulnerable user login information (e.g. the ‘admin’ user name)
- Further login protection features
- Can change the default database prefix to custom
- Checks for correct file permissions
- Login monitoring and security
- Database backups
- Database prefix changer
- Additional features in the pro version
- Most downloaded security plugin for WordPress (800,000+ active installs)
- Source code scans for malware
- Two-factor authentication
- Strong password enforcement
- Implements WordPress security best practices
- Malware scanning
- Hides your WordPress version
- Restrict file access via .htaccess
WordPress security in a nutshell
Security is an often neglected part of running a WordPress website. It’s tedious and not necessarily something that many of us want to deal with. Unfortunately, its significance often becomes obvious only after things have already gone bad.
Taking extra precautions is well worth it, as recovering from a successful hacking attempt usually takes much more time and energy. Just following the aforementioned steps will put your site miles ahead. If you are looking for a weekend project, let this be it.
Do you have anything to add? Favorite plugins or hacks to make WordPress even stronger? Let us know in the comments.