WordPress security is often referred to as œhardening. Makes sense. After all, the process is like adding reinforcements to your castle. Its all about bolstering the gates and putting lookouts on every tower. But that term doesnt always allow you to realize the details that go into improving site security.
Even if youve done next to nothing to improve your sites security, its likely that you have at least a cursory familiarity with some popular tactics. Its also likely youve heard of a plugin or two that can get the job done. Were not going to be talking about those things today, however.
This article is going to focus more directly on the ways you can secure your sites admin, and more specifically than that, the ways that arent discussed over and over in every list out there. Because security is seriously important.
As WordPress continues to grow as a platform, security is not something you should neglect.
Did you know 73% of the popular sites that use WordPress were considered œvulnerable in 2013?
Or that of the top 10 most vulnerable plugins, five were commercial plugins available for purchase?
Worse yet, one of those five plugins was actually a securityplugin, which is just, well, pretty awful.
While the core installation of WordPress is very easy to use and relatively secure, the more you add on top of it via plugins, themes, and custom code, the more likely it is to be hacked. And the more users you add to any given installation, the likelihood increases further, still. Thats bad news all around for individuals and businesses, alike.
With that in mind, lets spend some time today exploring the 12 ways you can secure your sites backend to ensure your information (and that of your customers) remains safe.
What You Should Know Already
I know I just said that I wasnt going to talk about the more commonly referenced security solutions here, but just in case someone reading this isnt well-versed in WordPress, Id be remiss if I didnt at least list them out. Even if youre a WordPress pro, having this list to refer to can be helpful as you set about implementing security strategies on your sites.
Keep WordPress up-to-date. Something so simple can have a big impact on site security. Whenever you login to the dashboard and see that œUpdate available banner, click it and update your site. If youre worried about something breaking, make a backup before installing it. The important thing is that you do it, and with regularity. Information about any security holes that were fixed from the previous version are now available to the public, which means an out of date site is all the more vulnerable.
Keep plugins and themes up-to-date. Just as you update the WordPress Core regularly, you should also update plugins and themes. Each plugin and theme installed on your site is like a backdoor into your sites admin. Unless properly secured (vetted thoroughly, updated regularly, etc), plugins and themes are like an open door to your personal info.
Delete any plugins or themes youre not using. Along the same line of thinking as whats listed above, getting rid of any plugins or themes you dont need will reduce the likelihood of being hacked. If youre not using them, youre not going to want to update them, so its a much better idea to delete them. Read: Deactivating plugins isnt enough; you must actually click œDelete.
Only download plugins and themes from well-known sources. When you can, downloading plugins and themes from WordPress.org is actually your best bet since they will have been thoroughly scanned before being admissible to the Theme Directory or Plugin Directory. If you want a premium theme or plugin, only download them from reputable sources like Themeforest or from a highly respected developers website.
Change file permissions. Avoid configuring directories with 777 permissions. You should opt for 755 or 750, instead, according to WordPress.org. While youre at it, set files to 640 or 644 and wp-config.php to 600.
Dont use œadmin as a username. If youve already installed WordPress using œadmin as your username or something else very simple, you can change it by inputing an SQL query in PHPMyAdmin or by following the instructions laid out in our latest post on the subject.
Change your password often (and make it good). Random strings of letters and numbers are best. If you dont feel like coming up with something manually, you can use a password generator to accomplish the task like Norton Password Generator or Strong Password Generator.
Passwords have been given the special treatment for the upcoming version of WordPress 4.3 and will by strong by default.
Make sure your users establish strong usernames and passwords. Its all fine and well if you create a good username and password but if your users dont, your personal efforts wont matter and your site will be just as vulnerable.
Add two-step authentication. A really good way to prevent brute force attacks is to set up two-step authentication. This means a password is required plus an authorization code that is sent to your phone in order to login to your site. Often, the second login code is sent via SMS. Several plugins can be used to add this feature including Clef, Google Authenticator, and Duo Two-Factor Authentication.
Install a firewall on your computer. Its one extra step, yes, but easy to do. And once installed offers another layer of protection from hackers and security breaches. A few firewall software providers to check out include Comodo, Norton Internet Security, and ZoneAlarm Free Firewall.
Limit logins. The brute force attack is tactic #1 for hackers. If you let them, theyll try to login to your site over and over again until they crack your password. Thats why its called œbrute force because the onslaught is relentless. However, there are plugins that allow you to limit the number of times a person from a specific IP can attempt to login within an allotted period of time. The user is restricted from attempting to login again for a given period of time. Login LockDown is great for offering this feature but other plugins that offer a whole set of security features often include login limiting like iThemes Security and Sucuri Security.
Limit user access. Sometimes site security is run through the wringer because of something very simple: granting too many people access. A good rule of thumb is to only grant access to those who absolutely need it and even then, only give them the bare minimum of permissions to complete their assigned tasks. Giving all of your contributors administrative permissions is just asking for trouble.
Backup your site. I dont just mean every once in a while. I mean predictably on a schedule. Scheduled backups are an essential part of any sites security strategy because it ensures that if your site is compromised, youll be able to restore it to a version prior to the damage with ease. Choose an automated solution like VaultPress, BlogVault, BackupBuddy, or WordPress Backup to Dropbox for simple backups and with built-in restore options.
Check for theme authenticity and conduct security scans. Just as you install an antivirus software on your computer to check for malware, so too should you install a scanner on WordPress. A security scanner will check for malicious code in your plugins, core files, and plugins to ensure nothing has been tampered with. Several scanners exist that you may wish to consider including Sucuri Sitecheck, CodeGuard, Theme Authenticity Checker, and AntiVirus.
Now that weve brushed up on the things you should already know about securing a WordPress website, we can move on to some of the more obscure things as well as those that you just might not have thought of yet.
But first, make sure you create a child theme before making any changes to your functions.php file.
1. Cut Back on Plugin Use
I know I already mentioned in the list above that you should delete plugins and themes youre not using. But its worth noting that you should make an effort to limit the total number of plugins you install in the first place. To keep your site secure, you need to be scrupulous in the criteria you use to select plugins.
How many plugins do you really need?
This isnt just about security, either. Its about site speed and performance, too. Loading your site up with too many plugins can slow it down dramatically. So if your site can function without a particular plugin, skip it. Or, look for plugins that check off several items on your must-have features list. The fewer plugins you have, the fewer chances you give hackers to access your info.
2. Dont Download Premium Plugins for Free
Though I totally get what its like to be a business person on a budget, its just a bad idea overall to try to download premium plugins from anywhere other than where they are officially for sale.
Illegal versions of premium plugins usually contain malicious code.
Its lame to download pirated plugins anyway, but if you needed more of a deterrent than that, totally legitimate plugins are often corrupted with malware by the time they hit these illegal download sites. That means what was once a great premium plugin with excellent code is now a hackers direct line into your sites backend. And for what? All because you wanted to save a quick buck.
Skip the illegal downloads and torrents, people. Just dont do it.
3. Consider Automatic Core Updates
Ive already talked about the importance of updating your WordPress installation whenever a new version is released, but it bears repeating. In fact, if youre running an older version of WordPress than what is current, all of the security flaws in the version youre running is common knowledge to the public. That means hackers have that info, too, and can easily use it to attack your site.
Though minor updates install automatically, major ones still require approval.
But updating your site might not be enough, especially if you dont make site maintenance a regular habit. In these cases, the more automated you can make these tasks, the better. While I recognize its not for everyone, automatic updates might be a good option for those who want to take a more hands-off approach to site management but want a secure site, just the same.
Ever since WordPress 3.7, minor WordPress updates now happen automatically. But major updates are still something you need to approve. You can insert a bit of code into your wp-config.php file, however, to configure your site to install major core updates automatically.
It doesnt get much simpler. Just insert this in the file and major core updates will happen in the background without the need for your approval:
| # Enable all core updates, including minor and major: | |
| define( 'WP_AUTO_UPDATE_CORE', true ); |
Be warned, however, that auto updates can break your site, especially if youre running a plugin or a theme that isnt compatible with the latest version. Still, setting up the auto updates might be worth the risk if you dont regularly log into your site.
4. Set Plugins and Themes to Update Automatically
Now I realize this one also isnt for everyone, but its worth mentioning anyway. Typically, plugins and themes are things youll need to update manually. After all, updates are released at different times for each. But again, if youre not someone who makes site maintenance a regular thing, you may wish to configure automatic updates so everything stays current without necessitating your immediate intervention.
Automatic updates for plugins and themes are another thing you can configure by inserting a bit of code into wp-config.php. For plugins youll use:
| add_filter( 'auto_update_plugin', '__return_true' ); |
For themes, use:
| add_filter( 'auto_update_theme', '__return_true' ); |
5. Eliminate the Plugin and Theme Editor
If youre the kind of developer who routinely makes changes and tweaks to plugins and themes then you may want to disregard this section. But if you dont use the built-in plugin and theme editor in the WordPress dashboard on a regular basis, youre better off disabling it altogether.
Why? Because authorized WordPress users are given access to this editor and if their accounts are hacked, the editor can be used to take down an entire site just by modifying the code found there.
So you can remove this editor by inserting another bit of code into the wp-config.phpfile. Its another simple one:
| define( 'DISALLOW_FILE_EDIT', true ); |
6. Eliminate PHP Error Reporting
Beefing up your sites backend security has a lot to do with closing the holes or weak spots. Now, if a plugin or theme doesnt work correctly, it might create an error message. This is definitely helpful when troubleshooting, but heres the problem: these error messages often include your server path.
Hackers would only need to view your error reports to get your full server path, which means youd be handing them every nook and cranny of your website on a silver platter. No matter how helpful error reporting might be, its a better idea to disable it altogether. This ones another code snippet to be added to wp-config.php.
| error_reporting(0); | |
| @ini_set(˜display_errors, 0); |
7. Protect Your Most Pertinent Files Using .htaccess
If youre into WordPress security at all, youve heard of the .htaccess file before and have likely accessed it. Still, the changes you make in this one file can have such a huge impact on your entire sites security, I cant leave it off the list.
Why is this file so important? Its at the heart of WordPress and directly affects how your site structures permalinks and how it handles security. You can insert many different code snippets into the .htaccess file anywhere outside the #BEGIN WordPressand #END WordPress tags to modify what files are visible within your sites directory. These snippets are sourced directly from the WordPress Codex.
For starters, youll want to hide wp-config.php because its a central hub for your site and includes your personal info and many other details related to security. Hide it by adding this bit of code to .htaccess:
| <files wp-config.php> | |
| order allow,deny | |
| deny from all | |
| </files> |
You can also restrict admin access by creating a new .htaccess file and uploading it to the wp-admin directory. Youll then insert the following code:
| order deny,allow | |
| allow from 192.168.5.1 | |
| deny from all |
Insert your own IP address in the appropriate spot. You can allow access to wp-adminfrom multiple IP addresses by listing them out as allow from IP Address, each on a new line.
You can restrict access to wp-login.php in much the same way. Just add the following code into .htaccess:
| <Files wp-login.php> | |
| order deny,allow | |
| Deny from all | |
| # allow access from my IP address | |
| allow from 192.168.5.1 | |
| </Files> |
If you dont want to block every IP but your own and instead wish to just block specific people attempting to access wp-admin or wp-login.php, you can do so by blocking those IP addresses individually using this bit of code:
| order allow,deny | |
| deny from 456.123.8.9 | |
| allow from all |
Another way to prevent people from viewing your sites directories is to make them non-browsable. This simple bit of code will do the trick:
| Options All -Indexes |
There are many other ways to modify .htaccess to heighten your sites security as well”weve written on them extensively here”but these are just a few of the more important ones you should implement.
8. Hide Author Usernames
If WordPress defaults are left intact, its really easy to find out each authors username for your site. And since more often than not the main author of a site is also the administrator, its also easy to find out the admins username. Which isnt good. Anytime youre giving away info to hackers, you run the risk of seeing your site compromised.
According to DreamHost, its a good idea to hide the authors username to ensure you arent making the hackers job easier. To do this, all you need to do is add some code to your site. Once inserted, this code will make it so when someone inputs ?author=1 after your main URL, they wont be presented with the administrators information and will instead be sent back to your homepage.
Just copy and paste the following into your functions.php file:
9. Keep Track of Dashboard Activity
If you have many users on your site, it might be a good idea to keep track of what theyre doing on your dashboard. Not that you suspect them of any wrongdoing, but sometimes when you have a lot of people involved in your site, a simple misstep can cause something to break. Thats why logging dashboard activity is so useful “ it allows you to retrace your users steps up to the point of site breakage. You can even retrace your own steps.
This is also great for security because it allows you to connect the dots between a specific action and a specific reaction. So, if a certain uploaded file caused your site to break, you can investigate it further to see if it contained malicious code.
A great, free plugin option for checking over activity on your site.
Yes, WordPress logs this information automatically but its not easy to use. Its a much better idea to use a plugin to organize all of that data. So you can see if installing a certain plugin, making a specific code change, or uploading a file caused the issue youre dealing with. But even if youre not handling a site issue, being able to see what your users are doing on your site at all times can offer some peace of mind.
According to Pagely, a good plugin to check out is WP Security Audit Log. This free plugin maintains a log of everything that happens on your sites backend, so you can easily view both what users and hackers are doing. This plugin keeps track of everything from when a new user is created to file management to published post changes.
If that plugin doesnt do it for you, there are others available including Activity Logand Simple History that are well worth checking out.
10. Obscure the Login Page
Though security that focuses on obscurity isnt complete, its still an important part of your overall strategy. After all, hiding certain elements of your site wont prevent hackers from accessing them, but itll make it harder for them to get to. And thats good, right?
Lockdown and lockout intruders with this free plugin.
Relocating or renaming your login page is a quick way to make a hackers job harder. Brute force attacks are typically automated, so if your login page is anything different than www.websitename.com/wp-admin or www.websitename.com/wp-login.php then theyre going to have a really difficult time attacking. Many plugins are available that make this simple change for you including Lockdown WP Admin as well as several of the major WordPress security plugins.
11. Pick the Best Hosting You Can Afford
You can trick out your site all you want with all the latest security hacks but if you dont have a good hosting provider, your efforts arent going to matter all that much. In fact, security experts WP White Security reported that 41% of WordPress sites were hacked due to a security vulnerability on the host itself. Thats edging on half there, which means you need to do something about your hosting plan, ASAP.
If you want to use shared hosting, make sure your plan includes account isolation. This will prevent someone elses site on the server from affecting yours in any way. But I think its a much better idea to use a service thats catered directly toward WordPress, however. A managed hosting provider that specializes in WordPress is more likely to include a WP firewall, up-to-date PHP and MySQL, regular malware scanning, a server thats designed for running WordPress, and a customer service team that knows WordPress inside and out.
12. Keep Your Computer Up-to-Date, Too
Sometimes hackers can gain access to your site due to security vulnerabilities on your computer. The best way to combat this is to keep your computer up-to-date. When software patches are released, install them. When a new operating system is released, do your best to upgrade as soon as possible.
Likewise, make sure you use an anti-virus software on a regular basis. You can run a free antivirus software like Avast, Panda Free Antivirus, Comodo, or AVG to see if there are any viruses or malware on your computer and to eliminate them.
Wrapping Up
Securing a WordPress site is about so much more than installing a security plugin and walking away. There are subtle nuances that fill out a complete strategy. Some you mightve known about before but it is my hope that some were new discoveries. Sometimes, its the simple things you havent thought of yet that spell the difference between a mediocre security strategy and a great one.
What are some things you do to secure your WordPress sites? Did I miss a detail here that you think is vital? Feel free to sound off in the comments below.
