10 Tips to Secure your WordPress website from Hackers



When launching a new website it’s easy to get carried away with crafting the perfect design and adding great content. For many, including myself, security is merely an afterthought.

However, every year attacks on WordPress websites are growing in line with the popularity of the platform.

More worryingly, 70% of WordPress websites have vulnerabilities that hackers could exploit. With minimal protection, that means your precious website could be a hacker’s next play-thing – scary, right?

Today I want to help you boost your WordPress website’s security with ten simple tips you can implement right away.

1. Backup your WordPress website

All the security tips in today’s article will help you prevent your website from being compromised.

However, no website is 100% secure 100% of the time and, should the worst happen, you need to be prepared. This is why it is fundamentally important that all WordPress users regularly back up their website – it’s not the most glamorous thing in the world, but it’s a real lifesaver should something go wrong.

If you don’t back up your website, all of your content could be lost as a result of one successful attack – that could mean months of hard work down the drain.

However, if your website is regularly backed up, at least your efforts can be salvaged as your website can be fully restored in just a few minutes.

2. Update everything on your website

As well as adding new features, WordPress updates patch up known security vulnerabilities and other risks.

This means it’s critically important to keep the WordPress core up to date – if you don’t, those security weaknesses are still there to be exploited.

You might think that you only need to update WordPress when a major update comes along – for example when WordPress 4.0 was updated to 4.1. Sure, this is when the majority of the new features are added, making them the more exciting updates, but it’s actually the minor updates – 4.1.0 to 4.1.1, for example – that generally address the bugs and glitches that can cause security concerns.

If you want to improve your website’s security, you need to make sure the latest version of WordPress is running on your website, at the very least – even if the latest update is only a minor one.

3. Hide your WordPress version

Leading directly on from point 2, because hackers know that old versions of WordPress are vulnerable – and often have well-documented problems – this makes them the prime targets for attacks.

Even if it’s not immediately obvious, a quick look through the source files of a WordPress website is enough to reveal what version of WordPress is being used.

For example:

<meta name="generator" content="WordPress 4.0.1" />

After a few seconds, it is clear that this version of WordPress (taken from an anonymous website) is outdated. This means that there are security vulnerabilities to be exploited – yikes.

If you can’t ensure your WordPress website is consistently up to date, you can hide the version of WordPress you’re running, to ensure you aren’t attracting unwanted attention from the hackers.

All you need to do is add the following code to your functions.php file and you’ll erase all traces of your WordPress version from your website.

function remove_version() {
    // Return an empty string in place of the generator tag.
    return '';
}
add_filter('the_generator', 'remove_version');
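The filter above covers the generator tag in pages and feeds. WordPress also appends its core version as a ?ver= query argument to the stylesheets and scripts it enqueues without a version of their own. The following is an added example, not code from the original article, that strips that argument; the function name example_strip_core_version is an assumption.

```php
<?php
// Added example for functions.php; the function name is an assumption.

/**
 * Drop the ?ver= query argument from a stylesheet or script URL, but only
 * when its value is the WordPress core version. Plugin and theme assets
 * that carry their own version keep it, so their cache busting still works.
 */
function example_strip_core_version($src) {
    if (!is_string($src) || $src === '') {
        return $src;
    }

    // Nothing to do when the URL has no query string.
    $query = parse_url($src, PHP_URL_QUERY);
    if (!$query) {
        return $src;
    }

    // Compare the ver argument with the running core version.
    parse_str($query, $args);
    if (isset($args['ver']) && $args['ver'] === get_bloginfo('version')) {
        $src = remove_query_arg('ver', $src);
    }

    return $src;
}

// Both filters pass the asset URL as their first argument.
add_filter('style_loader_src', 'example_strip_core_version', 9999);
add_filter('script_loader_src', 'example_strip_core_version', 9999);
```

Core assets then lose their cache-busting parameter, so browsers can keep serving a cached copy of a core script or stylesheet after an update.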

4. Choose secure passwords

When you pick simple, easy-to-guess passwords, you significantly increase the risk of your website being infiltrated by brute-force attacks – this is when hackers attempt to maliciously access your website by trying exhaustive combinations of letters and numbers to correctly guess your login credentials.

For example, it would take far fewer attempts to guess a password like “password123” than it would a secure password like “r1K!+#dVc*a?@zx,” right?

Make sure your password uses a combination of lowercase, uppercase, numbers, and symbols if you want to create something really secure – you can use a strong password generator for help.

5. Use a secure username

During a WordPress installation, you will be asked to provide an admin username. When put on the spot in this way, most of us will simply opt for the first thing that pops into our head – and it’s usually something basic, like “admin.”

Sure, this might be easy for you to remember, but it’s also the least secure username possible. It’s the first thing the bots will attempt during brute-force attacks, which essentially means that all they need to figure out is your password.

If you use a random combination of letters – or at the very least, not admin! – then you make life that much more difficult for the malicious bots: they have to work out the username and the password.

Of course, the solution to this problem is simple: when installing WordPress, just choose a more secure username.

Unfortunately for those of you already using the admin username, usernames can’t be changed from the WordPress dashboard. The easiest thing to do is to create a new account with administrator capabilities, log in to this new account, then delete the existing admin account. If you’ve already published posts under the admin username, don’t worry, as these posts can be attributed to your new username after the old account has been deleted.


6. Move your login page

As well as your username and password, there is one other thing brute-force attacks need to succeed: your login page.

During a default installation, WordPress uses the wp-admin and wp-login extensions for your login page – for example, www.example.com/wp-admin. This is something few of us question, and even fewer of us bother to secure.

Knowing this one simple thing about WordPress means I can access the vast majority of WordPress websites’ login pages. That probably doesn’t concern you much as I’m not going to hack your website (honest!), but if I can do it, so can the bots.

The good news: you can easily change the wp-admin URL, making it far more difficult to find your login page.

Simply install the HC Custom WP-Admin URL plugin, and you can change your login page to something more secure, say www.example.com/randomletters.

7. Hide your username in the author archive URL

If you’ve followed the earlier advice, you’ll already have a more secure username – and definitely not admin.

However, using something obvious isn’t the only way bots can get hold of your username to launch malicious attacks on your website: they can also use your author archive URL – this can usually be accessed by clicking the author’s name in the author bio positioned right below an article.

The author archive URL, by default, will look something like this: www.example.com/author/johnsmith.

Care to take a guess at what this author’s username is? That’s right, it’s johnsmith, and with just a single mouse click the entire world has access to that author’s username.

If the bots have access to your username – whether it’s admin, johnsmith, or something seemingly secure like dwefegrthnj – it makes it far easier for them to hack into your account; all they need is the password.

However, this URL can be changed, and it’s all down to how WordPress populates this author field. WordPress uses a field called the user_nicename from within the WordPress database, which itself is automatically populated with the author’s username – that’s why, by default, the author archive displays your username.

If the user_nicename entry is changed, this will change the author archive URL so that it no longer displays your username – unfortunately, this can’t be done from the WordPress dashboard, though, and will require you to access your WordPress database using the phpMyAdmin tool.

Talking about WordPress databases can get a little intimidating for some, so I’ll try to keep things simple – this is actually a good introductory task if you haven’t manually accessed the database before.

After accessing your database using phpMyAdmin, you need to head to the table titled wp_users. On this screen, you will see a list of users, and somewhere in the table, you’ll be able to see the user_nicename column. All you have to do is click the user_nicename, then edit it to something other than your username – note: don’t use spaces in this field, as this will cause a 404 error.

That’s all there is to it, but if you want a more detailed guide on how to manage your WordPress database, 


8. Limit login attempts


Sticking with brute-force attacks for the moment, there is one last thing you can do to protect your website: limit the number of failed login attempts from the same IP range.

By securing your login credentials, you make it much more difficult for malicious bots and hackers to successfully guess your credentials – however, given enough time they can cover huge numbers of character combinations to improve their chances of getting in.

If you restrict the number of failed login attempts from any single IP address – or IP range – then you significantly reduce the effectiveness of brute-force attacks. This solution isn’t perfect, though, as some hackers will use different IP addresses, but it’s definitely a positive step that can boost your website’s security.
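The limit described above, as an added example (not code from the original article or from any plugin): a must-use plugin that counts failed logins per client IP address in a transient and rejects further attempts once the limit is reached. The function names, the 5-failure limit and the 15-minute window are assumptions, and the counter is kept per single address rather than per range.

```php
<?php
/*
 * Added example, written as a must-use plugin (wp-content/mu-plugins/).
 * Function names, the limit and the window are assumptions.
 */
define('EXAMPLE_MAX_FAILURES', 5);
define('EXAMPLE_LOCKOUT_SECONDS', 15 * 60);

// One counter per client address. REMOTE_ADDR is used on purpose:
// X-Forwarded-For is client-controlled unless a trusted proxy sets it.
function example_login_counter_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5($ip);
}

// Count each failed login. Writing the transient restarts its expiry, so
// the lockout ends 15 minutes after the last counted failure. Once the
// limit is reached the counter is left alone, so rejected attempts do not
// extend the lockout.
function example_count_failed_login($username) {
    $key = example_login_counter_key();
    $failures = (int) get_transient($key);
    if ($failures < EXAMPLE_MAX_FAILURES) {
        set_transient($key, $failures + 1, EXAMPLE_LOCKOUT_SECONDS);
    }
}
add_action('wp_login_failed', 'example_count_failed_login');

// Reject the login while the address is locked out. Priority 30 runs
// after core's username/password check (priority 20), so the error
// replaces the result even when the password was correct.
function example_block_locked_out_ip($user, $username, $password) {
    if ((int) get_transient(example_login_counter_key()) >= EXAMPLE_MAX_FAILURES) {
        return new WP_Error(
            'example_too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}
add_filter('authenticate', 'example_block_locked_out_ip', 30, 3);

// A successful login clears the counter for that address.
function example_reset_login_counter($user_login) {
    delete_transient(example_login_counter_key());
}
add_action('wp_login', 'example_reset_login_counter');
```

Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, so every visitor would share one counter. Take the client address from the proxy's header only when that proxy is the sole path to the server.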

9. Disable the plugin and theme editor

If a brute-force attack is successful, and a hacker is able to gain access to your website, what damage could they do? Potentially a lot.

One of the worst things they could do would be to add malicious code to your website, which could potentially cause a lot of problems. Unfortunately, this is something that is really easy to do: it’s just two clicks away from the WordPress dashboard, simply by going to Appearance then Editor. With access to this area of the website, someone with an ulterior motive could seriously mess with your theme and therefore your website.

There is a simple solution, though: disable the plugin and theme editor.

This is easy enough to do, and just requires you to add the following code to your wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

Once the code has been inserted, even an administrator will be unable to edit your theme and plugins directly from the WordPress dashboard. If a hacker gets into your website, this will restrict the extent of the damage they can inflict.

11. Add a security plugin

There are a number of security plugins in the WordPress directory.

You can secure your website with one of them. But I prefer BulletProof Security.
