It’s always all fun and games until you can’t log in to your beloved WordPress website because the bad guys took over. All fun and games until somebody gets hacked, loses access to the WordPress admin dashboard and all hell breaks loose.
Your mood takes the first hit. It quickly sours when you discover you’ve been dethroned. It hurts and it’s frustrating, to say the least, because some guy out there is messing with your livelihood, meddling in your business and spitting in your face.
And boy, will you spring into action, running about frantically trying to restore your WordPress site, and hence your business, to its former glory. Trust me, you don’t want to be hacked; nobody does. But still, it happens to all and sundry on a daily basis.
However, we always have your best interests at heart, and as such, we’ve put together several measures you can use to bolster WordPress security and reduce the chances of hosting uninvited guests.
With these WordPress security best practices, we want you to have the most secure of WordPress sites. We will do our best to break down the points, but should you need help with anything, ask your questions and/or share your opinion in the comments.
That out of the way, let’s harden your WordPress site.
Start With Quality WordPress Hosting
Surely, you can’t expect top-notch security from a web host that charges a buck or two per month. We’ve all seen those ‘we-have-it-all-for-a-penny’ hosting plans: shady plans by shady hosting companies promising heaven for as little as $2 to $4 a month. Oh, aren’t they so enticing?
They are mainly shared hosting packages that will have your website, and hence your business, living on the same server with a million and one other sites, good and bad. They are usually less secure than, say, managed WordPress hosting that costs about $30 a month, because on a cheap shared server the accounts are often poorly isolated from one another.
If and when one of those neighboring websites is compromised, you are at a higher risk of being compromised as well, no matter how vigilant you are yourself, because the attacker is already on the same machine. You can’t fix your host’s isolation from inside your own account; the only real mitigation for host-level weaknesses is to go with a trusted host and a secure hosting plan from the start.
Choosing the best WordPress hosting for your business needn’t be a challenge, considering there are only a few factors to look out for. They include cost, quality of support, policies on backups and data management, how promptly the server and the software on it are updated, and everything else in between.
Check out the article linked in the paragraph above, and be keen to choose a WordPress host based on security features among other things. If you would like to skip the research and go straight to hosting your WordPress blog on secure servers, we use, love and recommend WPEngine. They provide top-notch WordPress hosting with plenty of security options, all at a great bargain. Media Temple and Siteground are other great WordPress hosting choices as well.
Bluehost shared hosting is a great choice too for the beginner testing the waters, but if you need secure hosting for your WordPress site, you will need to upgrade from the shared hosting package to one of the other packages.
Why is your host so important? I have been hacked thrice (yes, thrice) on their shared package. Well, it was partly my fault, as I had neglected the victim sites, which gave hackers a field day to play as they wished. I have since pulled those sites down, as they were potential risks to other websites on that particular server (stick around, as we will mention a thing or two about how neglecting your site can lead to nasty run-ins with the scum of the internet, aka hackers. Stay focused; pay attention or you’ll pay with your site).
Back to choosing high quality WordPress hosting: how do you go about it? A simple phone call (or support ticket) to your web host of choice should suffice. You should aim to find out whether they run up-to-date server software. Ask which versions of the web server, PHP and database they run, how those servers are secured, and how quickly they roll out security patches.
Then carry out a quick Google search to check (or confirm) whether those versions are still supported by their vendors. The release date alone tells you little; what matters is whether the version still receives security fixes. The answers will also tell you how frequently they update their servers. If they go for long periods without updates, or are running versions that have reached end of life, you shouldn’t trust them with your online business.
Be vigilant, ask other related questions and don’t stop until you’re satisfied yours is the most secure web host money can buy.
Make Hay Whilst the Sun Shines, And Be Prepared
While it might not stop the bad guys from breaking into your WordPress blog or online store, preparedness can lessen the impact of an attack. I’m talking about data backups here, my friend; regular backups that will shield you from losing important data.
A backup gives you peace of mind so you can sleep better at night. A backup is the quick fix you want when things go south. When your awesome recipe site starts retailing Viagra on every page, a clean backup is the one thing that gets you back to a known-good state quickly.
You should aim to back up your entire WordPress installation: core files, the database, wp-content (themes, plugins and uploads) and everything else. Experts further recommend encrypting your backups, keeping a copy off the server (a hacked server can’t be trusted to keep its own backups intact) and storing a copy on read-only media. Test a restore once in a while, too; a backup you have never restored is a hope, not a plan.
- Backup WordPress to Cloud with BackWPup – A Comprehensive Guide
- Backing Up Your Database
- Restoring Your Database from Backup
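Here is what a full backup of the kind described above looks like as a script. This is an added example, not code from the original post or from any of the plugins linked above: it archives the install directory, dumps the database using the credentials already in wp-config.php, encrypts both artifacts with a passphrase taken from the BACKUP_PASSPHRASE environment variable, and writes SHA-256 checksums you can verify after copying the files off the server. The paths /var/www/html and /var/backups/wp in the usage line are placeholders; the script assumes GNU coreutils, mysqldump and gpg 2.1 or later are installed.

```shell
#!/bin/sh
# Full WordPress backup: files + database, encrypted, with checksums.
# Added example; assumes GNU coreutils, mysqldump and gpg >= 2.1.
set -eu

# Pull define('NAME', 'value') out of wp-config.php so the database
# credentials live in one place. Assumes the value contains no quote chars.
wpconfig_value() {
  config="$1"; name="$2"
  sed -nE "s/^[[:space:]]*define\([[:space:]]*['\"]${name}['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]*)['\"].*/\1/p" \
      "$config" | head -n1
}

# Archive the whole install: core files, wp-content and wp-config.php.
archive_files() {
  wp_root="$1"; out="$2"
  tar -czf "$out" -C "$(dirname "$wp_root")" "$(basename "$wp_root")"
}

# Dump the database named in wp-config.php. The password travels in
# MYSQL_PWD rather than on the command line, so it never shows up in `ps`.
dump_database() {
  wp_root="$1"; out="$2"; cfg="$wp_root/wp-config.php"
  MYSQL_PWD="$(wpconfig_value "$cfg" DB_PASSWORD)" \
    mysqldump --single-transaction \
      -h "$(wpconfig_value "$cfg" DB_HOST)" \
      -u "$(wpconfig_value "$cfg" DB_USER)" \
      "$(wpconfig_value "$cfg" DB_NAME)" > "$out"
  gzip -f "$out"          # produces "$out.gz" and removes the plain dump
}

# Symmetric AES-256 encryption; the passphrase is fed on a file descriptor,
# not as an argument, and the plaintext copy is removed afterwards.
encrypt_artifact() {
  printf '%s' "$BACKUP_PASSPHRASE" |
    gpg --batch --yes --symmetric --cipher-algo AES256 \
        --pinentry-mode loopback --passphrase-fd 0 \
        --output "$1.gpg" "$1"
  rm -f "$1"
}

backup_site() {
  wp_root="$1"; dest="$2"
  stamp="$(date -u +%Y%m%dT%H%M%SZ)"
  mkdir -p "$dest"
  archive_files "$wp_root" "$dest/files-$stamp.tar.gz"
  dump_database "$wp_root" "$dest/db-$stamp.sql"
  encrypt_artifact "$dest/files-$stamp.tar.gz"
  encrypt_artifact "$dest/db-$stamp.sql.gz"
  ( cd "$dest" && sha256sum ./*-"$stamp".*.gpg > "checksums-$stamp.txt" )
  echo "backup written to $dest (verify with: sha256sum -c checksums-$stamp.txt)"
}

# Usage: BACKUP_PASSPHRASE='...' ./wp-backup.sh /var/www/html /var/backups/wp
if [ "$#" -eq 2 ]; then backup_site "$1" "$2"; fi
```

Run it from cron on the server, then copy the .gpg files and the checksum file somewhere the web server account cannot write to (another host, object storage, or the read-only media mentioned above); the passphrase should live in the cron environment or a root-only file, never in the script itself.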
Keep Your Plugins Updated and From Trusted Sources
Just the other day, Ryan Dewhurst of WPScan discovered (and reported) a blind SQL injection vulnerability in WordPress SEO by Yoast. Now, WordPress SEO by Yoast is a popular SEO plugin, with over a million active installs. This means that if hackers were to exploit this security hole, they would have more than a million WordPress sites at their mercy. A million-plus websites!
Oh no, please don’t be alarmed. Yoast released a security fix the same day the vulnerability was discovered. There’s only one problem though. Unlike WordPress core, plugins didn’t update themselves at the time (WordPress 5.5 later added an opt-in automatic-update toggle for each plugin and theme, so make sure it is switched on), which means you’re still vulnerable if you haven’t updated to the latest version of WordPress SEO.
You might argue you knew nothing about this, but hackers have all the details, since the information is in the public domain, readily available to all; once a fix is published, the race between you and them is on. What are you waiting for? Hit that update button already. Update all your other plugins too.
Still on this WordPress plugin business, you should only buy or download WordPress plugins from trusted sources. To be on the safe side, source your plugins from the extensive WordPress Plugin Repository or from reputable vendors such as CodeCanyon.net.
There are hackers who will masquerade as legitimate plugin developers in a bid to serve you plugins laced with malicious code (pirated ‘nulled’ premium plugins are a classic carrier). Don’t fall for their cheap tricks; get your plugins from trusted websites. In addition, don’t leave inactive plugins lying around. Delete all unused plugins, because they are a favorite entry point for hackers. Yes, even when they are deactivated: deactivating a plugin only stops WordPress from loading it, but its files are still on disk and can still be requested directly by URL, so a vulnerability in a deactivated plugin can often still be exploited.
By the way, unless you’re with the likes of WPEngine and Siteground, don’t count on your web host to keep you safe where plugin vulnerabilities are concerned – take responsibility and bite the bullet.
Use Secure WordPress Themes
If hackers can’t force their way in via outdated, compromised or poorly coded plugins, they will look for loopholes in your themes. In fact, the bulk of successful WordPress break-ins come through vulnerable plugins and themes rather than through core, so yeah, you have to be extra vigilant here.
Firstly, just like with WordPress plugins, you can’t afford to run around picking up themes from wherever. You will catch a virus, malware or worse, and then cry foul when sh*t hits the fan.
If you’re operating on a very tight budget or just starting out, you can check out some of our free but professionally coded WordPress themes or the thousands of free themes at WordPress.org. Currently, I use the free Elegant Theme from our very own stable, and it has been working wonders. See? No preaching water and imbibing wine here 🙂
Onto premium themes: a great theme will set you back $60 or so on some of the best theme marketplaces, such as Elegant Themes and Themeforest. You get a great product, top-drawer support and security updates among other things. If you need pointing in the right direction, I would love to recommend the gracious Total WordPress theme, which is nothing short of beautiful and secure.
You should endeavor to keep your theme(s) updated at all times, lest you court trouble. That said, delete all unused themes for the same reason you delete unused plugins: their files are still reachable whether or not they are active.
If you have some extra green to spend, or are a WordPress developer yourself, you can look into creating your own custom theme. A custom theme spares you the mass-exploited, widely known theme vulnerability, but it is not automatically secure: it is only as secure as the code in it and the discipline with which it is maintained.
Of course, you (or your developer) must follow the WordPress coding standards (escape output, validate input, use nonces and capability checks) and update the theme(s) when needed. If you hire a web developer to build you a theme, ensure they are reputable first. You can also check whether your theme meets the latest WordPress theme requirements using a plugin such as Theme Check; bear in mind that Theme Check flags violations of the WordPress.org theme review guidelines, which is useful hygiene but not a security audit. Moving on…
Keep WordPress Itself Updated
You should always run your online business on the latest version of WordPress; that’s a no-brainer. You would think it obvious that everybody updates WordPress regularly, considering we all receive a notification in the dashboard.
However, this isn’t always the case, as you will often catch online entrepreneurs who haven’t updated to the latest version weeks and even months after it was released, long after the release notes have told attackers exactly what was fixed.
Updating your WordPress installation is easy-peasy work; just a matter of point and click. You are, however, advised to back up your site before any update, in case anything breaks in the process. On top of that, any changes you have made to core files will be lost, because the upgrade replaces the core files in the root, wp-admin and wp-includes (wp-config.php and your own themes, plugins and uploads are left alone). That is one more reason never to edit core: put customizations in a child theme or a plugin instead.
Automatic background updates were introduced in WordPress 3.7 to take care of minor and security releases and make the entire update process easier for developers and end users alike. They are on by default for those releases, so you only need to concern yourself with major version updates (or opt core in to those as well in wp-config.php) and with leaving the auto-update switched on rather than disabling it.
Update, update, update or get ready to regret, regret, regret.
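As an added example (not part of the original post), here is a small maintenance script that does the ‘are we current?’ check the last few paragraphs ask for, for both core and plugins, and then applies the pending updates with WP-CLI once you have taken a backup. It reads the installed core version out of wp-includes/version.php, reads every plugin’s Version: header (deactivated plugins included, since their files are still reachable), compares dotted version numbers, and shells out to the real wp core update / wp plugin update --all / wp theme update --all commands when WP-CLI is installed. The path /var/www/html and the version number 6.4.3 in the usage line are placeholders.

```shell
#!/bin/sh
# Inventory installed WordPress core/plugin versions, then apply updates.
# Added example; assumes a standard WordPress layout and, for the update
# step only, WP-CLI (https://wp-cli.org) on the PATH.
set -eu

# Core version as recorded in wp-includes/version.php ($wp_version = '6.4.2';)
wp_core_version() {
  sed -nE "s/^[\$]wp_version[[:space:]]*=[[:space:]]*'([^']+)'.*/\1/p" \
      "$1/wp-includes/version.php"
}

# "slug version" for every installed plugin, read from the plugin header.
# Deactivated plugins are listed too: their files are still on disk and
# still reachable, so they still need updating or removing.
plugin_versions() {
  for f in "$1"/wp-content/plugins/*/*.php "$1"/wp-content/plugins/*.php; do
    [ -f "$f" ] || continue
    grep -q 'Plugin Name:' "$f" || continue
    slug="$(basename "$(dirname "$f")")"
    [ "$slug" = plugins ] && slug="$(basename "$f" .php)"   # single-file plugin
    ver="$(sed -nE 's/^[[:space:]*]*Version:[[:space:]]*([^[:space:]]+).*/\1/p' "$f" | head -n1)"
    printf '%s %s\n' "$slug" "${ver:-unknown}"
  done
}

# True (exit 0) when dotted version $1 is older than $2: 6.4.2 < 6.10 < 7.0
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, "."); nb = split(b, B, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0; y = (i <= nb) ? B[i] + 0 : 0
      if (x < y) exit 0
      if (x > y) exit 1
    }
    exit 1   # equal is not "less than"
  }'
}

# Back up first, then let WP-CLI do the work for core, plugins and themes.
apply_updates() {
  command -v wp >/dev/null 2>&1 || { echo "WP-CLI not found" >&2; return 1; }
  wp core update --path="$1"
  wp plugin update --all --path="$1"
  wp theme update --all --path="$1"
}

# Usage: ./wp-check-updates.sh /var/www/html 6.4.3
if [ "$#" -eq 2 ]; then
  installed="$(wp_core_version "$1")"
  echo "core: $installed (latest: $2)"
  plugin_versions "$1"
  if version_lt "$installed" "$2"; then
    echo "core is behind; running updates"
    apply_updates "$1"
  fi
fi
```

If the server can reach the internet, `wp core check-update` and `wp plugin list --update=available` will tell you the ‘latest’ numbers directly instead of you looking them up by hand; the offline parsing above is what you fall back on when you only have the files, for example when auditing a backup.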
Clean Your Computer
After high school some ten years ago, I worked at a cyber cafe briefly. It was pretty much interesting as I met so many people and made my break into the world of digital marketing.
But it wasn’t always fun thanks to worms, trojan horses, viruses, malware et cetera. I remember at times I had to close the cafe for the day just to format the computers. It didn’t matter I had antivirus programs installed and running on all computers. But I digress.
If some hacker manages to get a key logger onto your machine as a trojan horse (meaning the key logger is hidden inside another program to mask the fact that every keystroke on your PC is being recorded), you will never secure your website, no matter what else you do.
Your site will be hacked over and over, since you are simply feeding your login information to the bad guys, new passwords included, as fast as you type them. And since they can see all your keystrokes, they will have access to your online accounts, all of them: email, Facebook, Twitter, YouTube and so on. (Two-factor authentication, covered below, limits the damage, because a captured one-time code is single-use and expires within moments, but it doesn’t clean the machine.)
Key loggers aside, there are worse things on the dark side of the internet. For instance:
There are actually viruses in the wild that will infect your local computer, and then look for open FTP connections and automatically upload a hack file to your web host using that connection. – Brad Williams, Locking Down WordPress
Cyber cafe computers aren’t exactly where you want to be accessing your WordPress admin dashboard from. Perhaps it’s unavoidable at times, but always ensure the computers you use don’t harbor malware, viruses or spyware. Otherwise, you will be handing hackers your login info and more on a silver platter.
Ensure your operating system and the programs on your computer are up to date. Then turn on your firewall and get the best antivirus program. I got tired of formatting the computers all the time, so I went on a voyage to find the best antivirus program. And I found it. Since then, I have used and loved Eset Nod32.
Create Stronger Passwords
It’s story time. This one time I had one coffee too many and I created a WordPress site that I “creatively” christened #YouCan’tHackThis. Creatively is in quotes because I was riding the waves of a coffee high. Perhaps I had had a drink or two before the coffee; I just can’t remember. I create many WordPress websites just for fun.
My username was…wait for it…Unhackulture (we will blame the coffee) and my password was, well, I don’t remember. It was a shambles, though, the password, and for this very reason it never held its ground when some rude internet person (or thingy) hit the login page with ‘brute force’.
Long story short, my defenses caved in and #YouCan’tHackThis fell like the walls of Jericho. Google sent me the dreaded “Hacking Suspected” email with a sample URL, and on further investigation, I found plenty of garbage.
The hacker had the audacity to post a screenshot of their desktop on my beloved #YouCan’tHackThis as if to taunt me. He/she/it had guts I tell you, because on top of the screenshot, there were pages and pages of fluff, filler content that had no direction.
I pulled down the entire site and beefed up security on my other websites. I installed iThemes Security, and today all I get are “Site Lockout Notification” emails. If anyone tries to force their way into any of my sites using brute force, they are locked out for a century! Yeah, that’s 100 years in the bin, hacker. Haha, I’m getting carried away.
Weak passwords will get you hacked. Similarly, that ‘admin’ username you hold onto so dearly makes brute-force attacks easier, since the attacker only has to guess one half of the pair. Pick a personalized username when installing WordPress, but don’t mistake it for a secret: WordPress reveals usernames through author archives and the REST API, so the real protection is the password. Use the strength indicator when creating it, make it long, random and unique to this site, and turn on login lockouts as described above. If you’d like to go the extra mile, a password manager such as 1Password or KeePass will generate and remember those passwords for you.
Report Security Vulnerability
It’s your responsibility as a WordPress user to report a security vulnerability as soon as you discover it, and to report it privately to the plugin, theme or core developers rather than posting it in public, so that a fix can ship before attackers read about it.
First, it’s good karma. Second, what goes around comes around. Third, if the vulnerability is in a plugin or theme you use, you get a security update and a big thank you. Your site is not compromised as a result, and you build a good reputation while making the world a better place.
It’s our collective responsibility as WordPressers to point out all security holes we come across. After all, it is for our own good.
Tighten File/Folder Permissions
We are now getting into the thick of WordPress security. As an absolute beginner, I would hate for you to freak out. I will shake it and serve it chilled just the way you like. Here we go.
If every Tom, Dick and Harry who gains access to your server can edit (aka write to) your files and folders, then there’s very little you can do to stop the damage that will ensue.
But what if we made certain files and folders writable only by you? Then a hacker who gets in through a neighboring account or a low-privilege foothold can’t drop a backdoor into your PHP files or rewrite your theme to serve spam, which is how most compromises persist. It’s not a complete defense (an attacker with your database password can still deface posts or create an admin user), but it shrinks what they can do and how long it lasts. Locking down your file permissions is a security measure you want to implement, all the more so if you’re on a shared hosting plan.
But how do you go about this file/folder permission business? Here’s a possible scheme to follow:
- All files in the root folder should be writable by you only
- /wp-admin/ – all files should be writable by you only
- /wp-includes/ – all files should be writable by you only
- /wp-content/themes – all files should be writable by you and the web server
- /wp-content/plugins – all files should be writable by you
How Do You Set File/Folder Permissions?
To satisfy the scheme above, you need to set permissions to 755 for folders and 644 for files, which gives the owner read/write and everyone else read-only. Note that this only means ‘writable by you only’ if the web server runs as a different user from the one that owns the files; if PHP runs as your own account (common on shared hosting), the owner’s write bit is the web server’s write bit too, and you should ask your host how accounts are isolated. For the themes folder above, ‘writable by you and the web server’ means giving the web server’s group write access (775/664) rather than opening it to everyone (777). How do you set the bits? That’s the easiest part. You can use your FTP client (such as FileZilla) or log in directly to your File Manager via cPanel.
After you log in to your web server via FTP, locate the directory/file whose permissions you want to set, right-click on it and choose ‘File Permissions’. In the popup screen that appears, select the permissions as you deem fit. The popup might look something like this:
And here is the full list of file permissions from 000 to 777.
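The same scheme applied from a shell on the server, instead of one file at a time in an FTP client. This is an added example rather than anything from the original post: it sets 755 on directories and 644 on files, tightens wp-config.php (which holds your database password and salts), gives group-write only to the directories you name, and then lists anything still world-writable so you can see what you missed. The 755/644 numbers only mean ‘writable by you only’ when PHP runs as a different user from the file owner; if your host runs PHP as your account, the mode bits cannot separate you from the web server and you need to ask the host how their isolation works. The /var/www/html path and the www-data group name are placeholders, and the WPCONFIG_MODE and WP_WRITABLE_DIRS variables are this script’s own knobs, not WordPress settings.

```shell
#!/bin/sh
# Apply the 755/644 permission scheme to a WordPress install and report
# anything left world-writable. Added example, not from the original post.
set -eu

# Directories 755 (rwxr-xr-x), files 644 (rw-r--r--): the owner writes;
# everyone else, including a web server running as a different user,
# can only read and traverse.
harden_wp_permissions() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  # wp-config.php holds DB credentials and the auth salts. 640 keeps it
  # readable by PHP through the file's group; set WPCONFIG_MODE=600 if PHP
  # runs as the owner, and otherwise put the PHP user's group on the file:
  #   chgrp www-data "$root/wp-config.php"        (placeholder group name)
  if [ -f "$root/wp-config.php" ]; then
    chmod "${WPCONFIG_MODE:-640}" "$root/wp-config.php"
  fi
  # Only directories the web server must write to get group-write, never
  # world-write. Uploads is the usual one; themes only if you insist on the
  # built-in theme editor, which is better left disabled.
  for d in ${WP_WRITABLE_DIRS:-}; do
    [ -d "$root/$d" ] || continue
    chmod -R g+w "$root/$d"
  done
  return 0
}

# Symbolic mode string of a path, portable across GNU and BSD ls.
perm_string() {
  ls -ld "$1" | cut -c1-10
}

# Anything writable by "other" is a problem on a shared server.
world_writable() {
  find "$1" -perm -002 -print
}

# Usage: WP_WRITABLE_DIRS="wp-content/uploads" ./wp-perms.sh /var/www/html
if [ "$#" -eq 1 ]; then
  harden_wp_permissions "$1"
  echo "wp-config.php: $(perm_string "$1/wp-config.php")"
  ww="$(world_writable "$1")"
  if [ -n "$ww" ]; then echo "still world-writable:"; echo "$ww"; else echo "nothing world-writable"; fi
fi
```

Run it once after installing, and again after any plugin or theme that ‘helpfully’ asked you to chmod 777 something; the world-writable report at the end is the quick check that nothing on the server is open to every other account.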
Using File Manager
Login to your cPanel, and navigate to File Manager. When that loads, select your directory or file, and click “Change Permissions” on the menu at the top. Alternatively, you can select your folder or file, right-click on it and select “Change Permissions” on the drop down menu that appears.
Here’s some guidance:
The right-click option…
The “Change Permissions” popup:
Use Two-Step Authentication
The best way to protect your online assets is to make it incredibly hard for the bad guys to log in. If you can keep them out, you’ve won half the battle. This is where two-step (or two-factor) authentication comes in.
When you combine strong passwords and two-factor authentication, you add a second, independent layer of protection to your website: a password that has been guessed, phished or keylogged is no longer enough on its own, because the attacker also needs the one-time code from your phone.
And since we have plugins such as Google Authenticator, WordFence, Authy and Duo, implementing two-step authentication ought to be the easiest WordPress security measure you can put in place right this minute. Two practical notes: enable it for every administrator account, not just your own, and store the backup codes the plugin gives you somewhere safe, or losing your phone means losing your dashboard.
Use SSL (HTTPS)
SSL is an acronym for Secure Sockets Layer (its modern successor is TLS, but the old name stuck), which according to SSL.com is “…the standard security technology for establishing an encrypted link between a web server and a browser…”
At times, instead of trying to break down your website’s defenses, hackers might decide to intercept the traffic between your browser and the web server, on public Wi-Fi for example. If that traffic is plain HTTP, they can read your login credentials and session cookies straight off the wire.
What to do? You need to utilize SSL encryption, which protects the privacy and integrity of all the data that passes between the visitor’s browser and your server. This is exactly why you will find all major sites using HTTPS as opposed to HTTP in their URLs.
It’s easy to implement, and it can save you a lot of time and frustration. Just check with your domain registrar or web host, and they will be glad to install a certificate for you. SSL certificates are usually cheap, and many hosts now issue free ones through Let’s Encrypt, so you get to save a buck or two. Installing the certificate is only half the job, though: make sure the login page and dashboard are actually served over HTTPS and that plain HTTP requests redirect to HTTPS, otherwise your password still travels in the clear.
Disable Unused User Accounts
Think of user accounts on your WordPress sites as seats on a bus. If there is an empty seat, someone will get on. If the seat is otherwise occupied or doesn’t exist, well, no one will take that particular seat.
If you’ve enabled user registration on your WordPress website, comb through the user accounts once in a while and eliminate unused accounts and all accounts created by spammers. Every dormant account is one more password that can be guessed or phished, and one more place an attacker can hide; leave enough of them around and sooner or later one of them will be the way in.
Alternatively, you can disable user registration altogether by going to Settings -> General and deselecting ‘Anyone can register’ under Membership. You can see all users by navigating to Users -> All Users on your WordPress admin menu; pay special attention to anything listed with the Administrator role that you don’t recognize.
At the same time, you can limit the permissions of new user accounts. You do this easily by navigating to Settings -> General -> New User Default Role and setting the option to ‘Subscriber’. Other roles include Contributor, Author, Editor and Administrator. You definitely don’t want new users to have administrator privileges. Best to assign users only the privileges they need to do their job.
There’s so much about WordPress security that we won’t cover in this post, but we’ve done so (and in much detail) in our previous posts such as:
- WordPress Security: Is Your WordPress Site Really Secure?
- Best .htaccess Snippets to Improve WordPress Security
- 20+1 WordPress Security Tips
- How to Fix WordPress Security Holes for a Safer Shopping Experience
- Best BackUp Services & Plugins For WordPress Websites
- Top 10 WordPress Profanity Filters and Spam Blocking Plugins
On top of that, we’ve put together a great list of resources and tools to get you started on the right path:
- Login Lockdown
- Bulletproof Security
- Exploit Scanner
- Lock Down WordPress eBook (featuring WordPress heavyweights Rachel Baker, Brad Williams and John Ford)
I could keep going and going, but I would just overwhelm you with too much information, which is never my intention. We would love for you to have actionable tips that you can start implementing right this minute, but that will be a pipe dream if I drown your attention in a dam of factoids and whatnot. So, this is where I take my bow and let the curtains close.
Back to you: please start working on the areas we’ve mentioned right now, because the longer you wait, the easier it will be for the bad guys. Just start with one area and move on from there, and if you’re stuck or in doubt, bring your concerns to the comment section below. Or if you have a tip to add, let us know; we will be waiting, and that’s a solemn promise. All the best, amigos!