WordPress security is a hot topic around the blogosphere right now. The recent botnet attacks on a huge number of WordPress sites has some people scrambling to recover their precious data and others acting quickly to put preventative security measures in place.
Then there are those who thought ahead and took action before it was needed. The chances are that they experienced no issues whatsoever because they made themselves a hard target.
The fact is this: while there is no such thing as a 100% secure site, one can make the likelihood of being hacked far smaller by dedicating a small amount of time to making your site more secure than 99% of others out there (as Matt Mullenweg claims). With that in mind, in this post I am going to take you through a simple five step process that will turn your site from a soft target to a real tough cookie.
Step 1: Update Everything
Outdated items on your site represent potential security risks as they can be used by hackers to weasel their way into your site’s backend. That’s why keeping everything up to date is so important.
And when I say everything, I mean everything:
- The WordPress Core
Deactivated themes and plugins should also be kept up to date — their mere presence on your site makes them a potential security risk.
A lot of people will get this far then stop but there is in fact one further step you should take: you should very seriously consider removing any themes and plugins on your site that have not recently been updated. You can easily monitor when plugins were last updated with Plugin Last Updated. This adds the Last Updated date to your plugins list on the back end (which should arguably be displayed by default).
Generally speaking, I would say that any plugin not updated within the last twelve months should be considered for deletion.
Step 2: Backup Everything Regularly
I know that it is an obvious suggestion but it would be remiss of me not to include backups. The simple fact is that few things (if anything) are more important to the safety of your site.
If your site is subject to a truly destructive hack (which is always possible), your last line of defense is a recent backup. This means that even if the worst should happen, you’ll still have something to fall back on. If you don’t keep regular backups, then to be quite blunt, you’re screwed.
There are an enormous number of backup solutions out there but my first suggestion would be to choose a hosting provider that includes automatic backups within their service. If you are victim to a hacking attempt that damages your site then you should find that your provider is quick to restore the site to its previous glory.
Beyond that the cream-of-the-crop options are VaultPress and BackupBuddy. They cost money, but my advice is to never skimp on your backup solution. Personally, I’m a VaultPress user (as is WPExplorer) — they offer a comprehensive backup solution as well as additional security features.
Step 3: Change the Default Profile
If you’re still using the default “admin” profile that came packaged with your WordPress installation, now is the time to change.
Why? Because step one for any brute force login attempt is to attempt to login with the “admin” username then run through an enormous number of password attempts in to gain entry. If you create a more unique username then you stop this hacking attempt in its tracks.
Switching profiles and everything that is potentially associated with it (transferring ownership of posts, etc) can seem a pretty daunting task, but it’s an important step in securing your site ans is a lot easier than it sounds. Checkout YouTube for tutorials if you want some extra guidance.
Step 4: Create a Truly Unique Password (and Change it Regularly)
Most people are savvy enough these days to know that their password shouldn’t be “password.” What they may not know is that brute force hacking attempts will try an astonishing number of password combinations in an attempt to access websites. If your password makes sense or is in any way predictable (e.g. is made up of recognizable words or number patterns) then your site is at risk.
In reality, there are three golden rules for best practice password generation:
- It must be truly random and unique
- It must be used only once (i.e. not across multiple sites)
- It must be changed periodically (e.g. once per month)
If you follow these three rules then your site will be a whole lot more secure. In terms of generating truly random passwords, I recommend that you sign up for a free account with LastPass and use that service to (a) generate and (b) store all your passwords.
Step 5: Install Plugin Protection
There are a huge number of plugins out there that claim to boost the security of your site. The sheer choice can be overwhelming, but I’m going to cut through the chaff and recommend what I consider to be the simplest and most effective plugin for you utilize.
That plugin is Wordfence: a popular and highly-rated free plugin. It includes a wide variety of security features, including (but not limited to):
- A firewall
- Malicious IP protection
- Backdoor scans
- Malware scans
- Enhanced login security
Although Wordfence is a freemium model and has a paid version with more options, the plugin itself and the basic service costs you nothing. Installing this on your site is a no brainer.
In reality I am just scratching the surface here. Although putting the above security measures in place will elevate the hardiness of your site above the vast majority of others, there is always more that you can do and always a chance that you could still get hacked anyway.
I’ve covered simple security solutions in this post. If you’ve implemented them all and are still hungry for more, I would advise that you start by checking out the official WordPress security page over at the WordPress.org Codex.
Now it’s your turn — I’d love to know what simple recommendations you have for increasing the security of WordPress sites. It could be simple tips and tricks, plugin suggestions or even a recommended premium service like the aforementioned VaultPress. Fire away in the comments section!