5 Easy Ways to Harden Your WordPress Security
WordPress security is a hot topic around the blogosphere right now. The recent botnet attacks on a huge number of WordPress sites have some people scrambling to recover their precious data, and you should be acting quickly to harden your WordPress security.
Then there are those who thought ahead and took action before it was needed. The chances are that they experienced no issues whatsoever because they made themselves a hard target.
The fact is this: while there is no such thing as a 100% secure site, you can make the likelihood of being hacked far smaller by dedicating a small amount of time to making your site more secure than 99% of the others out there. Most attacks on WordPress sites are automated and go after the easiest targets first. With that in mind, in this post I am going to take you through a simple five-step process that will turn your site from a soft target into a real tough cookie.
Step 1: Update Everything
Outdated software on your site is a security risk: once a vulnerability in a particular version of WordPress, a theme or a plugin becomes public, attackers scan for sites still running that version and use it to weasel their way into your site's backend. That's why keeping everything up to date is so important.
And when I say everything, I mean everything:
- The WordPress Core
- Themes
- Plugins
Deactivated themes and plugins should also be kept up to date. Their files are still on the server and still reachable over the web, and automated scanners look for vulnerable versions by file path, not by whether the plugin is active, so their mere presence on your site is a potential security risk. Better still, delete anything you are not actually using.
Don’t log in very often? No worries – you can use a plugin like the Easy Updates Manager to enable automatic updates for your WordPress core, theme and plugins. There are also tons of built-in advanced settings to customize your updates, and logs to view what’s been updated and when.
A lot of people will get this far and then stop, but there is in fact one further step you should take: seriously consider removing any themes and plugins on your site that have not been updated recently. A plugin nobody maintains will never receive a fix for the next vulnerability found in it, however diligently you click Update. You can easily monitor when plugins were last updated with Plugin Last Updated, which adds a Last Updated date to the plugins list in the back end (something that should arguably be displayed by default).
Generally speaking, I would say that any plugin not updated within the last twelve months should be considered for deletion.
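Both halves of this step can also be done without an extra plugin. The must-use plugin below is an added example, not code from this article or from Easy Updates Manager or Plugin Last Updated: it opts core, plugins and themes into WordPress' own background updater, and it lists installed plugins whose latest wordpress.org release is more than a year old so you can apply the twelve-month rule. The file name, function and transient names and the one-day cache are my assumptions; the WordPress filters and functions it calls are real.

```php
<?php
/*
Plugin Name: Hardening: auto-updates and stale plugin report
Description: Added example, not from the article. Save as wp-content/mu-plugins/hardening-updates.php
*/

// WordPress already installs minor core releases in the background; opt in to major ones too.
add_filter( 'allow_major_auto_core_updates', '__return_true' );
// Let the background updater handle every installed plugin and theme.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

/**
 * Return the installed plugins whose most recent wordpress.org release is older
 * than $max_age_days, as [ 'dir/plugin.php' => 'YYYY-MM-DD' ]. Plugins that are not
 * hosted on wordpress.org (premium or custom code) are reported as 'unknown' so you
 * can check their update status with the vendor instead.
 */
function hardening_stale_plugins( $max_age_days = 365 ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';          // get_plugins()
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';  // plugins_api()

    $cutoff = time() - $max_age_days * DAY_IN_SECONDS;
    $stale  = array();

    foreach ( get_plugins() as $file => $headers ) {
        // Keys look like "akismet/akismet.php"; the directory name is the wordpress.org slug.
        $slug = ( '.' === dirname( $file ) ) ? basename( $file, '.php' ) : dirname( $file );
        $info = plugins_api( 'plugin_information', array(
            'slug'   => $slug,
            'fields' => array( 'last_updated' => true, 'sections' => false ),
        ) );
        if ( is_wp_error( $info ) || empty( $info->last_updated ) ) {
            $stale[ $file ] = 'unknown';
            continue;
        }
        // last_updated is a string such as "2023-04-02 8:11am GMT".
        $released = strtotime( $info->last_updated );
        if ( false !== $released && $released < $cutoff ) {
            $stale[ $file ] = gmdate( 'Y-m-d', $released );
        }
    }
    return $stale;
}

// Show the report to administrators as a dashboard notice. The wordpress.org
// lookups are cached for a day so they do not run on every admin page load.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    $stale = get_transient( 'hardening_stale_plugins' );
    if ( false === $stale ) {
        $stale = hardening_stale_plugins();
        set_transient( 'hardening_stale_plugins', $stale, DAY_IN_SECONDS );
    }
    if ( empty( $stale ) ) {
        return;
    }
    $lines = array();
    foreach ( $stale as $file => $date ) {
        $lines[] = esc_html( "$file (last upstream release: $date)" );
    }
    echo '<div class="notice notice-warning"><p><strong>Plugins with no upstream update in '
        . '12 months; consider removing them:</strong><br>' . implode( '<br>', $lines ) . '</p></div>';
} );
```

If you would rather not auto-install major core releases, drop the first filter (or set `WP_AUTO_UPDATE_CORE` in wp-config.php to `'minor'`); since WordPress 5.5 the Plugins and Themes screens also offer a per-item auto-update toggle, which is what the two `auto_update_*` filters force on for everything at once. The report deliberately treats a plugin that wordpress.org does not know about as a question rather than an answer: a premium plugin from the vendor's own site may be perfectly current.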
Step 2: Backup Everything (And Regularly)
I know that it is an obvious suggestion but it would be remiss of me not to include WordPress backups. The simple fact is that few things (if anything) are more important to the safety of your site.
If your site is subject to a truly destructive hack (which is always possible), your last line of defense is a recent backup. This means that even if the worst should happen, you'll still have something to fall back on. Two caveats that are easy to forget: keep more than one generation of backups, and keep them somewhere other than the web server, because a backup that sits inside wp-content is lost (or tampered with) together with the site, and a backup taken after the break-in will faithfully restore the attacker's backdoor along with your posts. Test a restore once before you actually need one. If you don't keep regular backups, then to be quite blunt, you're screwed.
There are an enormous number of backup solutions out there, but my first suggestion would be to choose a hosting provider that includes automatic backups within their service. If you are the victim of a hacking attempt that damages your site, you should find that your provider is quick to restore the site to its previous glory.
Beyond that the cream-of-the-crop options are VaultPress and BackupBuddy. They cost money, but my advice is to never skimp on your backup solution. Personally, I’m a VaultPress user (as is WPExplorer) — they offer a comprehensive backup solution as well as additional security features.
Step 3: Change Your Default Username
If you’re still using the default “admin” profile that came packaged with your WordPress installation, now is the time to change.
Why? Because step one for any brute-force login attempt is to try the "admin" username and then run through an enormous number of passwords against it in order to gain entry. A less obvious username takes your site out of that lowest-effort attack. Don't treat the new name as a secret, though: WordPress publishes each author's slug (by default the same as the login) through author archives, which /?author=1 redirects to, and through the REST API's users endpoint, so a determined attacker can usually still learn it. The username change buys you a lot against lazy bots; the strong password in Step 4 and the login limits in Step 5 are what stop the rest.
Switching profiles and everything associated with the old one (transferring ownership of posts, etc.) can seem a pretty daunting task, but it's an important step in securing your site and a lot easier than it sounds. Check out YouTube for tutorials if you want some extra guidance.
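One way to do the switch without editing the database by hand. This is an added example, not the article's own steps: it creates a fresh administrator under a new name with a random password, hands the old account's posts and media to it, and then deletes "admin". Run it once on a single-site install, for instance with WP-CLI (`wp eval-file replace-admin.php`), after taking the backup from Step 2. The new login, nicename and e-mail address are placeholders; the WordPress functions are real.

```php
<?php
/*
 * Added example, not from the article. Run once, e.g.: wp eval-file replace-admin.php
 * Assumes a single-site install and a current backup.
 */
require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user()

/**
 * Replace $old_login with a new administrator account and reassign its content.
 * Returns [ 'id' => int, 'login' => string, 'password' => string ] or a WP_Error.
 */
function hardening_replace_admin( $old_login, $new_login, $nicename, $email ) {
    $old = get_user_by( 'login', $old_login );
    if ( ! $old ) {
        return new WP_Error( 'not_found', "No account named '$old_login'." );
    }
    if ( get_user_by( 'login', $new_login ) || get_user_by( 'slug', $nicename ) ) {
        return new WP_Error( 'exists', 'The new login or nicename is already taken.' );
    }

    // 24 random characters drawn from letters, digits and symbols. It is shown
    // exactly once by the caller below; put it straight into a password manager.
    $password = wp_generate_password( 24, true, true );

    $new_id = wp_insert_user( array(
        'user_login'    => $new_login,
        'user_pass'     => $password,
        'user_email'    => $email,
        'role'          => 'administrator',
        // The nicename is what appears in /author/<nicename>/ URLs and in the REST
        // API; keep it different from the login so the login itself is not published.
        'user_nicename' => $nicename,
        'display_name'  => 'Editor',
    ) );
    if ( is_wp_error( $new_id ) ) {
        return $new_id;
    }

    // Delete the old account; its posts, pages and attachments move to $new_id.
    if ( ! wp_delete_user( $old->ID, $new_id ) ) {
        return new WP_Error( 'delete_failed', "Could not delete '$old_login'." );
    }
    return array( 'id' => $new_id, 'login' => $new_login, 'password' => $password );
}

// Placeholder values: pick your own login, nicename and address.
$result = hardening_replace_admin( 'admin', 'kw-editor-4813', 'editor', 'you@example.com' );
if ( is_wp_error( $result ) ) {
    WP_CLI::error( $result->get_error_message() );
}
WP_CLI::success( "Created {$result['login']} (ID {$result['id']}); password: {$result['password']}" );
```

Anything that still logs in as "admin" (a browser session, a mobile app, an XML-RPC client) will stop working the moment the old account is gone, so re-point those before you run it. On a multisite network wp_delete_user() only removes the user from the current site; use wpmu_delete_user() there instead.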
Step 4: Create a Unique Strong Password (and Change it Regularly)
Most people are savvy enough these days to know that their password shouldn't be "password." What they may not know is that brute-force attacks try an astonishing number of password combinations, starting with lists of common and previously leaked passwords, in an attempt to access websites. If your password makes sense or is in any way predictable (e.g. it is made up of recognizable words or number patterns) then your site is at risk.
In reality, there are three golden rules for best practice password generation:
- It must be truly random and unique
- It must be used only once (i.e. not across multiple sites)
- It must be changed whenever you have any reason to think it may have leaked, and periodically (e.g. once per month) if you want a schedule; just don't let the schedule tempt you into a memorable pattern, since a password that satisfies the first two rules gains little from routine rotation
If you follow these three rules then your site will be a whole lot more secure. As for generating truly random passwords, a free online generator will do, but I recommend that you sign up for a free account with LastPass and use that service to (a) generate and (b) store all your passwords.
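Whatever the username and however strong the password, the attack Steps 3 and 4 describe is the same: thousands of guesses against wp-login.php (and against xmlrpc.php, which reaches the same authentication code). Wordfence in Step 5 handles this for you; the must-use plugin below is an added example, not the article's or Wordfence's code, showing the underlying technique: count failed logins per client IP and per targeted username in WordPress transients, and refuse further attempts for a while once a limit is hit. The limit, the 15-minute window and the transient names are assumptions to tune.

```php
<?php
/*
Plugin Name: Hardening: login throttle
Description: Added example, not from the article. Save as wp-content/mu-plugins/hardening-login.php
*/

const HARDENING_MAX_FAILURES = 5;    // failed attempts allowed per window
const HARDENING_WINDOW       = 900;  // seconds; the window restarts on every failure

function hardening_client_ip() {
    // Trust REMOTE_ADDR only. Behind a proxy or CDN, configure the web server to
    // restore the real client address; reading X-Forwarded-For here would let an
    // attacker pick any IP they like and dodge the lockout.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// One counter per client address and one per targeted account, so an attacker
// rotating IPs still locks the account and one rotating usernames still locks the IP.
function hardening_keys( $username ) {
    return array(
        'hardening_ip_'   . md5( hardening_client_ip() ),
        'hardening_user_' . md5( strtolower( $username ) ),
    );
}

// Count every failed attempt; wp_login_failed fires for wp-login.php and XML-RPC alike.
add_action( 'wp_login_failed', function ( $username ) {
    foreach ( hardening_keys( $username ) as $key ) {
        $count = (int) get_transient( $key );
        set_transient( $key, $count + 1, HARDENING_WINDOW );
    }
} );

// Refuse to even check the password once either counter is over the limit.
// Priority 40 runs after core's own username/e-mail/cookie authenticators.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( '' === $username ) {
        return $user; // cookie-based auth, nothing to throttle
    }
    foreach ( hardening_keys( $username ) as $key ) {
        if ( (int) get_transient( $key ) >= HARDENING_MAX_FAILURES ) {
            return new WP_Error(
                'too_many_attempts',
                'Too many failed login attempts. Try again in 15 minutes.'
            );
        }
    }
    return $user;
}, 40, 2 );

// A successful login clears both counters.
add_action( 'wp_login', function ( $user_login ) {
    foreach ( hardening_keys( $user_login ) as $key ) {
        delete_transient( $key );
    }
} );
```

Because core reports the lockout error itself as a failed login, every attempt during a lockout pushes the expiry out by another full window, so a bot that keeps hammering stays locked out until it stops. Transients live in the options table (or the object cache if you have one), which is plenty for one site; the one thing this deliberately does not do is trust any client-supplied header for the address.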
Step 5: Install Plugin Protection
There are a huge number of plugins out there that claim to boost the security of your site. The sheer choice can be overwhelming, but I'm going to cut through the chaff and recommend what I consider to be the simplest and most effective plugin for you to utilize.
That plugin is Wordfence: a popular and highly-rated free plugin. It includes a wide variety of security features, including (but not limited to):
- A web application firewall
- Malicious IP protection
- Backdoor scans
- Malware scans
- Enhanced login security (including limits on failed login attempts)
Although Wordfence follows a freemium model, with a paid version that adds more options, the plugin itself and the basic service cost you nothing. Installing it on your site is a no-brainer.
In reality I am just scratching the surface here. Although putting the above security measures in place will help harden your WordPress security above the vast majority of others, there is always more that you can do and always a chance that you could still get hacked anyway.
I’ve covered simple ways to harden your WordPress security in this post. If you’ve implemented them all and are still hungry for more, I would advise that you start by checking out the official WordPress security page over at the WordPress.org Codex.
Now it’s your turn — I’d love to know what simple recommendations you have to harden your WordPress security. It could be simple tips and tricks, plugin suggestions or even a recommended premium service like the aforementioned VaultPress. Fire away in the comments section!
Security is very important to a website / blog and deserves all the attention of this article. Thanks for the advice.
Security on our WordPress sites is of utmost importance to us. We find Wordfence invaluable, but the other security plugins we ALWAYS use are: Bulletproof Security (with added .htaccess code), Bad Behavior, and WordPress File Monitor Plus. TAC and AntiVirus are useful when first installing a theme too, if you have downloaded it from somewhere other than the WordPress Repository.
Cheers… Nice article, and very useful to those that are new to WordPress. Change that ‘admin’ username NOW!
Thanks for sharing these plugins Paul 😉 I also really like Security Ninja, you can checkout our Security Ninja Review to learn more!
Solid tips to improve the security of WordPress sites. I use a limit login attempts plugin and a firewall to minimize the risks.
Wordfence is a good option that compiles those options inside. There are also BulletProof Security and Better WP Security.
What is your experience with Wordfence compared to BulletProof and Better Security?
I’ve read mixed results, e.g. with Better Security, which is a good complete plugin, but at the same time it sometimes “touches” several things that require expertise to fix later.
To be honest I wouldn’t say I know enough about security to say that one plugin is better than the other, but I use Wordfence.
Really nice article.
One thing though: In “Step 3: Change the Default Profile” you refer to a video… where’s the link?
Hm…it seems to have disappeared! I’ll try and get it back up.
I use Cloudflare, which is a highly recommended security service and is included in my hosting plan; I do not pay anything extra to use it. Worth it.
Yes, CloudFlare is nice. We used to use it before switching to WPEngine.
I was recently hacked, and as you say, I was “screwed up”. I resorted to BackWPup, and it works soooo… well for me.
A recent hacking on my church website got me researching on the issue of recovering the website. Thanks for the helpful website and comments!
Nice post Tom.
Being a WP user for a very long time, I do know the importance of security and stuff. I have personally experienced a couple of my sites getting hacked. So the first thing that one needs to do is to secure their site. I was not aware of the Wordfence plugin and it works like a charm.
Thanks for the share bro
Great help here.
I am a website owner. I had installed an SSL Certificate that I allowed to expire as I didn’t require it. Now, when I access my website WordPress Admin area, how can I be sure it is actually my admin area and not some phishing front?
I ask this as I had a jpeg set up to appear on my login page but it doesn’t appear anymore.
Any tips and tricks?
You should be able to tell pretty easily if you view your page source. If it’s been hacked, most likely it would be showing an iFrame in your source code rather than actual HTML from your site. You could always go to Updates and do a re-install of WordPress if you are concerned; it will re-install all the core WordPress files, so if any were hacked they will be replaced with clean ones. But basically, if the admin was hijacked I don’t believe you would even be able to make any edits such as adding posts, menu items, changing settings, etc. Also, if you have any concerns about the site security, the first thing you should do is change the password. Use the lost password function or reset it via the database. If you manually reset the password and can still log into your site, most likely everything is fine. And if you have any concerns about the integrity of the site, changing the password is a good place to start.