Fundamentally, securing your WordPress website is not about achieving a perfectly secure system. When it comes to website security, “perfection” is an impractical or impossible ideal to achieve or maintain. We’d all like to believe it’s possible to eliminate every possible security risks with our website, but it simply isn’t. Good website security is risk reduction, not risk elimination. It boils down to implementing the most appropriate and reasonable security controls that will reduce the risk of your site becoming a target and subsequently getting hacked.
This being said, securing your WordPress website requires much more than installing a security plugin and walking away. Whether you’re a Fortune 500 company, an ecommerce retailer or a small business with an online marketing presence, protecting your website from hackers should be a top priority. Truly securing your website requires that you consider and address all three components of a complete security strategy — protection, detection and recovery.
Implementing security measures to stop attacks before they start is an obvious first step. In this Part I of our 3 part series, we’ll review some common best practices for protecting your WordPress website from possible hacks.
Ensure that WordPress Core, Themes and Plugins Are Current
Keep Up With the Joneses
One of the biggest security vulnerabilities in WordPress is outdated software. The WordPress team updates core files frequently, often to patch vulnerabilities and strengthen the software against attacks. The most popular and well maintained themes and plugins are also updated periodically. With information now publicly available about fixes to security holes in previous WordPress versions, it is easy for hackers to target specific documented weaknesses. This means that an out-of-date site is even more vulnerable. It is therefore important that you update your site with regularity.
Clean Out Your Closet
Along the same line of thinking, removing any themes or plugins you don’t need will reduce the likelihood of attacks. The reality is that if you’re not using a particular theme or plugin you aren’t likely be thinking about updating it regularly. Since failing to update even unused themes and plugins means increasing your vulnerability to attack, it’s better to just eliminate this unnecessary risk by deleting such themes and plugins entirely.
Maintain a Well-Oiled Machine
In addition to increased security, updates can improve the performance of WordPress itself, a theme or a plugin you are using. For example, the WordPress 3.9 update included performance improvements for the TinyMCE and the WordPress 4.1 update included improvements to complex queries. Keeping your entire website framework up to date will help to ensure that your site’s performance is maximized.
Integrate Only Reputable, Well-Supported Plugins and Minimize Their Use
A WordPress plugin is a program that extends core functionality. Plugin development began because programmers wanted to extend WordPress functionality without altering the base framework. With that in mind, as a WordPress user, you need to understand that every time you install a plugin, you are putting your website’s health into a third-party developer’s hands. If the plugin developer is experienced and responsibly minded, the chances of running into problems are slim — but even then, cannot be guaranteed. And unfortunately, not all developers follow best practices and not all release regular updates or patches. Therefore, it is important to be sure only to use plugins that are well supported, regularly updated and that have garnered a significant number of downloads with many positive reviews. As a general rule, we typically advise NOT using any plugin for which no update has been issued in more than a year.
More Is NOT Better
To keep your site secure, minimize plugin installation. Doing so doesn’t just optimize your site’s security — it also maximizes site speed and performance. Overuse of plugins can slow your site down dramatically. The best rule of thumb? If your site can deliver without the functionality provided by a particular plugin, or if the features you desire can be implemented through simple code additions, then skip the plugin. The fewer plugins you have, the better your performance — and the fewer the opportunities hackers will have to access your site information.
Harden Default WordPress Infrastructure
Avoid Brain Damage
Brute force attacks are typically automated and can easily find the WordPress default administrative URL. Relocating or renaming your login page will make a hacker’s job harder. Change your admin URL to anything other than www.websitename.com/wp-admin or www.websitename.com/wp-login.php to ensure that hackers have a more difficult time locating and attacking.
Manage User Accounts
Ditch the Default User
The user created when you first install WordPress is automatically assigned a default identity – specifically, “user id 1.” Hackers can take advantage of this fact and deploy exploits that attempt to reset the account password of this user. You can easily prevent such attacks by creating a new user account with a role of “Administrator” and attributing all posts and pages owned by the initial user account to this new one. When you create the name for your new user, be creative and DO NOT use the name “admin.” This user name is used by many quick installers and is a favorite target of hackers. With an “admin” user present, half of the puzzle is already solved for an attacker. With a known username, only a password is needed to compromise your site. Simply removing the default user or “admin” account from your WordPress site can prevent it site from being open to automated attacks.
Strong Passwords Are Hard for a Reason
In our increasingly complex world of password management, people cringe when they’re told their new password needs to be a certain length, contain a specific mix of characters, etc. However, if your website users choose simple and easy-to-guess password like password123, changeme or other straightforward combinations, they are inviting hackers to wreak havoc on your website. Forcing strong passwords that change often for all users is a necessity for enhanced website security. Random strings of letters and numbers work best. If you can’t come up with something manually, there are password generator websites you can use, such as Strong Password Generator, to come up with something for you.
You Can’t Always Get What You Want
Sometimes, website security is compromised because one of the most basic best security practices is violated — too many people have access to the control room. Implementing this sort of restriction can be harder to do than it sounds. Many website content editors feel the need for full power and control over a site. But while giving everyone administrative permissions is quick and easy to do in the short run, it can be a recipe for trouble over the longer term.
Limit user access for website administration. Grant access only to those who absolutely need it — and even then, provide only the minimum permissions necessary for those users to complete their assigned tasks. Take the time to ensure that appropriate permissions are assigned to your website roles and that all users are granted a website role that allows them to do their job effectively.
Secure Your Administration Dashboard
Mix Things Up a Bit
SSL is the short name for Secure Sockets Layer. This technology encrypts and hides the data being transferred between Web browsers and servers. Your WordPress administrative dashboard is the gateway into your site and obtaining a username and password for access to it is a hacker’s ultimate goal. Implementing an HTTPS SSL encrypted connection for your website administration login and dashboard ensures that sensitive access information is encrypted.
Use Correct File Permissions
File permissions and ownership aren’t typically front of mind when thinking about WordPress security. But they should be. The unpleasant reality is that most website security measures can be bypassed — which means that even if you’ve done everything else right, your site could still be prone to attacks by malicious users if your file-system permissions aren’t set up correctly.
To Write or Not to Write
In a perfect world, your website files and directories would be read-only. Faced with such restrictions, hackers would find it very difficult to modify files or upload malicious scripts, thus greatly reducing the scope for attacks on your site. However, making everything read-only would result in a variety of usability issues — for example, you wouldn’t be able to upload media or add new plugins to your site, and you would likely experience WordPress errors during upgrades. With this said, it is best practice to lock down your file and directory permissions as much as possible and loosen those restrictions only when necessary.
Choose the Right Hosting Company
Start With a Solid Foundation
Your website, no matter what content management system or Web technologies you’re using, is only as secure as the hosting platform on which it runs. With that said, a good place to start when it comes to website security is in the choice of a secure hosting environment. After all, if someone can exploit a vulnerability in old software versions or other services on your hosting platform, it won’t matter whether you are using the latest version of WordPress or what other measures you have taken to secure your site.
So Many Fish in the Sea
There are hundreds, if not thousands, of Web hosting providers. With so many options, how do you pick the one that’s best for you and your website?
While any Web host may be vulnerable to an attack, you should look for a hosting company that emphasizes security. Specifically, consider the following for each candidate during your selection process:
- availability and quality of customer support
- update frequency for stable versions of all server software
- supported backup methods
- prior security breaches (and how the host responded)
- customer reviews
If you choose to deploy your site to a shared hosting plan, make sure that your host provides account isolation. This ensures that one account can’t overload the server and cause problems for your website. Good hosting companies will also offer daily internal backups, but remember that you still need to do regular external backups (we’ll discuss this in more detail in part 3 of our series).