WordPress security has always been food for thought. Even though most of the latest updates, including WordPress 4.0, deal with WordPress security issues, there is still a lot that can be done to improve that security, even by the less tech-savvy among us. In this article, I’d like to enumerate a number of suggestions on how to improve security on your own WordPress website.
WordPress itself has a list of WordPress security recommendations you might want to read. Of course, some of the things in that list will be repeated in the article below. I prefer a more hands-on list and direction, and that’s why we decided on this article.
Don’t use ‘admin’ as a username
Think about this. This is perhaps the easiest baseline step for WordPress security you can take as a WordPress user. It costs you nothing, and the installation makes it really easy to do. A majority of today’s attacks target your wp-admin / wp-login access points using a combination of admin and some passwords. Common sense would dictate that if you remove admin you’ll also kill the attack outright.
Yes, the argument exists that the attacker can still enumerate the user ID and Name and can in some instances pull the new username. There is no denying this. Remember though, like our friends at Sucuri like to say, Security is not about Risk elimination, it’s about Risk Reduction.
For the everyday, automated, Brute Force attack, removing the default admin or administrator username will suffice. For the sake of clarity, understand that when we say ‘admin’ we are speaking specifically to the username only and not the role.
Simply create a new user in WordPress at Users > New User and make that a user with Administrator rights. After that, delete the ‘admin’ user. Don’t worry about the posts or pages the admin user has already created. WordPress will nicely ask you: “What should be done with content owned by this user?” and give you the option to delete all content or assign it to a new user, like the one you have just created.
Employ Least Privileged Principles
The WordPress.org team put together a great article in the Codex regarding Roles and Capabilities. We encourage you to read it and become familiar with it because it applies to this step.
The good news is you don’t have to do much here, other than employ best practices. You see, the principles of Least Privilege state that you give permissions to those that need it, when they need it and only for the time they need it.
This means that not every user accessing your WordPress instance needs to be categorized under the administrator role. Assign people to the appropriate roles and you’ll greatly reduce your security risk.
Use a less common password
An easy thing to remember is CLU: Complex. Long. Unique.
This is where tools like 1Password and LastPass come into play, as they each have password generators. You type in the length, and it generates the password. You save the link, save the password, and move on with your day. Depending on how secure I want the password to be, I usually set the length of the password (20 characters is always right) and decide on things like the inclusion of less usual characters like # or *.
‘123456’ isn’t a password. ‘qwerty’ is like writing your security code on your bank card. ‘trustno1’; seriously? Shame on you. Remember, you’re never as unique as you think you are…
Hide wp-config.php and .htaccess
No, thou less tech-savvy WordPress website owner, that is not hard to do. It’s actually really simple, especially when you are using WordPress SEO > Edit Files to edit your .htaccess.
For better WordPress security, you’d need to add this to your .htaccess file to protect wp-config.php (the Files wrapper limits the deny rule to that one file; without it, the rule would lock visitors out of your whole site):

<Files wp-config.php>
order allow,deny
deny from all
</Files>

That will prevent the file from being accessed. Similar code can be used for your .htaccess file itself, by the way:

<Files .htaccess>
order allow,deny
deny from all
</Files>

These are Apache 2.2 directives; on Apache 2.4 the equivalent inside the Files block is Require all denied.
You can do it. It’s no rocket science.
Change table prefix
By default, the WordPress table prefix is wp_. You must have noticed by now that WordPress security is also about replacing all defaults, and this is no exception. If you use zr37tm_, that will be much harder to guess and therefore your database will be harder to access.
I hear you: “But how! Tell me how!”. If you have a new site, you’ll be asked to add it in the 5-minute setup when entering database details (see image):
It’ll end up in wp-config.php at:
$table_prefix = 'wp_';
Another reason to secure that file.
This action is best taken early in the installation process because once it’s installed things get incrementally harder and can cause a lot of issues depending on the site. Changing the table prefix for better WordPress security can also be done using plugins like Sucuri Scanner or All in One WP Security & Firewall, plugins I install by default on smaller websites when I’m not sure about how secure the hosting is, for instance. These plugins do a lot more than just changing the table prefix and are actively maintained by the makers. You should check what both can do for your WordPress security.
Please remember, once the attacker has access to the environment, it doesn’t really matter what the prefix is anymore.
Use WordPress Security Keys for Authentication
Authentication Keys and Salts work in conjunction with each other to protect your cookies and passwords in transit between the browser and web server. These authentication keys are basically a set of random variables, used to improve the security (encryption) of information in cookies. Changing them in wp-config.php is as simple as getting a new set of keys from the WordPress.org secret-key generator (https://api.wordpress.org/secret-key/1.1/salt/) and pasting them in. The keys change on every refresh of that page, so you’ll always get a fresh set.
Syed Balkhi at WPBeginner did an article on these WordPress security keys, in case you want some more background information. The Sucuri plugin mentioned in the previous chapter can help you with these keys as well.
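Re-keying by hand is fiddly, so here is an added example (not code from the original article or from WordPress) that does the same job offline for any wp-config.php in the define('NAME', '...') form shown on this page: it draws each secret from /dev/urandom and rewrites only the eight define() lines. The sample config it builds and the file path are constructed for illustration; on a real site, back the file up first.

```shell
#!/bin/sh
# Added example, not from the original article: rotate the eight WordPress
# keys and salts in wp-config.php offline. Every existing login cookie stops
# validating afterwards, so all users are logged out, as you want after a
# suspected compromise.

WP_SECRETS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 hex characters (256 bits) from the kernel CSPRNG. Hex has no quote or
# backslash, so it is safe inside a PHP single-quoted string unescaped.
new_secret() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Constructed stand-in for a real wp-config.php (same placeholder text as
# the wp-config-sample.php shipped with WordPress).
make_sample_config() {
    cat > "$1" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
EOF
}

# Rewrite only define() lines naming one of the eight constants; copy every
# other line untouched. Write to a temp file and swap it in with one mv, so
# an interrupted run never leaves a half-written config behind.
rotate_salts() {
    cfg="$1"; tmp="$cfg.tmp.$$"
    : > "$tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            define\(*\'*\'*)              # a define() with a quoted constant name
                name=${line#*\'}          # text after the first quote ...
                name=${name%%\'*}         # ... up to the second quote
                case " $WP_SECRETS " in
                    *" $name "*)
                        printf "define('%s', '%s');\n" "$name" "$(new_secret)" >> "$tmp"
                        continue ;;
                esac ;;
        esac
        printf '%s\n' "$line" >> "$tmp"
    done < "$cfg"
    mv "$tmp" "$cfg"
}
```

Run it as `rotate_salts /path/to/wp-config.php`; the function leaves the database settings and everything else in the file exactly as they were.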
Disable file editing
If a hacker gets in, the easiest way to change your files would be to go to Appearance > Editor in WordPress. To lift your WordPress security, you could disable the writing of these files via that editor. Again, open wp-config.php and add this line of code:
define('DISALLOW_FILE_EDIT', true);
Of course, you’ll still be able to edit your templates via your favorite FTP application, you just won’t be able to do it via WordPress itself.
Limit login attempts
Brute force attacks target your login form (as mentioned earlier in this article). Specifically for WordPress security, the All in One WP Security & Firewall plugin has an option to simply change the default URL (/wp-admin/) for that login form. Next to that, you could also limit the number of login attempts from a certain IP address.
A plugin that helps a lot in protecting your site against these attacks, is BruteProtect. That plugin has recently been acquired by Automattic, the people who created WordPress. The plugin will automatically take care of protecting your login form from IP addresses that fire a multitude of login attempts your way.
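Brute force attempts are visible in the web server access log long before any plugin blocks them. This added example (not from the original article, and independent of the plugins named above) counts failed POSTs to wp-login.php per source IP over constructed sample log lines and flags any IP above a threshold; the combined log format, the threshold and the addresses are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: spot password guessing
# against wp-login.php in a combined-format access log (Apache or nginx).
# WordPress answers a failed login by re-rendering the form (HTTP 200) and a
# successful one with a redirect (HTTP 302), so counting 200-responses to
# POST /wp-login.php per source IP isolates the failures.

# Constructed sample log; the addresses are RFC 5737 documentation ranges.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.9 - - [10/Oct/2014:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Oct/2014:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Oct/2014:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Oct/2014:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Oct/2014:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Oct/2014:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/4.0"
198.51.100.4 - - [10/Oct/2014:13:56:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2001 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2014:13:56:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2014:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2014:13:56:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Oct/2014:13:57:00 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
EOF
)

# Read a log on stdin; print "<ip> <failed_posts>" for each IP whose failed
# login POSTs exceed $1. No time window is applied, so feed it a recent
# slice of the log (say, the last hour) rather than the whole history.
flag_login_bruteforce() {
    awk -v max="$1" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] > max) print ip, fails[ip] }
    '
}

printf '%s\n' "$SAMPLE_LOG" | flag_login_bruteforce 3   # prints: 203.0.113.9 6
```

The one legitimate user in the sample (198.51.100.4) mistypes once and then logs in, and is never flagged; on a live server, pipe `tail -n 5000 access.log` into the function instead of the sample.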
Add two-step verification
Oh, the hassle that two-step verification is. But for now, it’s your Fort Knox. The essence of two-step verification for WordPress security is exactly as implied in the name: two forms of authentication. It’s the recognized standard today for enhanced security at your access points. You are already using two-step verification for Gmail, PayPal, and the works (at least you should be), so why not add it to your WordPress security toolkit as well? Ipstenu (Mika Epstein) did an article on the subject you might want to read: Two Factor Authentication.
There is a plugin for that: Google Authenticator. An alternative that takes a slightly different approach for the same purpose is the Rublon Plugin.
Hosting & WordPress security
In the past years of website reviews, we have had our share of website owners stating that their hosting company couldn’t help with this, or knew jack about that. Hosting companies simply see your website differently. There is no simple rule to decide on your WordPress hosting company. However, the choice of a hosting company does matter when optimizing your WordPress security. Every article written on the subject seems to start by telling you that the cheapest one is probably not the best one. Most cheaper hosting plans won’t have support to help you out with a hacked site. These plans include little to secure your website, like for instance setting up a Website Firewall (more on the Sucuri Website Firewall later). Shared hosting for instance does imply that your hosting server is also populated with other websites. These might have security issues of their own, which in turn might affect your own website’s security as well.
WordPress security seems to be one of the main USP’s offered in specialized WordPress hosting products, like the one offered by XeonBD. They offer backups, redundant firewalls, malware scanning and DDoS protection, and automatic WordPress updates for very reasonable pricing (understatement).
(Free) plugins & themes
Most WordPress users tend to add themes and plugins at will to their websites. Unless you are doing this on a test server for the sole purpose of testing that theme or plugin, that makes no sense, especially not with reference to WordPress security. Most plugins and a lot of themes are free, and unless there is a solid business model to accompany these free giveaways, the developer is maintaining the plugin just because it’s good fun; chances are he or she did not take the time to do proper security checks.
At Yoast, we work with Sucuri (more on Sucuri later) to make sure every plugin we release is checked for security before release, and we have an agreement with them for ongoing checks as well. If you are creating a free theme or free plugin, you might not have the resources to add solid checks like that.
How to pick the right plugin
If you want to be taken by the hand in selecting the right WordPress security plugin for your website, please read this in-depth article Tony Perez did on the subject: Understanding the WordPress Security Plugin Ecosystem.
Let me focus on the basics of plugin selection here. As explained above, free plugins and themes could be a possible vulnerability. When adding a plugin (or theme for that matter), always check the rating of that plugin. WordPress.org shows ratings, but one five-star rating won’t tell you anything, so also check the number of ratings. Depending on the niche, a plugin should be able to get multiple reviews. If more people think a plugin is awesome and take the time to rate it, you could decide to use it too.
There is one other thing you want to check. If a plugin hasn’t been updated for two years, WordPress will tell you that. That doesn’t mean it’s a bad plugin, it could also mean there hasn’t been a need to update, because the plugin simply works. The ratings will tell you that, and the compatibility with the current WordPress version, which is also listed on the plugin page at wordpress.org. Having said that, Sucuri strongly recommends against using any plugins that haven’t been updated for that long. You should take their word for it.
Based upon these ratings and compatibility, you could pick your plugins less randomly and have a larger chance of some kind of security being added.
Contact Sucuri
Sucuri is a globally recognized website security company specializing in bringing peace of mind to website owners, including us here at Yoast. We’ve partnered with Sucuri because we take security very seriously, it’s not and should not be an afterthought. What Daniel and Tony have built is a product/service that lets you get back to running your business.
Failing to take the necessary precautions for your WordPress security, and to leverage the experts, can lead to malware infections, branding issues, Google blacklists, and possibly huge impacts on your SEO (something dear to our hearts). Because of this, we turn to them for our needs, as they turn to us for website optimization.
A lot of the suggestions in this article can be dealt with by installing and configuring their Sucuri Scanner plugin for WordPress (see video) or hiring them to monitor your website(s) for vulnerabilities. At Yoast, we don’t think this is an ‘extra’, but consider it an absolute necessity. Visit their website at sucuri.net for more information, and check your site now to see if you have been infected with malware or have been blacklisted.
Special offer for our readers
Because of our close relationship with Sucuri, they are willing to provide all our readers a 25% discount if they purchase a complete security package of Website AntiVirus & Firewall (basic) and pay for a year upfront (currently ~ $220 / year). They will extend this to any of the higher Firewall plans as long as the payment is made for the year upfront.
If you are serious about your website, you are serious about your security. Get the complete security package of Website AntiVirus & Firewall now:
Get the complete Sucuri Website Security Package now.
Closing thoughts
If you have come this far in this article, you will have no excuse not to improve the WordPress security for your website. Like adding posts and pages, WordPress security should be a regular routine for every WordPress site owner.
This isn’t the full list of all the things you can do to secure your website. I am aware that one should for instance create regular backups. And that WordPress has a number of plugins for this as well. But backups are not part of WordPress security per se, I think these are part of having a website in general.
I trust this article about WordPress security gives you a practical list of things you can and should do to secure at least the first layer of defense of your website. Why make it easy for hackers to access your website, when it is so easy to harden your WordPress security?