Here at Old Town Media, we use WordPress for the majority of our websites. We’re not alone – WP is used on 23% of the sites on the whole Internet, which makes WordPress a very, very juicy target for hackers and anyone else looking to exploit issues. Luckily, WordPress has a lot of features that you can use to secure your site and keep it from being hacked.
And let me tell you, it is no fun to have your site hacked – you will be out money, time, and the pain of fixing the site. Preventative measures are far cheaper to implement than to have your site cleaned up from a hack and today we’re sharing the best ways that you can keep your WordPress site secure.
It All Starts at Home
Keep your local machine clean
The beginning of keeping your website clean is keeping your computer clean – if your machine is infected, then a hacker can easily watch your keystrokes, the websites you visit, etc. and gain access to your website and hosting using your own credentials without you ever knowing. Keeping your machine clean with antivirus software and being careful about the sites you visit and download from will keep your website from getting hacked because of a virus on your own computer.
Server Side
Quality hosting
Hosting is the servers where your website is stored and pulled from every time someone views your site. Hosts will often group multiple websites on the same machine, which is just fine until one of them – maybe yours or maybe someone else’s – gets infected and opens up the whole machine to infection. Add to that the possibility of old, outdated server software or a host who doesn’t properly take care of their server and you have a recipe for a really bad infection.
Premium, reputable hosts won’t let any of this happen to your website. They will have up-to-date software, siloed installation of accounts, and a team of professionals watching the server. You want to host with those guys. Heck, if you’re really serious about security and performance you can get your own managed server and further reduce the risk of infection due to someone else’s lack of care.
Secure wp-config, .htaccess & wp-includes
wp-config.php holds all of your website’s database access credentials as well as other information about your site. If a hacker gains access to this file and can read its contents, they can easily gain control over the rest of your site’s files. Your .htaccess file handles appropriate redirects on your site, configures performance settings, and is even an important part of your security plan. The wp-includes directory is where all of the resources (js, css, libraries, etc.) for the WordPress CMS are stored and is particularly open to attack and infection. Locking down all of these files and folders will keep someone from using your core files against you. You can lock them down using your .htaccess file or the plugin that we will recommend below.
Change Your database table prefix
WordPress comes standard with the table prefix “wp_” prepended to all of its database table names. This means that when a vulnerability is found on your site that lets a hacker submit SQL queries, the hacker will first try that default prefix to reach more of your data. If you have renamed the prefix to something random or a meaningful acronym, they will have a much, much harder time gaining access to sensitive data.
Login Security
Rename admin user to something else
WordPress was originally installed automatically with the “admin” username as the main user with all permissions to the site. While you can now set a custom name on installation, most people still install their site with “admin” being the main user. This makes the username a popular target for DDoS attacks and bots trying to guess the credentials to your site.
Having a user named admin increases the likelihood of an attack succeeding by reducing the possible number of username/password combinations. What most bots will do is target your login page and repeatedly try to log in using a particular username and a password that they’re guessing at. They will do this tens, hundreds, or even thousands of times in some cases until they’ve found the right combination and can log in. If you don’t have a user named admin and someone tries to log in using that name, you can immediately target them and stop them in their tracks.
Strong passwords
This one is down the list, but is probably the single most important thing that you can do to secure your website. You might think that your password is clever, but it’s probably not if it’s related to your content or has anything including “pass” or “123”. If your password is ANYTHING like this list – you need to change it immediately. You want to have a password that’s easy to remember, but not related to your content and has a combination of uppercase and lowercase letters, numbers, and special characters. One of our favorites is DinoPass – the passwords are silly, but still random and easy to remember. If you’re looking for a step-up in security from DinoPass, check out Strong Password Generator – it will generate a completely random string with all of the characteristics of a strong password.
Modify the login url
Remember the bots attempting to log in using a username and random password? They’re all hitting www.yoursite.com/wp-admin or www.yoursite.com/wp-login because that’s where the login page always is. However, using a security plugin you can change the URL of your login page, which makes it significantly more difficult for a bot to find and attack the page. You’ll even find that it might be a performance boost for your website because DDoS attempts are harder to execute, and if you cut out the bot traffic hitting your expensive login page, server loads will go down. Just don’t lose the new login URL.
Limit login attempts
Limiting the login attempts works by tracking the IP address of every login attempt to your site and restricting that IP to a certain number of failed login attempts. That means that someone sitting at home can’t keep trying to log in until they guess your password – they will only have, say, 5 attempts to get the password right before they get blocked from your entire site. This is one of the more effective measures for keeping someone from logging into your site. Be careful when logging in yourself, however; it’s easy to get yourself locked out from a few missed keys.
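As an added example of the two points above (not code from this post or from iThemes Security), here is a minimal must-use plugin that rejects any attempt for the retired “admin” name outright and locks an IP address out after a fixed number of failures. It assumes a standard WordPress install where the site-wide “admin” account has already been renamed; the OTM_* constants, the transient key prefix and the messages are this example’s own choices.

```php
<?php
/**
 * Plugin Name: Login limiter (added example)
 *
 * Added example, not code from the post or from any plugin it names. Drop it
 * into wp-content/mu-plugins/. It rejects attempts for the retired "admin"
 * name outright and locks out an address after too many failures. The OTM_*
 * constants and the transient key prefix are this example's own choices.
 */
const OTM_MAX_ATTEMPTS    = 5;
const OTM_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS; // WordPress core constant

function otm_client_ip(): string {
    // Trust only REMOTE_ADDR; X-Forwarded-For is client-controlled unless a
    // trusted reverse proxy rewrites it.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}
function otm_fail_key(string $ip): string {
    return 'otm_login_fail_' . md5($ip);
}

// Priority 30 runs after core has checked the password (priority 20), so core
// cannot replace our WP_Error with a successful WP_User.
add_filter('authenticate', function ($user, $username, $password) {
    if ($username === '') {
        return $user; // cookie/app-password flows; nothing to rate-limit
    }
    if ($username === 'admin' && !username_exists('admin')) {
        // No real account uses this name, so the request is almost certainly a bot.
        return new WP_Error('otm_blocked', 'Login blocked.');
    }
    if ((int) get_transient(otm_fail_key(otm_client_ip())) >= OTM_MAX_ATTEMPTS) {
        return new WP_Error('otm_locked', 'Too many failed attempts. Try again later.');
    }
    return $user;
}, 30, 3);

// Core fires wp_login_failed whenever the authenticate filter returns a
// WP_Error, including ours above, so every rejection is counted here.
add_action('wp_login_failed', function ($username) {
    $ip = otm_client_ip();
    $failures = (int) get_transient(otm_fail_key($ip)) + 1;
    set_transient(otm_fail_key($ip), $failures, OTM_LOCKOUT_SECONDS); // TTL restarts
    error_log(sprintf('login failed for "%s" from %s (%d/%d)', $username, $ip, $failures, OTM_MAX_ATTEMPTS));
});
// A successful login clears the counter for that address.
add_action('wp_login', function () {
    delete_transient(otm_fail_key(otm_client_ip()));
});
```

The error_log lines give you the record of blocked names and addresses that the paragraph above describes; if your host sits behind a reverse proxy, replace otm_client_ip() with the real client address the proxy supplies or every visitor will share one counter.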
WP Admin
Keep everything updated
The number one thing that you can do from the admin side is keep your core, plugins, and themes up to date. In several studies, out-of-date core, plugins and themes account for over 50% of WordPress sites getting compromised. Vulnerabilities in plugins and core do happen – even the best developers are prone to error, but the good ones will immediately fix any vulnerabilities and release an update to their code. Since WordPress has a great update mechanism built in, it’s super easy to keep your site up to date and any potential vulnerabilities patched. If you have a little update icon in your admin bar, look into hitting update or having your developer handle the update.
Delete all unused installs, themes, and plugins
Unused old plugins, themes, installations of a CMS, or backups lying around on your server can be huge bait for a hacker to exploit. It’s good practice to look through your server directories and delete anything you no longer use: get rid of old themes (even the base WP ones like twentythirteen and twentyfourteen) and plugins that you no longer use. Odds are you aren’t keeping them updated and they’re just taking up valuable space on your server.
Install a Security Plugin
Security plugins are great because they can do almost everything that we’ve mentioned above automatically. A good plugin will enforce your passwords, keep htaccess, wp-config, and wp-includes locked down, limit a user’s login attempts, and much, much more to keep your site safe from compromise. A good security plugin will be easy to use and handle everything automatically. We recommend iThemes Security and it’s completely free! Stay away from some of the lower quality plugins like Wordfence as they will actually make your site less secure.
Further Steps
Keep backups
Regular backups of your site help you sleep at night knowing that if your site is compromised, or you accidentally delete an important post, or your host goes belly up overnight, you can simply start over with (almost) everything working right away. A backup plugin will automatically make a full site or database backup on a schedule and then either store the backup locally or push it onto another server or a service like Dropbox. We recommend at least a monthly schedule for full backups with offsite storage. Backup Buddy is our preferred backup plugin, but there are also several free options.
Install a monitoring service
A security monitoring service is your active defense against hacks. A quality monitoring service will install a small file onto your server and go through all of your files on a regular basis to see if they have been compromised. If they have, you can submit a request to have their team clean up your site for you. This kind of service is a godsend if you have been compromised. Some attacks infect your files so deeply that you can’t go through and clean them up one by one – you have to either upload a completely fresh set of files and hope it didn’t infect anything else, or you need some tools to programmatically track down and squish the bug. Services like Sucuri have those programs and they will clean your site in blazing fast time – we’ve seen as low as 4-6 hours for a completely cleaned site.
2-step authentication
Last but not least, 2-factor authentication is a great tool to help you lock down your login page. 2-factor authentication is a tool that allows you to locally verify your identity – usually through an app on your phone that feeds you a 6-digit code. Nothing but your local phone can generate that code, which means that neither bot nor hacker can even attempt to log in. There are lots of great options out there, but Google Authenticator is one of the easiest to configure and use.
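To show why only the phone holding the secret can produce that 6-digit code, here is an added example (not code from this post or from the Google Authenticator app) of the time-based one-time password algorithm those apps implement, RFC 6238 on top of the RFC 4226 truncation, plus the server-side check that accepts one step of clock drift. The base32 secret is a constructed sample; the otm_* function names are this example’s own.

```php
<?php
// Added example, not code from the post or from the Google Authenticator app:
// how a TOTP app derives the 6-digit code described above (RFC 6238 over the
// HOTP truncation of RFC 4226). The base32 secret below is a constructed sample;
// a real one is generated at enrolment and shared only with the phone.

function otm_base32_decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException("invalid base32 character: $c");
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {      // drop trailing padding bits
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

function otm_totp_code(string $secret, int $unixTime, int $step = 30, int $digits = 6): string {
    $counter = pack('J', intdiv($unixTime, $step)); // 8-byte big-endian time step
    $hmac    = hash_hmac('sha1', $counter, $secret, true);
    $offset  = ord($hmac[19]) & 0x0f;               // dynamic truncation
    $value   = ((ord($hmac[$offset]) & 0x7f) << 24)
             | (ord($hmac[$offset + 1]) << 16)
             | (ord($hmac[$offset + 2]) << 8)
             |  ord($hmac[$offset + 3]);
    return str_pad((string) ($value % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Server-side check: accept the current step and one step either side for
// clock drift, comparing in constant time.
function otm_totp_verify(string $secret, string $submitted, int $now, int $step = 30): bool {
    foreach ([-1, 0, 1] as $drift) {
        if (hash_equals(otm_totp_code($secret, $now + $drift * $step, $step), $submitted)) {
            return true;
        }
    }
    return false;
}

$secret = otm_base32_decode('JBSWY3DPEHPK3PXP'); // constructed sample secret
$code   = otm_totp_code($secret, time());
echo "code for this 30-second window: $code\n";
echo otm_totp_verify($secret, $code, time()) ? "accepted\n" : "rejected\n";
```

Because the code is an HMAC over the current 30-second window with a secret that never leaves the phone and the server, a bot that has guessed the password still has nothing to submit, which is the property the paragraph above relies on.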
Securing your site can seem like a bear of a task but it will save you money, hassle, and sleep in the long run. It’s well worth the time to invest into the tools that we’ve mentioned above. As always, if you have some questions or would like us to help you with the task of securing your site give us a shout!