WordPress | Tips to Improve Security
Having your site hacked is not fun. You, the website owner, need to pay attention to potential security risks, in order to keep your website safe. Here are a number of things you can do to improve your WordPress security.
1. Use secure hosting
Not all web hosting providers are created equal and, in fact, hosting vulnerabilities account for a huge percentage of WordPress sites being hacked.
When choosing a web hosting provider, don’t simply go for the cheapest you can find. Do your research, and make sure you use a well-established company with a good track record for strong security measures. We spend a lot of time and effort to ensure our servers are fast, secure and up to date. We also offer a range of scripting versions: in your hosting control panel under "Hosting Settings" you can select the version of PHP for each site via a drop-down box. We recommend running the most recent version your website will support; in general the most recent versions are more secure and will also allow your site to run faster.
We also perform nightly malware scans and monitor the servers for other suspicious activity. In the event a site is found to be compromised we will password protect it and contact the owner, to minimise damage to the site and prevent further abuse and inconvenience to other clients.
When you install WordPress from our hosting control panel we automatically harden it by setting correct permissions on files and directories, removing version information from your active theme and the readme file, loading proper salt keys and setting a random database prefix.
You also have access to the Cloudflare web application firewall via the Server Shield link on the right of your hosting control panel. For most sites without a shopping cart it’s free and well worth the effort to deploy.
It’s always worth paying a bit extra for the peace of mind you get from knowing your site is in safe hands.
2. Install all updates
Every new release of WordPress contains patches and fixes that address real or potential vulnerabilities. If you don’t keep your website updated with the latest version of WordPress, you could be leaving yourself open to attacks.
Many hackers will intentionally target older versions of WordPress with known security issues, so keep an eye on your Dashboard notification area and don’t ignore those ‘Please update now’ messages.
Alternatively, you can enable automatic updates in your hosting control panel via our WordPress Toolkit (top right). This will install updates to themes, plugins and the WordPress core as soon as they become available.
3. Remove unused themes and plugins
If you don't use a theme or plugin, remove it to reduce the surface area open to attack. Even if a theme is not active it can still be used to hack into your website. Hackers actively probe websites for common themes and plugins with known vulnerabilities. It's also a good idea to limit the number of plugins active on your website, as each one increases your chances of being hacked through an undiscovered vulnerability, and sites with many plugins often run very slowly.
4. Strengthen up those passwords
Many WordPress website hacks are down to weak passwords.
If your WordPress administrator password is anything like ‘letmein’, ‘abc123’, or ‘password’ (all way more common than you might think!), you need to change it to something secure as soon as possible.
Try to use an acronym or formula to make a memorable yet strong password. If you’re feeling lazy, you can also use a password manager like the ones built into most browsers. There are also other options like two-factor authentication and Clef (paid product) which can almost eliminate password-based hack issues.
5. Never use “admin” as your username
This is a common mistake and is only giving hackers a big helping hand in breaking into your website.
If you use “admin” as your username, and your password isn’t strong enough (see #4), then your site is very vulnerable to a malicious attack. It’s strongly recommended that you change your username to something less obvious.
Until version 3.0, installing WordPress automatically created a user with “admin” as the username. This was updated in version 3.0 so you can now choose your own username. Many people still use “admin” as it’s become the standard, and it’s easy to remember.
Fixing this is simply a case of creating a new administrator account for yourself using a different username, logging in as that new user and deleting the original “admin” account.
If you have posts published by the “admin” account, when you delete it, you can assign all the existing posts to your new user account.
6. Hide your username from the author archive URL
Another way an attacker can potentially gain access to your username is via the author archive pages on your site.
By default WordPress displays your username in the URL of your author archive page. For example, if your username is joebloggs, your author archive page would be something like http://yoursite.com/author/joebloggs
This is less than ideal, for the same reasons explained above for the “admin” username, so it’s a good idea to hide this by changing the user_nicename entry in your profile so it is different from your login.
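As an added example covering sections 5 and 6 together (this is not code from the original article, and the slt-free function names here are hypothetical), the following PHP script reports any account still called “admin” and any user whose author slug equals the login, fixes a slug with wp_update_user(), and shows how to replace the “admin” account while handing its posts to the new user. The new administrator's login, e-mail and password are placeholders you must change.

```php
<?php
// Added example, not part of the original article. Run it inside a WordPress
// bootstrap, for instance with WP-CLI:  wp eval-file audit-users.php
// Function names are hypothetical; the new administrator's credentials are placeholders.
require_once ABSPATH . 'wp-admin/includes/user.php'; // provides wp_delete_user()

// Sections 5 and 6 audit: report an "admin" login and any author slug equal to the login.
function audit_users() {
    $issues = array();
    foreach ( get_users() as $user ) {
        if ( 'admin' === strtolower( $user->user_login ) ) {
            $issues[] = "user {$user->ID}: login is 'admin'";
        }
        // WordPress derives the default slug from the login, so an equal slug leaks it
        // through /author/<slug>/ URLs.
        if ( sanitize_title( $user->user_login ) === $user->user_nicename ) {
            $issues[] = "user {$user->ID}: author slug '{$user->user_nicename}' reveals the login";
        }
    }
    return $issues;
}

// Section 6 fix: give a user an author slug unrelated to the login.
function set_author_slug( $user_id, $slug ) {
    return wp_update_user( array( 'ID' => $user_id, 'user_nicename' => sanitize_title( $slug ) ) );
}

// Section 5 fix: create a new administrator, then delete "admin" and hand its posts over.
function replace_admin_account( $new_login, $new_email, $new_password ) {
    $old = get_user_by( 'login', 'admin' );
    if ( ! $old ) {
        return 'no "admin" account found';
    }
    $new_id = wp_create_user( $new_login, $new_password, $new_email );
    if ( is_wp_error( $new_id ) ) {
        return $new_id->get_error_message();
    }
    ( new WP_User( $new_id ) )->set_role( 'administrator' );
    wp_delete_user( $old->ID, $new_id ); // second argument reassigns posts to the new user
    return "admin (ID {$old->ID}) replaced by {$new_login} (ID {$new_id})";
}

foreach ( audit_users() as $issue ) {
    echo $issue, PHP_EOL;
}
// Apply the fixes deliberately, after reviewing the report, for example:
// set_author_slug( 7, 'site-editor' );
// echo replace_admin_account( 'CHANGE-ME-login', 'you@example.com', wp_generate_password( 24 ) ), PHP_EOL;
```

Run the audit first and only then uncomment the fixes, since deleting the old account is irreversible without a backup.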
7. Limit login attempts with Fail2Ban plugin
In the case of a hacker or a bot attempting a brute-force attack to crack your password, it can be useful to limit the number of failed login attempts from a single IP address.
We recommend using a plugin called WP Fail2ban, which integrates with our server systems and allows us to block people who repeatedly attempt to guess your login.
There are ways around this, as some attackers will use a large number of different IP addresses, but it’s still worth doing as an additional precaution.
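To show the mechanism behind such a plugin, here is an added example (our own illustration, not the WP Fail2ban plugin's code) of a minimal must-use plugin: it counts failed logins per client IP in a transient, refuses further attempts once a limit is reached, and writes each failure to the system auth log in a constructed message format that a server-side fail2ban filter could match. The slt_ names and the limit of 5 failures per 15 minutes are assumptions.

```php
<?php
/**
 * Plugin Name: Simple Login Throttle (added example, not the WP Fail2ban plugin)
 * Drop into wp-content/mu-plugins/. Counts failed logins per client IP in a
 * transient, refuses further attempts once the limit is hit, and writes each
 * failure to the system auth log in a constructed format a fail2ban filter can
 * match. Assumed limits: 5 failures per 15 minutes. Behind Cloudflare (section 1)
 * REMOTE_ADDR is the proxy's address; read the visitor IP your proxy passes instead.
 */
define( 'SLT_MAX_FAILURES', 5 );
define( 'SLT_WINDOW', 15 * MINUTE_IN_SECONDS );

function slt_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

function slt_key( $ip ) {
    return 'slt_fail_' . md5( $ip ); // keeps the transient name short and safe
}

// Every failure (including attempts refused below) bumps the counter and is logged.
add_action( 'wp_login_failed', function ( $username ) {
    $ip    = slt_client_ip();
    $key   = slt_key( $ip );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, SLT_WINDOW ); // the window restarts on each failure

    openlog( 'wordpress', LOG_NDELAY | LOG_PID, LOG_AUTH );
    syslog( LOG_NOTICE, sprintf( 'Authentication failure for %s from %s', $username, $ip ) );
    closelog();
} );

// Refuse to even check the password once an address has used up its attempts.
// Priority 30 runs after WordPress's own username/password check (priority 20).
add_filter( 'authenticate', function ( $user, $username ) {
    if ( '' === $username ) {
        return $user; // login form not submitted yet
    }
    if ( (int) get_transient( slt_key( slt_client_ip() ) ) >= SLT_MAX_FAILURES ) {
        return new WP_Error( 'too_many_attempts',
            'Too many failed login attempts from your address. Try again later.' );
    }
    return $user;
}, 30, 2 );
```

Because the lockout is keyed on the source address, it only slows a single host; the fail2ban jail reading the log lines is what turns repeated failures into a firewall ban.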
8. Disable file editing via the dashboard
In a default WordPress installation, you can navigate to Appearance > Editor and edit any of your theme files right in the dashboard.
The trouble is, if a hacker managed to gain access to your admin panel, they could also edit your files that way, and execute whatever code they wanted to.
So it’s a good idea to disable this method of file editing, by adding the following to your wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true );
9. Try to avoid free themes
We’re confident in the quality and security of our free themes. As a general rule though, it’s better to avoid using free themes, if possible, especially if they aren’t built by a reputable developer.
The main reason for this is that free themes can often contain things like base64 encoding, which may be used to sneakily insert spam links into your site, or other malicious code that can cause all sorts of problems, as shown in this experiment, where 8 out of 10 sites reviewed offered free themes containing base64 code.
If you really need to use a free theme, you should only use those developed by trusted theme companies, or those available on the official WordPress.org theme repository.
Note: The same logic applies to plugins. Only use plugins that are listed on WordPress.org, or built by a well-established developer.
10. Keep a backup
I can’t overemphasize the importance of making regular backups of your website. This is something that many people put off until it’s too late.
Even with the best security measures at your disposal, you never know when something unexpected could happen that might leave your site open to an attack.
If that happens you want to make sure all of your content is safely backed up, so that you can easily restore your site to its former glory.
You can use a plugin such as WordPress Backup to Dropbox to schedule regular automatic backups. There is also a Backup Manager in the hosting control panel, top right, which can securely back up the entire website on a schedule of your choice. We also have nightly disaster recovery backups which can restore a site or a file to its state at any time in the last 30 days, but we caution that this is a last resort and fees typically apply for the time to extract your data.
11. Use security plugins
As well as all of the measures above, there are tons of plugins you can use to tighten your site’s security and reduce the likelihood of being hacked.
Here are a handful of popular options:
- http://wordpress.org/plugins/better-wp-security/ – offers a wide range of security features.
- http://wordpress.org/plugins/bulletproof-security/ – protects your site via .htaccess.
- http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ – adds a firewall to your site.
- http://wordpress.org/plugins/sucuri-scanner/ – scans your site for malware etc.
- http://wordpress.org/plugins/wordfence/ – full-featured security plugin.
- http://wordpress.org/plugins/websitedefender-wordpress-security/ – comprehensive security tool.
- http://wordpress.org/plugins/exploit-scanner/ – searches your database for any suspicious code.
This may all sound pretty intimidating, especially if you’re a beginner. I’d like to point out that it’s not intended to scare anyone, it’s just important to discuss the topic of security regularly, as we want to make sure you stay one step ahead of the hackers!
You don’t have to do everything on this list (although it certainly wouldn’t hurt). Even if you just remove the ‘admin’ username and start using stronger passwords, your site will be that little bit safer.