WordPress is the most popular content management system in the world (over 76.5 million sites are powered by WordPress, as of this posting), which makes it an attractive target for hackers, spammers and other unsavory types. So, just how secure is WordPress? As far as content management systems go, it’s actually relatively secure right out of the box, but with a few proper steps you can make it considerably harder to break into and go a long way toward keeping your website from falling victim to malicious activity.
While there are a variety of more complex protection measures available, we’ve put together some basic (but very effective) tips and tricks you can employ to help keep your website secure.
Don’t use “admin” or “administrator” as your username
Admin is the default username that comes with a standard WordPress install (the installer lets you pick any name, but plenty of people accept the default). As such, it tends to be targeted right out of the gate by hackers who are trying to gain access to your website: if they can assume the username, they only have to guess the password. If you use “admin” with a strong password, you might be OK, but it’s better not to tempt fate. Come up with something else and keep the bad guys guessing at both your username AND password. Bear in mind that a username is not a true secret (author archive pages and the REST API can reveal it), so a strong password and a login lockout still do the heavy lifting. Once you have another administrator-level user set up, log in as that user and delete the original admin account; WordPress will ask whether to attribute the old account’s posts and pages to another user, which you should do rather than deleting the content along with the account.
That leads to the next point:
Delete any unused administrator level accounts
If someone who formerly managed your website or blog stepped away from that role (maybe they changed jobs, for example), you should delete their account. Aside from limiting the number of people who have legit administrative access (i.e. people you can trust), you’re also shutting down another potential opportunity for sketchy activity. Every administrator-level account is a target, so the fewer you have to keep an eye on, the better. The same logic applies to the accounts you keep: someone who only writes posts should be an Author or Editor, not an Administrator, so that a stolen password for that account can’t be used to install plug-ins or edit theme files.
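The two points above are easy to forget on a site with several administrators, so here is a small must-use plugin that automates the check. It is an added example written for this post, not code from WordPress or any plugin mentioned here; the `wpsec_` prefix, the `WPSEC_STALE_DAYS` threshold and the `wpsec_last_login` meta key are names made up for the example. Drop it into `wp-content/mu-plugins/`; it records each successful login and once a day emails the site admin a list of administrator accounts that still use a default username or have not logged in for the configured number of days.

```php
<?php
/**
 * Plugin Name: Admin Account Audit (added example, not from the original post)
 *
 * Records each user's last login in user meta and, once a day, emails the
 * site admin a list of administrator accounts that use a default username
 * or have not logged in for WPSEC_STALE_DAYS days. All wpsec_ names are
 * made up for this example.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

const WPSEC_STALE_DAYS = 90;   // assumed threshold; tune it to your team

// Record the time of every successful login.
add_action( 'wp_login', function ( $user_login, $user ) {
    update_user_meta( $user->ID, 'wpsec_last_login', time() );
}, 10, 2 );

/**
 * Return the findings as an array of strings, one per problem account.
 */
function wpsec_audit_admins() {
    $findings = [];
    $cutoff   = time() - WPSEC_STALE_DAYS * DAY_IN_SECONDS;

    foreach ( get_users( [ 'role' => 'administrator' ] ) as $user ) {
        $login = $user->user_login;

        if ( in_array( strtolower( $login ), [ 'admin', 'administrator' ], true ) ) {
            $findings[] = sprintf( 'Default username in use: "%s" (ID %d)', $login, $user->ID );
        }

        $last = (int) get_user_meta( $user->ID, 'wpsec_last_login', true );
        if ( $last === 0 ) {
            // No login recorded since this plugin was installed: fall back
            // to the registration date as the last known activity.
            $last = strtotime( $user->user_registered );
        }
        if ( $last < $cutoff ) {
            $findings[] = sprintf(
                'Administrator "%s" (ID %d) last seen %s; delete it or demote it to a lesser role',
                $login, $user->ID, date( 'Y-m-d', $last )
            );
        }
    }
    return $findings;
}

// Schedule the daily report with WP-Cron.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'wpsec_admin_audit' ) ) {
        wp_schedule_event( time(), 'daily', 'wpsec_admin_audit' );
    }
} );

add_action( 'wpsec_admin_audit', function () {
    $findings = wpsec_audit_admins();
    if ( $findings ) {
        wp_mail(
            get_option( 'admin_email' ),
            '[' . get_bloginfo( 'name' ) . '] administrator account audit',
            implode( "\n", $findings )
        );
    }
} );
```

Because the last-login meta only starts accumulating once the plugin is installed, the first report after installation will flag every administrator whose registration date is older than the threshold; that is a feature on the first run, since it is exactly the list of accounts you should review.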
Install a security plug-in (or maybe a few)
Our go-to is WordFence, a full security suite with IP blocking, file and database scanning, scheduled scans, email alerts, and a whole lot more. By default, WordFence is pretty well configured, so I won’t go into the nitty-gritty details of managing all of its custom settings, but here are a couple of quick tips.
- When you first install WordFence, be sure to visit the options page and provide an email address for alerts. It will send you an email any time it detects something fishy, or if your WordPress install or your plug-ins are out of date. If you manage a lot of sites, this is especially handy.
- There’s an option box on the settings page that says “Participate in the RealTime WordPress Security Network.” This is checked by default (and you should leave it checked), but since the description is not so descriptive, here’s what it does: WordFence continuously monitors the websites running its plug-in to collect the IP addresses of machines taking part in brute force login attempts. When several sites running WordFence see attacks coming from the same address, that address is automatically blocked on every site running the plug-in, even sites it hadn’t yet targeted. This spares your site from weathering many attacks on its own. The more users who participate in this program, the more effective it is, though note that a shared blocklist only catches attackers who reuse addresses; a botnet that spreads its guesses across thousands of machines will still get through, which is why the other tips on this list matter too.
In addition to WordFence, we also use a few other security plug-ins, including another favorite, Sucuri Security, which will scan your website for malware. Sometimes, if it seems like something’s gone awry and WordFence is missing it (not often), Sucuri can step up and get the job done.
Install a log-in monitoring plug-in
While this won’t do anything to actively combat a brute force attempt, it will help keep you aware of what might be going on. We use a plug-in called ThreeWP Activity Monitor, which lets you see the last couple thousand log-in attempts on your site, showing which users logged in successfully and which tried to log in but were unable to. If you see, for example, your own account with fifty log-in attempts over the course of a day, but you only logged in once, you’ll know to be on guard. Sometimes this sort of thing can slip past WordFence, often because the attempts originate from an IP address that hasn’t yet been flagged, or from a rotating set of addresses, or simply because the attempt frequency hasn’t hit the lockout threshold yet.
A quick note: by default, the ThreeWP Activity Monitor plug-in also records the password that was tried for each unsuccessful log-in attempt. If a legitimate user (for example, you) just mistypes a password, that near-miss is stored too, and anyone who can read the log (another administrator, or whoever gets hold of a database backup) could guess the real password from it. You can turn off the wrong-password display in the settings, and you should.
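To make concrete what “lockout threshold” means in the WordFence section above, and what a log of failed attempts should and should not contain, here is a minimal must-use plugin that does both. It is an added example written for this post, not code from WordFence, ThreeWP Activity Monitor or WordPress itself; the `wpsec_` names, the thresholds and the optional `WPSEC_BEHIND_TRUSTED_PROXY` constant are made up for the example. It writes each failed login (username and source address, never the password) to the PHP error log and refuses logins from an address that has failed too many times within the window.

```php
<?php
/**
 * Plugin Name: Login Attempt Log and Lockout (added example, not from the original post)
 *
 * Logs every failed login (username and IP, never the password) to the PHP
 * error log and denies further logins from an IP after WPSEC_MAX_FAILURES
 * failures within WPSEC_WINDOW seconds. All wpsec_ names and thresholds
 * are made up for this example.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

const WPSEC_MAX_FAILURES = 5;                      // failures allowed per window
const WPSEC_WINDOW       = 15 * MINUTE_IN_SECONDS; // window and lockout length

/**
 * Client address. REMOTE_ADDR is what the web server actually saw. Only
 * trust X-Forwarded-For when you are behind a proxy you control, because
 * any client can send that header and use it to dodge the lockout.
 */
function wpsec_client_ip() {
    if ( defined( 'WPSEC_BEHIND_TRUSTED_PROXY' ) && WPSEC_BEHIND_TRUSTED_PROXY
         && ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        $first = trim( explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] )[0] );
        if ( filter_var( $first, FILTER_VALIDATE_IP ) ) {
            return $first;
        }
    }
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function wpsec_fail_key( $ip ) {
    return 'wpsec_fail_' . md5( $ip );
}

// Count and log failures. The $error argument has existed since WordPress 5.4.
add_action( 'wp_login_failed', function ( $username, $error = null ) {
    // Do not count the denial our own lockout produced.
    if ( $error instanceof WP_Error && $error->get_error_code() === 'wpsec_locked_out' ) {
        return;
    }
    $ip    = wpsec_client_ip();
    $key   = wpsec_fail_key( $ip );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, WPSEC_WINDOW );

    // The username is attacker-controlled: sanitize it before it hits the log.
    // The password is deliberately never touched here.
    error_log( sprintf(
        'wpsec: failed login user=%s ip=%s failures=%d',
        sanitize_user( $username, true ), $ip, $count
    ) );
}, 10, 2 );

// Deny logins from a locked-out address. Priority 40 runs after WordPress's
// own username/password (20) and cookie (30) checks; an early WP_Error would
// be overridden by the password check once it sees valid credentials.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $count = (int) get_transient( wpsec_fail_key( wpsec_client_ip() ) );
    if ( $count >= WPSEC_MAX_FAILURES ) {
        return new WP_Error(
            'wpsec_locked_out',
            __( 'Too many failed logins from your address. Try again later.' )
        );
    }
    return $user;
}, 40, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( wpsec_fail_key( wpsec_client_ip() ) );
} );
```

Because the check hangs off WordPress’s `authenticate` filter rather than the login form, it also covers logins made through `xmlrpc.php`, which brute force tools like to use. The log lines are what you should expect to see from a monitoring plug-in: who, from where, how many times, and nothing a reader could turn into the real password.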
Keep your site and plug-ins up-to-date
If a security flaw is found in WordPress, or in a plug-in, how do you think it will be fixed? Magic? Yes! Wait, no. Actually, the code author will release an update. However, if you don’t follow through and install the update on your end, your site will remain vulnerable. In case you hadn’t guessed, this is bad. (Unless you’d prefer your home page to be swapped out for some Russian gibberish and a picture of a flaming skull. It sounds cooler than it is.) While you’re at it, delete plug-ins and themes you no longer use rather than just deactivating them: their files stay on the server, where they can still be reached and still need patching.
When you do update a plug-in, particularly one critical to your site’s operation (WooCommerce, for example), make a habit of reading the changelog for the new version. A quick Google search for the version number is also worthwhile, in case a crowd of users is already complaining that something broke. It’s even more important to do this when you upgrade WordPress itself, and if you have a staging copy of the site, update there first. Just to be safe.
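One way to get the best of both worlds, automatic patching for the long tail of small plug-ins and a human in the loop for the critical ones, is to set an update policy in code. This is an added example written for this post, not code from WordPress or any plugin mentioned here; the `WPSEC_MANUAL_PLUGINS` list and the `wpsec_` prefix are made up for the example, and `woocommerce` is used only because the post names it. Drop it into `wp-content/mu-plugins/`.

```php
<?php
/**
 * Plugin Name: Update Policy (added example, not from the original post)
 *
 * Lets WordPress apply minor core releases and plugin/theme updates on its
 * own, except for the plugins listed in WPSEC_MANUAL_PLUGINS, which you
 * update by hand after reading the changelog and testing on staging.
 * The list and the wpsec_ prefix are made up for this example.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Plugins critical enough that you want to read the changelog first.
const WPSEC_MANUAL_PLUGINS = [ 'woocommerce' ];

// Minor core releases are mostly security and bug fixes: apply them. Major
// releases change behaviour more often, so leave those to a person.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

/**
 * Decide whether a plugin update may be applied automatically.
 * $item is the update object WordPress passes to the filter; $item->plugin
 * is the plugin's main file relative to wp-content/plugins, so its
 * directory name is the slug we compare against.
 */
function wpsec_allow_plugin_auto_update( $update, $item ) {
    $slug = isset( $item->slug ) ? $item->slug : '';
    if ( $slug === '' && isset( $item->plugin ) ) {
        $slug = dirname( $item->plugin );
    }
    if ( in_array( $slug, WPSEC_MANUAL_PLUGINS, true ) ) {
        return false;   // wait for a human to read the changelog
    }
    return true;
}
add_filter( 'auto_update_plugin', 'wpsec_allow_plugin_auto_update', 10, 2 );
add_filter( 'auto_update_theme', '__return_true' );
```

With this in place the plug-ins you hold back still show up in the dashboard’s update list and in WordFence’s out-of-date alerts, so they are not forgotten; they are simply not applied behind your back.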
Keep regular backups of your site
This is arguably the most important tip on this list. Sometimes, despite every effort at prevention, something bad will happen to your website. Depending on the severity of the incident, it may not make sense to attempt to repair the damage; it may be better to revert the entire site to a known-good earlier state. If you are going to try to repair a corrupted or compromised file, it is still useful to be able to look at previous versions to see exactly what changed. Two things make a backup worth having: it is stored somewhere other than the web server (a backup sitting on a compromised server is at the attacker’s mercy along with everything else), and you have actually tried restoring from it at least once. Hopefully you’ll never need it, so consider it peace of mind. Personally, I don’t think I’d be able to sleep if I didn’t have the comfort of knowing I have a hard drive full of website backups safely stashed away (I keep it under my pillow, along with a knife, so don’t get any ideas).
We primarily use a plug-in called BackupBuddy for all of our backup needs. It allows easy backups of both your database and your site files, as well as backup scheduling, in addition to a variety of restoration and migration tools. It has a few quirks, but in my opinion they’re worth the payoff. If you’re looking for a free backup solution, I have also had good experiences with XCloner and WordPress to Dropbox Backup. Make your backups regularly and often, and keep a copy off-site.
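The “what changed?” question from the backup section, which is also what WordFence’s file scanning answers, can be settled without a full restore if you keep a hash manifest of the site tree alongside the backups. The script below is an added example written for this post, not code from any backup or security plugin; the file name `wpsec-manifest.php` and the directory skip list are made up for the example. Run `snapshot` right after a clean install or update and store the manifest off the server with your backups; after an incident, run `compare` to list files that were added, removed or modified.

```php
<?php
/**
 * wpsec-manifest.php (added example, not part of the original post or any plugin)
 *
 * Usage:
 *   php wpsec-manifest.php snapshot /var/www/site manifest.json
 *   php wpsec-manifest.php compare  /var/www/site manifest.json
 *
 * "snapshot" hashes every file under the site root and writes a manifest.
 * "compare" re-hashes the tree and lists files added, removed or modified
 * since the snapshot. Keep the manifest off the server: an attacker who can
 * edit the site can edit a manifest stored next to it.
 */

// Directories whose contents change legitimately all the time. Uploads are
// deliberately NOT skipped: a new .php file there is a classic web shell.
const WPSEC_SKIP_DIRS = [ 'wp-content/cache' ];

/** Map of relative path => sha256 for every regular file under $root. */
function wpsec_manifest_build( $root ) {
    $real = realpath( $root );
    if ( $real === false || ! is_dir( $real ) ) {
        throw new RuntimeException( "no such directory: $root" );
    }
    $real  = rtrim( $real, DIRECTORY_SEPARATOR );
    $files = [];
    $iter  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $real, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $rel = substr( $file->getPathname(), strlen( $real ) + 1 );
        $rel = str_replace( DIRECTORY_SEPARATOR, '/', $rel );
        foreach ( WPSEC_SKIP_DIRS as $skip ) {
            if ( strpos( $rel, $skip . '/' ) === 0 ) {
                continue 2;
            }
        }
        $files[ $rel ] = hash_file( 'sha256', $file->getPathname() );
    }
    ksort( $files );
    return $files;
}

/** Diff two manifests into added / removed / modified path lists. */
function wpsec_manifest_compare( array $old, array $new ) {
    $diff = [ 'added' => [], 'removed' => [], 'modified' => [] ];
    foreach ( $new as $path => $hash ) {
        if ( ! isset( $old[ $path ] ) ) {
            $diff['added'][] = $path;
        } elseif ( $old[ $path ] !== $hash ) {
            $diff['modified'][] = $path;
        }
    }
    foreach ( array_keys( $old ) as $path ) {
        if ( ! isset( $new[ $path ] ) ) {
            $diff['removed'][] = $path;
        }
    }
    return $diff;
}

if ( PHP_SAPI === 'cli' && isset( $argv[0] ) && realpath( $argv[0] ) === __FILE__ ) {
    [ $cmd, $root, $manifest ] = array_pad( array_slice( $argv, 1 ), 3, null );
    if ( $cmd === 'snapshot' && $root && $manifest ) {
        $ok = file_put_contents( $manifest, json_encode( wpsec_manifest_build( $root ), JSON_PRETTY_PRINT ) );
        echo $ok === false ? "failed to write $manifest\n" : "wrote $manifest\n";
        exit( $ok === false ? 1 : 0 );
    } elseif ( $cmd === 'compare' && $root && $manifest ) {
        $old  = json_decode( (string) file_get_contents( $manifest ), true ) ?: [];
        $diff = wpsec_manifest_compare( $old, wpsec_manifest_build( $root ) );
        foreach ( $diff as $kind => $paths ) {
            foreach ( $paths as $p ) {
                $flag = ( $kind === 'added' && substr( $p, -4 ) === '.php' ) ? '   <-- new PHP file' : '';
                printf( "%-9s %s%s\n", $kind, $p, $flag );
            }
        }
        exit( array_sum( array_map( 'count', $diff ) ) ? 1 : 0 );
    }
    fwrite( STDERR, "usage: php wpsec-manifest.php snapshot|compare <site-root> <manifest.json>\n" );
    exit( 2 );
}
```

Run `compare` from a cron job and mail yourself the output, and you have a poor man’s file integrity monitor; a non-zero exit status means something changed. Expect legitimate noise after every update, which is exactly when you should take a fresh snapshot.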
Armed with the knowledge and tools above, you should be able to achieve a decent level of security for your WordPress site. However, if you’re not confident in your ability to monitor, install, or configure everything we mentioned, it’s probably a good idea to call in the professionals. Considering what you have to lose, it’s worth it.
Contact us if you’d like us to evaluate your website’s security situation.