Follow Best Practices to Create Baseline Security
To protect your site from the consequences described above, what follows are tips on how to secure WordPress effectively. We will start with the absolutely must-do, bare minimum WordPress security measures everyone should take, then move on to more advanced and technical procedures. If you follow just the tips in this first part, your site will already be more secure than most websites out there.
1. Protect Your Computer, Avoid Being a Risk Factor
You might be wondering what your computer has to do with your website. Quite a lot: if your computer is infected with a virus or other malware, it can capture the passwords you type, read the credentials your FTP/SFTP client has saved, or tamper with files before you upload them, and any of those gives an attacker a way into your site. To avoid that, make sure to:
- Avoid public Wi-Fi networks when accessing your site, or use a VPN if you have to
- Install antivirus software and a firewall and keep them up to date
- Regularly run virus and malware checks on your operating system
- Update your operating system and other important software (such as your web browser)
2. Build a Safe Foundation With a Trustworthy Host
Your hosting company controls the server, the network and the software stack beneath your site, so a weakness there undermines everything you do on top of it. For that reason, the first step towards securing your WordPress website is to invest in a hosting company that implements proper security measures. This includes currently supported versions of PHP, MySQL (or MariaDB) and the web server (Apache or nginx), as well as a firewall and 24/7 security monitoring. In addition, check that they offer SFTP or SSH access rather than plain, unencrypted FTP.
In addition, choose a hosting company that performs daily backups and regular malware scans (like SiteGround for example). You can even find hosting companies that employ various DDoS prevention measures. Also, be sure to check out what your hosting company offers in terms of help to recover compromised websites. When in doubt, always ask your host what security procedures they have in place.
3. Use Strong Passwords to Close Off Points of Entry
Passwords are one of the weak points of every website. Luckily, they are also something you control. In order to keep your WordPress website secure, be sure to use a strong, unique password for each of:
- Your WordPress user account
- FTP/SFTP accounts
- The WordPress database
- Your hosting account
- Email address
- Everything else that is connected with your site
Also, use a different password for every account, so that one leaked password does not open the others, and change a password immediately if you suspect it has been exposed. If you can't come up with a strong password yourself, let a password manager or a password generator create one for you.
WordPress also proposes a secure password when you create or edit a user and shows an indicator of your password's strength. Note that this meter is only advice: it runs in the browser, and a user can tick "Confirm use of weak password" and save a weak one anyway, which is why enforcing a policy on the server (see tip 4) matters.
4. Apply Minimal User Permissions, Reduce Third-Party Risk
However, it’s not just about your own passwords, but also about those of other people on your site. To minimize the risk they pose, first make sure everyone only has permission to do what they need to do. For that, it makes sense to get familiar with WordPress user roles to understand what they do and what each role is capable of.
For example, you don't want to give a one-time guest blogger admin access. A Contributor role, which can write drafts but can neither publish them nor upload files, is likely a lot more appropriate. In fact, you may want to set your default user role to Subscriber (under Settings > General > New User Default Role) to be on the safe side.
In addition, it is good practice for WordPress security to give out temporary permissions and revoke them later. You can easily do that by changing user roles in the Users menu and then switching back when the person has done their job.
Also, delete all user accounts you no longer need or that aren’t in use anymore. In addition, there are ways to force other users on your site to also use strong passwords. Many WordPress security plugins include this functionality and there are also paid products like Password Policy Manager.
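Tips 3 and 4 both come down to making sure nobody on the site can save a weak password, which WordPress itself does not enforce on the server. The must-use plugin below is an added example written for this article; it is not code from the article, from WordPress core or from the Password Policy Manager product mentioned above. The 14-character minimum and the list of banned substrings are this example's own choices.

```php
<?php
/**
 * Plugin Name: Minimum Password Policy (example)
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 * Added example for the article above; not code from the article, from
 * WordPress core or from any plugin it mentions. Thresholds are assumptions.
 */

const EXAMPLE_MIN_PASSWORD_LENGTH = 14; // assumption: policy minimum

/**
 * Return an error message if $password is too weak for $user_login, or '' if it passes.
 * Kept apart from the WordPress hooks so the policy can be read (and tested) on its own.
 */
function example_password_problem( string $password, string $user_login, string $site_name ): string {
    if ( strlen( $password ) < EXAMPLE_MIN_PASSWORD_LENGTH ) {
        return sprintf( 'Passwords must be at least %d characters long.', EXAMPLE_MIN_PASSWORD_LENGTH );
    }
    // Reject passwords built from things an attacker already knows about the account.
    $lower = strtolower( $password );
    foreach ( array( $user_login, $site_name, 'password', 'wordpress' ) as $banned ) {
        $banned = strtolower( trim( $banned ) );
        if ( strlen( $banned ) >= 4 && strpos( $lower, $banned ) !== false ) {
            return sprintf( 'Passwords must not contain "%s".', $banned );
        }
    }
    return '';
}

// Profile edits and admin-created users (wp-admin/user-edit.php, user-new.php):
// when a password is being set, edit_user() puts it in $user->user_pass.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return; // The password was not changed in this request.
    }
    $login   = isset( $user->user_login ) ? (string) $user->user_login : '';
    $problem = example_password_problem( (string) $user->user_pass, $login, get_bloginfo( 'name' ) );
    if ( $problem !== '' ) {
        $errors->add( 'weak_password', $problem );
    }
}, 10, 3 );

// Password resets via the "Lost your password?" flow (wp-login.php):
// the new password arrives in $_POST['pass1']; on the first, GET display it is absent.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( ! isset( $_POST['pass1'] ) ) {
        return;
    }
    $login   = $user instanceof WP_User ? $user->user_login : '';
    $problem = example_password_problem( (string) wp_unslash( $_POST['pass1'] ), $login, get_bloginfo( 'name' ) );
    if ( $problem !== '' ) {
        $errors->add( 'weak_password', $problem );
    }
}, 10, 2 );
```

Because the check runs in the two server-side hooks WordPress fires when a password is saved, it applies to every role and cannot be bypassed by the browser-side "confirm weak password" checkbox. It does not retroactively weaken-check existing passwords; for those, force a reset on the accounts you are unsure about.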
5. Get Rid of the admin Username to Address a Common Loophole
WordPress used to create the default administrator account with the username admin, and many website owners never bothered to change it. As a result, admin is usually the first username attackers will try when they launch a password-guessing attack against your site. If that name is present, all they need to guess is the password.
As such, you should never use that particular username for your WordPress website. WordPress does not let you rename an existing user from the dashboard, so instead create a new administrator account with a different username, log in with it, delete the old admin user and, when asked, attribute its content to the new account.
6. Obscure Your Administrator Account: Post as a Contributor or Editor
Consider creating a contributor or an editor account to add new posts and articles to your site.
How does this help? WordPress automatically creates an author archive for every user who has published something on the site. It's usually located under something like yoursite.com/author/authorslug/.
The problem is that the slug in that URL is the user's "nicename", which WordPress derives from the login name when the account is created, so unless someone has changed it, the archive spells out one half of the login information in plain text. The same slug is exposed by the REST API at /wp-json/wp/v2/users and by requests like yoursite.com/?author=1, which WordPress redirects to the matching author archive. Again, all an attacker then needs to do is guess the password. For that reason, it's better if the authors that are visible on your site are not the ones that have administrator rights.
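The tip above works by keeping administrator accounts out of public URLs. The must-use plugin below is an added example written for this article (not code from the article or from WordPress core) that closes the other paths by which WordPress hands out those slugs: it blocks numeric ?author=N enumeration for anonymous visitors, hides the users REST endpoint from anonymous requests, and provides a helper to give an account a public slug that differs from its login name. The slug "editorial-team" and the user ID in the usage comment are placeholders.

```php
<?php
/**
 * Plugin Name: Limit Author Username Exposure (example)
 * Drop into wp-content/mu-plugins/. Added example for the article above; not
 * code from the article or from WordPress core. Slug and ID values are assumptions.
 */

// 1. Stop anonymous visitors from walking /?author=1, /?author=2, ... which
//    WordPress would otherwise redirect to /author/<slug>/, revealing each slug.
add_action( 'init', function () {
    if ( is_admin() || is_user_logged_in() ) {
        return;
    }
    if ( isset( $_GET['author'] ) && preg_match( '/^\d+$/', (string) $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 302 );
        exit;
    }
} );

// 2. Remove the user listing routes from the REST route table for anonymous
//    requests. Logged-in users keep them (the block editor needs them).
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// 3. Give an account a public slug (user_nicename) that differs from its login.
//    The slug is what appears in /author/<slug>/ and in the REST API; the login
//    name used to sign in stays as it is. Run once, for example via WP-CLI:
//      wp eval 'var_dump( example_set_author_slug( 1, "editorial-team" ) );'
function example_set_author_slug( int $user_id, string $slug ) {
    $clean = sanitize_title( $slug );
    if ( $clean === '' ) {
        return new WP_Error( 'bad_slug', 'Slug is empty after sanitising.' );
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user ID.' );
    }
    // A slug equal to the default one (the sanitised login) would hide nothing.
    if ( $clean === sanitize_title( $user->user_login ) ) {
        return new WP_Error( 'same_as_login', 'Slug must differ from the login name to hide it.' );
    }
    $clash = get_user_by( 'slug', $clean );
    if ( $clash && (int) $clash->ID !== $user_id ) {
        return new WP_Error( 'slug_taken', 'Another user already has that slug.' );
    }
    // Returns the user ID on success or a WP_Error on failure.
    return wp_update_user( array( 'ID' => $user_id, 'user_nicename' => $clean ) );
}
```

Two caveats: the display name shown in bylines is a separate field and is not affected, so choose it with the same care; and a theme or front-end script that reads /wp-json/wp/v2/users anonymously (for author boxes, say) will stop working with part 2 in place, so test the public pages after enabling it.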
7. Log Out Idle Users and Prevent Third-Party Screwups
The next tip is to log out idle users after a period of inactivity. You probably know this feature from banking websites. It prevents you or someone else from compromising your site by accidentally staying logged in on a public computer or when they walk away from the screen for a while.
This is necessary because an unattended browser that is still logged in lets whoever sits down next act as that user, and the longer a session stays valid, the longer a stolen session cookie stays useful to an attacker. It's even more important to terminate inactive sessions if you have multiple users on your website. Plus it's easy: you can use a plugin like Inactive Logout to do that automatically.
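WordPress auth cookies have a fixed lifetime (two days, or fourteen with "Remember Me") and no idle timeout of their own, so an idle logout has to be added. The must-use plugin below is an added example written for this article; it is not code from the article or from the Inactive Logout plugin it mentions. It records the time of each logged-in user's last request in user meta and ends the session once the gap exceeds a timeout, and it also shortens the absolute cookie lifetime. The 30-minute timeout and the cookie lifetimes are this example's choices.

```php
<?php
/**
 * Plugin Name: Idle Session Logout (example)
 * Drop into wp-content/mu-plugins/. Added example for the article above; not
 * code from the article, WordPress core or the Inactive Logout plugin.
 */

const EXAMPLE_IDLE_TIMEOUT  = 30 * MINUTE_IN_SECONDS; // assumption: 30 minutes of inactivity
const EXAMPLE_ACTIVITY_META = '_example_last_activity';

/** True when the gap between the last recorded request and now exceeds the timeout. */
function example_session_is_idle( int $last_activity, int $now, int $timeout = EXAMPLE_IDLE_TIMEOUT ): bool {
    return $last_activity > 0 && ( $now - $last_activity ) > $timeout;
}

/** Heartbeat pings from an open dashboard tab are not user activity; they must not keep a session alive. */
function example_is_background_request(): bool {
    return wp_doing_ajax() && isset( $_REQUEST['action'] ) && $_REQUEST['action'] === 'heartbeat';
}

add_action( 'init', function () {
    if ( ! is_user_logged_in() || wp_doing_cron() ) {
        return;
    }
    $user_id = get_current_user_id();
    $now     = time();
    $last    = (int) get_user_meta( $user_id, EXAMPLE_ACTIVITY_META, true );

    if ( example_session_is_idle( $last, $now ) ) {
        delete_user_meta( $user_id, EXAMPLE_ACTIVITY_META );
        wp_logout(); // destroys the session token server-side and clears the auth cookies
        if ( wp_doing_ajax() || ( defined( 'REST_REQUEST' ) && REST_REQUEST ) ) {
            wp_die( 'Session expired, please log in again.', 'Session expired', array( 'response' => 401 ) );
        }
        wp_safe_redirect( wp_login_url() );
        exit;
    }

    // Record activity only for real user requests, and at most once a minute,
    // so that a busy user does not cause a database write on every page view.
    if ( ! example_is_background_request() && ( $now - $last ) > MINUTE_IN_SECONDS ) {
        update_user_meta( $user_id, EXAMPLE_ACTIVITY_META, $now );
    }
} );

// Independently of idle time, shorten the absolute cookie lifetime so a stolen
// cookie stops working sooner. These values are this example's choice.
add_filter( 'auth_cookie_expiration', function ( $seconds, $user_id, $remember ) {
    return $remember ? 3 * DAY_IN_SECONDS : 12 * HOUR_IN_SECONDS;
}, 10, 3 );
```

Two design points worth knowing before relying on this: the timestamp is per user, not per session, so two browsers logged in as the same account share it, and only the session that makes the request after the timeout is destroyed (other sessions of that user end when they next make a request). Activity is also measured by server requests, so someone reading a long page without clicking counts as idle; the Inactive Logout plugin handles that with browser-side activity tracking, which is why a plugin is the simpler route for most sites.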
8. Minimize Security Risks by Keeping WordPress and Its Components Up to Date
Outdated software is a security risk because publicly known vulnerabilities in old versions are exploited at scale by automated scanners. This goes both for WordPress itself as well as components like themes and plugins. They receive updates for a good reason, often including security bug fixes. In fact, vulnerable plugins are the number one source of site hacks according to Wordfence.
You can manually update your website via Dashboard > Updates. WordPress installs minor core releases, which carry the security fixes, automatically by default; leave that switched on. Always remember to back up your site before updating. Better yet, apply the updates on a staging or development site first, check that everything is alright, then apply them to the live site.
9. Only Use Themes and Plugins From Trustworthy Sources to Avoid Compromising Your Site
As already established, unreliable themes and plugins are one of the main ways WordPress websites get compromised. In order to reduce the risk of that happening, step one is to use only extensions from reputable sources.
That means staying away from nulled, torrented, “free” versions of plugins and themes. Besides cheating developers out of the fruits of their labor, you never know what kind of code might be hidden inside. By uploading them to your site, it’s possible that you are opening backdoors for hackers all by yourself. So, stick with reliable sources such as the theme and plugin directory on WordPress.org or trustworthy premium vendors.
When you consider downloading a theme or plugin, to be on the safe side, check:
- Its number of active installations
- Reviews and rating
- Is it actively supported with regular updates?
- Compatibility with your WordPress version
10. Use a Backup Service or Plugin for Much-Needed Insurance
If you're not backing up your website yet, you need to start right away. A backup system will let you restore your site if the worst happens and your site ends up being hacked or otherwise damaged. There are plenty of plugins and services for that purpose; whichever you pick, keep the following in mind:
- Back up both your site files and database — WordPress websites consist of two parts. Make sure to save both of them or you’ll regret it.
- Create a regular schedule — Set your backups to happen automatically at regular intervals. How often depends on your site and how frequently you change things or publish content. For a simple brochure website, once a week is enough. For an active blog, once a day or even more often can make more sense.
- Store the backup files offsite — Make sure your backup files go to Dropbox, Google Drive, or a similar service, not your own server. Otherwise, you risk having your backups infected as well or losing them together with your files if the server breaks. Bear in mind that a backup contains your entire database (user accounts and password hashes) and wp-config.php (database credentials and secret keys), so protect the offsite copy with its own strong credentials and encryption where the service offers it. Finally, test a restore from time to time; a backup you have never restored is not yet a backup.
11. Use Safe Server Connections, Keep Your Traffic Protected
Finally, as part of WordPress security basics, be sure to connect to your server safely. One of the most common ways to manage a server is to use FTP, and we will mention it a few times in this guide.
However, FTP sends your username, password and every file in the clear, so anyone on the network path (the public Wi-Fi from tip 1, for instance) can read or alter them. Use SFTP instead. Despite the name, it is not a variant of FTP but the file-transfer service of SSH: the whole session is encrypted and the server proves its identity with its host key. (FTPS, which is FTP wrapped in TLS, is a different protocol; either is acceptable, plain FTP is not.) A good client like FileZilla supports SFTP. When you connect to a host for the first time, compare the host key fingerprint the client shows you with the one your hosting provider publishes before accepting it; otherwise an encrypted connection to an impostor protects nothing.
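One place where plain FTP can sneak back in is WordPress itself: when PHP cannot write to the web root, the dashboard updater asks for FTP credentials and, unless told otherwise, uses unencrypted FTP to install updates. The wp-config.php fragment below is an added example written for this article (not from the article or from WordPress documentation) showing the weak setting beside two safer ones; the host name, user name and key paths are placeholders.

```php
<?php
// wp-config.php fragment. Added example for the article above; host, user and
// key paths are placeholders, not real values.
//
// WordPress installs updates through its WP_Filesystem layer. FS_METHOD picks
// the transport; the FTP_* constants supply credentials when one is needed.

// Weak: plain FTP, with the password stored in the config and sent in clear text.
// define( 'FS_METHOD', 'ftpext' );
// define( 'FTP_HOST',  'ftp.example.com' );
// define( 'FTP_USER',  'deploy' );
// define( 'FTP_PASS',  'plaintext-password' );

// Safer option 1: write files directly, so no credentials travel over the
// network at all. Requires the web-server user to own the WordPress files,
// which also means a compromised PHP process could modify your code.
define( 'FS_METHOD', 'direct' );

// Safer option 2: SSH, when the files are owned by a separate deploy account and
// the web server should not be able to write them. Needs the PHP ssh2 extension
// on the server and a key pair that no other account on the host can read.
// define( 'FS_METHOD',  'ssh2' );
// define( 'FTP_HOST',   'example.com:22' );
// define( 'FTP_USER',   'deploy' );
// define( 'FTP_PUBKEY', '/home/deploy/.ssh/id_ed25519.pub' );
// define( 'FTP_PRIKEY', '/home/deploy/.ssh/id_ed25519' );
```

Whichever option you use, the quick check is to trigger an update from Dashboard > Updates on a staging copy: if WordPress shows a "Connection Information" form asking for an FTP password, it is still falling back to FTP and the configuration above has not taken effect.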