Basic Tips for Better WordPress Security
It doesn’t matter what type of website you own; you should always be vigilant about security.
It will be pretty damn frustrating and annoying to find that a hacker injected malware into your website’s files. It can also be very costly to clean it up.
If you feel overwhelmed or intimidated about implementing better security, remember that you’re not alone.
Everyone is susceptible to attacks. And don’t worry, it is actually easier than you think to harden the security of your website.
In this post, I’ll specifically give advice for beefing up security for WordPress sites. WordPress is the most popular blogging system in use on the web so it is also one of the most popular targets among hackers. Fortunately, there are some pretty simple and basic things you can do to improve or harden the security of your WordPress website. Below is a list of things I highly recommend you do.
1. Create strong passwords
This is the easiest, but probably most overlooked aspect of security. You should take this seriously.
A strong password should have at least 10 characters that include numbers, capital and lowercase letters, and symbols. A while back, I wrote a blog post with tips on how to create strong passwords.
If given enough time and computing cycles, hackers can work through different combinations of characters to retrieve your password. With this in mind, it is good to create a password that would be difficult for a computer to determine, but it still isn’t enough to protect your site…
2. Keep everything up to date
WordPress makes it super easy to update the software — it literally takes 2 clicks. When an update is available, you’ll notice the yellow bar at the top of your admin page. Don’t overlook this. These releases include bug fixes, new features, and patches to security holes. Remember, online security is constantly changing. That means you also have to keep up with the changes and stay up to date.
In addition to the WordPress software, you should also keep your plugins up to date. Only get plugins (and themes) from reliable sources! Even plugins from reliable sources can be susceptible to attacks. A good sign is a plugin whose developer updates it regularly. Before you download and install a plugin, take a look at its star rating and the date it was last updated. This can say a lot about a plugin.
3. Keep it clean
One way to stay “clean” is to delete everything you don’t use. Don’t just deactivate unused plugins, delete them. This also goes for themes. Deleting unnecessary user accounts is also wise. Your user account password may be awesome, but another user’s password may be weak — this will still open the doors for hackers.
Keeping it clean doesn’t just mean deleting stuff you don’t use. As I mentioned above, it would be wise to only use plugins and themes from reliable sources. For example, every theme from StudioPress can be trusted. These guys are well known in the WordPress community and their support is hands down the best. If you choose to use ThemeForest, you can find many gems! But beware, there are also some unreliable themes there as well. Do your research before you choose a theme or plugin.
4. Use reliable hosting
Start smart from the ground up! Choosing a reliable web hosting company is probably one of the most important things you can do for your website. Getting your own VPS host is probably the best option, but for most people, it may be too expensive.
If you must use shared hosting, find a company that will scan for malware and clean it up if they find it. 24/7 support is also a plus in case you find a problem anytime of the day. If your business relies on your website to make you money, you know how important it is to always have your site up and running.
A reliable hosting company keeps their servers up to date, provides exceptional service, and evolves with the ever-changing landscape of technology and the threats that come with it. I personally use InMotion Hosting — they have taken good care of me and my sites for years. If you have a bigger budget and are looking for a dedicated WordPress host, I recommend WPEngine and Synthesis — both are very well trusted and well known in the WordPress community.
5. Install Akismet
This one is easy. All WordPress installs are already packed with Akismet, you just have to get an API key. Akismet is a very effective plugin that protects you from web spam. Because WordPress is so widely used and popular, it also means that there are a lot of auto-bot spammers that like to leave weird comments on your blog. Akismet will stop most of those from coming in.
6. Install CloudFlare
CloudFlare is a CDN (Content Delivery Network) and they will automatically cache your static files on their servers located around the world. This means faster load times! CloudFlare also has built-in security that will protect you from a range of threats: cross site scripting, SQL injection, comment spam, excessive bot crawling, email harvesters, and more. The basic service will satisfy most people’s needs and it is FREE!
It is pretty easy to set up if you have basic tech skills, but if you aren’t confident in setting it up yourself, we would be happy to help!
7. Install iThemes Security plugin (formerly Better WP Security)
iThemes Security is a VERY robust plugin that will cover many of the security recommendations you should implement. It is WordPress’ #1 security plugin averaging at 4.8 stars out of 5 (from 2000+ votes)! This plugin can do a lot to protect your website, but keep in mind it does make some significant changes to your files. Without a proper backup, it can cause problems if something happens to go wrong. Get your developer to help if you don’t feel confident in setting this up on your own.
Here are some of the awesome features of this plugin:
- Obscures common vulnerabilities to keep hackers away from areas like login, admin, etc.
- Protects your site by scanning it and showing you vulnerabilities. It also bans troublesome bots and user agents, detects and blocks numerous attacks on your filesystem and database, and much more.
- Recover your site if something should happen — the plugin will create database backups on a customizable schedule.
Many of these features are covered separately below.
8. Configure your .htaccess file
.htaccess is short for Hypertext Access. It is a per-directory configuration file for the Apache web server that controls how the server handles the directory it sits in (and everything below it). This simple looking file is very powerful and through it you can control major aspects of your site. It is highly recommended that you use your .htaccess file to do the following:
1. Protect wp-config.php file
2. Prevent directory browsing
3. Disable hotlinking
4. Lock down WordPress admin access
5. Protect the htaccess file itself
Configuring your .htaccess file can really make a difference in providing better security for your site and preventing attacks.
Warning: Be very careful when making changes to your .htaccess file. If you aren’t extremely comfortable with code, it’s best to let your developer configure it for you. Even though configuring your .htaccess file can be pretty complex (some hosts don’t even let you edit it), there are great plugins that can help you achieve what you need. There are 2 wonderful plugins that I recommend that can help you configure your .htaccess for better security, just choose one: iThemes Security or WP htaccess Control.
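As an added example (not from the original post or from either plugin), here is what those five items look like as Apache 2.4 directives in a single .htaccess file at the root of the WordPress install; example.com and 203.0.113.10 are placeholders for your own domain and admin IP address, and mod_rewrite is assumed to be enabled.

```apache
# Added example: the five .htaccess items from the list above.
# Apache 2.4 syntax (Require). Placeholders: example.com, 203.0.113.10.

# 1. Protect wp-config.php: refuse every direct web request for it
<Files wp-config.php>
    Require all denied
</Files>

# 2. Prevent directory browsing (no auto-generated file listings)
Options -Indexes

# 3. Disable hotlinking: block image requests whose referrer is another
#    site. An empty referrer is allowed so direct visits and some
#    browsers/proxies still work.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(jpe?g|png|gif)$ - [F,NC]

# 4. Lock down WordPress admin access to one known IP address.
#    admin-ajax.php is excluded because themes and plugins call it
#    from the public front end; blocking it breaks those features.
RewriteCond %{REQUEST_URI} ^/wp-admin/ [NC]
RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php [NC]
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule .* - [F]
<Files wp-login.php>
    Require ip 203.0.113.10
</Files>

# 5. Protect the .htaccess file itself (many default httpd.conf files
#    already deny .ht* files; repeating it here is harmless)
<Files .htaccess>
    Require all denied
</Files>
```

The host must allow these overrides (AllowOverride including FileInfo, Limit and Options); if a change returns a 500 error, remove it and check the host's error log rather than leaving the site down.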
9. Limit login attempts
Recently, there has been a ridiculous scale of brute force attacks coming from a large amount of IP addresses spread across the world. There are botnets that attempt to break into WordPress websites by continually trying to guess the username and password to get into the WordPress admin.
Everything mentioned in this blog post will help prevent a brute force attack from succeeding on your site. Another very simple measure you can take is to limit login attempts for your site. Fortunately, this is actually very easy to do! You can enable login attempt limiting by installing iThemes Security, as I mentioned in #7 above. If you don’t use iThemes Security, I highly recommend Limit Login Attempts.
10. Create regular backups
It would be a tragedy to have something happen to your website and you didn’t have a backup to restore it. I’ve heard of it happening before and it’s not pretty. If you are with a good hosting company, they should already provide you with automatic backups for your site. But it doesn’t hurt to take a step further by creating your own back up, especially when it doesn’t require any labor or thinking. I highly recommend Backup Buddy by iThemes. Backup Buddy provides the easiest and most efficient way to backup your website. I personally use it for every single one of my websites… it allows me to sleep easy. In case you need more reasons to back up your website, check out this page: Why You Should Backup Your Website.
Everything I listed above will take your security to another level. Prevention is the cure. It is important that you also stay vigilant after implementing security measures. Everything is always evolving.
I use Sucuri regularly to scan and check sites for potential issues. I also recommend using Google’s safe browsing for your domain — they will give you a quick diagnostic on your site. Copy and paste this link and replace what is in red with your domain name:
I hope these tips helped you! Let me know your experience and if you have any issues and suggestions. I am here to help if you have any questions. Good luck and stay strong!