According to the latest statistics, a cyber attack takes place every 39 seconds. WordPress is a widely used and actively maintained content management system. However, as with any software exposed to the internet, a robust approach to your WordPress security is still essential.
With so many WordPress installations and plugins out there, some can be poorly protected and it can be difficult to determine which ones are safe to use and which ones aren’t. Many security problems, WordPress or otherwise, are not caused by the base software, but by poor installation, configuration errors and/or a lack of maintenance.
Those affected by WordPress security issues, malware and vulnerability exploits are often surprised to learn that their websites were left open to attack by simple, rectifiable things: an outdated or abandoned plugin, a weak password, default settings never changed. Problems like these can be avoided with a few small steps and measures.
The expert team at KIJO have put together 8 WordPress security tips to help you keep secure on site.
Good WordPress security starts at the installation stage. Older versions of the WordPress installer created the administrator account with the username 'admin', and many one-click hosting installers still do. All database tables are prefixed with 'wp_' by default.
Attackers know this, so 'admin' is the first username any password-guessing bot tries. Choosing a different administrator username during installation, and setting a custom table prefix, removes that head start. Be clear about what these two steps do and do not buy you, though: usernames are easy to recover from a default site (author archive URLs and the REST API both reveal them), and a custom prefix only matters once an attacker can already run SQL against your database, at which point they can usually read it. Treat both as removing easy wins rather than as protection in themselves; the strong password and the login controls covered later do the real work.
Make sure that the admin password is as strong as possible. Never be tempted to use an easy to remember password; easy to remember usually means easy to guess. A long, random password kept in a password manager is the practical option.
A strong password should:
Before you run the installer, a few changes are needed in the wp-config.php file. These are highlighted in the WordPress installation guide, but it is easy to overlook the security aspects of them.
Firstly, make sure that the database password you create is as strong as possible. You should follow the same principles as mentioned above for the admin user.
Also in wp-config.php is a set of authentication keys and salts, which look similar to this:
define('AUTH_KEY', '3`l-4w`1w.lw}e3,nmK fY,1X4y8|(hm4TA@4ew9cA:cdd}*UXop4_;=ylu9#&H,');
define('SECURE_AUTH_KEY', 'rJ&e%mdlwS)*:^Xd![W-2HdC]L+wG^K-m9;>AUU//wEAO$tCai7w]4P(fY ,-ye)');
define('LOGGED_IN_KEY', 'hRnQ$y2tnD$&-}!im}{%,|&B1;R@sP2ZA;%-iXuIAdNd2ND,6y{7OX2WmpUqWgT}');
define('NONCE_KEY', '&GH1rfn+6{ `TgOJ=5[<n_Hb$g?$CxTf_QZsy(~n-r-@QYrQ@5YA~)6l#@ -OAx|');
define('AUTH_SALT', 'daM)lQ5<aqFgp<2!0hRaJDU*sG#<3N[2F4Nf.>Ed5lCMV7(GBKjhiGHQo-3upzwg');
define('SECURE_AUTH_SALT', '4;-4<:jC<!+>h|Z.BS2#cjLJShG#RgCe}K<w+.H<!)HD^yev=|/CBaSBs,`X|>%z');
define('LOGGED_IN_SALT', 'I-{kHk::ZxdZ$j5#FT4EjY]|>wGRP*o]Ly1&;->+P>1JSt:zKVS^zHol2IQ?JNnz');
define('NONCE_SALT', 'yUwKs|A?sJ($w0x^AT|Lmx>))i8uKHM6<zV>b{[@l7[kFJi6<VrK[5xq<+*U@aA&');
These keys and salts are not used to encrypt stored data; WordPress stores passwords as salted hashes independently of them. They are the secret inputs to the hashes WordPress uses to sign its login cookies and nonces. Anyone who knows them can forge a valid login cookie for any user, including the administrator, without ever learning a password.
Despite the clear instructions in the installation guide, many site owners never visit the WordPress secret-key service (https://api.wordpress.org/secret-key/1.1/salt/) to generate unique values. They leave the 'put your unique phrase here' placeholders from wp-config-sample.php in place, or copy the keys from a tutorial. Either way the keys are public and the protection is gone. Two further points: every one of the eight values should be different, and changing them later is a cheap way to invalidate every existing session, which is exactly what you want after a suspected compromise or a staff departure.
Having added all of the other required information into wp-config.php and uploaded it, it's good practice to move it up one level, out of your public HTML directory. WordPress looks for the file in the parent directory automatically, provided that directory is not itself another WordPress installation (it must not contain wp-settings.php). It's also wise to lock down permissions on the file itself, to prevent unauthorised access; you can do this by SFTP or with the chmod command on Linux-based hosting. Permissions of 400 (owner read only) lock the file down as far as possible whilst still allowing WordPress to work, but only if PHP runs as the file's owner. On hosts where the web server runs as a different user, 440 with that user's group is the tightest setting that works. Whatever you choose, load the site afterwards to confirm it still starts.
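Generating the keys and checking a config file for the placeholder values is easy to script. The following is an added example written for this article, not WordPress core code and not the output of the WordPress secret-key service; the file name generate-salts.php and the function names are our own, and it assumes PHP 7 or later with random_int available.

```php
<?php
// generate-salts.php (hypothetical file name). Added example, not WordPress core code.
// Usage: php generate-salts.php               -> prints eight fresh define() lines for wp-config.php
//        php generate-salts.php wp-config.php -> also warns about placeholder, short or duplicated values

const WP_SALT_CONSTANTS = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

// Same character set that WordPress's own generator uses; it contains neither ' nor \
// so the value can sit inside a single-quoted PHP string unescaped.
function random_salt(int $length = 64): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
              . '!@#$%^&*()-_ []{}<>~`+=,.;:/?|';
    $max  = strlen($alphabet) - 1;
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= $alphabet[random_int(0, $max)];   // CSPRNG; never rand() or mt_rand() here
    }
    return $salt;
}

function salt_defines(): string {
    $out = '';
    foreach (WP_SALT_CONSTANTS as $name) {
        $out .= sprintf("define('%s', '%s');\n", $name, random_salt());
    }
    return $out;
}

// Names each constant that is missing, still the wp-config-sample.php placeholder,
// shorter than 32 characters, or identical to another constant (every value must be unique).
function weak_salts(string $config): array {
    $seen     = [];
    $problems = [];
    foreach (WP_SALT_CONSTANTS as $name) {
        if (!preg_match("/define\(\s*'" . $name . "'\s*,\s*'([^']*)'\s*\)/", $config, $m)) {
            $problems[] = "$name is not defined";
            continue;
        }
        $value = $m[1];
        if ($value === 'put your unique phrase here' || strlen($value) < 32) {
            $problems[] = "$name is the sample placeholder or too short";
        } elseif (in_array($value, $seen, true)) {
            $problems[] = "$name reuses another constant's value";
        }
        $seen[] = $value;
    }
    return $problems;
}

if (PHP_SAPI === 'cli') {
    if ($argc > 1) {
        foreach (weak_salts((string) file_get_contents($argv[1])) as $problem) {
            fwrite(STDERR, "WARNING: $problem\n");
        }
    }
    echo salt_defines();
}
```

Paste the printed lines over the existing block in wp-config.php. Doing so signs everyone out, so run it outside business hours on a live site, or deliberately after an incident.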
When it comes to WordPress security, it's good practice to disable directory browsing. Otherwise visitors can list the contents of directories such as wp-content/uploads or wp-content/plugins simply by typing the path into their browser, which reveals exactly which plugins, and often which versions, you run. On Apache hosts this is a quick, easy fix: add the following line to your site's .htaccess file. Options -Indexes on its own is enough; the All keyword can produce a 500 error on hosts that restrict which Options an .htaccess file may set. On nginx, directory listing is off unless autoindex has been switched on.
Options All -Indexes
Once a new vulnerability or exploit is identified, attackers go out looking for websites using the affected theme, plugin or WordPress version, usually with automated scanners. If your website advertises its version numbers and you are running the affected code, you will be found quickly and the chances of your site being attacked are much higher.
Hiding the WordPress version number involves adding a short PHP snippet, either to your theme's functions.php or, better, to a must-use plugin in wp-content/mu-plugins, which keeps working after a theme change. WPMU DEV has a good tutorial on how to do this. Be aware that the generator meta tag is only the most obvious signal: readme.html in the web root states the version in plain text, and scanners can fingerprint a version from the hashes of core files, so hiding it raises the bar rather than removing it. If you are unsure, it's wise to seek expert help. A syntax error in functions.php will take the whole site down, so do make sure you're confident before implementing.
It can be tempting to consider manually renaming themes and plugins to conceal what code your site is making use of. However, this has important repercussions: renamed themes and plugins no longer match the entries in the WordPress.org directory, so you will not receive update notifications for them. Your site could then become out of date, with vulnerabilities left unfixed.
A better approach is to use a plugin such as Hide My WP. This provides dynamic random names for themes and plugins, and also offers many other WordPress security hardening features.
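For anyone who wants to do the version hiding themselves, the following must-use plugin is an added example written for this article; it is not the article's own code, not the WPMU DEV tutorial and not Hide My WP. The file name hide-wp-version.php and the function name are our own; it relies only on standard WordPress hooks.

```php
<?php
/**
 * Plugin Name: Hide WordPress version (added example)
 *
 * Save as wp-content/mu-plugins/hide-wp-version.php (hypothetical name). Must-use plugins
 * load before the theme and survive a theme switch, unlike code in functions.php.
 * Added example; not the article's code and not the WPMU DEV tutorial.
 */

// 1. <meta name="generator" content="WordPress 6.x"> in the <head>.
remove_action('wp_head', 'wp_generator');

// 2. The same generator string is also printed in RSS/Atom/RDF feeds and the export file;
//    the_generator runs for every one of those output types, so empty it there too.
add_filter('the_generator', '__return_empty_string');

// 3. Core assets are enqueued as .../wp-includes/js/jquery/jquery.min.js?ver=6.x.
//    Only strip ver= when it equals the core version, so plugins and themes keep their
//    own cache-busting query string.
function hide_core_version_in_asset_url($src) {
    if (!is_string($src)) {
        return $src;
    }
    $core = 'ver=' . get_bloginfo('version');
    if (strpos($src, $core) !== false) {
        // Caveat: ver= also busts browser caches. After a core update, visitors may
        // keep a cached copy of a core script until its normal cache lifetime expires.
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'hide_core_version_in_asset_url', 9999);
add_filter('style_loader_src',  'hide_core_version_in_asset_url', 9999);

// 4. What this does NOT hide: readme.html in the web root states the version in plain
//    text (delete it or block it at the web server), and scanners can still fingerprint
//    a version from the hashes of core files such as wp-includes/js/*.js. Treat this as
//    removing the easiest signal, not as making the version secret.
```

After enabling it, view the page source of the home page and a feed URL and confirm the generator tag and the ?ver= on core scripts are gone; plugin assets should keep theirs.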
It’s all too easy for website owners to assume that hacks are planned and orchestrated by code-obsessed, tech geniuses from their bedrooms with a wall of screens and advanced tech. The reality is a lot more ordinary than that.
Whilst those skilled hackers do exist, most WordPress compromises are far more mundane: guessed or reused credentials at the login screen, or an unpatched plugin. We've spoken already about changing the default admin username and using strong passwords, but there are other steps you can take to beef up login security.
Firstly, you can password protect your login page using your .htaccess file (HTTP basic authentication). This forces users to enter a username and password before the WordPress login screen is displayed. If you have a fixed IP address and limited users, you could also restrict access to wp-login.php to only that IP address, which locks it down more tightly still. Restrict wp-login.php specifically rather than the whole of wp-admin, because admin-ajax.php inside that directory is used by front-end features. Remember too that xmlrpc.php accepts the same credentials and, through system.multicall, lets a single request test many passwords; disable it unless something you rely on needs it.
Finally, you can limit the number of failed logins allowed before a user or IP address is temporarily blocked. This slows brute force guessing, perhaps the simplest way for attackers to gain access to a site, to the point of being impractical. It does not stop user enumeration on its own: the login form's different error messages for a wrong username and a wrong password, the /?author=1 redirect and the REST API's users endpoint all reveal valid usernames, and those need closing separately.
All of these protection measures can be accomplished either via bespoke code or with a third-party plugin such as Hide My WP or WPS Hide Login.
It's also worth pointing out that if multiple people need access to the back-end of your WordPress site, you should ensure that they all use strong, unique passwords and, where possible, two-factor authentication. Access levels should be strictly limited too, giving each user just the role they need to do their job rather than Administrator by default. If anyone leaves your organisation, make sure that their WordPress account is disabled or deleted straight away.
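The bespoke-code route for the login measures above (IP restriction on wp-login.php, a lockout after repeated failures, closing the enumeration paths and disabling XML-RPC) fits in one must-use plugin. The following is an added example written for this article, not the article's code and not Hide My WP or WPS Hide Login; the file name, the three constants and the helper function names are our own, and the allowlisted address is a documentation-only example.

```php
<?php
/**
 * Plugin Name: Login hardening (added example)
 *
 * Save as wp-content/mu-plugins/login-hardening.php (hypothetical name). Added example,
 * not the article's code and not Hide My WP or WPS Hide Login. The three settings
 * below are our own names; adjust them to your site.
 */

const LOGIN_ALLOWED_IPS = ['203.0.113.10'];  // RFC 5737 documentation address; [] disables the allowlist
const MAX_FAILED_LOGINS = 5;
const LOCKOUT_SECONDS   = 900;               // 15 minutes

// Only REMOTE_ADDR is trustworthy. X-Forwarded-For is attacker-controlled unless a proxy you
// run overwrites it; if you sit behind such a proxy, resolve the real client IP there instead.
function login_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function login_lockout_key($ip) {
    return 'login_fail_' . md5($ip);   // keeps transient names short and IPv6-safe
}

// (a) IP allowlist. login_init fires for every request to wp-login.php and nothing else,
//     so admin-ajax.php and the REST API (used by front-end features) are unaffected.
add_action('login_init', function () {
    if (LOGIN_ALLOWED_IPS && !in_array(login_client_ip(), LOGIN_ALLOWED_IPS, true)) {
        wp_die('Login is not available from this address.', 'Forbidden', ['response' => 403]);
    }
});

// (b) Count failed attempts per IP. Transients live in the options table or the object
//     cache; on a busy site use a persistent cache so the counter is not evicted early.
add_action('wp_login_failed', function () {
    $key = login_lockout_key(login_client_ip());
    set_transient($key, (int) get_transient($key) + 1, LOCKOUT_SECONDS);
});

// (c) Refuse to authenticate while locked out. Core's username/password handlers run on
//     'authenticate' at priority 20 and return a WP_User for a correct password, so this
//     must run later (30) to override them.
add_filter('authenticate', function ($user) {
    if ((int) get_transient(login_lockout_key(login_client_ip())) >= MAX_FAILED_LOGINS) {
        return new WP_Error('too_many_attempts', 'Too many failed logins. Try again later.');
    }
    return $user;
}, 30);

// (d) One generic error instead of core's distinct "username not registered" and
//     "password incorrect" messages, which otherwise confirm which usernames exist.
add_filter('login_errors', function () {
    return 'Invalid login details.';
});

// (e) Two other enumeration paths: /?author=1 is redirected by redirect_canonical() to
//     /author/<username>/, and /wp-json/wp/v2/users lists users to anonymous visitors.
//     Priority 0 runs before redirect_canonical (priority 10), so the redirect never leaks.
add_action('template_redirect', function () {
    if (is_author() && !is_user_logged_in()) {
        wp_safe_redirect(home_url('/'), 302);
        exit;
    }
}, 0);
add_filter('rest_endpoints', function ($endpoints) {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});

// (f) xmlrpc.php accepts the same credentials, and system.multicall lets one request
//     try many passwords. Disable it unless something (Jetpack, the mobile app) needs it.
add_filter('xmlrpc_enabled', '__return_false');
```

Test it from a second browser before relying on it: five wrong passwords should lock the address out even for the correct password, /?author=1 should land on the home page, and /wp-json/wp/v2/users should return 404 for a logged-out visitor.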
Unfortunately, no code can ever be 100% secure, as new vulnerabilities are discovered all the time. Keeping all code as up to date as possible means that security patches and functional improvements reach your website at the earliest opportunity. Many updates are released precisely in order to patch a vulnerability, and by the time the update is out the vulnerability is usually public, so apply updates as soon as possible.
WordPress applies minor and security releases automatically by default and can be set to install major releases as well; it's recommended that this approach is adopted. Plugins and themes can be switched to automatic updates individually from the Plugins and Themes screens, and either way should be checked regularly and updated promptly. If you have themes or plugins which are not in use, delete them entirely from your site. Their files remain on the web server and can still be vulnerable to attack, even when the plugin is not active.
Thankfully, staying on top of WordPress security updates is fairly easy, as your website Dashboard will always notify you when there is one available. However, in order not to fall behind with the task of WordPress updates, it’s worth either scheduling a weekly reminder to yourself or assigning the task to a member of staff. This will ensure that they are given sufficient time to complete it regularly.
Whenever a web server responds to a request for content, it delivers that content along with response headers, which pass various bits of information back to the requesting client. Some of that information, such as the Server and X-Powered-By headers that announce the web server and PHP versions, is valuable to would-be hackers.
Security response headers can prevent issues such as clickjacking (X-Frame-Options and the Content-Security-Policy frame-ancestors directive), MIME type sniffing (X-Content-Type-Options: nosniff) and, with a Content-Security-Policy, can limit the damage an XSS flaw can do. Many hosts will permit you to add these headers at the server level, which is the best place because it covers every file served. If this isn't possible with your web hosting setup, you can send them from PHP instead, ideally from a must-use plugin rather than your theme's functions.php. Bear in mind that PHP-sent headers only cover the pages WordPress generates, not static files served directly by the web server.
Another way to boost WordPress security is to serve the whole site over HTTPS (TLS, still commonly called SSL). At one time, websites restricted it to checkout pages or pages containing sensitive data. But, in 2014, Google announced that it would use HTTPS as a ranking signal. This means that HTTPS sites could get a ranking boost over sites using plain HTTP.
Adopting HTTPS across your entire site, therefore, has a twofold benefit. Every request, including the login form and the session cookie, is protected from interception and tampering in transit, and your site could move up the organic search results on Google because of it. Once the certificate is in place, set define('FORCE_SSL_ADMIN', true) in wp-config.php, change the WordPress Address and Site Address settings to https, and redirect HTTP to HTTPS so nobody can reach the old scheme.
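The header and HTTPS advice above, done from PHP for hosts that offer no server-level access, looks like this. It is an added example written for this article, not the article's code; the file name security-headers.php and the function name are our own, and it assumes a certificate is already installed (on a site without one the redirect would make it unreachable).

```php
<?php
/**
 * Plugin Name: Security headers and HTTPS (added example)
 *
 * Save as wp-content/mu-plugins/security-headers.php (hypothetical name). Added example,
 * not the article's code. PHP can only add headers to responses WordPress generates;
 * images, CSS and JS served straight from disk need the same headers in the Apache
 * or nginx configuration. Pair this with define('FORCE_SSL_ADMIN', true) in wp-config.php.
 */

function send_security_headers() {
    // Browsers must honour the declared Content-Type instead of sniffing one; stops a
    // "harmless" upload being interpreted as HTML or script.
    header('X-Content-Type-Options: nosniff');
    // Clickjacking: only same-origin pages may frame the site. frame-ancestors is the
    // current mechanism; X-Frame-Options is kept for older browsers.
    header('X-Frame-Options: SAMEORIGIN');
    header("Content-Security-Policy: frame-ancestors 'self'");
    // Do not hand full URLs (which may carry tokens) to third-party sites.
    header('Referrer-Policy: strict-origin-when-cross-origin');
    header('Permissions-Policy: camera=(), microphone=(), geolocation=()');
    // HSTS only over HTTPS. Start with a short max-age and no preload until every
    // subdomain is confirmed to work over TLS; a wrong HSTS header is hard to retract.
    if (is_ssl()) {
        header('Strict-Transport-Security: max-age=86400');
    }
    // PHP's version banner. Apache's own Server header is trimmed with ServerTokens Prod.
    header_remove('X-Powered-By');
}
// send_headers only fires for front-end requests; cover wp-admin and wp-login.php as well.
add_action('send_headers', 'send_security_headers');
add_action('admin_init',   'send_security_headers');
add_action('login_init',   'send_security_headers');

// Redirect plain HTTP to HTTPS for front-end requests. Do this at the web server when you
// can; this is the fallback for hosts that give you no server-level access.
add_action('template_redirect', function () {
    if (is_ssl()) {
        return;
    }
    // Behind a TLS-terminating proxy or CDN, is_ssl() is false on every request and this
    // would loop. Such hosts need $_SERVER['HTTPS'] set from X-Forwarded-Proto in wp-config.php.
    $host = wp_parse_url(home_url(), PHP_URL_HOST);   // configured host, not the client-supplied Host header
    $uri  = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/';
    wp_safe_redirect('https://' . $host . $uri, 301);
    exit;
}, 0);
```

Check the result with your browser's network inspector or a headers checker: a WordPress page should show the new headers, while a direct request for an image or stylesheet will not until the same headers are added in the server configuration.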
When building a new website with WordPress, you should always keep security in mind from the outset. A good hosting platform should provide stable server software and reliable backup and restore options.
However, a common misconception is that a great host will do all the security legwork for you. Unfortunately, this isn't the case. Hosting services are primarily concerned with the security of their own infrastructure; their priority is maintaining the integrity of their servers. That said, some, like Kinsta (the hosting provider KIJO work with), take a more active approach: Kinsta emails you about installed plugins with known security vulnerabilities, and guarantees to fix a hacked site.
However, even when working with a more active hosting provider, it’s still primarily down to you to keep your website software, plugins and themes secure.
If you have had your website developed by a freelancer or an agency, you should never assume that all security measures have been put in place. Ask your developer or agency to walk you through the steps they've taken to keep it secure.
If in any doubt, it’s worth talking to an experienced web development agency. They can undertake a full security check for you. They’ll correct any vulnerability issues and advise on further measures to tighten up your WordPress security across the entire site.
Once the basics are in place, one of the easiest ways to ensure that good security is maintained is to make use of one or more security plugins. There are quite a number of security plugins available, each handling different elements of security. Always only use plugins that have lots of active users, plenty of positive reviews and a recent update history.
Here are a few of the best security plugins available:
At KIJO, we work with SolidWP (Solid Security, formerly iThemes Security). It has a good cross section of useful features, from two-factor authentication and brute force protection to file change detection and backend hiding. The latter two are particularly useful: backend hiding against the automated bots that hunt out WordPress sites and guess users' passwords, and file change detection for noticing when something has already got in.
Always ensure that you understand what any WordPress security plugin offers you and that it meets your particular needs. Of course, installing a plugin doesn’t mean that you no longer have to think about WordPress security. You should adopt a security-focused approach at all times, to give you the best possible chance of avoiding the problems so often caused by hacking and malicious code.
Are you in need of help with security on your WordPress website? Interested in switching up your hosting package for a more secure one? Whatever web development you may need support with, contact KIJO for a no-obligation chat about how we can help you.