8 Things To Do Right Now To Secure Your WordPress Website
WordPress, a company powering over 36% of all websites online1, it is often the target of hackers who seek to exploit the platform’s flaws and vulnerabilities. To help secure your website and avoid being a target to potential hackers, we compiled some of our best practices when managing the security of your WordPress website (if this list sounds like jibberish, we recommend reaching out to us to learn how we can help keep your website secure):
1. Keep it updated:
WordPress is an open source CMS that is in a constant state of development. This means frequent software updates that continuously aim to improve site performance, add new features/functionality, and fix existing bugs. Therefore, our team always recommends having the latest version of WordPress Core running.
Most WordPress sites usually rely on third party plugins and in some cases purchased themes. These can also be exploited by hackers and should be updated as soon as new versions are made available by their developers.
Additionally, to reduce the risk of having vulnerable files on your WordPress installation, we recommend removing themes and plugins that are no longer active or used since these can be abandoned by their developers and stop receiving updates and security patches at some point.
For each website we manage, we make sure to run frequently scheduled maintenance checks that include all of these updates as well as an overall status of the health of your website. If you need help maintaining and updating your WordPress website, we’d love to help.
2. Secure your login (and login url):
Many websites overlook the importance of using a strong username and password. Consider this the first line of defense when it comes to securing your site and it is essential to keep the following tips in mind:
- Do not use “admin” or any common word as a username. One of the most popular attacks is trying to gain access to the backend of your website through brute force. Hackers usually attempt to most common usernames including but not limited to “admin,” “Administrator,” “user” etc…
- Choose a strong password that includes a combination of uppercase letters, lowercase letters, numbers, and special characters.
- Hide the default login URL with a custom hard-to-find URL and enable two-factor authentication for an added layer of security. If you access the backend of WordPress via a URL like this – www.example.com/wp-admin, you’re allowing the administrative login screen to be easily found by anyone looking for it.
- Limit the maximum number of login attempts to stop brute force attacks.
3. Choose the host with the most (security):
A poor hosting environment not only affects your website’s performance, but can open the door to a wide range of security threats. It is important to make sure the technology that powers your website on the server is updated to the latest version including PHP and MySQL.
Using a secure hosting platform helps mitigate potential security threats by implementing several security mechanisms across different layers such as web application firewalls, locked-down environments, automatic background updates, and regular server backups.
4. Scan for malware:
Malware scanning should be part of the regular maintenance your site undergoes. Often time, malicious code can go unnoticed for a long time and – without running a full scan – it becomes nearly impossible to detect malware.
Using a plugin to run the scan will ensure all files are thoroughly inspected for suspicious code, backdoors, and known patterns against a constantly updated database of threats.
5. Tweak default installation settings:
It is crucial to inspect your WordPress installation during deployment to ensure that no settings are left to their default state that may weaken your efforts to secure your website:
- Disable PHP error reporting:
This feature can easily be overlooked when moving from a development environment where it can be used to debug to a production environment where broadcasting a website’s errors publicly can turn into a serious security flaw.
- Deactivate XML-RPC and REST API:
WordPress’ XML-RPC feature is used to remotely interact with a website and communicate with other systems by enabling data transmission through HTTP and XML. However, this raises many security concerns and is known to have been exploited to conduct brute force attacks as well as DDoS attacks.
- Update WordPress salts:
It is recommended to regularly change Salts and Keys which are WordPress’ way of enhancing security through hashing stored passwords. This makes it harder for malicious actors to access them and reverse engineer their way into cracking your passwords. Moreover, changing Salts and Keys automatically logs out all users of the site which comes in handy if you accidentally forgot to logout on a publicly accessible computer for instance.
- Change database table prefixes:
By default, WordPress uses “wp_” as a table name prefix which makes it easier for hackers to plan mass attacks through automated codes for SQL injections. By changing this prefix to a more secure string of characters that includes letters and numbers, you are adding an additional layer of complexity and security to your database.
- Lock down file permissions and disable file editing:
It is crucial to review file and folder permissions to prevent attackers from gaining unauthorized access to editing and injecting malicious code on your site.
Moreover, disabling the ability to directly edit PHP files from the WordPress administrator dashboard will stop an attacker from modifying theme and plugin code if they break into the WP dashboard.
6. Back, back, back it up:
Although not directly related to preventing security threats, having a solid backup and restore plan guarantees access to a safe and recent version of your site that you can fall back to in case of a malicious attack or other server related issue.
7. Install a security plugin:
Implementing these security best practices might seem daunting at first but there are plenty of reputable plugins (our favorite: iThemes Security Pro) that allow you to secure, scan, and monitor your site in order to take control of your website’s security.
8. Vulnerability Scans:
Hackers are always trying to exploit newly reported vulnerabilities from the WordPress open source community, so it is important to proactively monitor and take action as soon as these vulnerabilities are discovered.
By having a combination of automatic background site scans with the help of plugins such as iThemes Security Pro as well as manually running a deep scan on each maintenance using a comprehensive scanner such as WPScan, we make sure that your site is kept safe. That means, we will update a vulnerable WordPress Core version or plugin version as soon as a patch is released, secure a theme’s codebase, or replace an abandoned plugin with an actively supported one.
At Weidenhammer, we take your website’s security very seriously. Whether at deployment or after a site is launched, we make sure to follow security best practices and help you prevent cyber threats. Learn more about our maintenance process and the importance of a regularly maintained site here.
If you have a WordPress site and most of this language sounds foreign, or are unsure of your security standings, we’re here to help! Schedule a WordPress security consultation now.
Our clients enjoy peace of mind knowing we are here to help maintain and secure their website – while being a go-to resource for all (and any) questions, updates or changes.