How to Keep WordPress Secure

WordPress is the most common content management system for websites. This makes it an attractive target for hackers. By following these steps you can greatly improve the security of your WordPress website.

The biggest vulnerability to any website built on WordPress are outdated versions of plugins or an outdated version of the CMS itself. It is essential to update these as soon as new versions are released. We suggest you install additional security plugins and take regular back ups of your site.

How to Update Plugins in WordPress

Updating everything protects you from the latest exploits like SQL Injection and Cross Site Scripting. WordPress will notify you about new software versions on your dashboard. Updates can be done through WordPress itself with the click of a button. We recommend doing a backup before.

1. Log into your WordPress admin area

2. Go to the ‘Updates’ section of your administration panel.

3. If there are plugins or themes that can be updated, they will appear here, right below the part which tells you if a new version of WordPress is available or not.

4. To update your plugins, select them and click on the ‘Update Plugins’ button.

Security Plugins for WordPress:

The two most popular security plugins are iThemes Security and Sucuri. We highly recommend both, they’re easy to use, easy to update and great at protecting WordPress websites.

General Security Measures

Regular Backups

Backup your site on a regular basis, as well as before and after doing major changes to content or the backend. This way you can roll back to the latest functioning version without losing much content in the case of an attack or some form of data loss. Because WordPress uses files and a database to store content, you need to back up both.

To back the site up, you can either download all files in the directory where WordPress is installed and download an sql dump from the database or you can use a plugin. We recommend WP Clone by WP Academy to make a full backup of a site. You can also use this plugin to easily move a WordPress installation to another server.

Use Different Usernames

The standard administrator username used to be admin in WordPress. Now it can be changed, but many new installations still stick with it. Because of this, hackers try this username first. But other usernames like webmaster and root are next on their list. If a hacker has personally targeted your business and it’s not just a bot, he might also try your actual name. Try to come up with something that other people will not relate to your business! This gives you an additional layer of security against Brute Force Attacks.

Strong Passwords

The next step is (of course!) having strong passwords. Unfortunately, lots of people still use password or 123456 as their password. Dictionary attacks, which try out as many words as possible, try those first. Safe passwords should contain upper and lowercase letters, numbers and special characters. Some plugins can also require the users to change their password on a regular basis, just don’t write it down to stop you forgetting the new one!

Unsecure Hosting and Clients

Unfortunately, you only have limited control over this. But it is crucial to mention, since many sites get compromised because hackers take over the entire server with all files on it. Choose a hosting company that is well established in their business and look for independent reviews. The cheapest option might not offer the service and support you require. Use an antivirus software for your personal computer.

File Permissions

Some plugins change the file permissions on the server upon installation or updating. WordPress works fine with the directory permissions set to 755 and file permission set to 644. You can either change those permissions via FTP or with those commands if you have shell access to the server: find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

Disable File Editing

PHP files can be edited from the WordPress backend by default. This can be disabled if you have FTP access anyway and other users don’t have to change anything in those files. Place this line in wp-config.php:
define(‘DISALLOW_FILE_EDIT’, true);

iThemes Security Plugin

Following all steps in the previous section makes your site safer than the majority of the WordPress installations out there. This plugin helps you to increase the security even more. The basic version provides all these functionalities. The professional version also includes two-factor authentication, extended logging and extended support.

Brute Force Protection

As mentioned above, guessing passwords by trying out lots of passwords is a common way to hack a website. You should still set a strong password, but this plugin helps by locking out users after too many failed login attempts. This is done by banning the attacker’s IP for a set amount of time.

Hide the Login

By default, the WordPress backend can be found at domain.com/wp-admin. This can be changed with this plugin, which makes it harder for attackers to find the actual login page. Also it will instantly turn away most of the bots that try to hack sites, because they only look in the default place.

File Change Detection

The iThemes plugin can detect if files on the server are changed and will send you an email. This notifies you about a potential security breach on your website.

Bot Detection

When a bot is scanning your website for potential vulnerabilities, it usually generates quite a lot of 404 Page not Found errors. The plugin can detect this and temporarily block the IP address after a set amount of errors.

Other Tools

The plugin can rename the admin account, enforce strong passwords, lock out blacklisted users and does database backups. The official website of the plugin lists all tools and offers a detailed comparison between the basic and the professional version. Visit www.ithemes.com/security for more information.

Sucuri Security

Sucuri offers a variety of solutions and software to protect your website against hackers. Pre-emptive and after an attack. Visit www.sucuri.net for more information.

Website Firewall

By using Sucuri’s network as a proxy in front of your website, they are able to filter out traffic, used for Denial of Service attacks. They block requests which are not necessary for a webserver and try to limit the traffic during an attack by using heuristic algorithms. The website firewall also protects against common hacking attempts like SQL Injection, Cross Site Scripting and brute forcing passwords.

Website Antivirus

The antivirus package includes all features of the firewall. Additionally security experts will monitor your site for malware and spam and perform a cleanup if anything is found.

Blacklist Removal

If your website gets hacked and sends out malware or spam to users, Google or other authorities might flag it as infected. This is very bad for you because it will turn many visitors away. After cleaning up your site, Sucuri can use their connections to web authorities to get your website removed from blacklists quickly.