How to Secure WordPress

How to Secure WordPress site – Different Types of Security

hqdefault

Last thing you want to see when you wake up in the morning is seeing your WordPress site hacked.  For any WordPress sites made by WebVillage, first step is always setting up security even before 1st page.  This is vital, and the most important step before doing anything.  Adding page, selecting theme or anything else comes after installing & configuring security.

Not sure why you need WordPress Security?  Check out ‘Why Do I Need Security on WordPress Site?’

So, How to Secure WordPress site?

This is definitely a subject for debate.  And 10 different experts will tell you 10 different method on how to secure WordPress.  But all experts WILL tell you that you need some sort of security.  Many security plugin companies will advertise their security plugin can do all.  In this article, we’ll explore different security issues you should be aware of and discuss how to secure WordPress site without getting into too much details.  Please keep in mind that this is based on my experience and there is no ‘Right’ answer.  If you feel like you have better answer, please share by commenting below. 🙂

Server Security

First topic in How to Secure WordPress is Server.  Server security is like front door to your house.  In many cases, if you’re in shared hosting, you won’t really have much choice in this matter but you can expect somewhat sturdy front door.  But if you’re on VPS or dedicated server, you obviously have a lot you can do to secure your server.  We won’t go in to too much details on this since this topic can open up a big can of worms…

Related: Choosing Right WP Hosting: Shared, Managed WP, VPS, or dedicated?

Brute Force

gbb6e6GBrute Force attack is very basic form of attack where typically bots will try guessing password of Admin account over and over again.  This is very basic form of attack and there are many different plugins available along with documentation from WP.org.

Firewall & DOS protection

Firewall in WordPress is like a wall for a castle.  It keeps people you don’t want from jump through the fence.  Many firewall comes with DOS protection which provides additional protection against any attacks that leaks through DDOS protection of your server.  In most cases, Firewall acts as an easy one click process with very little to do to setup using many plugins available here.

Login page – wp-login.php

wploginphpBy default, WordPress login page is /wp-login.php.  And leaving this alone is like letting hackers know how to enter the control room.  And there are two ways to secure this page.

  1. Secure /wp-login.php file from server end.  You can secure this php file so that only IP addresses that are white-listed can visit & access the site.  While this is an effective way to secure this file, this require you to constantly maintain white-list IP list.
  2. Better method is by changing where you login.  Security plugins like ‘All In One Security’ or ‘WP better security’ will help you to change login URL in order to make it harder for hacker to figure out how to login to your site.

Admin Accounts

Admin accounts are obviously important and power accounts.  In fact, if you gain access to one Admin account, you now have control over entire site.  In order to fortify Admin accounts, here’s what I suggest.

  1. Easy one first – DO NOT use ‘Admin’ as Admin username.  In fact, anyone trying to login using Admin should be banned automatically.
  2. Two Step  or Two Factor Authentication is a MUST for all Admin of the site. (we require Editor and up to use this)  This is a simple added security where Admin user must verify their identity using their smartphone, email, or text code in order to login.  This is simple yet VERY effective way to prevent unauthorized access to your Admin account.  And there are many plugins that can offer you this featureRemember, your site is only as strong as your user with weakest password.
  3. Super Admin – It is also a good idea to create super admin or admin that are protected in order to prevent a hacked Admin account taking over.  But this only applies if you have multiple Admins in your WordPress.

Database Prefix

sucuri

One of many security plugins available on WP.org

By default, all WordPress installation comes with database prefix of ‘wp_’.  And guess which database prefix hackers and spam bots are looking for?  You guessed it, ‘wp_’.  So by simply changing this to something random, you can block any attack looking for ‘wp_’ prefix.  Now that was easy!

Repository File Check & Security Plugins

Because repository file check is a function that comes with almost all plugin, these are bundled together.  Depends on which one you pick, you’ll be getting different set of security measures that are designed to protect your site.  But most of them will include repository file check feature.  This is very effective early alarm monitoring where your site will check all your files from files they have saved in WordPress.org repository.  And if there’s anything different, it’ll send alert right away.  While in some cases these are minor harmless changes, in some cases, you can catch code injection early using this feature = preventing or resolving the issue early.  Most of these security plugins come with free version for basic protection along with premium version which offers typically faster scan or additional options.  Here’s 10 Best WordPress Security Plugins of 2016.

Virus Scan

Yup, they got these for WordPress too!  And it is recommended to run this regularly to catch anything your daily scan has missed.  Looking for Anti-Virus Plugins?

Fortify & make it difficult!

Fortify & make it difficult!

When you really start digging into topic of WordPress security, it really never ends.  But this article will end with one final topic on how to secure WordPress site.

Editors within WordPress

One of convenient feature of WordPress is that it allows editing of Plugin, Theme and htaccess files using WordPress interface.  The fact that you can edit these files without using FTP are convenient way to edit and modify these files… for both You and Hackers!  Make them work for it by disabling these within ‘wp-config’.  Open wp-config and add this code.

define( ‘DISALLOW_FILE_EDIT’, true );

And it may be a little extra work to edit theme or plugin but if you can remove belt and shoes at airport checkpoint, I think you can do this.  Plus, how often do you really edit these files?

 

I have no doubt that this article will be edited over and over since topics of security is never ending and always changing.  But I hope this gives you a good sense of How to Secure WordPress site and gives you a direction.

If all fails or if this seems like a monumental task, Have us setup & monitor your WordPress security.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *