Securing a WordPress Web Site

It’s no secret that WordPress is the most popular content management system available for web sites. In fact, about a quarter of all web sites are running WordPress. As a result, WordPress is a popular target for hackers, who have automated tools that search for WordPress sites with vulnerabilities. Once they get in, hackers often deface web sites or use them to host their own malicious content. A web site hack can be devastating for your business, so it’s important to keep your web site secure from the most common WordPress attacks. The steps below will help you secure your site and protect it from hackers.

Limit exposure to software vulnerabilities

1. Keep WordPress up-to-date

This is absolutely critical. I recommend using the built-in automatic updates with WordPress to make sure your site stays on the most recent version. Even with auto-update enabled, you may need to manually initiate an update to any new major versions, so keep an eye on your version number, and check it periodically to make sure you are running the latest software.

2. Keep your WordPress themes and plugins up-to-date

Outdated plugins and themes are one of the most common ways that WordPress sites are hacked, so keep your themes and plugins updated to the current versions. Be aware that sometimes updating a plugin or theme can break functionality on your site, so be sure to back up your site before updating, and check your site after updating to make sure everything is working.

You can also set your plugins to update automatically using the JetPack plugin. JetPack is written by the developers of WordPress itself, and it connects your site with WordPress.com for easy management and additional functionality. It is one of my favorite plugins for WordPress, hands down. If you don’t trust yourself to regularly update your plugins, this is a good option. Just make sure you also check your site’s functionality regularly and that you have a backup system in place for your site, in case a plugin update causes issues. More on WordPress backups at the end of this article.

3. Choose plugins carefully and uninstall what you don’t use

Much like the risk presented by outdated plugins, plugins that are poorly written or not well supported also pose a risk. In fact, all plugins add additional risk, so be judicious about what plugins you install and uninstall any plugins that you don’t use. Check the reviews, check the last updated date, and check the number of installs to get an idea of how established and trusted a plugin is among other WordPress users. It’s common to install and try a few plugins while you’re trying to add new functionality to your site, but once you settle on one, make sure to go back and uninstall the others. Also make sure you’re only downloading plugins from the official WordPress plugin library or another legitimate source.

Protect yourself from login-based attacks

4. Delete the admin user account

Many WordPress attacks attempt to log in to the admin account with the default username of “admin”. But you can assign any user admin rights, and then delete the admin account. That is a simple way to thwart a lot of basic WordPress hacks, and it takes almost no effort. If you don’t already have another user, create one, and assign it Administrator rights. Then delete the account named “admin”. If the admin user had ever created any content, WordPress will prompt you to re-assign the author of that content to another user, and you can choose your new administrative username.


5. Use strong passwords

Always use strong passwords for everything you do. With the number of attacks against WordPress and the damage that can be done by a hack, it’s especially important to secure your site with a strong password. Make sure your WordPress password is long and complex, with a variety of uppercase and lowercase letters, as well as numbers and symbols. And change your password periodically. If you saw my recent password security tech tip, you know I recommend using a password manager to keep up with your logins. If you have multiple users on your site, require them to use strong passwords as well. There are plugins to force strong passwords if you have multiple users with editor/author/admin level accounts.

6. Restrict unauthorized logins

There are a couple of ways you can restrict unauthorized login attempts. The first is to block IPs after repeated failed login attempts. I recommend a plugin called Login Lockdown to do this. By default, the plugin locks out an IP address for 1 hour after 3 failed login attempts within 5 minutes, but this can be adjusted in the plugin options. The other way to restrict unauthorized users is to block entire countries from accessing the login page, as many hacking attempts come from foreign countries. By restricting your login page to only users in your own country, you can prevent a lot of unauthorized login attempts before they even happen. The plugin I recommend for this is called iQ Block Country. It’s not fool-proof, but it blocks a significant number of unauthorized visitors from reaching your login page. It can also block specified countries from accessing your public web site if you’d like, although this is more of a privacy concern than a security concern.
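To make the lockout policy concrete, here is an added example (my own illustration, not the Login Lockdown plugin’s code) that applies the default “3 failed attempts within 5 minutes, then locked out for 1 hour” rule to a constructed series of login attempts. It assumes, as the article implies, that a locked-out IP is refused for the whole hour even if it then supplies the correct password.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy values are the Login Lockdown defaults the article describes.
MAX_FAILURES, WINDOW, LOCKOUT = 3, timedelta(minutes=5), timedelta(hours=1)


class LoginLockout:
    """Sliding-window lockout keyed by source IP (illustrative, not the plugin's code)."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the lockout expires

    def attempt(self, ip, success, now):
        """Return the decision for one login attempt from ip at time now."""
        until = self.locked_until.get(ip)
        if until is not None and now < until:
            return "blocked"                # locked IPs never reach the login form
        if success:
            self.failures.pop(ip, None)     # a good login clears the failure history
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > WINDOW:
            recent.popleft()                # drop failures older than the window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT
            self.failures.pop(ip, None)
            return "locked"
        return "failed"


# Constructed sample attempts (not real log data): (time, source IP, valid password?)
SAMPLE_ATTEMPTS = [
    ("2024-01-01 10:00:00", "203.0.113.5", False),
    ("2024-01-01 10:00:30", "198.51.100.7", False),
    ("2024-01-01 10:01:00", "203.0.113.5", False),
    ("2024-01-01 10:02:00", "203.0.113.5", False),   # third failure within 5 minutes
    ("2024-01-01 10:03:00", "203.0.113.5", True),    # right password, but still locked
    ("2024-01-01 10:07:00", "198.51.100.7", False),
    ("2024-01-01 10:14:00", "198.51.100.7", False),  # three failures spread over 14 minutes
    ("2024-01-01 11:02:30", "203.0.113.5", True),    # lockout expired at 11:02:00
]


def replay(attempts=SAMPLE_ATTEMPTS):
    """Feed the attempts through one LoginLockout and return each decision."""
    guard = LoginLockout()
    return [guard.attempt(ip, ok, datetime.fromisoformat(ts)) for ts, ip, ok in attempts]
```

The second IP never gets locked because its three failures are spread over 14 minutes, which is exactly the kind of slow, patient guessing a fixed-window counter alone would miss; that is why the plugin’s window length is worth tuning.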

Make smart hosting decisions

7. Choose a trusted web hosting provider

Hosting your site at a trusted, reliable web host will go a long way to protecting your site from hackers. Many times WordPress sites are hacked because of underlying vulnerabilities on the server. That means hosting your site on your cousin’s server in his basement may not be the best idea. You want an established company with 24×7 server administrators, who are experienced at installing, securing, scanning, and monitoring the web server environment (servers, firewalls, etc.). A good host will also provide valuable support to help you set up your site correctly and respond to any issues you have. The right provider has other benefits beyond security and support as well, such as better performance and uptime for your web site.

8. Disable directory listing

By default, many web servers are set up to allow directory listing. This means that if there is no index page in a folder (like your images folder, for example), a web visitor could browse the folder and any subfolders, seeing file names and downloading files from your site. Fortunately, it’s usually very easy to disable directory listing on your web site. If your site uses CPanel hosting, go to “Indexes” on your CPanel dashboard. Click the words “public_html” (don’t click the folder icon), select “No indexing”, and then click Save. Now if anyone goes to a folder path that doesn’t have an index page, they’ll get a WordPress page not found error instead of a file listing.

In CPanel > Indexes, select “No Indexing” for your public_html folder.

And last but not least… Back up your site!

No matter what you do to protect your site from hackers, you could still be a victim of a compromised site. Setting up a good backup system for your web site is the best thing you can do to ensure a quick recovery if your site is hacked. This will allow you to restore your site to its pre-hacked state with the click of a button, and then fix whatever allowed the attack to occur. Without a clean backup, your only option to fix your site is to manually remove the hacked content. Unfortunately, it is often hard to be certain if you’ve fully removed all remnants of a hack, so you may be left re-creating your site from scratch.

If your WordPress software is managed by the Softaculous installer, it includes a very nice backup scheduler, and it is very easy to configure and restore WordPress backups from within Softaculous. If you don’t have Softaculous, you can ask your hosting provider if they have another WordPress backup scheduling option. A third, and really easy, option for WordPress backups is part of the JetPack plugin that I mentioned earlier. While the plugin is free, the backup feature of JetPack requires a low-cost monthly or annual subscription. For only $39/year, your site will be backed up daily to the WordPress.com servers, and backups will be archived for 30 days. This subscription also includes spam protection to filter spam comments posted to your web site. This plan is a great deal for individuals and small business owners with WordPress web sites. Larger businesses may want to consider a higher level plan that includes malware scanning and other features. I started using WordPress many years ago when it was a lot more complicated to schedule and manage automatic backups of your WordPress site. Now, it’s so easy, you have no reason not to have great WordPress backups should something go wrong with your site!

A good hosting provider will also do backups of your entire hosting account. You should ask what your hosting company provides. I still recommend backing up your WordPress site separately in addition to account backups, because having WordPress-specific backups gives you more freedom and flexibility for restoring your site.

Now that you have a list of steps to take to secure your WordPress installation, go through your site NOW and make sure you are covered. You don’t want to be a victim of a WordPress attack that could have been easily avoided.