WordPress security is often referred to as “hardening.” Makes sense. After all, the process is like adding reinforcements to your castle. It’s all about bolstering the gates and putting lookouts on every tower. But that term doesn’t always allow you to realize the details that go into improving site security.
Even if you’ve done next to nothing to improve your site’s security, it’s likely that you have at least a cursory familiarity with some popular tactics. It’s also likely you’ve heard of a plugin or two that can get the job done. We’re not going to be talking about those things today, however.
This article is going to focus more directly on the ways you can secure your site’s admin, and more specifically than that, the ways that aren’t discussed over and over in every list out there. Because security is seriously important.
Did you know 73% of the popular sites that use WordPress were considered “vulnerable” in 2013?
Or that of the top 10 most vulnerable plugins, five were commercial plugins available for purchase?
Worse yet, one of those five plugins was actually a security plugin, which is just, well, pretty awful.
While the core installation of WordPress is very easy to use and relatively secure, the more you add on top of it via plugins, themes, and custom code, the more likely it is to be hacked. And the more users you add to any given installation, the likelihood increases further, still. That’s bad news all around for individuals and businesses, alike.
With that in mind, let’s spend some time today exploring the 12 ways you can secure your site’s backend to ensure your information (and that of your customers’) remains safe.
What You Should Know Already
I know I just said that I wasn’t going to talk about the more commonly referenced security solutions here, but just in case someone reading this isn’t well-versed in WordPress, I’d be remiss if I didn’t at least list them out. Even if you’re a WordPress pro, having this list to refer to can be helpful as you set about implementing security strategies on your sites.
Keep WordPress up-to-date. Something so simple can have a big impact on site security. Whenever you login to the dashboard and see that “Update available” banner, click it and update your site. If you’re worried about something breaking, make a backup before installing it. The important thing is that you do it, and with regularity. Information about any security holes that were fixed from the previous version are now available to the public, which means an out of date site is all the more vulnerable.
Keep plugins and themes up-to-date. Just as you update the WordPress Core regularly, you should also update plugins and themes. Each plugin and theme installed on your site is like a backdoor into your site’s admin. Unless properly secured (vetted thoroughly, updated regularly, etc), plugins and themes are like anopen door to your personal info.
Delete any plugins or themes you’re not using. Along the same line of thinking as what’s listed above, getting rid of any plugins or themes you don’t need will reduce the likelihood of being hacked. If you’re not using them, you’re not going to want to update them, so it’s a much better idea to delete them. Read: Deactivating plugins isn’t enough; you must actually click “Delete.”
Only download plugins and themes from well-known sources. When you can, downloading plugins and themes from WordPress.org is actually your best bet since they will have been thoroughly scanned before being admissible to the Theme Directory or Plugin Directory. If you want a premium theme or plugin, only download them from reputable sources like Themeforest or from a highly respected developer’s website.
Change file permissions. Avoid configuring directories with 777 permissions. You should opt for 755 or 750, instead, according to WordPress.org. While you’re at it, set files to 640 or 644 and wp-config.php to 600.
Don’t use “admin” as a username. If you’ve already installed WordPress using “admin” as your username or something else very simple, you can change it by inputting an SQL query in PHPMyAdmin. If that sounds difficult for you, contact us and we can do it for you.
Change your password often (and make it good). Random strings of letters and numbers are best. If you don’t feel like coming up with something manually, you can use a password generator to accomplish the task like Norton Password Generator or Strong Password Generator.
Make sure your users establish strong usernames and passwords. It’s all fine and well if you create a good username and password but if your users don’t, your personal efforts won’t matter and your site will be just as vulnerable.
Add two-step authentication. A really good way to prevent brute force attacks is to set up two-step authentication. This means a password is required plus an authorization code that is sent to your phone in order to login to your site. Often, the second login code is sent via SMS. Several plugins can be used to add this feature including Clef, Google Authenticator, and Duo Two-Factor Authentication.
Install a firewall on your computer. It’s one extra step, yes, but easy to do. And once installed offers another layer of protection from hackers and security breaches. A few firewall software providers to check out include Comodo, Norton Internet Security, and ZoneAlarm Free Firewall.
Limit logins. The brute force attack is tactic #1 for hackers. If you let them, they’ll try to login to your site over and over again until they crack your password. That’s why it’s called “brute force” because the onslaught is relentless. However, there are plugins that allow you to limit the number of times a person from a specific IP can attempt to login within an allotted period of time. The user is restricted from attempting to login again for a given period of time. Login LockDown is great for offering this feature but other plugins that offer a whole set of security features often include login limiting like iThemes Security and Sucuri Security.
Limit user access. Sometimes site security is run through the wringer because of something very simple: granting too many people access. A good rule of thumb is to only grant access to those who absolutely need it and even then, only give them the bare minimum of permissions to complete their assigned tasks. Giving all of your contributors administrative permissions is just asking for trouble.
Backup your site. I don’t just mean every once in a while. I mean predictably on a schedule. Scheduled backups are an essential part of any site’s security strategy because it ensures that if your site is compromised, you’ll be able to restore it to a version prior to the damage with ease. Choose an automated solution like VaultPress, BlogVault, BackupBuddy, or WordPress Backup to Dropbox for simple backups and with built-in restore options.
Check for theme authenticity and conduct security scans. Just as you install an antivirus software on your computer to check for malware, so too should you install a scanner on WordPress. A security scanner will check for malicious code in your plugins, core files, and plugins to ensure nothing has been tampered with. Several scanners exist that you may wish to consider including Sucuri Sitecheck, CodeGuard, Theme Authenticity Checker, and AntiVirus.
Now that we’ve brushed up on the things you should already know about securing a WordPress website, we can move on to some of the more obscure things as well as those that you just might not have thought of yet.
But first, make sure you create a child theme before making any changes to yourfunctions.php file.
1. Cut Back on Plugin Use
I know I already mentioned in the list above that you should delete plugins and themes you’re not using. But it’s worth noting that you should make an effort to limit the total number of plugins you install in the first place. To keep your site secure, you need to be scrupulous in the criteria you use to select plugins.
This isn’t just about security, either. It’s about site speed and performance, too. Loading your site up with too many plugins can slow it down dramatically. So if your site can function without a particular plugin, skip it. Or, look for plugins that check off several items on your must-have features list. The fewer plugins you have, the fewer chances you give hackers to access your info.
2. Don’t Download Premium Plugins for Free
Though I totally get what it’s like to be a business person on a budget, it’s just a bad idea overall to try to download premium plugins from anywhere other than where they are officially for sale.
It’s lame to download pirated plugins anyway, but if you needed more of a deterrent than that, totally legitimate plugins are often corrupted with malware by the time they hit these illegal download sites. That means what was once a great premium plugin with excellent code is now a hacker’s direct line into your site’s backend. And for what? All because you wanted to save a quick buck.
Skip the illegal downloads and torrents, people. Just don’t do it.
3. Consider Automatic Core Updates
I’ve already talked about the importance of updating your WordPress installation whenever a new version is released, but it bears repeating. In fact, if you’re running an older version of WordPress than what is current, all of the security flaws in the version you’re running is common knowledge to the public. That means hackers have that info, too, and can easily use it to attack your site.
But updating your site might not be enough, especially if you don’t make site maintenance a regular habit. In these cases, the more automated you can make these tasks, the better. While I recognize it’s not for everyone, automatic updates might be a good option for those who want to take a more hands-off approach to site management but want a secure site, just the same.
Ever since WordPress 3.7, minor WordPress updates now happen automatically. But major updates are still something you need to approve. You can insert a bit of code into your wp-config.php file, however, to configure your site to install major core updates automatically.
It doesn’t get much simpler. Just insert this in the file and major core updates will happen in the background without the need for your approval:
|# Enable all core updates, including minor and major:|
|define( 'WP_AUTO_UPDATE_CORE', true );|
Be warned, however, that auto updates can break your site, especially if you’re running a plugin or a theme that isn’t compatible with the latest version. Still, setting up the auto updates might be worth the risk if you don’t regularly log into your site.
4. Set Plugins and Themes to Update Automatically
Now I realize this one also isn’t for everyone, but it’s worth mentioning anyway. Typically, plugins and themes are things you’ll need to update manually. After all, updates are released at different times for each. But again, if you’re not someone who makes site maintenance a regular thing, you may wish to configure automatic updates so everything stays current without necessitating your immediate intervention.
Automatic updates for plugins and themes are another thing you can configure by inserting a bit of code into wp-config.php. For plugins you’ll use:
|add_filter( 'auto_update_plugin', '__return_true' );|
For themes, use:
|add_filter( 'auto_update_theme', '__return_true' );|
5. Eliminate the Plugin and Theme Editor
If you’re the kind of developer who routinely makes changes and tweaks to plugins and themes then you may want to disregard this section. But if you don’t use the built-in plugin and theme editor in the WordPress dashboard on a regular basis, you’re better off disabling it altogether.
Why? Because authorized WordPress users are given access to this editor and if their accounts are hacked, the editor can be used to take down an entire site just by modifying the code found there.
So you can remove this editor by inserting another bit of code into the wp-config.phpfile. It’s another simple one:
|define( 'DISALLOW_FILE_EDIT', true );|
6. Eliminate PHP Error Reporting
Beefing up your site’s backend security has a lot to do with closing the holes or weak spots. Now, if a plugin or theme doesn’t work correctly, it might create an error message. This is definitely helpful when troubleshooting, but here’s the problem: these error messages often include your server path.
Hackers would only need to view your error reports to get your full server path, which means you’d be handing them every nook and cranny of your website on a silver platter. No matter how helpful error reporting might be, it’s a better idea to disable it altogether. This one’s another code snippet to be added to wp-config.php.
7. Protect Your Most Pertinent Files Using .htaccess
If you’re into WordPress security at all, you’ve heard of the .htaccess file before and have likely accessed it. Still, the changes you make in this one file can have such a huge impact on your entire site’s security, I can’t leave it off the list.
Why is this file so important? It’s at the heart of WordPress and directly affects how your site structures permalinks and how it handles security. You can insert many different code snippets into the .htaccess file anywhere outside the #BEGIN WordPress and #END WordPress tags to modify what files are visible within your site’s directory. These snippets are sourced directly from the WordPress Codex.
For starters, you’ll want to hide wp-config.php because it’s a central hub for your site and includes your personal info and many other details related to security. Hide it by adding this bit of code to .htaccess:
|deny from all|
You can also restrict admin access by creating a new .htaccess file and uploading it to the wp-admin directory. You’ll then insert the following code:
|allow from 192.168.5.1|
|deny from all|
Insert your own IP address in the appropriate spot. You can allow access to wp-admin from multiple IP addresses by listing them out as allow from IP Address, each on a new line.
You can restrict access to wp-login.php in much the same way. Just add the following code into .htaccess:
|Deny from all|
|# allow access from my IP address|
|allow from 192.168.5.1|
If you don’t want to block every IP but your own and instead wish to just block specific people attempting to access wp-admin or wp-login.php, you can do so by blocking those IP addresses individually using this bit of code:
|deny from 418.104.22.168|
|allow from all|
Another way to prevent people from viewing your site’s directories is to make them non-browsable. This simple bit of code will do the trick:
|Options All -Indexes|
There are many other ways to modify .htaccess to heighten your site’s security as well—we’ve written on them extensively here—but these are just a few of the more important ones you should implement.
8. Hide Author Usernames
If WordPress defaults are left intact, it’s really easy to find out each author’s username for your site. And since more often than not the main author of a site is also the administrator, it’s also easy to find out the admin’s username. Which isn’t good. Anytime you’re giving away info to hackers, you run the risk of seeing your site compromised.
According to DreamHost, it’s a good idea to hide the author’s username to ensure you aren’t making the hacker’s job easier. To do this, all you need to do is add some code to your site. Once inserted, this code will make it so when someone inputs ?author=1 after your main URL, they won’t be presented with the administrator’s information and will instead be sent back to your homepage.
Just copy and paste the following into your functions.php file:
9. Keep Track of Dashboard Activity
If you have many users on your site, it might be a good idea to keep track of what they’re doing on your dashboard. Not that you suspect them of any wrongdoing, but sometimes when you have a lot of people involved in your site, a simple misstep can cause something to break. That’s why logging dashboard activity is so useful – it allows you to retrace your user’s steps up to the point of site breakage. You can even retrace your own steps.
This is also great for security because it allows you to connect the dots between a specific action and a specific reaction. So, if a certain uploaded file caused your site to break, you can investigate it further to see if it contained malicious code.
Yes, WordPress logs this information automatically but it’s not easy to use. It’s a much better idea to use a plugin to organize all of that data. So you can see if installing a certain plugin, making a specific code change, or uploading a file caused the issue you’re dealing with. But even if you’re not handling a site issue, being able to see what your users are doing on your site at all times can offer some peace of mind.
According to Pagely, a good plugin to check out is WP Security Audit Log. This free plugin maintains a log of everything that happens on your site’s backend, so you can easily view both what users and hackers are doing. This plugin keeps track of everything from when a new user is created to file management to published post changes.
10. Obscure the Login Page
Though security that focuses on obscurity isn’t complete, it’s still an important part of your overall strategy. After all, hiding certain elements of your site won’t prevent hackers from accessing them, but it’ll make it harder for them to get to. And that’s good, right?
Relocating or renaming your login page is a quick way to make a hacker’s job harder. Brute force attacks are typically automated, so if your login page is anything different than www.websitename.com/wp-admin or www.websitename.com/wp-login.php then they’re going to have a really difficult time attacking. Many plugins are available that make this simple change for you including Lockdown WP Admin as well as several of the major WordPress security plugins.
11. Pick the Best Hosting You Can Afford
You can trick out your site all you want with all the latest security hacks but if you don’t have a good hosting provider, your efforts aren’t going to matter all that much. In fact, security experts WP White Security reported that 41% of WordPress sites were hacked due to a security vulnerability on the host itself. That’s edging on half there, which means you need to do something about your hosting plan, ASAP.
If you want to use shared hosting, make sure your plan includes account isolation. This will prevent someone else’s site on the server from affecting yours in any way. But I think it’s a much better idea to use a service that’s catered directly toward WordPress, however. A managed hosting provider that specializes in WordPress is more likely to include a WP firewall, up-to-date PHP and MySQL, regular malware scanning, a server that’s designed for running WordPress, and a customer service team that knows WordPress inside and out.
A few really good managed WordPress hosts that have solid security track records include WP Engine, Pagely, and Siteground. Full disclosure: We use Siteground, and we were not paid to promote them here. However, using the link we provided does help us pay our hosting bill for the month.
12. Keep Your Computer Up-to-Date, Too
Sometimes hackers can gain access to your site due to security vulnerabilities on your computer. The best way to combat this is to keep your computer up-to-date. When software patches are released, install them. When a new operating system is released, do your best to upgrade as soon as possible.
Likewise, make sure you use an anti-virus software on a regular basis. You can run a free antivirus software like Avast, Panda Free Antivirus, Comodo, or AVG to see if there are any viruses or malware on your computer and to eliminate them.
Securing a WordPress site is about so much more than installing a security plugin and walking away. There are subtle nuances that fill out a complete strategy. Some you might’ve known about before but it is my hope that some were new discoveries. Sometimes, it’s the simple things you haven’t thought of yet that spell the difference between a mediocre security strategy and a great one.
What are some things you do to secure your WordPress sites? Did I miss a detail here that you think is vital? Feel free to sound off in the comments below.