5 Things You Can Do to Secure Your WordPress Website
With WordPress estimated to power about 20% of all websites online, WordPress sites have become an appealing target for attacks. There are some simple things you can do yourself to make sure your WordPress website is safe and secure.
1. Do not use the default “admin” username. Every default WordPress installation creates the first user as “admin,” so attackers can assume that username exists. When you set up your WordPress installation, or if you currently have “admin” as a username, immediately create a new administrator account with a different username and delete the “admin” user.
2. Make your display name different from your username. Again, WordPress by default uses the username as the display name for your users. Make sure the display names shown on blog posts, author archives, and so on are different from the usernames used for logging into your control panel. We have seen a number of instances where display names were used as usernames in brute force attacks on the WordPress login. You can change the display name for users under the “Users” tab in your control panel.
3. Only use strong passwords. Password security is critical. Users without fail tend to choose passwords that are all too common and simple, which can make your site an easy target. Here is an interesting list of common passwords taken from a recent Adobe security breach. We recommend that you use a strong password generator to generate the passwords for your own login and for all other users. Failing that, make sure to create passwords that are at least 8 random characters long, combine capital and lowercase letters, and use special characters such as @, %, <, *, ) and so on.
4. Assign each user their own login. Make sure all your editors, contributors, and administrators have their own accounts. All too often site owners decide, for expedience’s sake, to create communal logins and have everyone log in through one central username and password. This is a bad idea! Take the time to give every user their own account, and when that user no longer needs access, delete it.
5. Limit access. When you create users, give them only the access they need to perform their tasks. Highly privileged users are a huge security risk, and it’s a good idea never to assign users administrator privileges unless they absolutely need that level of access. To read more about the different privileges assigned to each WordPress user role, check out this post.
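The checks in tips 1, 2, 3 and 5 can be run as a quick audit over a list of your site’s users. The script below is an added example, not part of the original post; it assumes a user list shaped like the JSON output of the WP-CLI command `wp user list --format=json --fields=ID,user_login,display_name,roles`, and the sample records in it are constructed, not real accounts.

```python
import json
import re

# Constructed sample shaped like `wp user list --format=json` output.
# The accounts below are made up for this example.
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "admin", "display_name": "admin", "roles": "administrator"},
    {"ID": 2, "user_login": "jsmith", "display_name": "Jane Smith", "roles": "editor"},
    {"ID": 3, "user_login": "bob", "display_name": "bob", "roles": "administrator"},
    {"ID": 4, "user_login": "guest_writer", "display_name": "Guest Writer", "roles": "contributor"},
])


def audit_users(users_json):
    """Return (user_login, finding) pairs for tips 1, 2 and 5."""
    findings = []
    for u in json.loads(users_json):
        login, display, roles = u["user_login"], u["display_name"], u["roles"]
        # Tip 1: the default "admin" account should no longer exist.
        if login.lower() == "admin":
            findings.append((login, "default 'admin' username still exists"))
        # Tip 2: a display name equal to the login leaks the username.
        if display.strip().lower() == login.lower():
            findings.append((login, "display name reveals the login username"))
        # Tip 5: every administrator should be reviewed for necessity.
        if "administrator" in roles.split(","):
            findings.append((login, "holds administrator role; confirm it is required"))
    return findings


def password_meets_policy(password):
    """Tip 3: at least 8 characters, upper and lower case, and a special character."""
    return (
        len(password) >= 8
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


if __name__ == "__main__":
    for login, finding in audit_users(SAMPLE_USERS):
        print(f"{login}: {finding}")
    for pw in ("password", "Summer2014", "Tr0ub4dor&3"):
        print(pw, "ok" if password_meets_policy(pw) else "weak")
```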
Bonus WordPress Security Tips
Here are three additional bonus items we highly recommend. However, we don’t recommend that you attempt these without proper backups of your site and/or the help of a professional developer. The recommendations below could crash your site and cause irreversible damage if not done properly.
1. Make sure your WordPress installation and plugins are up to date. WordPress is a beautiful thing, and the community that develops plugins to extend its native functionality is absolutely amazing. But WordPress’s greatest asset is also its biggest liability. Plugins can be a major attack vector on a WordPress website. Fortunately, many reliable developers monitor and support their plugins, and when a security issue arises they release updates to patch the hole. Keep your WordPress application and plugins up to date; you can manage this in your WordPress control panel, and only users with administrator access can apply these updates. Additionally, if you have any plugins installed that are not being used, delete them.
2. Install a security plugin for WordPress. One of our favorites is Sucuri. Sucuri helps bMighty2 eliminate common attack vectors, tracks user logins, provides alerts when files are changed, and lets us know if a user makes too many failed login attempts, which could mean your site is under brute force attack. Sucuri offers a freemium version, which should be all that you need to keep your site safe.
3. Have a backup strategy. And finally, if all else fails, set up your hosting to make full backups of your site and database, because bad things can happen to good people, and even if you are doing everything right your site could still get hacked. We recommend at least a monthly backup of your site, or more often if you are an active site owner. The best policy if your site is ever hacked is to wipe the server clean and install an absolutely clean version of your site. We don’t recommend trying to clean your existing site and files, because if you miss the smallest detail your site could become infected again in short order.