WordPress Security

Aug 9, 2018 | Optimisation, Security

WordPress security has always been food for thought. Even though most of the recent updates address WordPress security issues, there is still a lot that can be done to improve it. Here, I’d like to elaborate on some suggestions for improving the security of your WordPress website.

Don’t use admin as a username

Think about this. This is perhaps the easiest baseline step for WordPress security you can take as a WordPress user. It costs you nothing, and the install makes it easy to do. A majority of today’s attacks target your wp-admin / wp-login access points using the username admin combined with some password, in what are known as Brute Force attacks. Common sense would dictate that if you remove admin, you’ll also kill that attack outright.

For the everyday, automated Brute Force attack, removing the default admin or administrator username will already help a lot. You’re at least making it a bit harder for the hacker to guess the username. For the sake of clarity, when we say admin we mean the username only, not the role.

Create an editor account for yourself

In addition to the above, when you write or edit your blog posts, your “author name” shows up in the lower left-hand corner of your browser when you hover over the author name in the post. If your author name is the same as your admin username, you’ve just handed any hacker half of a successful login attempt.

The fix is simple: create a username for yourself that only has editor privileges, and use that account whenever you log in to write and edit posts; it will then appear on all your posts. Hackers will assume it’s your admin name and waste an incredible amount of time attempting to break in with a username that only has editing privileges. What simple and great revenge on these evil people!

There are also security plugins for WordPress that limit login attempts and report the attempt to you by email, so you can tell when someone tries to log in with your real admin username. That tells you it’s time to pay more attention to your security before they suss out the password.

Use a less common password

An easy thing to remember is CLU: Complex. Long. Unique.

This is where tools like 1Password and LastPass come into play, as they each have password generators. You type in the length, and it generates the password. You save the link, save the password, and move on with your day. Depending on how secure I want the password to be, I usually set the length of the password (20 characters is always right) and decide on things like the inclusion of less usual characters like # or *.
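To make the CLU rule concrete, here is an added Python example (not code from the original post or from any password manager) that generates a 20-character password from a cryptographically secure source and checks a candidate against the three CLU properties. The character set, the 20-character minimum and the small deny-list of common passwords are assumptions chosen for illustration; real uniqueness (never reusing a password across sites) can only be tracked by a password manager, so "unique" here only means "not a well-known password".

```python
import math
import secrets
import string

# Constructed deny-list standing in for a breached/common-password list (assumption).
COMMON_PASSWORDS = {"password", "password123", "admin", "letmein", "wordpress", "qwerty123"}

# The "less usual" characters the article mentions (# and *) plus a few more symbols (assumption).
SYMBOLS = "#*!@$%^&-_=+?"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def check_clu(password: str, min_length: int = 20) -> dict:
    """Report whether a password is Complex, Long and Unique, plus an entropy estimate."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in SYMBOLS for c in password),
    )
    return {
        "complex": all(classes),                      # every character class present
        "long": len(password) >= min_length,           # 20 characters "is always right"
        "unique": password.lower() not in COMMON_PASSWORDS,
        "entropy_bits": round(entropy_bits(password), 1),
    }


def entropy_bits(password: str) -> float:
    """Estimate entropy assuming each character was drawn uniformly from the classes present."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in SYMBOLS for c in password):
        pool += len(SYMBOLS)
    return len(password) * math.log2(pool) if pool else 0.0


def generate_password(length: int = 20) -> str:
    """Generate a password with the secrets module (CSPRNG), retrying until it is Complex."""
    if length < 4:
        raise ValueError("length must allow one character from each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # A 20-character draw almost always covers all classes; reject the rare one that does not.
        if check_clu(candidate, min_length=length)["complex"]:
            return candidate


def is_acceptable(password: str) -> bool:
    """True only when all three CLU properties hold."""
    report = check_clu(password)
    return report["complex"] and report["long"] and report["unique"]


if __name__ == "__main__":
    pw = generate_password()
    print(pw, check_clu(pw))
    print("password123", check_clu("password123"))
```

The entropy estimate is what a generator like the ones in 1Password or LastPass is buying you: a 20-character draw from 75 symbols is roughly 124 bits, far beyond what a brute-force run against wp-login.php can cover, whereas a dictionary word with digits scores in the 50s and is also caught by the deny-list.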

Add Two-Factor Authentication

Even if you’re not using admin and are using a strong, randomly generated password, Brute Force Attacks can still be a problem. To address this, things like Two-Factor Authentication are key to helping to reduce the risk of such attacks.

Oh, I know what a hassle two-factor authentication is. But for now, it’s your Fort Knox. The essence of two-factor authentication for WordPress security is exactly as implied in the name: two forms of authentication. It’s the standard today for enhanced security at your access points. You are already using two-factor authentication for Gmail, PayPal and the like (at least you should be), so why not add it to your WordPress security toolkit as well?

We can help you set this up.

Employ Least Privileged principles

The WordPress.org team put together a great article in the WordPress Codex regarding Roles and Capabilities. We encourage you to read it and become familiar with it because it applies to this step.

The concept of Least Privileged is simple, give permissions to:

  • those that need it,
  • when they need it and
  • only for the time they need it.

If someone requires administrator access momentarily for a configuration change, grant it, but then remove it upon completion of the task. The good news is you don’t have to do much here, other than employ best practices.

Contrary to popular belief, not every user accessing your WordPress instance needs to be categorised under the administrator role. Assign people to the appropriate roles, and you’ll greatly reduce your security risk.
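The username advice earlier in the post and the Least Privileged principle here are both things you can check mechanically. The following is an added Python example, not code from the original post or from WordPress itself, that audits a constructed export of a site's users: it flags default logins such as admin, flags an administrator whose public display name equals their login (the half-credential leak described above), and flags a site with more administrators than it needs. The field names (user_login, display_name, role), the sample accounts and the limit of two administrators are assumptions for illustration.

```python
from typing import Dict, List, Tuple

# Constructed sample of a user export (assumption: one row per account, role taken from wp_usermeta).
# These are not real accounts.
USERS: List[Dict[str, str]] = [
    {"user_login": "admin",   "display_name": "admin",        "role": "administrator"},
    {"user_login": "jsmith",  "display_name": "Jane Smith",   "role": "administrator"},
    {"user_login": "jane-ed", "display_name": "Jane Smith",   "role": "editor"},
    {"user_login": "bob",     "display_name": "bob",          "role": "author"},
    {"user_login": "intern",  "display_name": "Intern 2018",  "role": "administrator"},
]

# Logins that automated brute-force tools try first (assumption; admin/administrator are from the post).
DEFAULT_LOGINS = {"admin", "administrator", "root", "test"}


def audit_users(users: List[Dict[str, str]], max_admins: int = 2) -> List[Tuple[str, str]]:
    """Return (user_login, finding) pairs for username and least-privilege problems."""
    findings: List[Tuple[str, str]] = []
    admins = [u for u in users if u["role"] == "administrator"]

    for u in users:
        login, name, role = u["user_login"], u["display_name"], u["role"]
        if login.lower() in DEFAULT_LOGINS:
            findings.append((login, "default/guessable username; create a new account and delete this one"))
        # The display name is public on every post byline; if it equals the login of an
        # administrator, an attacker already has half of that privileged credential.
        if role == "administrator" and name.lower() == login.lower():
            findings.append((login, "administrator's display name equals login; write posts from a separate editor account"))

    if len(admins) > max_admins:
        findings.append(("*", f"{len(admins)} administrators exceeds the limit of {max_admins}; "
                              "demote accounts that only need editor or author"))
    return findings


def administrators(users: List[Dict[str, str]]) -> List[str]:
    """Logins holding the administrator role, for a quick periodic review."""
    return [u["user_login"] for u in users if u["role"] == "administrator"]


if __name__ == "__main__":
    for login, finding in audit_users(USERS):
        print(f"{login}: {finding}")
```

Run this against a real export whenever someone is granted administrator "momentarily": the third finding is the one that surfaces the access that was never taken away again.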

Use WordPress security keys for authentication

Authentication Keys and Salts work in conjunction with each other to protect your cookies and passwords in transit between the browser and web server. These authentication keys are essentially a set of long random values, and those values improve the security (encryption) of the information stored in cookies.
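The keys and salts live in wp-config.php as eight define() lines. Here is an added Python example, not code from the original post or from WordPress, that generates a fresh set of those eight values locally with the secrets module and renders them in the form wp-config.php expects; the constant names are the real ones WordPress reads, while the 64-character length and the character set are assumptions (the quote and backslash are left out so the values drop into a single-quoted PHP string without escaping).

```python
import re
import secrets
import string
from typing import Dict

# The eight constants WordPress reads from wp-config.php (real constant names).
WP_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Character set for the values (assumption). No single quote or backslash, so each value can be
# placed inside '...' in PHP unmodified.
SALT_CHARS = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?,.:;|~"

DEFINE_RE = re.compile(r"^define\('([A-Z_]+)', '([^']+)'\);$")


def generate_salt(length: int = 64) -> str:
    """One random value drawn from a CSPRNG; 64 characters is the conventional length (assumption)."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))


def render_wp_config_block(length: int = 64) -> str:
    """Render the eight define() lines ready to paste over the old ones in wp-config.php."""
    return "\n".join(f"define('{name}', '{generate_salt(length)}');" for name in WP_KEYS)


def parse_wp_config_block(block: str) -> Dict[str, str]:
    """Read a block back into {constant: value}, which doubles as a sanity check on the output."""
    values: Dict[str, str] = {}
    for line in block.splitlines():
        m = DEFINE_RE.match(line)
        if not m:
            raise ValueError(f"unexpected line: {line!r}")
        values[m.group(1)] = m.group(2)
    return values


def block_is_sound(block: str, length: int = 64) -> bool:
    """True when all eight constants are present, full length, and distinct from one another."""
    values = parse_wp_config_block(block)
    return (
        set(values) == set(WP_KEYS)
        and all(len(v) == length for v in values.values())
        and len(set(values.values())) == len(WP_KEYS)
    )


if __name__ == "__main__":
    print(render_wp_config_block())
```

Replacing the values invalidates every existing login cookie, which is exactly why rotating them is useful after a suspected compromise and why, as part of a scheduled refresh, it is worth doing at a quiet hour: everyone is logged out and has to sign in again.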

As part of our maintenance retainer we will update this for you every few weeks.

Limit login attempts

Brute Force attacks target your login form. Specifically for WordPress security, most security plugins have an option to simply change the default URL (/wp-admin/) of that login form. This can also be done manually.

In addition, you could also limit the number of login attempts from a certain IP address. There are several WordPress plugins that help you protect your login form from IP addresses that fire a multitude of login attempts your way.
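What such a plugin does underneath is count failed POSTs to the login form per source address inside a time window. The added Python example below, which is not code from the original post or from any plugin, does the same thing over a few constructed web-server access-log lines so you can see the logic: it treats a POST to /wp-login.php that gets a 200 (the form re-rendered with an error) as a failure and a 302 (redirect into wp-admin) as a success, and reports an address once it reaches five failures within five minutes. The log lines, the IP addresses (documentation ranges), the threshold and the window are all assumptions; if you have renamed the login URL, pass the new path as login_path.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, Optional, Tuple

# Constructed combined-format access log (assumption). The addresses are documentation ranges,
# not real hosts. 203.0.113.7 hammers the form; 198.51.100.4 fails once and then succeeds;
# 192.0.2.9 fails three times spread over fifteen minutes.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Aug/2018:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3562
203.0.113.7 - - [09/Aug/2018:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3562
198.51.100.4 - - [09/Aug/2018:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2811
203.0.113.7 - - [09/Aug/2018:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3562
203.0.113.7 - - [09/Aug/2018:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3562
203.0.113.7 - - [09/Aug/2018:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3562
203.0.113.7 - - [09/Aug/2018:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3562
198.51.100.4 - - [09/Aug/2018:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3562
198.51.100.4 - - [09/Aug/2018:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [09/Aug/2018:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3562
192.0.2.9 - - [09/Aug/2018:10:12:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3562
192.0.2.9 - - [09/Aug/2018:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3562
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into its fields; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def failed_logins(lines: Iterable[str], login_path: str = "/wp-login.php") -> Iterator[Tuple[str, datetime]]:
    """Yield (ip, timestamp) for every failed login: a POST to the form answered with 200."""
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] == login_path and ev["status"] == 200:
            yield ev["ip"], ev["ts"]


def ips_to_block(
    lines: Iterable[str],
    max_failures: int = 5,
    window: timedelta = timedelta(minutes=5),
    login_path: str = "/wp-login.php",
) -> Dict[str, datetime]:
    """Return {ip: time of lockout} for addresses reaching max_failures inside a sliding window."""
    recent: Dict[str, list] = defaultdict(list)
    blocked: Dict[str, datetime] = {}
    for ip, ts in failed_logins(lines, login_path):
        if ip in blocked:
            continue
        # Keep only the failures still inside the window, then add this one.
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= max_failures:
            blocked[ip] = ts
    return blocked


if __name__ == "__main__":
    for ip, when in ips_to_block(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} locked out at {when:%H:%M:%S}")
```

The sliding window is what keeps a legitimate user who mistypes a password now and then from being locked out (192.0.2.9 above), while an automated run that fires attempts seconds apart trips the limit on its fifth try. A plugin does the same check inside WordPress at login time instead of over the log afterwards, and a web application firewall does it in front of the server.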

Hosting & WordPress security

There is no simple rule to decide on your WordPress hosting company. But the choice of a hosting company does matter when optimising your WordPress security.

Every article written on hosting or hosting companies seems to start by telling you that the cheapest one is probably not the best one. Most cheaper hosting plans won’t have support to help you out with a hacked site. These plans include little to secure your website, such as setting up a Website Firewall. Shared hosting, for instance, does imply that your hosting server is also the home of other websites. These might have security issues of their own, which in turn might affect your own website’s security as well.

Hetzner is our preferred hosting company for reliable and secure web hosting. They also offer free SSL certificates (Let’s Encrypt) and Website Security with Cloudbric (free for three months). We offer Hetzner hosting at a reduced rate. Contact us for a package that is right for your budget and requirements.

As part of our web development offer we will install and harden your website with the necessary tools to protect it from hacking, brute force attacks or any other threat it may face.

Stay up-to-date

Staying up-to-date is an easy statement to make, but for website owners in the day-to-day grind, we realise how hard this can be. Websites are complex beings. They have 150 different things happening at any given time, and sometimes it’s difficult to apply the changes quickly. A recent study shows that 56% of WordPress installations were running out of date versions of core.

Updates need to extend beyond WordPress core. The same study shows that a very large percentage of the website hacks came from out-of-date, vulnerable versions of plugins.

Signing up for our website maintenance retainer will ensure that we look after your investment. We will do daily checks and updates. We also have an early warning system that will detect any issues and warn us to take the necessary action before things get out of hand.

Best WordPress security plugins & themes

Most WordPress users tend to apply themes and plugins at will to their sites. Unless you’re doing this on a test server for the sole purpose of testing that theme or plugin, that makes no sense, especially with reference to WordPress security. Most plugins and a lot of themes are free, and unless a developer has a solid business model to accompany these free giveaways, he or she is maintaining the plugin just because it’s good fun. Chances are they did not take the time to do proper security checks.

There are exceptions to the rule though. Great free plugins do exist. It is important to make sure every plugin is checked for security before installing it.

Closing thoughts

Checking your WordPress security should be a routine for every WordPress site owner, or leave it to an expert to manage on your behalf.

This isn’t the full list of all the things you can do to secure your website. I am aware that one should, for instance, create regular backups, and that WordPress has a number of plugins for this as well. But backups are not part of WordPress security per se; I think they are part of having a website in general – they are administrative/maintenance tasks.

I trust this article about WordPress security gives you a practical list of things you can and should do to secure at least the first layer of defense of your website. Remember, WordPress security isn’t an absolute, and it’s on us to make it harder for the hackers!
