The 8 point WordPress security checklist
With many years’ experience of using WordPress, I have become very aware of WordPress security (or ‘hardening’, as it is often called), not least because of the effect a hacked site has on your brand and sales, but also because of the time it can take to restore the site.
It is worth noting that WordPress is the most popular content management system, running more than half of all CMS-based websites, and it follows that such a popular platform is also one of the most targeted. Although WordPress core itself is regarded as secure, it is what we add on to it (plugins, themes, weak passwords) that usually causes the problems.
Fortunately there are a number of approaches that can be taken to secure a WordPress site from hackers and provide a level of reassurance to WordPress website owners.
The 8 point WordPress security checklist:
1. Keep WordPress, Themes and Plugins up-to-date
Make sure your website is not running an old version of WordPress. Your dashboard will tell you when a new version is out. New releases often fix an identified security hole, and once the fix is public the hole is public too, so websites still running the older version become an easy target.
Likewise, look out for alerts to update your plugins: a plugin left on an old version keeps every vulnerability that has been fixed since. Delete any plugins you no longer need. Deactivating is not enough, because a deactivated plugin’s files are still on the server and can still be reached and exploited directly; deleting is also the easiest way to make sure it never goes out of date.
Is your activated theme up to date? Check for alerts on the dashboard. WordPress comes loaded with earlier default themes; keep one current default theme as a fallback in case your active theme breaks, and delete the rest from your site.
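The checks in this first item can be scripted rather than waited for on the dashboard. The script below is an added example, not code from the original post; it assumes WP-CLI (the `wp` command) is installed and run from the WordPress root, and the plugin list at the bottom is constructed sample data so that the script runs offline.

```sh
#!/bin/sh
# Audit update status of plugins and themes from WP-CLI's CSV output.
# Added example (not from the original post). Assumes WP-CLI is installed;
# the live commands are in the comments, the sample data below is constructed.
#
# Live usage, from the WordPress root:
#   wp core check-update
#   wp plugin list --format=csv --fields=name,status,update,version,update_version | report_stale plugin
#   wp theme  list --format=csv --fields=name,status,update,version,update_version | report_stale theme

# report_stale KIND: read the CSV on stdin and print one action per item that
# is either out of date or inactive. Inactive items are flagged for deletion,
# not just deactivation, because their files stay on disk and can still be
# reached directly by an attacker. A theme with status "parent" is the parent
# of the active child theme and must be kept, so it is not flagged.
report_stale() {
  kind=$1
  awk -F, -v kind="$kind" 'NR > 1 && NF >= 4 {
    name = $1; status = $2; update = $3; ver = $4; newver = $5
    if (status == "inactive")
      printf "%s %s: inactive, delete it (wp %s delete %s)\n", kind, name, kind, name
    if (update == "available")
      printf "%s %s: update %s -> %s (wp %s update %s)\n", kind, name, ver, newver, kind, name
  }'
}

# stale_count KIND: same input, returns only the number of items needing action.
stale_count() {
  report_stale "$1" | wc -l | tr -d ' '
}

# Constructed sample of `wp plugin list` CSV output so the script runs offline.
SAMPLE_PLUGINS='name,status,update,version,update_version
akismet,active,available,5.3,5.3.1
hello,inactive,none,1.7.2,
contact-form-7,active,none,5.9,'

printf '%s\n' "$SAMPLE_PLUGINS" | report_stale plugin
```

Run against the sample it reports the out-of-date akismet and the inactive hello plugin and says nothing about contact-form-7; piped from the real `wp plugin list` and `wp theme list` it gives you the same two-line to-do list for the live site, which you can then act on with `wp plugin update --all` and the `wp plugin delete` commands it prints.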
2. Plugin awareness
Plugins are the easiest way to extend the functionality of WordPress, but unfortunately they are also one of the main causes of security holes, because any plugin can contain a vulnerability in its code, usually through ordinary programming mistakes. Use established, recommended plugins: look at how many versions have been released and how recently, and whether there are many (good) reviews. Choosing plugins from the wordpress.org directory is a good start, but note that the directory review is a one-off check when a plugin is first submitted; later updates are not audited, so a listing there is not a guarantee of safety.
You should also be aware that the most popular plugins are the ones hackers target most, because one exploit then works against millions of sites. In fact 5 of the top 10 most vulnerable plugins are commercial ones.
You might not be aware of this, but many off-the-shelf commercial WordPress themes bundle numerous commercial plugins to provide the functionality they require. Plugins that arrive this way are licensed through the theme rather than through you, so they often do not show update alerts in your dashboard and can sit on an old version unnoticed.
3. Use ‘strong’ passwords
Are you using strong passwords (12 characters minimum, a mix of letters, numbers and symbols), or do you prefer a password you can remember? Passwords are notoriously un-user-friendly: the minute we have settled on one that seems hard to crack but memorable, it is time to change it to a new one, which we then forget. Length matters more than any particular mix of symbols, and the WordPress password must not be one you use anywhere else, because passwords leaked from other services are routinely tried against WordPress login pages. I started using a password manager a few years ago and, assuming I don’t forget the master login, all my computer-generated complicated passwords are stored and auto-filled when required. Recommended password managers are LastPass or Dashlane.
4. Don’t use admin as your username
A few years ago ‘admin’ was the username everyone had for their WordPress login, which made life simpler for the login page hackers: they only had to guess the password. Many hosting companies now generate the username on install, so admin is never used. However, what should you do if your site already uses admin as the username? Can you change it? WordPress does not let you change a username from the dashboard, but if you have some experience of WordPress files and database management you can edit the user_login value in the users table with phpMyAdmin, or you can create a new administrator account with a different name, log in as it, and delete the old one, reassigning its posts to the new account. There is a great tutorial on the process here. Alternatively, get in touch with a WordPress developer to do this for you. Whichever way you do it, remember that the username is also exposed through the author archive URL and the user slug (the ‘nicename’), which default to the login name, so set those to something different as well.
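The create-new-account-then-delete-the-old-one route can be done from the command line with WP-CLI. The script below is an added example, not code from the original post or the linked tutorial; it assumes WP-CLI is installed and run from the WordPress root, and the new login, email, slug and display name in it are placeholders. The two small checks at the top are the parts worth keeping even if you do the rest in phpMyAdmin: a sane new username, and a public slug that does not simply repeat it.

```sh
#!/bin/sh
# Replace the "admin" account using WP-CLI and keep the new login name off the
# public site. Added example, not code from the original post or the linked
# tutorial. Assumes WP-CLI is installed and the script runs from the WordPress
# root; the account details below are placeholders to change before use.

OLD_LOGIN=admin
NEW_LOGIN=siteowner               # assumed new username
NEW_EMAIL=owner@example.com       # assumed address
NEW_NICENAME=editorial-team       # public user slug, deliberately not the login
NEW_DISPLAY='Editorial Team'      # shown as the post author, also not the login

# valid_login NAME: accept a conservative subset of the characters WordPress
# allows in usernames, so a typo or a pasted string cannot create an odd
# account, and refuse "admin" in any letter case.
valid_login() {
  case $1 in
    ''|*[!A-Za-z0-9_.@-]*) return 1 ;;
  esac
  [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" != "admin" ]
}

# login_is_leaked LOGIN NICENAME: WordPress redirects /?author=<id> to
# /author/<nicename>/ and the REST API lists users by that slug, so a slug
# equal to the login (the default) publishes the username. Returns 0 if so.
login_is_leaked() {
  [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# The live procedure runs only with --live, so the checks above can be tried
# without touching a site. NEW_PASS must be set in the environment because
# --porcelain suppresses the password WP-CLI would otherwise generate and print.
if [ "${1:-}" = "--live" ]; then
  : "${NEW_PASS:?set NEW_PASS to a strong, unique password first}"
  valid_login "$NEW_LOGIN" || { echo "refusing login name '$NEW_LOGIN'" >&2; exit 1; }
  if login_is_leaked "$NEW_LOGIN" "$NEW_NICENAME"; then
    echo "nicename must differ from the login" >&2; exit 1
  fi
  OLD_ID=$(wp user get "$OLD_LOGIN" --field=ID)
  NEW_ID=$(wp user create "$NEW_LOGIN" "$NEW_EMAIL" --role=administrator \
             --user_pass="$NEW_PASS" --porcelain)
  wp user update "$NEW_ID" --user_nicename="$NEW_NICENAME" --display_name="$NEW_DISPLAY"
  # Delete the old account and hand its posts and pages to the new one.
  wp user delete "$OLD_ID" --reassign="$NEW_ID" --yes
  echo "replaced user $OLD_ID ($OLD_LOGIN) with $NEW_ID ($NEW_LOGIN)"
fi
```

Run it as `NEW_PASS='…' sh replace-admin.sh --live` from a shell that does not keep history, since the password is passed on the command line, and log in as the new account once before the old one is deleted if you want to be sure the password was recorded. On a multisite install the super-admin list is stored separately by login name, so the new login has to be added there as well.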
5. Limit users
Giving too many people access to your WordPress site can blow a hole in your security strategy. Keep users to a minimum and give each only the permissions needed for their tasks. Make use of the built-in WordPress roles: a writer can be given ‘Author’ privileges, for example, rather than a full admin login, and accounts for people who have left should be removed rather than left idle. See a summary of WordPress user roles & privileges here.
6. Use backups
Backups are an essential element of a WordPress security strategy: if something goes wrong with your website, whether security related or not, you can restore it to an earlier backed-up version. Hosting companies often provide this service, but if not you could try automated solutions such as BackupBuddy, WordPress Backup to Dropbox, VaultPress or BlogVault. Whatever you use, keep copies somewhere other than the web server itself (a backup stored inside the hosting account is lost, or stolen, in the same compromise as the site) and try a restore before you actually need one.
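If you would rather not depend on a plugin, a database dump plus an archive of wp-content covers a standard install. The script below is an added example, not code from the original post or from any of the products it names; it assumes WP-CLI is installed, that the destination directory is outside the web root (ideally a mount of remote storage), and the paths in the usage comment are placeholders.

```sh
#!/bin/sh
# Minimal scripted backup for a self-hosted WordPress site: database dump plus
# wp-content archive, written with private permissions and rotated. Added
# example, not from the original post or the plugins it names. Assumes WP-CLI
# is installed and DEST is outside the web root, because a backup left inside
# the site is lost, or read by an attacker, in the same compromise.

# backup_site WP_ROOT DEST KEEP: write db-<stamp>.sql and files-<stamp>.tar.gz
# into DEST, then keep only the newest KEEP of each. Runs in a subshell so the
# restrictive umask does not leak into the calling shell.
backup_site() (
  wp_root=$1; dest=$2; keep=$3
  stamp=$(date -u +%Y%m%d-%H%M%S)
  umask 077                                   # new files readable by this user only
  mkdir -p "$dest"
  wp --path="$wp_root" db export "$dest/db-$stamp.sql" --quiet
  tar -czf "$dest/files-$stamp.tar.gz" -C "$wp_root" wp-content
  prune_backups "$dest" "$keep" 'db-*.sql'
  prune_backups "$dest" "$keep" 'files-*.tar.gz'
)

# prune_backups DEST KEEP GLOB: delete all but the newest KEEP files matching
# GLOB. The timestamp is in the file name, so lexical order is chronological
# and rotation does not depend on mtimes, which a copy or restore may reset.
prune_backups() {
  dir=$1; keep=$2; glob=$3
  total=$(count_backups "$dir" "$glob")
  [ "$total" -gt "$keep" ] || return 0
  ( cd "$dir" && ls -1 $glob | sort | head -n $((total - keep)) ) | while read -r f; do
    rm -f "$dir/$f"
  done
}

# count_backups DEST GLOB: number of files matching GLOB in DEST (0 if none,
# including when DEST does not exist).
count_backups() {
  ( cd "$1" 2>/dev/null && ls -1 $2 2>/dev/null ) | wc -l | tr -d ' '
}

# Usage: wp-backup.sh WP_ROOT DEST KEEP, e.g. from cron at 03:00 daily:
#   0 3 * * * /usr/local/bin/wp-backup.sh /var/www/example.com /var/backups/wordpress 7
if [ $# -eq 3 ]; then
  backup_site "$1" "$2" "$3"
fi
```

Restoring is `wp db import db-<stamp>.sql` followed by unpacking the archive over wp-content, and doing that once on a staging copy is the only way to know the backups are usable. The dump contains password hashes and any API keys stored in options, which is why the files are created with mode 600 and should be copied off the server rather than left beside the site.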
7. Use two step authentication
You may already be familiar with two-step authentication, for example when logging in to PayPal: as well as your password, you enter a one-time code sent to, or generated on, your phone, so a stolen or guessed password is not enough on its own. Since this blog was inspired by the Clef two-factor authentication plugin (or rather the lack of it), are there any alternatives we can use instead? Have a look at Google Authenticator or Duo Two-Factor Authentication, which also offer this feature. Check that whichever plugin you choose also covers, or lets you disable, XML-RPC, because xmlrpc.php accepts a username and password without going through the login form.
8. Use WordPress security plugins
The most popular WordPress security plugin is WordFence, with over a million active installs. It offers a free version and a premium subscription. The free version comes with a malware scan, the option to set up a web application firewall, and email alerts for logins and failed login attempts on your site. For a full review of the plugin see here.
Alternatively there is the premium service from Sucuri, starting at $199 per year. Sucuri routes your site traffic through their CloudProxy firewall before it reaches your hosting server, blocking known attack traffic so that, for the most part, only legitimate visitors get through. No firewall stops everything, and a cloud proxy only protects you if your hosting server accepts web traffic solely from the proxy: if an attacker can find your server’s real IP address and connect to it directly, the firewall is bypassed entirely. If your site has already been hacked you can get in touch with Sucuri, who offer a malware cleaning service to restore your site.