The amount of malicious activity on the Internet is growing despite the best efforts of security experts to foil it. When it comes to WordPress sites, attacks are launched across a wide variety of vectors. Whether outdated plugin code is to blame, or password reuse, or any number of other security flaws, no site owner can afford to put their online assets at risk. So here are some tips that will greatly improve the security posture of your WordPress website…
Change the Default Login Username
Websites that use the default ‘admin’ username for their primary administrative user account are easy prey for bots that brute force a password. Having a username other than the default ‘admin’ can help protect against the privilege escalation vulnerability, thus making the exploit less attractive to attackers.
Use Strong Passwords
Strong passwords are the first line of defense against brute-force attacks and compromised user accounts, so it is one of the most important things you can do to make sure your website is secure. Simple passwords take just seconds to brute force, thus taking attackers only seconds to get into your account. It is advisable to start a password with a special character and use them in the middle and end to better protect against this type of attack.
Do Not Reuse Passwords
A common, yet simple mistake WordPress users often make is reusing passwords across accounts: the hosting account, WordPress website, and FTP account. Of course, if one account gets compromised, all the accounts get compromised. Use a password manager such as LastPass to store long complex passwords that will help make sure that all of your digital assets are protected.
Exercise Good Access Management
User registrations and the default roles assigned to those users can lead to compromise when done haphazardly. Considering the following best practices:
- Grant users minimal access. Follow the principle of least privilege by granting users the minimum amount of privileges they need. For most standard sites this will be “Subscriber” and for most eCommerce sites this will be “Customer.”
- Disable user registration unless it is required. If your site has no areas that require user registration, then disable this feature. This will eliminate potential problems.
- Select a strong password. When setting up access credentials for a new user, you can allow WordPress to suggest a strong password that will usually better protect against brute force attacks than any password you can make up.
- Require 2-factor authentication for administrators and publishers. There are numerous plugins that will implement 2FA. It requires users to provide two means of identification before accessing their account. Typically, the two levels of security are the password and a unique special code generated by an authentication app installed on the user’s smartphone. The code must be entered into the login interface to gain account access.
Use SSL/TLS Certificates
SSL/TLS certificates are essential for protecting the privacy of data in transit from your site visitors’ browsers to your web server. If your website features an online store, the presence of a certificate gives would-be purchasers confidence that their credit card information will be handled safely. These certificates also have an impact on your site’s search rankings as Google favors sites using SSL.
Use a Web Application Firewall
A WAF acts as a gateway, checking requests from users to determine what is allowed and what is not allowed. Whenever a request is deemed “allowed,” like a legitimate user is logging on a site, the firewall will allow the request to go through. When a request is deemed “not allowed” due to a firewall rule, then the WAF will block that request. A WAF can provide blanket protection against vulnerabilities like Cross-Site Scripting, Arbitrary File Uploads, SQL injection, Directory Traversal, and more.
Avoid Poor Hosting Choices
Poor hosting choices can have detrimental security consequences on your WordPress site. You want to make sure your hosting provider offers all the functionality you need to ensure that your WordPress site is secure. When choosing a host provider, look for the following:
- Make sure your site will be properly isolated if running in a shared hosting environment.
- Does the hosting service provide access logging to help you determine when and if an intrusion has occurred?
- Do they offer a free SSL/TLS certificate?
- Do you have a dedicated IP address to avoid getting blacklisted?
- Do they support SSH/SFTP/FTPS as a means of transferring data over an encrypted channel so that data can’t be easily intercepted?
Avoid Using Nulled Themes or Plugins
Nulled themes and plugins are premium themes and plugins that are offered for free on sites that may look legitimate but usually contain malicious code. Once installed, they will infect your site and any other sites hosted in the same account. Always source your plugins and themes from the original developers, a reputable marketplace, or the wordpress.org directory.
This is very often ignored… PHP is the coding language WordPress is built on, and its version is set at the server-level by your hosting company. The minimum version of PHP required by WordPress is 5.6, but this is fraught with security risks, so much so that many eCommerce plugins require at least PHP 7.0 – preferably 7.2 – to perform properly. Updating to at least PHP 7.4 is highly recommended. It delivers a huge performance increase – up to 3 or 4 times faster than older versions – plus it provides the latest security features. Failure to keep PHP updated can also result in WordPress plugins not updating. PHP is continually being updated, so it’s a good idea to stay current.
Backup Your Website
No matter how secure you think your website is it will never be 100% safe. In the event the worst happens, you’ll need a backup to restore files and functionality. There a plenty of WordPress plugins that will automate backups. You can set the backup schedule to hourly, daily, weekly, or monthly. You can decide how many backups to keep and where to keep them. In addition, your hosting provider can perform automated backups. When the time comes, you can fully restore your site, including its database, with one click.
The majority of hacked sites are due to vulnerable plugins, themes, or even outdated core WordPress installations. All of these intrusions could have been prevented by practicing good habits in maintaining your WordPress installation. To stay out of trouble, update your plugins, themes, and core as soon as a security patch is released. And it’s always a good idea to visit your WordPress site to check on its current security posture.
Nathan Muller is the author of 29 technical books and over 3,000 articles that have appeared in 75 publications worldwide. He also writes articles, blogs and social media content for tech companies and their executives.