WordPress is a popular platform, and the more popular it gets, the more hackers are going to target all those WordPress websites. That doesn’t mean you should move to Joomla, Drupal or another system for better security.
Any type of website platform is going to have the same issues, but you can secure your WordPress site simply by performing some basic WordPress security steps.
Because WordPress is so popular, there are plenty of brilliant developers working constantly to keep it secure. But the security of a WordPress site is only as good as its weakest point, and in 98 percent of cases where websites are hacked, the weakest point was something that could easily have been prevented.
Make sure you understand the basics of WordPress security, so you can prevent yourself from being an easy target.
You need to understand the mindset of most hackers: they like to go after easy targets.
Yes, there are hackers going after the big guns, like Apple and Google, but the majority of hackers are not visiting individual websites and trying to find ways in.
Rather, they’re running scripts, or bots, that scan the Internet looking for vulnerabilities. These programs automatically try to guess passwords and usernames, find vulnerabilities, and break into as many websites as possible.
If someone hacks your website, chances are that it’s not one person who came to your website and found a way in. Rather, it’s a hacker running software that’s been scanning thousands, even tens of thousands of websites, looking for vulnerabilities. They may have discovered one on your website, and found a way to take advantage of it.
Fortunately, many of the common security breaches in WordPress are avoidable. First of all, make sure you’re using a good webhost. Most webhosts these days keep their software up to date, so any decent webhost, such as HostGator, DreamHost or BlueHost, conducts security checks on its end, but you have to uphold your end of the security bargain, too.
Rule #1: Keeping Your Website Up-to-Date
Here are a few simple things you can do to make sure that your website is up to date:
- Start With Your WordPress Dashboard. When you log into your website, it’s easy to tell if all of your plugins, theme files and WordPress files are current.
If WordPress releases a new version, you’ll be notified when you log in, so update whenever you get a notice.
This is because updates to the core files usually include important security fixes, too.
- Check WordPress News. When you look at WordPress News, which is on the right and slightly down the page on your dashboard, you’ll often see a WordPress security release. So, in many cases, when they’re not releasing new features, they’re releasing security updates.
- Pay Attention To WordPress Updates. If you go to the Updates area on your dashboard, you can see how many theme files or plugins need updating. If you’re using plugins that you have either purchased a license for or downloaded from WordPress.org, then when an update is released, click Select All and Update Plugins. Just like WordPress core, many plugin authors release an update when they find or suspect a vulnerability.
- Settings To Automate Plugins. There are settings to make sure all your WordPress plugins automatically update. And if you have a website that you’re not maintaining often, you may want to set it, so everything auto-updates.
Some people like to see what’s updating and when, because if something goes wrong with the website, they know they just ran an update, so it’s easier to troubleshoot without things happening in the background.
So, rule number one is to make sure you always run updates, because many of these updates protect you from security vulnerabilities.
Rule #2: Know Who’s Administering Your WordPress Site
The second rule in WordPress security is strengthening your username and password. Let’s start with your username. The first place to go is the Users section, where you’ll find the Administrators. If there’s more than one administrator on your website, make sure you know who each administrator is.
If your website has ever been hacked or hit by a malware attack, in many cases you’ll find an administrator account you don’t recognize. If you see an administrator account that you did not create, delete that account to shut it down. You’ll also want to force everybody to update their passwords.
In addition, if you are giving out administrator accounts to a designer, for example, you’ll want to delete that account as soon as they finish their changes.
Make certain any administrators you add use strong passwords that are difficult to guess, which brings me to my next point.
When you first create a WordPress website, the default username for the administrator is Admin, A-D-M-I-N.
When hackers write a script or software to go out there and to try and guess usernames and passwords to log into WordPress websites, what username do you think they start with?
Admin, and it’s amazing how many people leave their default username as Admin, A-D-M-I-N. All they have to do now is guess your password.
They’re using special software, so they can guess passwords very quickly. If you have a simple password that is a combination of words, there’s a good chance that hackers are going to be able to conduct a brute force attack to guess the password.
Follow these steps when creating a new WordPress site:
- Go into the User Account and click on Add New user.
- Create a new Admin user under whatever name you want – anything but Admin.
- Once you’ve created that new account, log out of the Admin account.
- Log back in with the new administrator account you created.
- Delete the original Admin account; now that vulnerability is gone.
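The audit behind Rule #2, as an added Python example that is not part of the original post: it takes a list of users (a constructed sample in the shape of `wp user list --format=json` output, which is an assumption) plus the administrator logins you know you created, and flags the default Admin account and any administrator you don’t recognize.

```python
import json

# Constructed sample in the shape of WP-CLI's `wp user list --format=json`
# output (assumption); a real audit would read this from the site.
SAMPLE_USERS_JSON = """
[
 {"ID": 1, "user_login": "admin", "user_email": "owner@example.com",
  "user_registered": "2019-03-02 10:00:00", "roles": "administrator"},
 {"ID": 2, "user_login": "jane_owner", "user_email": "jane@example.com",
  "user_registered": "2019-03-02 10:05:00", "roles": "administrator"},
 {"ID": 7, "user_login": "designer_tmp", "user_email": "dev@agency.example",
  "user_registered": "2021-06-14 09:00:00", "roles": "administrator"},
 {"ID": 9, "user_login": "editor1", "user_email": "ed@example.com",
  "user_registered": "2020-01-20 08:00:00", "roles": "editor"},
 {"ID": 12, "user_login": "wp_support", "user_email": "x@mail.invalid",
  "user_registered": "2023-11-01 03:12:44", "roles": "administrator"}
]
"""

# Administrator logins the site owner actually created (hypothetical set).
KNOWN_ADMINS = {"jane_owner", "designer_tmp"}


def audit_admins(users_json, known_admins):
    """Return [(user_login, reason), ...] for administrator accounts that need attention."""
    findings = []
    for u in json.loads(users_json):
        roles = u["roles"]
        if isinstance(roles, str):  # WP-CLI emits roles as a comma-separated string
            roles = roles.split(",")
        if "administrator" not in roles:
            continue  # only administrator accounts are in scope for this rule
        login = u["user_login"]
        if login.lower() == "admin":
            findings.append((login, "default 'admin' username still exists"))
        elif login not in known_admins:
            findings.append((login, "administrator not in the known-admin list"))
    return findings


if __name__ == "__main__":
    for login, reason in audit_admins(SAMPLE_USERS_JSON, KNOWN_ADMINS):
        print(f"{login}: {reason}")
```

Anything the audit reports should be deleted from the Users screen (or its role reduced), and the known-admin list should shrink again as soon as a temporary account such as a designer’s is no longer needed.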
Rule #3: Create a Rock Solid Password
The next thing you want to do is make sure you’re using hard passwords, meaning passwords that are nearly impossible for hackers to guess.
When you input your password, you’ll see a strength indicator. Avoid passwords that are weak, or even medium. Use one that is rated strong by adding special characters and numbers to the combination you use.
Don’t be fooled into thinking nobody can guess it. Hackers run special software that tries literally thousands of combinations of words, so it is quite possible to guess your password if you’re just using standard words and phrases.
The key is to make your passwords random using a password generator, such as:
- Passwordgenerators.net: In just 15 characters, they will create the perfect password, using a combination of letters and unusual characters. Save that main password, though, so you can enter it into the generator for next time.
- Lastpass.com: If you have a problem remembering passwords, use a powerful and secure password manager like lastpass.com, which stores your passwords so you don’t have to recall them yourself.
- Combine words and separate them with symbols: Using strong passwords is critical to the security of your website. If you want to commit your passwords to memory and you can’t remember something obscure and long, string three words together, mix upper case and lower case, and separate them with odd characters, like dollar and percent signs.
The bottom line is to make sure your password is unbelievably hard to guess. Make sure that password strength indicator shows it’s strong, too. Those are your first lines of defense.
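Both password strategies above, as an added Python example that is not from the original post: a random 15-character password and a three-word password with mixed case and a symbol separator, each with an entropy estimate in bits. The eight-word list is a placeholder assumption; the estimate for a 7776-word list shows why the word strategy only works with a large dictionary.

```python
import math
import secrets
import string

# Placeholder word list (assumption); a real generator needs a large dictionary.
WORDLIST = ["river", "copper", "lantern", "orbit", "velvet", "cactus", "meadow", "pixel"]
SEPARATORS = "$%&#@!*+"
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def random_password(length=15):
    """Strategy 1: random letters, digits and symbols from a CSPRNG."""
    return "".join(secrets.choice(FULL_ALPHABET) for _ in range(length))


def word_password(words=3, wordlist=WORDLIST):
    """Strategy 2: a few words, each randomly upper- or lower-cased, joined by one odd symbol."""
    parts = []
    for _ in range(words):
        w = secrets.choice(wordlist)
        parts.append(w.upper() if secrets.randbelow(2) else w.lower())
    return secrets.choice(SEPARATORS).join(parts)


def random_password_bits(length=15):
    """Entropy of strategy 1: each position is one of 94 equally likely symbols."""
    return length * math.log2(len(FULL_ALPHABET))


def word_password_bits(words=3, wordlist_size=len(WORDLIST)):
    """Entropy of strategy 2: word choice plus one case bit per word, plus the separator."""
    return words * (math.log2(wordlist_size) + 1) + math.log2(len(SEPARATORS))


if __name__ == "__main__":
    print(random_password(), f"{random_password_bits():.1f} bits")
    print(word_password(), f"{word_password_bits():.1f} bits (tiny list)")
    print(f"{word_password_bits(3, 7776):.1f} bits with a 7776-word list")
```

The strength meter in WordPress is only a heuristic; the bit count is what a brute-force attacker actually has to overcome.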
Rule #4: Use Security Plugins To Secure Your WordPress Site
The last line of defense is using the security plugins on WordPress. To find a security plugin:
- Go to Plugins
- Click on Add New
- Search Plugins
- Select OK
- Download and Install
- Click on Activate
If you’re not sure which one to use, I recommend Wordfence.
Unleashing the Hounds: Wordfence
Here are some of the helpful things you can do with Wordfence:
- Conduct a scan. Once activated, you’ll see Wordfence on the left side of your screen. The first thing you will want to do is conduct a scan of your entire WordPress site. After you run it, you’ll see the results of your scan in a summary.
- Check out Live Traffic. The next thing to do is to scroll down to see Live Traffic on your website, so you know what’s going on in real time. Although it’s interesting, the Scan feature is the one you should use the most.
- Monitor your site performance. Look at the performance setup, because there are some good performance options here to help you cache content and speed up your website.
- Wordfence blocked IPs. Scroll down a bit to the area where you can block IPs.
If you find an IP address that is hammering your website or conducting a brute force attack, you can block it here.
That would normally be something you could do at the ISP level or at the server level, but you can also do it from here.
- Block selected countries from accessing your site. You can block certain countries by scrolling down to that area of Wordfence.
If you find that you’re getting a lot of hacking attempts from a specific country, and you do no business in that country, just block it by following their simple instructions.
- Schedule when Wordfence scans occur. You should set up a regular scan schedule. Depending on your website, at least once a week is probably a good idea.
- WHOIS lookup. Be sure to scroll around to discover all the Wordfence tools you can use, such as the WHOIS Lookup. Although advanced, it is a helpful tool for security.
- Advanced blocking. You can block full IP ranges if you notice a range of IPs from a specific server attacking you. Once again, this is a more advanced setting.
- Wordfence options. Under Options, you can buy an advanced key. The advanced key is going to allow you to upgrade to Wordfence Premium.
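To spot the kind of IP that is hammering your login page, as described in the blocked IPs item above, here is an added Python example (not from the original post or from Wordfence) that counts failed login POSTs per IP in a sliding one-minute window over constructed web-server log lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log style lines, constructed for this example (not a real site's log).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
198.51.100.4 - - [10/Oct/2023:13:55:03 +0000] "GET /about/ HTTP/1.1" 200 8021
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
203.0.113.7 - - [10/Oct/2023:13:55:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Split one access-log line into (ip, datetime, method, path, status), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)


def find_bruteforcers(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: attempts} for IPs with >= threshold failed logins inside one window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        # WordPress answers a failed POST to wp-login.php with 200 (the form again);
        # a successful login is a 302 redirect, so only 200s are counted as failures.
        if method == "POST" and path == "/wp-login.php" and status == 200:
            failures[ip].append(when)
    flagged = {}
    for ip, times in failures.items():
        times.sort()  # log lines are not guaranteed to be in time order
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), hits)
    return flagged
```

An IP this reports is a candidate for the Wordfence block list, or for a block at the server or host level as the text notes.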
Reasons to Use Wordfence Premium
Wordfence Premium gives you some additional features, which you can view on their website. One of the best tools is Site Repair. It helps you repair your website if you have malware and restores your files.
If you’re scanning and protecting your website and you know that you don’t have any malware, stick with the free version. But if you find that your website is infected, you may want to invest in the Premium version, so they can help you get the malware off your website. Premium features aren’t available unless you have a license.
Spend some time studying the features of Wordfence to see what will benefit you the most.
Wordfence is a great plugin for locking down your website, but most importantly, for scanning your website to make sure there’s no malicious software there.
The free version works great for scanning your site and making sure everything’s clean and secure. If you do have an issue, invest in a Premium license, because then they can help you remove the bad stuff without breaking your website.
However, if you are scanning with the Premium version of Wordfence and your settings are sensitive, you need to be cautious, because sometimes it will identify files that are actually good files as suspicious.
If you delete those, you could break your website. So, when you are using the Premium version to clean up your website, be cautious: if you set the sensitivity too high, it will flag some files as suspicious that are not.
A perfect example is that many OptimizePress files will trigger security suspicions in Wordfence, just by the nature of how the files were written, even though there’s nothing wrong with them. That’s something to be cautious of when you are using the advanced Premium filters in Wordfence.
Final Words of WordPress Wisdom
Remember these keys to WordPress security:
- Make sure your plugins and your theme files are always up-to-date.
- Be proactive and create your own uniquely named administrator account before deleting the default Admin account.
- Always monitor your admin users and be sure you don’t have any admin users in your account that you don’t know.
- Make sure you choose a strong password for your administrator users. Do not use weak passwords, and always delete user accounts when they’re no longer needed.
All you need is one brute force attack to create huge headaches for you. A security plugin like Wordfence will consistently scan and protect your website from malicious files and malware.
If you take those steps, you are going to make your WordPress site much too difficult for the average hacker to take a run at. They want to go for low-hanging fruit, but with the right tools, your website will be in good shape. It only takes about 10 minutes to lock down your website simply and safely.