WordPress is responsible for running more than 27% of the world’s websites (as of February 2017), and is the platform for many well-known, high-profile sites. So that makes it a number-one target for hackers everywhere. If you have a WordPress site, the chances are high that at some point you have had someone poking around looking for vulnerabilities, the same way a burglar checks your back door to see if you’ve left it unlocked.
There are measures you can take to make it much more difficult for a hacker to gain access to your WordPress site. Obviously if a government or highly skilled hacker wanted in, there is probably nothing you could do to stop it.
10 Tips To Secure WordPress
The following 10 suggestions will nevertheless deter, what I call, the “drive-by opportunist” – someone who spontaneously decides to have a go and try their luck. The “teenager in their bedroom” scenario.
You don’t need to be a big programmer either. Just someone that knows their way around WordPress, and also how to use a FTP client. There are more technical options out there but I have tried to limit it to the easiest-to-implement ones. There’s no need to re-invent the wheel.
Remove The Admin Login
When you install WordPress for the first time, it presents you with a big security weakness right out of the gate – the admin login.
The default username is always “admin” followed by a temporary password set by WordPress (which you then have to change to something stronger). But many people then become lazy and keep on using that admin username.
Hackers seize on this laziness and they see if you are using the admin username. If so, they have already worked out half of the username/password combo.
So you need to get rid of the admin username, which is very simple. First, create a new user ID which would be hard to guess by someone who doesn’t know you.
Then go into the settings and make that user ID an administrator.
Finally, delete the “admin” username. Alternatively, if you don’t want to delete it, you can downgrade the admin username to a “subscriber“, so if someone DOES break in through the admin username, they will only have subscriber privileges (which is basically nothing).
Another alternative is to install the Jetpack plugin and sign into WordPress with your WordPress.com account. But however you decide to do it, neutralize that admin username right now.
Switch On Brute-Force Protection
When a hacker is trying to figure out the password, they rely on what’s called “brute-force” methods. In other words, they go through all the various passwords until they get the right one. Many online users are lazy, so they may have passwords such as admin, 123456, password, 654321, their name, their pet’s name, their spouse’s name, their birthday, whatever.
First I am assuming you are sensible enough not to use any of these extremely weak and stupid passwords. If so, you can slow down a hacker by switching on brute force protection.
The one I have used for years, and which works like a charm is Login Lockdown, which shuts down your login page for a specified period, after a specified number of login attempts.
Add Google Authenticator
As well as the password and Login Lockdown, I like to have another layer of protection on my login page. For that I turn to Google Authenticator.
Google Authenticator is perhaps THE best smartphone app for generating two-factor authentication codes for logging into websites. You can now use it on WordPress, but obviously remember that everyone who needs to log into your site (such as staff), will need to have the app installed too.
If for some reason you don’t want to start going down the two-factor authentication route (and I strongly recommend you DO use it), you could instead use ReCaptcha. But ReCaptcha is not the strongest protection in the world, and it HAS been breached in the past. It’s still better than nothing though.
Automate Daily Backups
If a hacker DOES manage to get through your defenses, they are likely to do a lot of damage to your site. Files will be deleted or damaged, and your site defaced. So if you care at all about your site, you will invest a few dollars a month getting automated daily backups done.
Jetpack recently introduced a basic backup plan called VaultPress which automates daily backups of your site for only $3.50 per month. If you then discover that a hacker has come by and wrecked the place, you can log into VaultPress, go to the previous backup, and click Restore.
Provided you have previously granted VaultPress FTP access to your site, it will automatically restore your site in minutes.
ALWAYS Update Your WordPress Version When Available.
There’s a good reason why WordPress is being updated all the time. Developers are obviously trying to improve the product, but the main reason is that there are always vulnerabilities being found, exposed, and exploited by criminals and hackers. These holes have to be patched, and the only way to do that is to update your WordPress version with the newest one.
So if WordPress tells you there is an upgrade available, don’t look upon it as an optional thing. It HAS to be done. It only takes a couple of minutes. Go make yourself a coffee or check Facebook while it’s being done.
Remove Unnecessary Meta Tags
If we go back to the analogy of a burglar trying your back door to see if it’s unlocked, they are obviously going to be attracted to the doors with really old locks on the door. Or doors with really obsolete alarms. It makes sense because why try to bust open a new state-of-the-art lock when you can jimmy a rusty old one instead?
The same analogy can be applied to WordPress. Hackers will be looking for the sites running the really old unpatched versions of WordPress, not the ones which have been updated with the latest and the greatest.
Hackers can find out what version you are using because it says so in the WordPress meta-data (which can be accessed by right-clicking on your page and choosing View Page Source). But you can easily hide your version number (and other non-essentials) by opening your functions.php file and copy/pasting this snippet.
remove_action( 'wp_head', 'wp_generator' ) ; remove_action( 'wp_head', 'wlwmanifest_link' ) ; remove_action( 'wp_head', 'rsd_link' ) ;
Stop People Seeing The Contents Of Your WP Folders
The last thing you want is for people to be able to view the contents of your folders on WordPress. So to stop them from doing that, insert a blank index.php file in each folder, especially in the wp-content/themes folder and the wp-content/plugins folder.
To make a blank index.php file, open up Notepad (or an equivalent program), start a new text file, and without putting anything in the file, save it as index.php (remembering to remove the txt which will automatically be inserted at the end).
Now when someone tries to view the folder, they will see your blank index page instead.
Also, open your .htaccess file (which is in the root folder of your site), and add this:
Options All -Indexes
Constantly Review Your File Permissions
If you are familiar with the workings of your FTP program, you will know that each folder and file has a “permission”. The number assigned to that file or folder will specify who has the right to make edits to it and who doesn’t.
The default permissions should be 0755 for folders and 0644 for files. You can change them if necessary to accomplish certain functions, but only if you know what you are doing. Otherwise, you would be letting that hypothetical burglar in.
Whatever you do, NEVER have any file or folder set to 0777. That number lets everybody in to trash the place.
Limit Who Gets Access To Your WordPress Back-End
The more people who have access to the WordPress dashboard area of your website, the weaker your overall security is. So try and keep the number of registered users down to the barest minimum possible.
This means going through the users list and deleting anyone who doesn’t need to be registered. You should also resist the temptation to set up user accounts for IFTTT recipes and auto-posting bots.
Finally, switch off the function that lets people register for a subscriber account on your site (available at wp-admin/options-general.php). Although subscribers do not have any privileges when it comes to making any changes to the site, they are still partially through that door.
Disable WordPress Login Hints
When you enter an invalid username into the login page, WordPress normally shows this.
BUT if you enter a correct username and an incorrect password, you see this:
If someone is trying to figure out what your username is, WordPress has just confirmed it for them.
To stop this from happening, enter the following code to the functions.php file.
function no_wordpress_errors(){
return 'Something is wrong!';
}
add_filter( 'login_errors', 'no_wordpress_errors' );
It will now say “something is wrong!” instead of confirming the username. If you want it to say something different, then just change the wording where I have highlighted it above.