WordPress is one of the most popular content management systems in the world, if not THE most popular. The simplicity for users, coupled with extreme flexibility (with the right themes and plugins, you can make your WordPress site pretty much anything you want), and accessibility are all reasons for its immense popularity.
On the other hand, such popularity also makes WordPress vulnerable, exposing it to all sorts of attacks.
Here are some ways to keep your WordPress site safe and secure.
How secure is WordPress, anyway?
As WordPress is free and open-source software that anyone can download, modify, and share, one might assume these qualities make it vulnerable to those who wish to abuse it. This is not the case; WordPress actually has very good security measures in place.
WordPress has a dedicated team of developers who work on keeping the platform as secure as possible. They regularly monitor WordPress for security vulnerabilities and release patches and updates as soon as they are available. That’s the first line of defense.
The rest, however, depends on the users.
According to the WordPress.org Support article Hardening WordPress,
“Fundamentally, security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain. What security is though is risk reduction, not risk elimination. It’s about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture reducing the odds of making yourself a target.”
How can you, as a user, harden your WordPress site?
Choose your hosting wisely
When it comes to the security of WordPress (or any other website, for that matter), you should choose a hosting service you can trust. A good hosting provider should offer up-to-date, stable versions of software and thoroughly monitor for vulnerabilities and malware. It is also important to check whether they provide reliable methods for backup and recovery, and whether SFTP or SSH are supported.
Keep your WordPress installation updated
Next, it is up to you as a user to defend yourself. Many WordPress sites fall victim to attacks because they run outdated versions of WordPress and/or its plugins and have not installed the latest patches and updates. When these files aren’t kept up to date, they become increasingly vulnerable to exploits.
The best way to reduce the risk to your site (and also increase its stability) is to keep WordPress updated and to make sure all the themes and plugins you have installed (whether from the WordPress site itself or from third-party developers) are also up to date.
WordPress automatically installs most minor updates via the Auto-Update feature, but major updates require manual intervention. This can be done via the Dashboard >> Updates menu. Make a backup of your site before you begin the update so that it can be restored if anything goes wrong.
Be mindful of your passwords and permissions
WordPress used to set the default username to “admin” and many website owners never bothered to change it. Even though WordPress has since started requiring users to select a custom username after installing the software, some one-click installers still set the default admin username to “admin”.
Thus, “admin” is usually the first username hackers try when they launch a “brute-force” attack against your site. If you have the “admin” username, you should change it as soon as possible to something unique.
There are three ways to do that:
- Create a new username under “Users”, assign the “Administrator” role to it, set the “Attribute all content to” option for the new profile, and then delete the default one;
- Use the Username Changer plugin to change the username;
- Update the username from phpMyAdmin.
The same logic applies to passwords, including those for the admin account, FTP accounts, and so on. They should be hard to guess and unique to the site. Changing them regularly is also recommended.
A second way to reduce the risk is to restrict access to site directories and disable file editing for some user accounts. If someone is helping you edit older blog posts, for example, you might grant them temporary permissions by assigning the Editor role (under the Users menu) and then revoke those permissions once they are no longer needed (perhaps by returning the account to Subscriber status).
Furthermore, you should limit login attempts and set notifications for excessive logins.
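Limiting login attempts and getting notified about excessive failures, as recommended above, does not strictly require a plugin. The following is an added example written for this article (it is not code from the article, from WordPress, or from any of the plugins mentioned later): a must-use plugin that counts failed logins per client address in a transient, refuses further attempts once a threshold is reached, and e-mails the site administrator at that moment. The threshold (5 failures), the window (15 minutes), the `slt_` prefix and the file name are assumptions; the hooks and functions used (`wp_login_failed`, `authenticate`, `wp_login`, `get_transient`, `set_transient`, `delete_transient`, `wp_mail`, `WP_Error`) are WordPress core APIs.

```php
<?php
/**
 * Plugin Name: Simple Login Throttle
 * Description: Added example for this article, not one of the plugins it lists.
 * Save as wp-content/mu-plugins/simple-login-throttle.php (assumed path; files in
 * mu-plugins are loaded automatically and cannot be deactivated from the dashboard).
 */

// Assumed policy: 5 failures from one address within 15 minutes triggers a lockout
// that lasts until the window expires. MINUTE_IN_SECONDS is defined by WordPress.
define( 'SLT_MAX_FAILURES', 5 );
define( 'SLT_WINDOW_SECONDS', 15 * MINUTE_IN_SECONDS );

/**
 * Transient key derived from the client address. REMOTE_ADDR is used directly;
 * behind a reverse proxy or CDN you would have to read the trusted forwarded
 * header instead, otherwise every visitor would share the proxy's address.
 */
function slt_client_key() {
    $addr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'slt_fail_' . md5( $addr );
}

/** Count a failed attempt and e-mail the admin the moment the threshold is hit. */
function slt_record_failure( $username ) {
    $key   = slt_client_key();
    $count = (int) get_transient( $key ) + 1;   // get_transient() returns false when unset
    set_transient( $key, $count, SLT_WINDOW_SECONDS );

    if ( SLT_MAX_FAILURES === $count ) {
        $addr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        wp_mail(
            get_option( 'admin_email' ),
            sprintf( '[%s] Login lockout triggered', get_bloginfo( 'name' ) ),
            sprintf(
                "%d failed logins for user \"%s\" from %s within %d minutes. Further attempts from this address are blocked until the window expires.",
                $count,
                $username,
                $addr,
                SLT_WINDOW_SECONDS / MINUTE_IN_SECONDS
            )
        );
    }
}
add_action( 'wp_login_failed', 'slt_record_failure' );

/**
 * Runs after WordPress's own password check (which hooks 'authenticate' at
 * priority 20) and replaces the result with an error while the address is locked
 * out. The generic message does not reveal whether the username exists.
 */
function slt_block_locked_out( $user ) {
    if ( (int) get_transient( slt_client_key() ) >= SLT_MAX_FAILURES ) {
        return new WP_Error( 'slt_locked_out', 'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'slt_block_locked_out', 30 );

/** A successful login clears the counter for that address. */
function slt_clear_counter( $user_login ) {
    delete_transient( slt_client_key() );
}
add_action( 'wp_login', 'slt_clear_counter' );
```

Because a blocked attempt still fires `wp_login_failed`, every further try during the lockout renews the window, so an attacker who keeps hammering the login form stays locked out. The "disable file editing" advice above is a separate, one-line setting in wp-config.php, `define( 'DISALLOW_FILE_EDIT', true );`, which removes the theme and plugin code editors from the dashboard so that a compromised administrator account cannot be used to drop PHP onto the server through the browser.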
Install security plugins
As we mentioned before, there are plenty of WordPress plugins out there for every purpose, including security plugins that will further protect your website. As an example, if you search for “Security” under the Plugins tab on the official WordPress site, you will find over 4000 plugins related to security, from all-in-one solutions to specific functionality.
Here are some useful plugins that will help you keep your site safe:
- WPS Hide Login – this lightweight plugin allows you to create a custom URL for accessing WordPress instead of the default login URL. This will make it much more difficult for hackers to log in to your admin panel.
- Wordfence – a premium (versus free) plugin, Wordfence will protect your site from brute force attacks and limit the number of failed attempts to log in to your admin panel.
- WP DB Backup – this is a simple plugin that lets you back up your core database tables.
- Anti-spam – this spam-block plugin allows you to block and remove annoying (and potentially malicious) spam messages.
- Antivirus plugin – popular among WordPress users to keep their websites secure from bots, viruses, and malware.
When you install a WordPress security plugin, you are granting it access to your WordPress files, directories, and database, and you cannot restrict this access. Before you install the plugin, you should check what access it will need. You can find this information in the plugin documentation.
You can also check the plugin’s reviews and active installations if you are unsure of its reputation. Keep looking if the ratings are low or there are not many users. Check to see if it works with the current version of WordPress and has been updated recently – avoid older plugins that may have security holes or conflict with the current WordPress version.
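The checks in the two paragraphs above (rating, number of reviews, active installations, last update, and compatibility with the current WordPress version) can be run against the public WordPress.org plugin information API before you install anything. The script below is an added example written for this article, not code from the article or from WordPress.org. The thresholds are assumptions to adjust to your own risk appetite; the response fields it reads (`rating`, `num_ratings`, `active_installs`, `last_updated`, `tested`, `version`, `error`) are the ones the `plugin_information` endpoint returns, and the fallback WordPress version `6.5` is a placeholder for whatever your site currently runs.

```php
<?php
/**
 * vet-plugin.php: added example for this article (not from the article or WordPress.org).
 * Usage: WP_VERSION=6.5 php vet-plugin.php <plugin-slug> [<plugin-slug> ...]
 *
 * Requires PHP 7+ with the openssl extension (the API is served over HTTPS).
 */

define( 'VET_MIN_RATING',      80 );   // the API reports ratings on a 0-100 scale
define( 'VET_MIN_NUM_RATINGS', 20 );
define( 'VET_MIN_INSTALLS',    1000 );
define( 'VET_MAX_AGE_DAYS',    365 );

/** Fetch the plugin record for a slug, or null if the slug is unknown or the request fails. */
function vet_fetch( $slug ) {
    $url  = 'https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]='
          . rawurlencode( $slug );
    $body = @file_get_contents( $url );
    if ( $body === false ) {
        return null;
    }
    $info = json_decode( $body, true );
    // An unknown slug comes back as a JSON object with an "error" member, not as an HTTP error.
    return ( is_array( $info ) && empty( $info['error'] ) ) ? $info : null;
}

/** Apply the red-flag checks; returns a list of warnings (empty means none). */
function vet_plugin( array $info, $current_wp ) {
    $warnings    = array();
    $num_ratings = (int) ( $info['num_ratings'] ?? 0 );
    $rating      = (int) ( $info['rating'] ?? 0 );
    $installs    = (int) ( $info['active_installs'] ?? 0 );

    if ( $num_ratings < VET_MIN_NUM_RATINGS ) {
        $warnings[] = "too few ratings ($num_ratings)";
    } elseif ( $rating < VET_MIN_RATING ) {
        $warnings[] = "low rating ($rating/100)";
    }
    if ( $installs < VET_MIN_INSTALLS ) {
        $warnings[] = "few active installations ($installs)";
    }

    // last_updated looks like "2024-03-12 9:41am GMT"; strtotime() parses that form.
    $updated = isset( $info['last_updated'] ) ? strtotime( $info['last_updated'] ) : false;
    if ( $updated === false ) {
        $warnings[] = 'last update date unknown';
    } elseif ( ( time() - $updated ) > VET_MAX_AGE_DAYS * 86400 ) {
        $warnings[] = 'not updated for more than ' . VET_MAX_AGE_DAYS . ' days';
    }

    // "tested" is the highest WordPress version the author declares the plugin works with.
    $tested = (string) ( $info['tested'] ?? '' );
    if ( $tested === '' || version_compare( $tested, $current_wp, '<' ) ) {
        $warnings[] = "not marked as tested with WordPress $current_wp (tested: "
                    . ( $tested === '' ? 'unknown' : $tested ) . ')';
    }
    return $warnings;
}

// Assumption: the current WordPress version is passed in via WP_VERSION; 6.5 is a placeholder.
$current_wp = getenv( 'WP_VERSION' ) ?: '6.5';
$slugs      = array_slice( $argv, 1 );
if ( ! $slugs ) {
    fwrite( STDERR, "usage: php vet-plugin.php <plugin-slug> ...\n" );
    exit( 1 );
}
foreach ( $slugs as $slug ) {
    $info = vet_fetch( $slug );
    if ( $info === null ) {
        echo "$slug: not found on WordPress.org\n";
        continue;
    }
    $warnings = vet_plugin( $info, $current_wp );
    echo "$slug ({$info['version']}): " . ( $warnings ? implode( '; ', $warnings ) : 'no red flags' ) . "\n";
}
```

A plugin that passes these checks is not thereby safe; the script only automates the reputation and maintenance signals the article tells you to look at, so that a stale or barely-used plugin is caught before it reaches the site rather than after.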
You should update all security plugins you install regularly, as often as you update WordPress.
Back up your site
Even if you are confident that your WordPress site is protected from external attacks, it’s still a good idea to back it up regularly, especially when you add or change content. When you have a backup, you can restore your site quickly in case of mistakes made while editing, accidental data loss, or if you move to another host – and, of course, if your site gets hacked or compromised.
You should make sure you back up your site files and database when backing up your WordPress site, as both are essential for the site to function.
It is also a good idea to keep backups on cloud storage like Dropbox, Google Drive, or similar services, so they can be accessed even if your server is down or your account is compromised.
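Backing up both halves of a site, the database and the files, as the two paragraphs above require, is a small scripted job. The following is an added example written for this article (not code from the article, from WordPress, or from the WP DB Backup plugin listed earlier): a command-line PHP script run from the WordPress root that reads the database credentials out of wp-config.php, dumps the database with `mysqldump`, and archives the whole installation with `tar`. It assumes `mysqldump` and `tar` are on the PATH, that wp-config.php defines `DB_NAME`, `DB_USER`, `DB_PASSWORD` and `DB_HOST` as plain single-quoted strings with `DB_HOST` being a host name without a port, and that the backup directory lies outside the web root.

```php
<?php
/**
 * backup-site.php: added example for this article (not code from the article or
 * from WordPress). Run from the command line in the WordPress root directory:
 *     php backup-site.php /path/outside/webroot/backups
 *
 * The file archive contains wp-config.php, and therefore the database credentials,
 * so the backup directory must never be reachable through the web server.
 */

$target = isset( $argv[1] ) ? rtrim( $argv[1], '/' ) : '';
if ( $target === '' ) {
    fwrite( STDERR, "usage: php backup-site.php <backup-dir>\n" );
    exit( 1 );
}
// 0700: only the account running the backup job can read the archives.
if ( ! is_dir( $target ) && ! mkdir( $target, 0700, true ) ) {
    fwrite( STDERR, "cannot create $target\n" );
    exit( 1 );
}

// Read the credentials out of wp-config.php as text instead of including it,
// so no part of WordPress is executed by the backup job.
$config = @file_get_contents( 'wp-config.php' );
if ( $config === false ) {
    fwrite( STDERR, "wp-config.php not found; run this from the WordPress root\n" );
    exit( 1 );
}
$db = array();
foreach ( array( 'DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST' ) as $name ) {
    // Assumption: the value is a single-quoted string without embedded quotes.
    if ( ! preg_match( '/define\s*\(\s*[\'"]' . $name . '[\'"]\s*,\s*\'([^\']*)\'\s*\)/', $config, $m ) ) {
        fwrite( STDERR, "$name not found in wp-config.php\n" );
        exit( 1 );
    }
    $db[ $name ] = $m[1];
}

$stamp   = gmdate( 'Ymd-His' );
$db_file = "$target/db-$stamp.sql";
$fs_file = "$target/files-$stamp.tar.gz";

// Database dump. The password is handed to mysqldump through the MYSQL_PWD
// environment variable rather than on the command line, so it does not show up
// in the process list while the dump runs.
$cmd = sprintf(
    'mysqldump --single-transaction --host=%s --user=%s --result-file=%s %s',
    escapeshellarg( $db['DB_HOST'] ),
    escapeshellarg( $db['DB_USER'] ),
    escapeshellarg( $db_file ),
    escapeshellarg( $db['DB_NAME'] )
);
putenv( 'MYSQL_PWD=' . $db['DB_PASSWORD'] );
passthru( $cmd, $status );
putenv( 'MYSQL_PWD' );   // drop the variable again as soon as the dump is done
if ( $status !== 0 ) {
    fwrite( STDERR, "database dump failed (exit $status)\n" );
    exit( 1 );
}

// File archive: the whole WordPress root, which covers wp-config.php, themes,
// plugins and wp-content/uploads. Both halves are needed to restore the site.
passthru( sprintf( 'tar -czf %s -C %s .', escapeshellarg( $fs_file ), escapeshellarg( getcwd() ) ), $status );
if ( $status !== 0 ) {
    fwrite( STDERR, "file archive failed (exit $status)\n" );
    exit( 1 );
}
chmod( $db_file, 0600 );
chmod( $fs_file, 0600 );
echo "backup written: $db_file and $fs_file\n";
```

Run it from cron before each update and after content changes, then copy the two files to the off-site storage mentioned above; a backup that lives only on the server it protects is lost together with that server.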
Due to its popularity, WordPress is also a target for many attackers – but luckily, there are several steps users can take to protect their WordPress websites.
Regularly updating and backing up the site, as well as using trusted security plugins, will greatly reduce the chance of it being compromised. If you need more tips on keeping your WordPress site secure, we have a couple of resources that can help. Please review our recent blog on reducing plugins to keep your website secure, and our Knowledgebase article that details how to harden your WordPress database, as well as other tips.