Powering almost 30% of the world’s websites is a big responsibility, but WordPress carries its duties lightly. This flexible and popular content management system has been in a constant state of evolution since its launch 15 years ago, keeping pace with the times. Unfortunately, this responsibility has also required keeping up with malware’s evolution, once largely restricted to viruses, but now encompassing a far larger spread of malicious behaviors.
From spamming to phishing, and botnets to Trojans, the internet is awash with threats. As a result, WordPress security is a perennially hot topic. The open source nature of this software poses specific challenges since anyone is able to view – and edit – source code. Because plugins may be created and launched by anyone, there are huge variations in their dependability. Some are designed by specialists, paid for by consumers and complemented by regular developer updates. Others wither on the vine, with susceptibilities to malware or interference left untreated.
Fortunately, optimizing WordPress security involves little technical expertise and virtually no money. A combination of common sense and regular maintenance should be sufficient:
Change your username.
Admin is not a recommended administrator title – it’s just the default name. Anyone attempting to hack a WordPress site will try Admin in the first instance. Instead, create a new admin profile using a mixture of upper and lowercase characters. Then delete the old Admin user profile, and download a plugin to automatically block any login attempts using the term “Admin”.
Use strong passwords.
It would be tragic if your site were infiltrated by criminals because your password is 1234. It’s far safer to use a combination of upper and lowercase letters, numbers and symbols, such as Y0uW0n’tGu3$$Th15! Make a note of these lengthy WordPress security passwords in a secure offline location like a desk diary, and change them once or twice a year.
Employ two-factor authentication.
2FA introduces a second login screen, potentially involving additional data entry fields or a one-time password sent via SMS. On the downside, logging in becomes more convoluted and may involve password hints. More positively though, even if a database holding some of your login credentials gets compromised, it’s very unlikely every passcode and PIN would be revealed at once.
Restrict login attempts.
This expands on the previous points. Mistyping your own password is very different from a bot making a thousand attempts a minute to hack your administrator login screen. Install a plugin which gradually increases the timeouts between unsuccessful logins, rather like the lockout on Samsung smartphones. From maximum retries to lockout periods, lockdown options are fully adjustable.
Log out idle users.
In an ideal world, we’d all log out of websites immediately after use. In reality, few of us do unless the site is financial in nature. Walking away from a logged-in WordPress site could enable someone else to sit down and hijack proceedings. The Idle User Logout plugin offers automatic logouts after a user-determined time period, and it’s also customizable based on idle behavior.
Be wary of plugins sourced outside the WordPress directory.
Even though WordPress hosts around 56,000 plugins, some users still acquire plugins from elsewhere. Common sources include GitHub and the Unofficial WordPress Plugin Directory. These may be more vulnerable to attack than official WP downloads, or inherently compromised. Only download and install plugins with positive reviews and available support.
Monitor plugins and permit updates.
Though your WordPress installation will automatically perform software updates, individual plugins require manual checks and approval to install updates. Do not overlook patches as they are often security focused. Make logging into the dashboard a regular occurrence, and approve any bug fixes or compatibility improvements.
Stop directory browsing.
WordPress sites should include an empty HTML file called “index”, which stops information about active plugins or themes being visible to the public. If a directory on your web server has no index.html file, its contents will be freely displayed. Hackers could then access or steal data by targeting files with known weaknesses. Online guides teach WP beginners how to prevent directory browsing.
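The following is an added example, not code from the original post or from WestHost: a small POSIX shell routine that does the two things described above for an Apache-hosted site, dropping an empty index.html into any wp-content directory that has neither WordPress's own index.php nor an index.html, and adding Options -Indexes to the site's .htaccess. It assumes an Apache server that honours .htaccess and takes the WordPress root (the /var/www/html path is a constructed example) as its argument.

```shell
#!/bin/sh
# Added example, not code from the original post or from WestHost.
# Drops an empty index.html into every directory under wp-content that has
# no index file, and switches off Apache directory listing via .htaccess.
# Assumes an Apache host that honours .htaccess; the WordPress root path is
# the first argument (e.g. /var/www/html, a constructed example path).
harden_directory_listing() {
    wp_root="$1"
    content_dir="$wp_root/wp-content"
    [ -d "$content_dir" ] || { echo "no wp-content under $wp_root" >&2; return 1; }

    # Plugin, theme and upload directories: add an empty index.html only where
    # neither WordPress's own index.php nor an index.html already exists.
    find "$content_dir" -type d | while read -r dir; do
        if [ ! -e "$dir/index.php" ] && [ ! -e "$dir/index.html" ]; then
            : > "$dir/index.html"
        fi
    done

    # Also disable automatic listing for the whole site (added only once).
    htaccess="$wp_root/.htaccess"
    if ! grep -qs '^Options -Indexes' "$htaccess"; then
        printf '\nOptions -Indexes\n' >> "$htaccess"
    fi
}

# Counts directories under wp-content that still lack an index file
# (prints 0 once the site has been hardened).
count_unindexed() {
    find "$1/wp-content" -type d | while read -r dir; do
        [ -e "$dir/index.php" ] || [ -e "$dir/index.html" ] || echo "$dir"
    done | wc -l | tr -d ' \t'
}

# usage: harden_directory_listing /var/www/html
```

Run count_unindexed before and after to confirm nothing under wp-content is left listable; on Nginx the equivalent is autoindex off in the server block rather than .htaccess.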
Activate a firewall.
A web application firewall (or WAF) is essentially a barrier between a website and the outside world. Firewalls repel malicious traffic before it has a chance to wreak any damage. How do plugins like Sucuri know if traffic is malicious? Because such requests often originate from a blacklisted IP address. These addresses are already known for sending spam, asking for inappropriate information or making repeated data requests.
Monitor site activity.
A number of popular WordPress security plugins audit and monitor what’s going on behind the scenes, from brute force login attempts to crawler bot visits. Apps will notify users of suspicious behavior, flag up potential weak points and recommend non-technical improvements to elevate site security. Comment forms are notoriously vulnerable, so always remove them unless absolutely necessary.
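As an added example (not code from the original post or from any of the plugins it names), here is the kind of check a monitoring plugin performs for the brute-force attempts mentioned here and the thousand-attempts-a-minute bot mentioned under restricting login attempts: a POSIX shell function that reads combined-format access log lines and flags any client address that posts to the WordPress login endpoints more than a chosen number of times. The threshold, the watched paths and the sample log are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post or from any plugin.
# Flags client IPs that hammer the WordPress login endpoints, reading
# combined-format access log lines (Apache/Nginx) on stdin. The threshold
# and the watched paths are assumptions chosen for this demo.
flag_login_bursts() {
    limit="${1:-10}"
    awk -v limit="$limit" '
        # Combined format: <ip> - - [<time> <tz>] "<method> <path> <proto>" <status> ...
        $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) {
            attempts[$1]++
            # wp-login.php answers a failed login by re-rendering the form (200);
            # a successful login redirects (302).
            if ($7 ~ /^\/wp-login\.php/ && $9 == "200") failed[$1]++
        }
        END {
            for (ip in attempts)
                if (attempts[ip] >= limit)
                    printf "%s attempts=%d failed=%d\n", ip, attempts[ip], failed[ip]
        }'
}

# Constructed sample log: one address retrying wp-login.php and xmlrpc.php,
# one legitimate user who logs in once and reaches the dashboard.
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [15/May/2018:10:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.5 - - [15/May/2018:10:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.5 - - [15/May/2018:10:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.5 - - [15/May/2018:10:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.5 - - [15/May/2018:10:12:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [15/May/2018:10:12:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.7 - - [15/May/2018:10:15:30 +0000] "GET /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.7 - - [15/May/2018:10:15:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [15/May/2018:10:15:42 +0000] "GET /wp-admin/ HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
EOF
}

# usage: sample_log | flag_login_bursts 5    (or: flag_login_bursts 20 < access.log)
```

On the sample above only 203.0.113.5 is reported; the address that logged in once with a 302 stays below the threshold, which is the distinction between a mistyped password and a bot that the login-limiting advice relies on.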
We would additionally recommend installing a backup solution for any WordPress website. Even if the preventative measures outlined above prove unsuccessful at preventing infiltration by malware, being able to roll back to a recent version of a full-site backup ensures relatively uninterrupted service. Backups can be made to a cloud platform like Dropbox or OneDrive on a daily/weekly basis, using plugins like BackupBuddy or VaultPress.
Finally, your choice of site hosting platform makes a real difference to a website’s security. Here at WestHost, we offer optimized WordPress hosting for blog, ecommerce, commercial and hobby sites alike. We have our own portfolio of mobile-optimized themes and plugins, and even more importantly, we provide essential back-office functionality to keep websites safe. Our Cloudflare content delivery network is robust and secure, while SSD disk storage ensures rapid page loading times onto audience devices – bringing attendant SEO benefits. We automatically update non-core software to prevent vulnerabilities becoming an issue, and malware is eliminated before it poses a risk. We even oversee real-time data backups, in case it’s ever necessary to reinstate a recent version of a website – though we’re confident that won’t need to happen…