WordPress is amazing, and you’re going to read that time and time again because it is true. But just because the software is amazing doesn’t mean WordPress security can be neglected.
Because WordPress is open source, literally anybody can read the source code. That includes people with malicious intent, who can analyze every line looking for exploitable weaknesses (and it includes security researchers, who do the same thing and report what they find).
WordPress ships so many updates because it is constantly patching these issues. Many of its minor (point) releases are security and maintenance releases rather than feature releases, and those are the ones that close known security holes.
What happens if you don’t update your WordPress site every time a new security update is released?
Well, you become vulnerable to attacks.
Many of these attacks can be mitigated by your hosting company, and many exploits only work if a specific vulnerable plugin or theme, or a specific combination of them, is installed. This is why not every WordPress install out there is necessarily vulnerable to a given exploit.
But new vulnerabilities in WordPress core, plugins and themes are disclosed constantly: minor ones every few days, serious ones several times a month. This means there are steps you need to take in order to secure your WordPress site.
You’ve got nothing to lose by taking these steps, and everything to lose if you don’t take them.
Follow WordPress Security Guidelines
These are the things that everyone with WordPress should be doing. In fact, some of these basic guidelines should be followed even on sites that aren’t using WordPress.
Update WordPress Regularly – Update whenever a new release is out; again, these updates are plugging security holes. Leave the automatic background updates for minor releases switched on (WordPress has applied them by default since version 3.7). Reuters is a GIANT news organization, right? Guess what happened in 2012 when one of its blogs was left running an outdated WordPress version? You guessed it! Reuters got hacked.
Don’t Use Nulled Plugins/Themes – First of all, it’s just a jerk move to make. Developers put so much time and effort into these projects only to have them literally stolen. Second of all, nulled plugins and themes commonly have backdoors injected into them by whoever cracked them. Furthermore, should the developer release a security update, your nulled copy will not receive it.
Update Your Plugins/Themes – These need to be updated just as religiously as your core WordPress install does. Again, security updates are sent out for a reason, and you can’t take advantage of these fixes if you’re not actively updating everything. Remove anything you don’t use: an inactive plugin whose files are still on the server is still attack surface.
Use Safe Credentials – Don’t pick a wp-admin password because it’s easy to remember; that makes it easy for attackers too. Use a long, unique password (a password manager makes that painless) and never reuse a password you use elsewhere on the web. If someone breaches your reddit account or your Facebook account, should they now have your wp-admin password as well?
Use Secure WordPress Hosting
Remember how in our opening paragraphs we said that many WordPress attacks can be stopped by the hosting company? That’s only possible if you’re using a company that actually knows what they’re doing. If you are running WordPress on your own VPS or dedicated server, do you have the technical know-how to properly handle web-server security yourself?
Multiple layers of both software and hardware-level security need to be in place for your WordPress site to hold up against potential attackers. WordPress servers need to be running a patched, supported operating system and web stack, they need to be scanned regularly for malware and vulnerabilities, and it’s a good idea to have server-level firewalls in front of them.
We could go on and on. It’s 2020 and many of the top hosting companies out there offer WordPress-specific packages (HostGator, Bluehost, Dreamhost, etc.), but you may also want to check out the WordPress.org WordPress hosting recommendations.
Secure Your wp-admin
Aside from exploiting vulnerabilities in the code, the wp-admin login is another popular weak point for attackers looking to do some damage. If you can make it harder for them to find and abuse that login, you are much less likely to get hit.
Unless someone is specifically targeting you or your site, attackers will move on to easier targets. Here are a couple of ways to make sure you’re not an easy target:
Change Your wp-admin URL – Have you ever wondered whether or not a site was running WordPress and typed in that domain /wp-admin/ so that you were brought straight to their admin login page? It makes you stop and think “huh.. That was easy. If I were a hacker this would’ve been way too easy!” A free plugin like WPS Hide Login will let you change your wp-admin URL to something that is harder for attackers to uncover. Bear in mind that this is obscurity, not a hard control: it cuts down the automated noise, but a determined attacker can still find the login form, and xmlrpc.php still accepts a username and password regardless of where the login page lives. Treat it as a supplement to rate limiting and strong passwords, not a replacement.
Limit wp-admin Login Attempts – Attackers often use what is known as brute force, where software or scripts try many combinations of usernames and passwords. Hundreds of thousands or millions of combinations can be tried until the right combo has been found. By limiting login attempts per client you make this kind of attack impractical. The free Cerber WordPress plugin is a great way to limit these login attempts. One caveat: xmlrpc.php accepts credentials too, and its system.multicall method lets hundreds of guesses ride on a single HTTP request, so a limit that only counts posts to wp-login.php is not enough. If you don’t use XML-RPC, disable it.
Don’t Use the Default ‘admin’ Username – Attackers need both your username and your password to log into wp-admin without using an exploit or backdoor. Can you guess which username they try first? Yes, ‘admin’, because that’s the name the installer suggests by default. Changing it helps against lazy scripts, but don’t rely on the username being secret: author archives (/?author=1) and the REST API’s /wp-json/wp/v2/users endpoint expose the login names of users who have published posts. The password and the login limit do the heavy lifting.
Think about thieves going around checking for car doors that have been left unlocked. Sure, they can bust the window open, but they don’t need to when someone leaves their door unlocked. Keeping ‘admin’ as your wp-admin username and not hiding the wp-admin URL is essentially the same as leaving your car doors unlocked. Lock your car doors!
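The hosting-side view of the brute-force problem, as an added example that is not code from the original article or from any of the plugins named above: a Python script that reads web-server access log lines and flags client IPs hammering the two endpoints that accept WordPress credentials. The log lines are constructed for the demo, and the window and threshold values are arbitrary assumptions you would tune for your own traffic.

```python
"""Spot login brute-forcing against WordPress in web-server access logs.

Added example, not WordPress or plugin code. Works on Apache/nginx "combined"
format lines, counts POSTs to the two endpoints that accept credentials
(wp-login.php and xmlrpc.php) per client IP in a sliding window, and reports
IPs that go over a threshold. The sample lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Weight per POST. One xmlrpc.php request can carry hundreds of guesses via
# system.multicall, so a single request counts far more than a form post.
LOGIN_PATHS = {"/wp-login.php": 1, "/xmlrpc.php": 20}


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def find_bruteforce(lines, window_seconds=300, threshold=10):
    """Return {ip: {"peak": weighted attempts, "likely_success": bool}} for offenders.

    Lines must be in chronological order (as a log file is). wp-login.php answers a
    failed login with 200 (form re-rendered with an error) and a successful one with
    a 302 to wp-admin, so a 302 from an IP already over the threshold is marked.
    """
    recent = defaultdict(deque)   # ip -> (timestamp, weight) pairs inside the window
    totals = defaultdict(int)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        weight = LOGIN_PATHS.get(path)
        if method != "POST" or weight is None:
            continue
        q = recent[ip]
        q.append((ts, weight))
        totals[ip] += weight
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            totals[ip] -= q.popleft()[1]
        if totals[ip] > threshold:
            info = flagged.setdefault(ip, {"peak": 0, "likely_success": False})
            info["peak"] = max(info["peak"], totals[ip])
            if path == "/wp-login.php" and status == 302:
                info["likely_success"] = True
    return flagged


def constructed_log():
    """Constructed sample traffic (not real): one legitimate user (198.51.100.5),
    a password-guessing run from 203.0.113.7 that ends in a 302, and a single
    xmlrpc.php multicall POST from 192.0.2.9."""
    fmt = ('{ip} - - [10/Mar/2020:14:01:{sec:02d} +0000] "{method} {path} HTTP/1.1" '
           '{status} 4120 "-" "{ua}"')
    lines = [fmt.format(ip="198.51.100.5", sec=0, method="GET", path="/wp-login.php",
                        status=200, ua="Mozilla/5.0")]
    lines += [fmt.format(ip="198.51.100.5", sec=s, method="POST", path="/wp-login.php",
                         status=st, ua="Mozilla/5.0") for s, st in ((5, 200), (9, 302))]
    lines += [fmt.format(ip="203.0.113.7", sec=s, method="POST", path="/wp-login.php",
                         status=200, ua="python-requests/2.22") for s in range(10, 22)]
    lines.append(fmt.format(ip="203.0.113.7", sec=22, method="POST", path="/wp-login.php",
                            status=302, ua="python-requests/2.22"))
    lines.append(fmt.format(ip="192.0.2.9", sec=30, method="POST", path="/xmlrpc.php",
                            status=200, ua="Mozilla/5.0"))
    return lines


if __name__ == "__main__":
    for ip, info in find_bruteforce(constructed_log()).items():
        print(ip, info)
```

Two details worth noticing: a failed wp-login.php post is a 200, not a 4xx, so a status-code filter alone would miss the attack, and the single xmlrpc.php request trips the threshold on its own because of the multicall weighting. On a real server you would feed `find_bruteforce(open("/var/log/nginx/access.log"))` and hand the flagged IPs to your firewall or fail2ban.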
WordPress Dual Factor Authentication
Unless you’ve been living under a rock, or you avoid doing anything even remotely financial online, you’ve probably had experience with dual-factor (two-factor) authentication. The first factor is the credentials you enter into the login form. The second factor comes from something outside the web page, such as a code from an authenticator app, a hardware key, or a text message (the weakest of the three, since phone numbers can be hijacked), and it means a stolen or guessed password alone is no longer enough to log in.
So how do we set up a WordPress admin login to have dual-factor authentication? Well, with a plugin, of course! Many of these plugins add a third field to the wp-admin login page for the security code, and many work with the Google Authenticator or Duo Mobile apps.
Dual-Factor WordPress Plugins:
Use SSL Certificates (HTTPS)
This is one of those tips that applies to every website on the internet. Seriously, everybody should be using SSL/TLS. If you are running a WordPress site that has multiple users, multiple authors, or any eCommerce capabilities, YOU NEED TO USE HTTPS!
When you use an SSL certificate, you don’t just get the S in httpS and the lock icon in the address bar: you ensure that traffic between your visitors’ browsers and your server, including the wp-admin login and the authentication cookie that follows it, is encrypted in transit rather than passing as plain text.
Without it, anyone positioned on the network path (a shared Wi-Fi hotspot, a compromised router, an upstream provider) can read or tamper with what passes between your server and whoever it is talking to: a visitor’s browser, or a third-party service like your credit card processor. For that second case, make sure the calls your site makes to outside services use HTTPS too.
Aside from the obvious security, you know what else HTTPS can give you?
- SEO – Google has officially stated that HTTPS is a ranking signal (a lightweight one, by its own description) for its search results pages, so an HTTPS URL can help your ranking.
- Trust – Commonly cited survey figures say roughly a third of visitors look for that little lock icon, the security indicator, or the S in HTTPS, and that visitors are up to 77% more likely to purchase or subscribe when they are given a secure connection. More people learn to look for these signs every day.
TL;DR: Get an SSL certificate. This is one of the most important aspects here, and many hosts now issue free Let’s Encrypt certificates with a click. Seriously, minimize this web page and go install one. Then redirect all HTTP traffic to HTTPS and set define('FORCE_SSL_ADMIN', true); in wp-config.php so the login and admin area are never served in the clear.
Is Your wp-config.php Secure?
Those of us old-school WordPress users know how vital the wp-config.php file is to WordPress security, installation, and overall usage. But because the installation process has become so easy, many users who came to WordPress in just the past few years probably don’t even know it exists.
The wp-config.php file contains a lot of sensitive information: your MySQL database credentials and the authentication keys and salts that protect your login cookies. Anyone who can read it can read your database and forge logins, which makes wp-config.php the single most important file when it comes to WordPress security. How can you make it secure?
Move The wp-config.php File – By default, this file sits in the root directory of your WordPress install, usually in that wonderful public_html folder, where a misconfigured web server could serve it as plain text. Consider moving it. WordPress automatically looks one directory above the install root for wp-config.php when it isn’t in the root (as long as that parent directory isn’t itself another WordPress install, i.e. has no wp-settings.php), so on a typical layout you can move it from public_html to the directory above it with no other changes. That only helps if the parent directory is outside the document root, which it is on most shared hosts. Here’s an amazing explanation by Aaron Adams on how to move the wp-config.php file.
Wp-config.php CHMOD Permissions – When WordPress gets installed manually, the documentation suggests you change the permissions of this file to 400 or 440 to prevent other users on the server from reading or changing it. 400 means only the file’s owner can read it, which works when PHP runs as that owner (PHP-FPM pools, suPHP, suEXEC); 440 also lets a group read it, which you need when PHP runs as a separate web-server user in that group. Pick the wrong one and the site simply stops loading with a database connection error, so test after changing. Many FTP/SFTP clients expose this by right-clicking the file and choosing Permissions or CHMOD; on a shell it’s chmod 400 wp-config.php. You may need to check with your web hosting provider about which user PHP runs as.
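Both steps above can be checked from the server. As an added example (not WordPress code and not from the article), here is a Python audit script: it locates wp-config.php the same way wp-load.php does (install root first, then the parent directory if that parent holds no wp-settings.php), reports whether the file ended up outside the web root, and checks its mode against the 400/440 advice. It assumes POSIX permissions; the fake install it builds is constructed for the demo.

```python
"""Audit where wp-config.php lives and who can read it.

Added example, not part of WordPress. The lookup copies what wp-load.php does:
wp-config.php is read from ABSPATH (the install root), or from the parent
directory when the root has none and the parent is not itself another WordPress
install (no wp-settings.php there). The mode check enforces the 400/440 advice.
POSIX permissions are assumed.
"""
import os
import stat
import tempfile


def locate_wp_config(abspath):
    """Return (path, outside_webroot); (None, False) when WordPress would not find it."""
    inside = os.path.join(abspath, "wp-config.php")
    if os.path.isfile(inside):
        return inside, False
    parent = os.path.dirname(os.path.abspath(abspath))
    outside = os.path.join(parent, "wp-config.php")
    if os.path.isfile(outside) and not os.path.isfile(os.path.join(parent, "wp-settings.php")):
        return outside, True
    return None, False


def check_mode(path):
    """List permission problems; an empty list means 400/440-style permissions."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & stat.S_IRWXO:
        findings.append("world-accessible (o=%o)" % (mode & 0o7))
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & (stat.S_IXUSR | stat.S_IXGRP):
        findings.append("executable bit set")
    return findings


def audit(abspath):
    """Summarise the wp-config.php situation for one install root."""
    path, outside = locate_wp_config(abspath)
    if path is None:
        return {"found": False}
    return {
        "found": True,
        "path": path,
        "outside_webroot": outside,
        "mode": oct(stat.S_IMODE(os.stat(path).st_mode)),
        "findings": check_mode(path),
    }


def build_demo_install(mode=0o644, outside=False):
    """Create a throwaway fake install (constructed, not a real site) and return its ABSPATH.

    With outside=True the config is placed one level above public_html, the
    layout the 'move wp-config.php' advice produces.
    """
    root = tempfile.mkdtemp(prefix="wpdemo-")
    web = os.path.join(root, "public_html")
    os.mkdir(web)
    open(os.path.join(web, "wp-settings.php"), "w").close()  # marks web as the install root
    target = os.path.join(root if outside else web, "wp-config.php")
    with open(target, "w") as fh:
        fh.write("<?php\ndefine('DB_PASSWORD', 'constructed-example');\n")
    os.chmod(target, mode)
    return web


if __name__ == "__main__":
    print(audit(build_demo_install(mode=0o644)))                 # typical fresh upload
    print(audit(build_demo_install(mode=0o400, outside=True)))   # hardened layout
```

Run it against a real site with `audit("/home/you/public_html")`. An empty findings list with outside_webroot set to True is the target state; if you see world-accessible in the findings, every other account on a shared host can read your database password.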
WordPress Is Safe To Use (If You Maintain It)
Any application on the web exposes itself to attackers looking to take advantage of any weakness they can find. WordPress is no exception to this rule. We’ve listed a lot of steps you should take to secure your WordPress install, but that doesn’t mean WordPress isn’t safe to use. It just takes some tweaks, and ongoing updates, to make your site as hard a target as possible.