WordPress security is already pretty decent on installation. In a relentless struggle to stay a few steps ahead of hackers and maleficent persons, there is a number of good habits you should use. Here are some useful tips and tricks that should keep your WordPress installation safe from harm.
There are dozens of ways to improve security on your website. Needless to say, there is a wide range of plugins available in the WordPress repository that do an outstanding job. But since every plugin offers different possibilities and the installation of every plugin creates new vulnerabilities, these tips can help you to identify weak spots that may escape your attention.
First of all, let’s go through some general good practices that apply not only to WordPress but to other online services as well:
1. Use strong passwords
You’d be amazed how often weak passwords are used, even in professional environments. Although this point has been emphasized frequently the last few years, it seems difficult for some people to unlearn this bad habit. Therefore: never use your own name, the name of a relative or an obvious alphanumeric code (e.g. myname123). Instead:
- Make random alphanumeric passwords. There are plenty of online tools out there that do the job for you. Passwordgenerator or Norton are just a few.
- Don’t use passwords that can be found in dictionaries.
- Use at least 12-character passwords. Did you know that the time difference to crack an 8-character password and a 12-character password during a brute-force attack can add up to 200 years?
- Do not use the same password more than once.
- Store your passwords in encrypted programs. LastPass, Dashlane, KeePassX or StickyPassword are among the best out there.
Be aware that to avoid being hacked, a good first line of defence is indispensable. Using strong passwords can save you a lot of trouble. Up next there are some things you should do on your WordPress installation:
2. Add salt hashes in your wp-config.php to beef up WordPress security
An important step to boost WordPress security but often overlooked on installation. Since you have to add your host, database name and database user in this file anyway, you can easily apply this step with little or no effort.
This ensures better encryption of information stored in the user’s cookies. This functionality has steadily been improved over the last years, beginning with WordPress 2.5 already. Just copy-paste the link in the comment above and paste it in your browser. You will notice the codes change every time when you refresh te page. You can then copy the generated codes an paste them in your wp-config.php file.
3. Change your database table prefix in wp-config.php
By default, the table prefixes are set to wp_. It’s a good idea to change this into something completely random.
4. Create a separate admin user, pure for back-end tasks
Even if you are the only writer on a blog or the webmaster of a site, you should adopt this. That way, the admin user role, with the widest range of editing possibilities, is only used for tasks executed in the back-end (like installing plugins, emptying cache, etc.).
A second user (e.g. editor) can write content for the frontend.
5. Don’t use the same name as username, display name and nickname
These can easily be altered in your profile settings.
If you don’t do this, your posts will simply display your username, with which you login to the backend.
You shouldn’t make life too easy for maleficent people.
6. Set up some kind of two-way authentication
Even if you use a bullet-proof password, there is always a risk someone obtains it due to a database breach. Two-step authentication was added to WordPress in 2013 and it is a feature more and more services are beginning to offer. A more elaborate explanation on the how and why can be found on the WordPress codex but what is basically comes down to is that you are not only identified by who you are but also by something you have, like a text message you receive on your smartphone with an extra code).
The easiest way to apply this is make use of a plugin from the WordPress.org plugin repository.
7. Allow access to the loginscreen only form a certain IP-address
If you have a static ip-address, you can restrict the access to the loginscreen only from there. Add the following code to your .htaccess file (always remember tot take a back-up first).
AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Access Control" AuthType Basic <LIMIT GET> order deny, allow deny from all allow from xx.xx.xx.xxx </LIMIT>
Where you write your ip-address instead of the x’es on the second to last line.
8. Protect the loginscreen with a password
If you have some decent hosting, you should take a look in the adminpanel of the webserver. Most hosts offer the possibility to block direct access to the /wp-admin/ folder from there.
You can then set an additional username and password which will be prompted when you navigate to your WordPress login screen.
9. Check the file permissions of your core files and folders.
By default, the file and folder permissions are pretty OK. However, it happens that you have to allow editing on certain files or folders when you install plugins. Especially plugins for minifying and caching often create additional files and folders. Sometimes, you even have to allow full access to your .htaccess file. Although there is nothing wrong with this, always remember to reset the file or folder permissions after installation of the plugin. The .htaccess and wp-config.php files for example, will probably have 644 file permissions by default.
Note that 440 or even 400 file permissions are often sufficient.
10. Disable the plugin and theme editor
WordPress comes with an editor in the backend that allows you to make changes to the files directly. Especially when there are several users with access to your blog, you may want to prevent them from doing so. Therefore, add the following line to your wp-config.php file.
define( 'DISALLOW_FILE_EDIT', true );
11. Make sure you have high-end hosting for your website
There is a whole bunch of webhosts out there and some just offer better service and backup than others. Be critical with who you want to partner up with. Do some preliminary checks, take a look at their website, ask them some questions.
12. Be critical which themes and plugins you download
As is the case whith webhosts, there is a myriad of WordPress themes and plugins available. Take some things into consideration here too before downloading a theme or installing a plugin:
- Verify if themes and plugins are updated regularly
- Read some reviews of existing users
- Check if the developer or company is trustworthy
It’s safe to say that almost every WordPress website uses a number of plugins. It’s a great way to enhance your website with a minimum of effort.
But also be aware that every plugin creates new vulnerabilities and requiers extra attention from your side for maintenance and compatibility with your current WordPress version.
13. Always keep your WordPress version and plugins up-to-date
You will notice that new versions of WordPress are released regularly and the same goes for (good) plugins. When you see a notification in your backend, always update as soon as possible.
Updates are released for a reason and outdated software is one of the most common ways to grant access to unwanted visitors.
14. Delete disabled plugins from your blog
Plugins that are not active have no reason to remain in the backend. Again: they are a risk. Simply delete them entirely.
15. Figure out a backup plan when things do go wrong
If you are faced with a hacked website after all, be sure you have a plan B ready so damage can be limited in time and effort. Check with your webhost if backups of files and databases are executed on a regular basis. You can also make backups yourself.
You can check the WordPress.org plugin repository here too.