Over time, WordPress has gained an unfair reputation for not being as secure as other open-source content management systems. This is mainly due to inadequate maintenance, poorly coded themes, or not keeping on top of updates to the core, themes or plugins.
WordPress security isn’t always seen as a high priority. That is, at least, until your website is hacked.
As with most things in life, prevention is better than a cure. Restoring a hacked website can be a long and painful process. Rolling the server back to a previously backed-up version is an option, but you risk losing any recent posts or content updates. Below are some simple steps to minimise the chances of your WordPress site being hacked.
This post will give you an outline of the security features I have in place. Please note that this is not a tutorial, so additional research is required to implement these points.
Ensure strong passwords and non-obvious usernames
The most obvious step to ensuring a secure WordPress can also be the simplest: make sure all user passwords are strong. This means that all passwords should be at least ten characters long, with uppercase and lowercase letters, numbers and special characters.
Another simple way to add an extra layer of security to your site is by using a non-obvious username. The most obvious username is ‘admin’. Changing the ‘admin’ username to something as simple as a combination of your first and last name means that a hacker will need to decipher both the username and password, as opposed to just the password, thus reducing the chances of a brute force attack.
If you need help remembering login credentials, try a password manager. Password managers store usernames and passwords securely over several devices and prompt you when logging in. There are many options, including LastPass, BitWarden and 1Password.
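The two points above (a minimum password policy and no 'admin' account) can be enforced by WordPress itself rather than left to each user. The following is an added example, not code from the original post: a must-use plugin that rejects passwords failing the ten-character, mixed-case, number and special-character rule on the profile and password-reset forms, and refuses to create accounts with obvious usernames. The file path and the `example_` function names are assumptions; the hooks (`user_profile_update_errors`, `validate_password_reset`, `illegal_user_logins`) are core WordPress hooks.

```php
<?php
/**
 * Plugin Name: Password and username policy (added example)
 * Description: Rejects weak passwords and obvious usernames.
 * Save as wp-content/mu-plugins/password-policy.php (assumed path) so it loads on every request.
 */

// The policy described in the post: ten characters, upper, lower, digit, special.
const EXAMPLE_PASSWORD_MIN_LENGTH = 10;

/**
 * Return human-readable reasons a password fails the policy.
 * An empty array means the password is acceptable.
 */
function example_password_policy_failures( string $password ): array {
    $failures = [];
    if ( strlen( $password ) < EXAMPLE_PASSWORD_MIN_LENGTH ) {
        $failures[] = sprintf( 'at least %d characters', EXAMPLE_PASSWORD_MIN_LENGTH );
    }
    if ( ! preg_match( '/[A-Z]/', $password ) ) {
        $failures[] = 'an uppercase letter';
    }
    if ( ! preg_match( '/[a-z]/', $password ) ) {
        $failures[] = 'a lowercase letter';
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) {
        $failures[] = 'a number';
    }
    if ( ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
        $failures[] = 'a special character';
    }
    return $failures;
}

/**
 * Shared check for both forms. WordPress submits the new password as pass1;
 * an empty field means the password is not being changed, so nothing to check.
 */
function example_add_password_errors( WP_Error $errors ): void {
    $password = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
    if ( '' === $password ) {
        return;
    }
    $failures = example_password_policy_failures( $password );
    if ( $failures ) {
        $errors->add(
            'weak_password',
            '<strong>Error:</strong> The password must contain ' . esc_html( implode( ', ', $failures ) ) . '.'
        );
    }
}

// New users and profile edits in the admin area: ($errors, $update, $user).
add_action( 'user_profile_update_errors', function ( WP_Error $errors, bool $update, $user ) {
    example_add_password_errors( $errors );
}, 10, 3 );

// The "lost password" reset form on wp-login.php: ($errors, $user).
add_action( 'validate_password_reset', function ( WP_Error $errors, $user ) {
    example_add_password_errors( $errors );
}, 10, 2 );

/**
 * Refuse to create accounts with obvious usernames. wp_insert_user() and the
 * registration form consult this list (case-insensitively).
 */
add_filter( 'illegal_user_logins', function ( array $usernames ): array {
    return array_merge( $usernames, [ 'admin', 'administrator', 'root', 'test' ] );
} );
```

The `illegal_user_logins` filter only blocks new accounts; an existing 'admin' user still has to be replaced by creating a new administrator, reassigning the old account's content to it and deleting the old account, as the section above recommends.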
Keep core and plugins up to date
Life can get busy! Whether it’s a large project or mundane day-to-day tasks, there usually aren’t enough hours in the day, and there’s the constant assessment of essential and less critical tasks, the latter generally being pushed to the bottom of the list for months on end. Unfortunately, keeping on top of website maintenance can be one of those tasks.
Keeping your WordPress core, plugins and themes up to date works two-fold. Not only does it help with security, but it also has an impact on performance. The WordPress security team works tirelessly to keep on top of security vulnerabilities, constantly releasing updates and patches to ensure the WordPress core is as secure as possible.
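If maintenance keeps slipping down the list, WordPress can apply updates on its own and tell you what is still outstanding. The following is an added example, not code from the original post: it opts plugins and themes into automatic updates and schedules a daily WP-Cron job that emails the site administrator a summary of any pending core, plugin or theme updates. The `example_` names, the file path and the daily schedule are assumptions; `WP_AUTO_UPDATE_CORE`, the `auto_update_plugin` / `auto_update_theme` filters and the `get_*_updates()` helpers are core WordPress APIs.

```php
<?php
/**
 * Plugin Name: Automatic updates and pending-update digest (added example)
 * Save as wp-content/mu-plugins/update-digest.php (assumed path).
 *
 * In wp-config.php (not this file), define( 'WP_AUTO_UPDATE_CORE', true );
 * opts the site into major core releases as well as minor/security ones.
 */

// Let WordPress auto-update every installed plugin and theme, not just core.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

/**
 * Build a plain-text list of everything that still has an update available.
 * Returns an empty string when the site is fully up to date.
 */
function example_pending_updates_summary(): string {
    // These helpers live in wp-admin and are not loaded during cron runs.
    require_once ABSPATH . 'wp-admin/includes/update.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $lines = [];

    foreach ( get_core_updates() as $core ) {
        if ( isset( $core->response ) && 'upgrade' === $core->response ) {
            $lines[] = 'Core: ' . $core->current;
        }
    }

    foreach ( get_plugin_updates() as $plugin ) {
        $lines[] = sprintf( 'Plugin: %s %s -> %s', $plugin->Name, $plugin->Version, $plugin->update->new_version );
    }

    foreach ( get_theme_updates() as $theme ) {
        $lines[] = sprintf( 'Theme: %s %s -> %s', $theme->get( 'Name' ), $theme->get( 'Version' ), $theme->update['new_version'] );
    }

    return implode( "\n", $lines );
}

// Schedule the digest once; wp_next_scheduled() stops it being added on every request.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'example_pending_updates_digest' ) ) {
        wp_schedule_event( time(), 'daily', 'example_pending_updates_digest' );
    }
} );

// The cron callback: only send mail when there is something to report.
add_action( 'example_pending_updates_digest', function () {
    $summary = example_pending_updates_summary();
    if ( '' !== $summary ) {
        wp_mail(
            get_option( 'admin_email' ),
            'Pending WordPress updates on ' . home_url(),
            $summary
        );
    }
} );
```

The digest relies on WP-Cron, which by default only fires when the site receives traffic; on a low-traffic site it is more reliable to disable the built-in trigger with `DISABLE_WP_CRON` and call `wp-cron.php` from a real system cron job.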
Reduce the number of plugins used
Plugins are at the very heart of WordPress. They may even be the reason you chose WordPress over another CMS or website builder. There’s a plugin for almost everything; most of the time, they are beneficial and time-saving. However, they can be a security threat. The more plugins you have installed, the longer it takes to maintain the site and the higher the risk of conflicts between plugins.
There are two main types of plugins: free and premium (or paid). Premium plugins, or free versions of premium plugins, are well-supported and regularly updated, as it is in the developer’s best interest to do so.
However, free plugins are not guaranteed to be. Often, these plugins perform a simple task which can be achieved by updating the theme’s functions file or coding it into the theme itself. It takes time and effort to update a plugin. Without a payment contract in place, plugins aren’t guaranteed to be updated every time a security update is released on the WordPress core, leaving the back door open to hackers.
The fewer plugins used, the less chance of vulnerabilities.
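As an illustration of the point about simple tasks belonging in the theme rather than in yet another plugin, here is an added example (not code from the original post) of three small hardening tweaks that are each commonly installed as a single-purpose plugin but need only a few lines in the active theme's functions.php or a must-use plugin. The filters used (`the_generator`, `xmlrpc_enabled`, `login_errors`) are core WordPress filters; the replacement login message is an assumption.

```php
<?php
// Added to the active theme's functions.php (or an mu-plugin). Added example, not from the post.

// Stop advertising the exact WordPress version in the page head and feeds,
// which otherwise tells anyone scanning the site which release it is running.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Switch off XML-RPC unless something you use (e.g. the mobile app or Jetpack) depends on it;
// it is a frequent target of automated brute-force and amplification attempts.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Use one generic message for every failed login so the form does not confirm
// whether a guessed username exists.
add_filter( 'login_errors', function () {
    return 'Login failed. Please check your details and try again.';
} );

// Disabling the in-browser theme/plugin editor belongs in wp-config.php rather than here:
// define( 'DISALLOW_FILE_EDIT', true );
```

Each of these is trivially reversible by deleting the lines, which is also the reason to prefer them over a plugin: there is nothing extra to keep updated.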
Maintain your server
WordPress hosting comes in all shapes and sizes, from basic shared hosting to hosting on a managed dedicated server and everything in between. This step ‘should’ only apply to WordPress sites hosted on a Virtual Private Server (VPS) or a cloud server, as shared and managed hosting server maintenance is usually performed by the web host, although it is worth checking with your host.
When performing updates to WordPress core, themes and plugins, it can be easy to overlook server maintenance. Performing maintenance to a VPS or cloud server will usually require you to connect to the server via SSH and execute command line scripts unless a control panel such as cPanel, Webmin or Plesk has been installed. Your web host usually provides detailed documentation and, although it can be time-consuming, it is essential that you keep on top of server security patches and updates.
Occasionally, after a WordPress core update has been performed, the PHP version needs to be updated. If this is the case, you will see a warning dialogue box within the admin area. As with server security patches and updates, you will need to update the PHP version via SSH or your control panel.
Install a Firewall
Usually, a shared or managed hosting package comes with a firewall installed to protect all sites hosted on that server. A firewall filters incoming and outgoing traffic against its pre-defined rules, thus ensuring that only legitimate traffic reaches your website. If you host on a VPS (Virtual Private Server), cloud server or dedicated server, then firewall installation is up to you unless the server is managed.
If your site runs on Ubuntu, I recommend enabling the UFW (Uncomplicated Firewall). It is tried and tested and simple to set up via SSH with basic technical knowledge.
Install Wordfence
Wordfence is a security plugin which offers 24/7 protection for your WordPress site. It is available as a free plugin, or a number of paid options are available for added security and real-time updates.
Wordfence is available in four different packages. While the free version offers all of the same benefits as the paid packages, including theme and plugin vulnerability monitoring, file change detection, brute force detection and login security, it delays updates to malware signatures, firewall rules and its IP blocklist by 30 days and does not include support. For less than $10 per month, you can upgrade to Wordfence Premium, which offers up-to-date malware signatures, firewall rules and suspicious IP addresses, plus premium ticket-based support.
The two additional packages are geared toward enterprise-level installs and include installation, configuration, monitoring and 24/7 support, and cost between $40 and $80 per month.
Here’s a summary of what’s included with all Wordfence packages:
Enforced secure usernames and passwords
As outlined in the ‘Ensure strong passwords and non-obvious usernames’ section above, you can configure Wordfence to reject weak passwords which are not long enough or do not contain uppercase and lowercase letters, numbers and special characters. It can also be set up to reject ‘admin’ as a username and insist on a more secure one.
Login security
Protection against brute force attacks, including blocking known or suspect IP addresses from reaching your login page.
Two-factor authentication (2FA)
This requires each user to enable two-factor authentication, which is an extra level of protection when logging in. Wordfence’s two-factor authentication is compatible with most 2FA apps, including Google Authenticator, Microsoft Authenticator and LastPass Authenticator.
Malware scan
The malware scanner checks your WordPress install for suspicious files and cross-references what it finds against Wordfence’s extensive database of known malware. The resulting malware signatures are used to block intrusion attempts and detect malicious activity.
Wordfence Firewall
Wordfence constantly updates its firewall rules to protect against known vulnerabilities, including those in WordPress core, plugins and themes.
Conclusion
Securing your WordPress website is well worth the time and effort. It could save you both money and stress by protecting you against downtime. Except for server maintenance, all of the above are easy to implement, and I’d recommend setting a reminder in your calendar to perform monthly, if not weekly, updates.
If you would like a consultation or audit of your WordPress website, then please get in touch. I offer both custom WordPress development as well as hosting and maintenance packages.
When performing updates to the server or to WordPress core, themes and plugins, I recommend that you do so on a staging environment and not on the live (production) site itself. That way, any conflicts can be rectified without the live site going down. To read more about server environments, see What type of WordPress hosting should I choose?
Let’s chat.