
Josh Lee on the Web

WordPress & Website Tips, Tricks, & Musings

Are you following these 9 best practices for WordPress security?


WordPress is currently the most popular content management system in the world, powering over 25% of new websites. When you consider WordPress’s ease-of-use, customizability, strong support community, and out-of-the-box SEO, it is easy to see why.

But with such popularity comes great vulnerability. What am I talking about here? I’m talking about hackers. Modern hackers are nothing at all like the friendly, “fight the power” teens from 80s and 90s films. They are out for one thing and one thing only — money.

So what does this have to do with your website? Well, your website probably (hopefully!) gets a lot of traffic every day. A would-be hacker can see this, and may think to himself, “Hmm… that is a lot of traffic. I bet I could make some money from that traffic.”

The hacker will then run automated scanners against your website looking for well-known vulnerabilities, and if any are found, he will take control of your website — and your traffic! All of a sudden, your visitors and potential customers find themselves looking at a website filled with knock-off “Rolex” watches, or being redirected to one.

Because WordPress is so widely used by publishers such as yourself, the vulnerabilities for it are quite well known. Hackers know that an exploit for WordPress has a high likelihood of being applicable to almost any blog or website.

But fear not! These hackers may sound scary, but their attacks are typically quite unsophisticated. With just a few simple steps, you can protect yourself from a vast majority of potential threats.

1. Start with a strong foundation

No matter how secure you make your own WordPress website, if your hosting provider does not properly isolate accounts, you may find yourself hacked. Why? Because another website got hacked that happened to live on the same server as yours. While there are no guarantees against this happening with any hosting company, some have track records better than others.

Read more about choosing a WordPress host.

2. Keep regular backups, stored outside of your WordPress site

Most infections can be cleaned up easily by a trained expert (or avoided altogether by following the advice in this article), but every once in a while a really nasty piece of malware may embed itself in your site (in themes, plugins, uploads, and the database) to the point where restoration from a clean backup is the only option. Backups of your site files and database should be made daily (if you update content often) and always be stored on a separate server or service from your WordPress website itself, so that an attacker who controls the web server cannot delete or tamper with them. Test a restore now and then; a backup you have never restored is only a hope. I recommend Jetpack.

3. Never have a user named “admin”

In 100% of the brute-force attacks we’ve witnessed, the attackers assume that the username “admin” is used for the main administrator account. Always rename administrator accounts to something unique and specific to your website. Treat the username as one layer, not a secret: WordPress reveals account slugs through author archive URLs (such as “?author=1”) and the REST API’s users endpoint, so a determined attacker can still learn it. The unique username defeats the lazy, fully automated attacks, which are the overwhelming majority.

4. Choose a strong password. Change it often.

So you have a good, unique username for your administrator account? Good. Don’t get lazy now. Make sure you choose a strong and unique password to go with it. WordPress comes with a built-in password-strength meter. We recommend that passwords for all administrator accounts be rated “strong,” and that each one is unique to this site: a password reused from another service will be tried against your login as soon as that service is breached. All administrator passwords should also be reset to a new unique password yearly, and immediately if you suspect it has been exposed.

5. Store and transfer passwords securely

Having a strong password is of little help if you broadcast it to the world. Never send passwords by e-mail, chat, or text message, and never type them into a login page served over plain HTTP, where anyone on the network path can read them. Log in to your dashboard over HTTPS only, and keep passwords in a password manager rather than in a document or spreadsheet.

6. Limit login attempts

Your final (and most important) protection against brute force attacks is to configure your WordPress installation to temporarily lock out a client (by IP address, account, or both) after a certain number of failed login attempts. This turns an attack that could try thousands of passwords per minute into one that can try a handful per hour. It can be accomplished using a number of WordPress security plugins; make sure the one you choose also covers logins made through XML-RPC, which attackers use as a second door.
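One way to implement such a lockout yourself, as an added example that is not code from this article or from any particular plugin: a small must-use plugin (copy it into wp-content/mu-plugins/) that counts failed logins per client IP in a transient and refuses authentication while that IP is locked. The thresholds and every name beginning with “sll_” are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: Simple Login Lockout (added example, not from the article)
 * Description: Locks out a client IP address after repeated failed logins.
 * Install: copy to wp-content/mu-plugins/simple-login-lockout.php
 */

// Thresholds are assumed values: 5 failures inside 15 minutes lock the IP for 15 minutes.
define('SLL_MAX_FAILURES', 5);
define('SLL_WINDOW_SECONDS', 900);
define('SLL_LOCKOUT_SECONDS', 900);

// Only REMOTE_ADDR is vouched for by the web server. Behind a CDN or proxy (see point 9),
// have the server restore the real client address (Apache mod_remoteip, nginx real_ip_header);
// reading X-Forwarded-For here directly would let an attacker choose which bucket he lands in.
function sll_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function sll_transient_key($ip) {
    return 'sll_' . md5($ip);
}

// Fired by WordPress after every failed login, from wp-login.php and XML-RPC alike.
function sll_record_failure($username) {
    $ip    = sll_client_ip();
    $key   = sll_transient_key($ip);
    $state = get_transient($key);
    if (!is_array($state)) {
        $state = array('failures' => 0, 'locked_until' => 0);
    }
    $state['failures']++;
    if ($state['failures'] >= SLL_MAX_FAILURES) {
        $state['locked_until'] = time() + SLL_LOCKOUT_SECONDS;
        error_log(sprintf('login lockout: ip=%s username=%s', $ip, $username));
    }
    // The transient expires on its own, so stale counters need no cleanup job.
    set_transient($key, $state, SLL_WINDOW_SECONDS);
}
add_action('wp_login_failed', 'sll_record_failure');

// Priority 30 runs after core's username/password check (priority 20), so a correct
// password cannot override the lockout. Returning WP_Error makes wp_authenticate() fail.
function sll_check_lockout($user, $username, $password) {
    $state = get_transient(sll_transient_key(sll_client_ip()));
    if (is_array($state) && $state['locked_until'] > time()) {
        return new WP_Error('sll_locked_out',
            __('Too many failed login attempts. Please try again later.'));
    }
    return $user;
}
add_filter('authenticate', 'sll_check_lockout', 30, 3);

// A successful login clears the counter for that IP.
function sll_clear_on_success($user_login, $user) {
    delete_transient(sll_transient_key(sll_client_ip()));
}
add_action('wp_login', 'sll_clear_on_success', 10, 2);
```

Two design notes. While an IP is locked, every further attempt still fails and still fires wp_login_failed, so the lock extends as long as the attacker keeps hammering. Counting by IP alone means visitors sharing one address (an office NAT, a mobile carrier) can be locked out by a neighbour, and an attacker with many addresses spreads his attempts below the threshold; a production plugin usually counts per username as well, which is why the article recommends using one rather than rolling your own.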

7. Keep all software up-to-date

After brute force attacks, your biggest potential vulnerability is out-of-date software. This can include WordPress itself, your theme, or your plugins. Many updates include security fixes alongside the new features that you see, and once a fix is published attackers compare the old and new code, work out the hole, and scan for sites that have not yet applied it. Leave WordPress’s automatic minor updates switched on, and apply plugin and theme updates promptly. Remove plugins and themes you no longer use; an inactive plugin still sits on disk and can still be exploited.

8. Change default database settings

By default, all WordPress database tables are named with the prefix “wp_”. This is so that WordPress can share a database with other software on the same server without table-name conflicts. Automated attacks on WordPress installations take advantage of it: an SQL injection payload can simply assume that the users table is called “wp_users”. We recommend the plugin Better WordPress Security to rename your database prefix to something unique to your website. Treat this as a minor hardening step rather than a secret: an attacker who already has an injection point can list the real table names from the “information_schema” database, and many attack tools do exactly that.
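The two settings from points 5 and 8 live in wp-config.php. The excerpt below is an added example, not text from the article or from WordPress’s sample config; the prefix value is a placeholder.

```php
<?php
// wp-config.php excerpt (added example). The prefix below is a made-up placeholder.

// Weak: the default prefix that every scanner and exploit script assumes.
// $table_prefix = 'wp_';

// Stronger: a prefix unique to this site. Choose it BEFORE running the installer.
// Renaming on a live site is more than a find-and-replace on table names: the
// option "wp_user_roles" and the user-meta keys "wp_capabilities" and
// "wp_user_level" carry the prefix in their names and must be renamed too,
// which is what the recommended plugin does for you.
$table_prefix = 'k7q3x_';

// Point 5: serve wp-login.php and the whole dashboard over HTTPS only, so the
// password is never sent in clear text. Requires a working TLS certificate.
define('FORCE_SSL_ADMIN', true);
```

Nothing here is a substitute for the earlier points: a unique prefix only frustrates scripts that hard-code “wp_”, and FORCE_SSL_ADMIN protects the password in transit, not a weak password.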

9. Use a cloud delivery service

In addition to speeding up your website, a Content Delivery Network such as CloudFlare will also provide a layer of extra security protection. CloudFlare filters known-bad requests and bots against your domain name and stops them from ever reaching your server. Two caveats: the filtering only applies to traffic that actually passes through CloudFlare, so restrict your server’s firewall to CloudFlare’s published address ranges, or an attacker who learns the origin IP simply goes around it; and your server will see CloudFlare’s addresses as the client, so configure it to use the real visitor IP that CloudFlare passes along, otherwise login-attempt limits (point 6) end up counting against CloudFlare itself.

Category: For Site Owners, WordPress

© Copyright 2020 Joshua Lee.



Josh Lee was fascinated with computers from a young age, when Winter Games for the Apple II caught his attention at age 4. From then on he wanted to learn everything there was to know about computers and software.