9 Tips to Keep WordPress Secure in 2015

Written by Wholegrain Team - September 21, 2015

WordPress is the most popular CMS for a very good reason: it’s the best. Its popularity with bloggers and businesses alike means it’s running on one in five websites today.

However, as an open source CMS it can be vulnerable to hackers, and with so many users it’s little surprise that attacks on WordPress sites are growing in line with its popularity.

This means the security of your site is the most important consideration after content, appearance and hosting. By beefing up your website’s security you’ll ensure your site isn’t compromised, minimise downtime, safeguard your data, and keep it running quickly and reliably.

Fortunately, you don’t need to be a WordPress expert in order to keep the hackers at bay. Here are 9 tips and tricks that everybody can use…

1. Stay Updated

Ensuring your website always runs the latest version of WordPress, as well as your theme and plugins, is the simplest thing you can do to close off any security loopholes. Because WordPress files, themes and plugins are mostly open source, everybody has access to the code – including hackers.

It may seem as though new versions are being rolled out continuously, giving you access to lots of shiny, new and possibly unnecessary features. However, most of these updates contain bug and security fixes, designed to keep your site safe.

Some people delay updates because they worry the updates will ‘break’ something on their site. However, any issues can be easily overcome, and it’s far more likely that hackers will use knowledge of the security vulnerabilities on outdated versions to find a way in.

If something goes seriously off-kilter when you run updates, it’s often due to an old plugin that hasn’t been updated for a while. In which case, this is the perfect time to replace it with something newer and more frequently updated.

So don’t ignore those update alerts, OK?

2. Choose Your Theme & Plugins Wisely

Staying on the subject of themes and plugins, you want to choose these fellas wisely. It’s easy to get carried away when you discover a fabulous plugin or theme on Google that does just what you need. But it is worth it?

Always research your theme and plugins before loading them on your site. Check how many downloads they’ve had, ensure they’re actively maintained and see when they were last updated. And make sure they come from a trusted source.

3. Use Unique, Strong Usernames & Passwords

Are you still using ‘Admin’ as your username? Seriously? Change it NOW. And don’t change it to something easily guessable like your site name or your name, because they will be the next thing hackers will try.

Because usernames cannot be changed from the dashboard, you may need a workaround. All you need to do is create a new account with an unusual name, give it administrator capabilities, and delete the original. You can change the attribution of any published posts afterwards.

One of the most common ways for hackers to get access to your site is by guessing your password. With the help of automated bots, they can try thousands of options before finding the right one – then they have access to your entire site. So choose a complex password with a combination of letters, numbers and characters, and ensure all users of your site do likewise. Avoid dictionary words or anything similar to the site name or username, and aim for a random string of characters – you can use a password manager such as LastPass or 1Password to securely generate and store your passwords, and access your sites. Ideally, you should change your passwords every 6 to 8 weeks.

4. Protect Your Login Page

Hackers need your username and password to be able to access your site, but they need something else too: the URL of your login page. This is generally pretty standard – it’s your domain name plus an extension, usually /wp-admin or /wp-login. But because it’s standard, it makes it easy as pie for hackers to guess. So change it. And if you’re a more advanced user or developer with knowledge of server-side changes, you can password protect access to the login screen for an additional layer of security.

Setting up 2-factor authentication is a great move. This requires your username, password, plus a unique code – sent via an app to your smartphone or tablet – to be able to log in. Alternatively, you could add a CAPTCHA to your login screen to verify there’s a human at the door.

And the final word on this subject: limit login attempts on your site. Most attempts are made by brute force attacks, which use various online or offline tools to try thousands of username–password combinations to force their way in. By limiting the login attempts, you can shut these attacks out.

5. Use Security Plugins & Services

If some of the above sounds a little complicated, don’t despair – there’s an easy solution at hand. Because WordPress security is such a big topic, there are a number of really useful all-in-one security plugins that will take care of the above, and more.

There are free and premium options available – often for the same plugin – and they each have their different strengths and specialities. Review the available options, such as All in One WP Security & Firewall, Wordfence, iThemes Security, and BulletProof Security, and see what works best for your needs.

6. Become a Master of Backups

This is something that cannot be stressed enough: whatever you do, always ensure your website is regularly backed up and preferably stored offsite, either with a paid backup service, or a cloud storage account like Dropbox.

Having backups is critical to help your website recover from any issue, whether security-related or not. You also need to test your backups to check they restore without error, and ensure you or your webmaster knows how to restore the site.

There are a number of free and premium backup services and plugins available, including blogVault, VaultPress, BackupBuddy, Snapshot Pro, and BackWPUp. Again, do your homework, read the reviews, and see which option is best for you.

7. Understand & Enforce User Roles

If you have multiple users on your site, it can be easy to lose track of who has access to what, and this can leave you vulnerable – especially if you forget to remove a disgruntled employee after they’ve left your company!

Periodically do some housekeeping and remove old users from your site. Even if they’re unlikely to break in and leave a parting shot, other users are notorious for choosing weak passwords so you could be leaving yourself open to attack through their account.

It’s also worth taking the time to fully understand the different user roles WordPress has and applying them properly, only giving Admin access to those who really need it and who you can trust. The role of Contributor is suitable for a user adding blog posts that an Editor or Admin is going to review and publish, whereas a user who can write and publish can have Author rights. And if you must keep an inactive user on your site, assigning them as a Subscriber means they are limited in their actions.

8. Don’t Give Too Much Information Away

The more information hackers have about your site, the more likely they are to find a way in. So make things difficult for them.

If you can’t or don’t want to update to the latest version of WordPress, make sure people can’t see which version you’re using. Because a quick look at your source files will reveal which version you’re running so known vulnerabilities can be exploited.

Likewise, many plugins have known vulnerabilities that can be used to hack your site so blocking access to these directories is a no-brainer.

The other thing to keep under wraps is your username, even if you’ve changed it from the default Admin (which you have by now, right?). Hackers can still gain access to your real username by checking the author archive page of your blog, but a quick configuration change on your profile page so it appears as something random should sort this one out.

9. Choose Secure Hosting

Finally, we’ve focused on things you can do to keep your WordPress site secure, but a startling number of websites are hacked because of a weakness in their hosting service. So rather than opting for the cheapest service, take the time to find a reputable hosting company to make sure your blog’s in safe hands.

Read some reviews, speak to staff at hosting companies to see what security features they have in place, and choose the one that feels right for you. There are an increasing number of companies offering managed WordPress hosting that will automatically update WordPress and any key plugins if there are security fixes, and disable plugins if they have security issues. While this isn’t for everybody – some people find it intrusive and prefer to retain control – it’s a good solution if you’re busy, or simply lazy.

Final Thoughts on Security

There’s little point agonising over the content and appearance of your WordPress site, without paying any attention to security matters. Because all your hard work could be undone in a flash, which could cost you traffic, money, lots of time, and a great deal of stress.

Security can be a big, complex topic, but by enforcing the strategies we’ve outlined above you can keep your site secure for the future.

Which strategies do you implement to keep your site safe from hackers? Can you add any tips or tricks to our list? Tell us in the comments below…