There are plenty of ways to improve the security of your WordPress site that don't require a lot of know-how.
WordPress is the world’s most popular website platform. Providing a solid baseline that can be further enhanced with thousands of community-sourced plugins, it can do almost everything you can think of. But success can draw the wrong kind of attention, with many WordPress website owners finding their sites under attack. We look at how you can improve the security of your WordPress website, whether you’re just starting out or well established.
Use the right WordPress plugins
You likely have a number of plugins installed on your site, covering everything from basic features to fully-fledged ecommerce capabilities. With all the possibilities available, it’s no surprise that plugins can be used to help you secure your WordPress site, too. Here are some to consider:
1. Wordfence, Cerber Security, iThemes Security – these plugins act as all-in-one security suites for your WordPress site: a web application firewall that filters requests before they reach your code, a scanner that checks core, plugin and theme files for tampering and looks for malware in uploads, and brute-force protection that limits failed login attempts per address, among many other features. Bear in mind that a plugin firewall runs inside WordPress, so it only sees requests that have already reached PHP; a firewall at your host or CDN sits in front of it. If you're serious about protecting your site, using at least one of these plugins is a must.
2. An audit log plugin, such as WP Security Audit Log, is also a very helpful tool for monitoring your site. These plugins record activity on your website, including when users log in or out, failed logins, and changes to content, settings, plugins and themes. Collecting this in one place helps you spot what's happening to your site and reconstruct events after an incident. Where the plugin supports it, ship the log to an external store as well: an attacker who gains admin access can otherwise edit or delete the evidence along with everything else.
3. Two-factor authentication – 2FA isn't built into WordPress, but you can get a plugin to add it. Two-factor authentication adds a crucial extra step to logging into your website, so a password alone is not enough even if an attacker guesses it, phishes it or finds it in a breach of another site. Prefer an authenticator app or a security key over codes sent by SMS. The all-encompassing plugins such as Wordfence also include 2FA within their functionality, and as you'll find out, it's best to limit your number of plugins where possible.
Upgrade to HTTPS
Where having a TLS certificate (still commonly called an SSL certificate) used to be something reserved for 'proper' websites, initiatives from web giants like Google to push sites towards HTTPS have had a huge effect on the prevalence of site encryption. Now, browsers such as Chrome label plain-HTTP sites 'Not secure' in the address bar, which can be problematic when you're trying to draw visitors to your site.
But looking good for potential visitors isn't the only reason why HTTPS is so vital. HTTPS encrypts and authenticates the connection between the visitor and your server, so data can be neither read nor altered in transit. Without it, the username and password you type into wp-login.php, and the login cookie your browser sends with every request after that, cross the network in clear text, readable by anyone positioned on the path, whether a malicious attacker on the same network or an intrusive ISP that monitors traffic, and the pages your visitors receive can be modified on the way.
You'll need to choose between a free certificate (Let's Encrypt issues them automatically, and many hosts enable this with one click) and a paid one; which suits you depends on the site you have, but for most sites the free option is perfectly adequate. Whichever you choose, HTTPS is a must for your website.
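Installing the certificate is only half the job; WordPress itself has to be told to use it. The following is an added example, not code from the original post. It assumes the site's WordPress Address and Site Address have already been switched to https:// in Settings > General (or with `wp search-replace`). The two pieces marked wp-config.php go above the "That's all, stop editing!" line; the hooks go in a must-use plugin file, here given the hypothetical name wp-content/mu-plugins/force-https.php.

```php
<?php
// Added example, not from the original post.

// --- wp-config.php (above the "That's all, stop editing!" line) ---

// Serve wp-login.php and the whole dashboard over HTTPS only.
define( 'FORCE_SSL_ADMIN', true );

// If TLS terminates at a load balancer or CDN, PHP sees plain HTTP and
// is_ssl() returns false, which would make the redirect below loop.
// Trust the proxy's header ONLY if the proxy is the sole path to the
// backend; otherwise any client can spoof it.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// --- wp-content/mu-plugins/force-https.php (hypothetical filename) ---

// Send every plain-HTTP front-end request to the same path over HTTPS.
// wp_safe_redirect() only follows hosts WordPress trusts, so a forged
// Host header cannot be used to bounce visitors to another domain.
add_action( 'template_redirect', function () {
    if ( ! is_ssl() ) {
        wp_safe_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 301 );
        exit;
    }
} );

// HSTS: once a browser has seen this header it refuses plain HTTP for
// max-age seconds. Start small while testing; raise it (and consider
// includeSubDomains) only after every host on the domain serves HTTPS.
add_action( 'send_headers', function () {
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=300' );
    }
} );
```

After enabling this, check a page in the browser's developer tools for mixed-content warnings: images or scripts still embedded with http:// URLs will be blocked or downgrade the padlock, and are usually fixed by the same search-and-replace on the database.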
Move away from default settings
By default, the login form for your website lives at www.example.com/wp-login.php and the dashboard at /wp-admin/; WordPress also redirects /login and /admin to the same place. The issue is that these URLs are identical on every WordPress site, so anyone who knows your website's address also knows where your login form is. They can go straight there and make any number of attempts at breaking into your account, and automated scanners do exactly that against every WordPress site they find.
Furthermore, many sites still use the administrator username 'admin': older versions pre-filled it at install time, and it remains a common choice. Even when it isn't, WordPress usernames are not really secret: visiting www.example.com/?author=1 redirects to the first user's author archive, whose URL normally carries their login name, and the REST API lists users who have published posts at /wp-json/wp/v2/users. An attacker who knows the username only has the password left to get past.
That's why we recommend using one of the security plugins above, which will detect a user named admin and let you rename it (WordPress itself doesn't allow a username to be changed from the dashboard), and which can move the login page to a URL of your choosing. Treat both as speed bumps rather than locks: they hide the obvious target from casual scanners, but a changed login URL does nothing against attempts made through xmlrpc.php, which accepts a username and password on every request, so that should be disabled or blocked unless you rely on it. Rate-limiting failed logins and enabling 2FA do the actual work.
While a strong password and 2FA setup will prevent many attempts to access your account, every step you can take to prevent attackers even getting that far is a no-brainer.
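Below is what those measures look like without a plugin, as an added example that is not part of the original post and not code from any plugin it names. It is a must-use plugin (hypothetical filename wp-content/mu-plugins/login-hardening.php), which loads on every request and cannot be deactivated from the dashboard. It assumes PHP sees the real client address in REMOTE_ADDR; behind a trusted reverse proxy you would use the forwarded address instead. The lockout threshold and duration are illustrative values.

```php
<?php
/**
 * Plugin Name: Login hardening (added example)
 *
 * Added example, not from the original post or any plugin it names.
 * Save as wp-content/mu-plugins/login-hardening.php (hypothetical name).
 */

const LH_MAX_FAILURES    = 5;                       // illustrative threshold
const LH_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;  // illustrative duration

// Transient key per client address. Assumes REMOTE_ADDR is the real client;
// behind a trusted reverse proxy use the address it forwards instead.
function lh_client_key() {
    return 'lh_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0' );
}

// 1. Count failed logins per IP. Each failure also renews the expiry, so an
//    attacker who keeps hammering a locked-out address stays locked out.
add_action( 'wp_login_failed', function () {
    $key = lh_client_key();
    set_transient( $key, (int) get_transient( $key ) + 1, LH_LOCKOUT_SECONDS );
} );

// Refuse authentication from a locked-out IP even if the password is right.
// Priority 99 runs after WordPress's own username/password handlers (20),
// so they cannot overwrite this result with a WP_User.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( lh_client_key() ) >= LH_MAX_FAILURES ) {
        return new WP_Error( 'lh_locked_out',
            'Too many failed login attempts. Try again in 15 minutes.' );
    }
    return $user;
}, 99 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( lh_client_key() );
} );

// 2. xmlrpc.php takes a username and password on every authenticated call
//    (and many attempts per request via system.multicall), so it bypasses
//    any change to the login URL. Disable the methods that authenticate.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 3. Usernames leak through /?author=1 (redirects to /author/<login>/) and
//    through the REST API's /wp-json/wp/v2/users listing. Close both for
//    anonymous visitors so renaming "admin" actually buys something.
add_action( 'init', function () {
    if ( ! is_admin() && ! is_user_logged_in() && isset( $_REQUEST['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
} );

add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );
```

Note what the lockout does not cover: an attacker spreading attempts across many addresses never trips a per-IP counter, which is why 2FA, not rate limiting, is the control that actually stops a guessed or leaked password from being enough.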
Keep up to date
Even if you have no plugins installed, there are a few things powering your site which will be updated every so often – including your WordPress install itself. And no matter what cocktail of plugins you decide to add to your setup, they will all need updating at some point or another.
It's critical that you ensure your WordPress install, and all of your plugins and themes, are always updated to the latest version. That includes inactive ones: their files are still on disk and can still be requested directly, so update or delete them too. While this seems like a hassle at times, especially when you have a lot of plugins, it's vital that any patches are applied as soon as possible. To find out why, take a look at the changelog released with each update. You'll come across plenty of bug fixes, and some of those are security fixes for vulnerabilities in the plugin or in WordPress itself, not always labelled as such.
When vulnerabilities are discovered, plugin creators are often very quick to fix them and release a new version. But the fix is also a public announcement of the flaw: attackers compare the patched and unpatched code, write an exploit, and scan for sites still on the old version within days. Users who don't update promptly are left with a gaping hole in their security.
If you are running quite a lot of plugins, a further plugin such as Easy Updates Manager lets you check for and install all available updates with a single click, or switch them to automatic. WordPress also has this built in: minor core releases install themselves by default, and since version 5.5 each plugin and theme has an 'Enable auto-updates' link on its listing page. This makes it far easier to ensure that all possible holes are patched.
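The built-in switches can also be set in code, which is handy when you manage several sites. The following is an added example, not from the original post: a wp-config.php constant for core, and two filters in a must-use plugin (hypothetical filename wp-content/mu-plugins/auto-updates.php) for plugins and themes. The hold-back list is a constructed example of plugins you might prefer to test on staging before updating.

```php
<?php
// Added example, not from the original post.

// --- wp-config.php ---
// WordPress already installs minor (security and maintenance) core releases
// unattended; `true` extends that to major releases as well.
define( 'WP_AUTO_UPDATE_CORE', true );

// --- wp-content/mu-plugins/auto-updates.php (hypothetical filename) ---

// Constructed hold-back list: plugins you want to test on staging first.
// These still need a prompt manual update when a security release appears.
const AU_HOLD_BACK = [ 'woocommerce' ];

// Everything not on the list updates as soon as a release is published.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    // $item is the update offer; ->slug is the plugin's directory name.
    // Plugins shipped outside wordpress.org may omit it, hence the guard.
    $slug = $item->slug ?? '';
    if ( in_array( $slug, AU_HOLD_BACK, true ) ) {
        return false;
    }
    return true;
}, 10, 2 );

// Themes rarely need a staging pass; update all of them automatically.
add_filter( 'auto_update_theme', '__return_true' );
```

WordPress emails the site administrator when an automatic update fails, so keep that address monitored. If you would rather drive updates from your own cron job, WP-CLI does the same work from the shell: `wp core update`, `wp plugin update --all` and `wp theme update --all`, and `wp core verify-checksums` confirms that no core file has been tampered with.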
Minimise your footprint
Contrary to many of the suggestions in this post, another effective method of increasing your WordPress site’s security is to try and use as few plugins as possible. Rather than using a completely different plugin for each feature, try and find a plugin which encompasses all of those features into one. These multi-functional plugins also tend to have better support behind them than those that only fulfil one function, with many of the larger security and management plugins even having whole teams of people working on them.
Every separate plugin or theme you have installed on your WordPress site should be treated like another door you need to lock, and another potential entryway for malicious attackers. Therefore, keeping your number of plugins down, and deleting rather than merely deactivating the ones you no longer use, reduces the attack surface an unauthorised user can exploit.
Vulnerabilities in plugins are not rare: even in the last month, three popular plugins were found to contain flaws that allowed unauthorised users to gain admin access. The affected versions of these plugins were installed on a combined 400,000+ websites.
While WordPress and its customisability is a powerful platform when running your own website, it’s worth bearing in mind that installing third-party code onto your site is always a security risk. But with these tips and common sense, you can minimise the risk considerably.
We also offer WordPress Hosting, which will automatically apply WordPress patches and hotfixes to your install, as well as allowing you to enable auto-updates for full versions. You can take care of keeping your site up to date without lifting a finger, and all your sites will be hosted in our secure UK data centres.