It has been a while since we’ve looked at best practices for securing your WordPress website. So it seemed fitting to dig up my original post from March 2014 entitled The 4 Pillars of WordPress Security and take a look at how web security or more specifically WordPress website security and management has evolved in the last three years.

Just as in 2014, I still experience occasional push back from new clients when broaching the topic of using WordPress as their new content management system. In most of these instances, the client has been misguided or influenced by a poor web host or colleague who has not been following these simple methods to keep their WordPress website safe.

Malicious attacks on websites and web hosts are widespread, and it’s also true that many WordPress websites have been targeted and hacked. However, it’s important to look at the facts when forming an opinion on whether or not move your next website to WordPress.

Most commonly, these cases arise when the web host and website owner have not taken minimal efforts to address security issues in their WordPress installation by keeping the core software and plugins up to date addressing the most obvious vulnerabilities.

Further skewing this perspective is the fact that WordPress powers nearly one-third of all websites currently online – more than any other platform. WordPress powers 28% of all websites and is the most widely used content management system online. By the law of averages, it’s unfair to compare it to the number of successful attacks on other systems that do not hold nearly as much market share.

Server-level WordPress Website Security

A well known DDOS attack on WordPress websites around the world put a strangle hold on the web with a brute force attack that was staged from multiple IP addresses to exploit weaknesses in usernames and passwords. The attackers’ goal was to bring down the websites by systematically guessing common usernames. To combat this type of attack as well as many others, let’s have another look at the essential security measures that you and your web host should be taking to secure your WordPress website from malicious hackers.

Server Level Security

SQL injection hacks are the most frequent attacks WordPress websites face. A hacker may gain access via the .htaccess file before moving on to the WordPress core code files. A good way to view your .htaccess file is the doorway to your WordPress installation. By modifying your .htaccess file, you can stop attackers from accessing other important files and folders within your WordPress installation.

.htaccess

To secure the code base and various files within your WordPress website, your web developer may customise the permissions in your root .htaccess file. You may also add .htaccess files to other common directories like /wp-content/uploads. I’ve discussed this security measure in more detail in another article titled How to Help Prevent Your WordPress Site From Being Hacked.

With the custom permissions configured in your .htaccess file, you can rest assured that unwanted visitors are not able to access your WordPress website or theme and plugin files. However, what if you’re not savvy enough to make modifications to your .htaccess file, as I suspect is a challenge for the average website owner. By choosing to utilise a reputable and specialised web host like WP Engine, these basic security precautions will be put in place you automatically.

Secure /wp-admin/

The core of all WordPress websites is the /wp-admin/ directory and understandably, the most important to secure and maintain. Should this directory fall victim to infiltration the entire WordPress website is open to malicious activity.

A failsafe method to approach this potential issue is to secure the /wp-admin/ directory with a password. Using this method requires the website administrator to provide a password to access the standard WordPress login page, and another to access the general WordPress admin dashboard.

Modify the default WordPress Database Table Prefix

By default, WordPress configures its database with the “wp-” prefix. This naming convention is also common knowledge among malicious visitors and makes the database an easy target. By changing the table prefix to something unique or unidentifiable, you can help keep your database away from prying eyes.

By default, WordPress configures its database with the “wp-” prefix. This naming convention is also common knowledge among malicious visitors and makes the database an easy target. By changing the table prefix to something unique or unidentifiable, you can help keep your database away from prying eyes.

SSL Encryption

Another tried, and true method to ensure that the WordPress admin dashboard is secure is to install an SSL certificate (secure socket layer). SSL encrypts data transfer between the web browser and the server, which makes it much harder for anyone to hijack your admin account or scrape your login information.

WordPress Website-level Security and Management

Another tried, and true method to ensure that the WordPress admin dashboard is secure is to install an SSL certificate (secure socket layer). SSL encrypts data transfer between the web browser and the server, which makes it much harder for anyone to hijack your admin account or scrape your login information.

Securing your website with an SSL certificate can also help boost your search engine rankings as Google has now moved to give priority to secure websites using the https:// protocol.

Website Level Security

Hackers with malicious intent on harming your WordPress website can approach your installation in several ways. The .htaccess suggestions discussed earlier in this article will ensure that your WordPress directories and code base is secure. However, it is important to remember that the best way to keep your website safe is to pay close attention and monitor activity on the website.

Login Monitoring and Lockdown

WordPress plugin developers tirelessly work at creating plugins such as Wordfence Security to help you track and set preferences to harden your WordPress installation. For example, with the Wordfence Security plugin, you can monitor crawlers and visitors to your website and block access to any suspicious visitor. Additionally, you can also monitor login attempts to your website, and set the maximum number of unsuccessful login attempts allowed before the plugin blocks the user from further login attempts. The plugin also scans the WordPress installation files and offers an option to restore original data if any files become infected with malicious code. Additionally, Wordfence has options to set up email alerts to keep you informed of any vulnerability that the plugin detects during its daily scans.

Two-factor Authentication

Many social media platforms and enterprise level services like iCloud now rely on two-factor authentication to secure user accounts and allow only true users to access their service. Two-factor authentication requires the user to prove who they are using two different methods, such as a standard web form login with a username and password as well as a confirming their identity via another separate device or set of information, such as verifying a unique code via text message.

User-Level Security

The most important security features for any user-level account are a unique username and password tailored specifically to you. A predictable password and username combination can undermine any other web security work you or your developer have put into the website.

One of the most frequent attacks, known as a “brute force attack” will use easily predictable or generic usernames and passwords to gain access to the website. The most efficient way to defend against a brute force attack is to ensure all admin level user accounts have a unique username and password combination. The best practice for creating usernames is to rely on your email address, which is more difficult for brute force attacks to guess. In addition to creating a secure username, a strong password is also essential for your account.

Usually, a strong password has at least eight characters, is not a dictionary word, and is made up of numbers, both lowercase and uppercase letters and special characters like [email protected]#%. There are many password generators available online to help you create highly secure passwords.

Change the Admin Username

Modifying the default admin username is a quick and easy fix that. The first username any hacker or bot will attempt to use to login to your website is “admin” because it’s the default WordPress administrative account name.

To change the default admin username, it’s as simple as creating a new admin account with your unique name and email. Then logging into that new account, and deleting the default admin account. Done!

Limit Accounts with Admin Access

Another way to help keep your WordPress site secure is to limit the number of user accounts that have full administrative access. By keeping a watchful eye and restricting the number of all access accounts within the website, it’s much easier to maintain a secure website.

Website Maintenance

Given that WordPress is an open source CMS, any new enhancements and code changes are available to anyone with an internet connection. Similarly, the plugins used on your WordPress website are also open source. Without regular maintenance, attackers can exploit any vulnerabilities in the plugins and WordPress core software.

WordPress Website Maintenance

Fortunately, WordPress is very quick to update and respond to security threats with fixes and software updates. As a website owner, you must take the appropriate steps to install these updates when they are released. A managed WordPress host like WP Engine can make life much simpler with their automatic core updates and disallowed plugin rules.

Website security is a complex and fluid topic. My hope is that this article outlines the most basic steps that every website owner can understand and implement with relative ease. However, taking these basic steps to secure your website may not stop a dedicated attacker bent on compromising your website, they can protect you from most of the mass attacks that exploit vulnerabilities in the system and also those created by ill-informed users.

For a complete overview of maintaining a secure and healthy WordPress installation read our article on How to Help Prevent Your WordPress Site From Being Hacked.

About Parachute Design

If you’d like to discuss securing your website, please feel free to reach out for help. We’re WordPress professionals and have been creating beautiful hand-made WordPress websites for more than a decade. If you’re considering a new website design for your business, fill out our proposal planner for more information on how we can help your online marketing.

If you’d like to discuss securing your website, please feel free to reach out for help. We’re WordPress professionals and have been creating custom WordPress website design for more than a decade. Call our Toronto web design company at 416-901-8633.