The Ultimate WordPress Security Guide for Website Owners Big and Small
Updated for 2020.
My Toronto WordPress design company has been working with WordPress for 17 years. We’ve been along for the ride since the fledgling blogging platform started to garner enough attention in the web design world as a potential CMS powerhouse due to its ability to be highly customized and the fact that it’s open-source; people love free stuff!
When it comes to WordPress we take security seriously and share our experience not only with our clients but also with anyone who reaches out with questions or needs support, with the aim of clarifying misconceptions created by ill-informed users and helping to make the web a better place.
Is WordPress secure? Yes, with proper maintenance and care WordPress is a very secure platform to build your business’ online marketing strategy upon. Can WordPress be hacked? Absolutely! Just as any website can be hacked if not maintained properly and regularly updated to combat the latest threats and security vulnerabilities. The web is in a constant state of change and evolution and as a website owner, it’s your job to stay on top of these changes.
Occasionally, when discussing content management system options with new clients I find that they have been misinformed about WordPress and scared off by nightmarish security issues. Like any website or CMS, if the website administrator is not active and committed to maintaining a secure website there will eventually be issues. WordPress is no different from any other platform, however, because WordPress is the world’s most popular CMS there is naturally more attention both good and bad focused on it. In many of the cases where my clients have been misled about using WordPress, I have found after our initial consultation that hobbyists or DIY bloggers are driving the bus when it comes to their WordPress security concerns. These types of users are simply not qualified to be passing along such information given they’re not web professionals and most often do not make sure they are following the most basic of practices when it comes to maintaining a secure WordPress site, or any website for that matter.
In truth, brute-force attacks on websites and web hosts are very common, and many WordPress websites have been hacked. However, it’s important to understand how and why this happens before forming an opinion on any CMS platform. My goal in speaking with both new and existing web clients is to provide them with the most up-to-date and relevant information so that they can make the most informed decision for their business. Having built professional WordPress websites and eCommerce website designs for nearly two decades gives me a little added experience and ultimately more trust when it comes to discussing WordPress security with my clients.
The way my web development agency breaks down WordPress security, so that every website owner can follow each step and make more informed decisions, is to divide our best practices into four groups that we call The Four Pillars of WordPress Security. Parachute Design focuses primarily on WordPress web design, but many of these practices can be applied to any website or CMS platform. We periodically receive inquiries from business owners asking “How can I improve my WordPress security?” These conversations are the inspiration for this article, which sheds light on theme and WordPress plugin security and provides clarity on the WordPress security best practices we recommend for maintaining a secure website.
1. Server Level Security
Web hosting matters. Plain and simple, website hosting can make or break your online marketing success. Choosing a hosting provider is also one of those things in life where you clearly get what you pay for. Many of our clients have gotten by just fine using a shared hosting environment for years and have stayed loyal to that web host because it’s cheap. When it comes to performance and security, web hosting is the most fundamental piece of the plan. For a few dollars more a month we deploy our clients’ websites to a managed WordPress hosting service that not only offers better development, management and performance tooling but, most importantly, a much more secure environment for the website to live in. The primary reason we do not use run-of-the-mill shared hosting is that our clients’ websites would live on a server with thousands of other websites, any one of which could become vulnerable through negligence, poor coding or plain lack of management. When that happens, every website on the server faces increased risk and there is nothing we can do about it. Conversely, with managed WordPress hosting we can still use a shared environment to keep costs relatively low, but with the added benefit of industry-leading security measures geared specifically to WordPress. Each website on the shared server is deployed into its own container so that malicious code, bots or attackers cannot move from one site to the next. If one website is compromised, the attack is contained and does not spread to the other websites in the environment.
The icing on the cake here is that most managed WordPress hosts include a security or hack guarantee that should someone or something manage to find a way past their advanced firewalls and security protocols they will fix the website for free. Wouldn’t that alone help you sleep better at night?
Domain-Level Security and Content Delivery Networks
To bolster your efforts to keep WordPress secure, there are also excellent third-party platforms that work in concert with your managed WordPress hosting to stop attacks or malicious visitors before they even reach your website. These services compare visitor IP addresses against known attackers, historical patterns and a variety of other signals that tell the software immediately whether the person (or bot) visiting your website is trustworthy, and this happens before your page even loads. This is called network edge security, and there are two big players in the industry that we use regularly.
My personal favourite is Cloudflare. With plans and services that are easily configured for everything from startups to enterprise-level super sites, Cloudflare offers industry-leading software and security for virtually everyone. Once configured, your DNS is routed through Cloudflare’s servers and content delivery network, where login attempts are monitored and thwarted on the spot, brute-force and DDoS attacks are blocked, and malicious visitors cannot reach your website, let alone your plugins, themes or the WordPress core. Power users can even control access to specific areas of the website, such as the WordPress admin, allowing only specific users, IP addresses or email domains so that only the right people are granted access.
In addition to the security measures available from Cloudflare they also offer incredible performance enhancements to work with your web server to power your website’s speed and overall user experience. These factors also contribute to improved search engine optimization and better rankings when used correctly. However, that’s another topic for another article.
Sucuri is another fantastic tool that website owners can deploy easily to monitor and manage security on their WordPress site. Similar to Cloudflare, website owners can route their DNS through Sucuri’s servers to stop brute-force and other attacks before they happen. In general, Sucuri is a little simpler to install and manage, as they provide a WordPress plugin that is easily installed via the WordPress dashboard. The plugin then sends information directly to your Sucuri account to offer added monitoring of theme security, plugin updates and the WordPress version. Sucuri also offers a free website scanner that looks for common issues, errors or malicious code, which can then be corrected by your web developer or cleaned up by Sucuri for a nominal fee.
Sucuri does not offer the performance enhancements or level of personal control over features that Cloudflare does, but it is geared towards entry-level to intermediate users that prefer to take a more “hands-off” approach.
Limit Access to the “wp-content” Directory
Placing the following rules in an .htaccess file inside the wp-content directory blocks direct web requests to everything in it (a PHP script that has found its way into the uploads folder, for instance) while still serving the static asset types listed; extend the list if your theme serves other types, such as fonts, SVG or WebP images:

```apache
# Deny direct requests to everything in wp-content ...
Order deny,allow
Deny from all
# ... except the static asset types themes and plugins need to serve
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
    Allow from all
</Files>
```

These are Apache 2.2 access-control directives; Apache 2.4 only honours them when mod_access_compat is loaded, otherwise the equivalent Require directives (`Require all denied` / `Require all granted`) are needed.
Use SSH Instead of FTP
To access your website files on the web server, you or your web developer must open a connection to the server to place, remove or modify website files, and the traditional way to do that is FTP (file transfer protocol). FTP is not nearly as secure as most people believe: it sends credentials and file contents unencrypted, so they are often easily captured by attackers wanting to get into your server to attack your website. Many managed WordPress hosting providers require everyone to use SFTP (file transfer over SSH) with strong passwords, which adds real protection to the server connection; the most secure method of access, however, is SSH (secure shell) itself.
SSH is a more secure alternative to FTP that authenticates with key pairs and encrypts all the data sent through it, so that your connection and user credentials are hidden from would-be attackers.
The wp-config.php file is very important as it contains all the access information and keys that are vital to securing your blog. We can secure the file by adding these lines to the .htaccess file in the WordPress root directory (where the wp-config file resides):
```apache
# protect wp-config.php
<Files wp-config.php>
    Order deny,allow
    Deny from all
</Files>
```
This code denies all web requests for the wp-config.php file (PHP still reads it from disk as normal). Note that .htaccess rules only take effect on Apache and compatible servers such as LiteSpeed; nginx ignores them, so there the equivalent block has to go in the server configuration.
Prevent Search Engines from Indexing the WordPress Admin
Search engines deploy crawlers to read and organize all the content available on the web and build their search results pages. If the WordPress admin area is left open to indexing, you could end up with unwanted information available online. Though this is rare, as search engines’ algorithms are getting smarter and can tell what should and should not be indexed, it’s still part of our WordPress security guide to block the admin area from Google’s crawlers. The easiest way to block crawler access is to create a robots.txt file in your root directory and add the following rules to it:
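A robots.txt that does this, added here as an example rather than taken from the original article; it leaves admin-ajax.php reachable because public front-end features call it:

```text
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
```

robots.txt is advisory: well-behaved crawlers honour it, attackers ignore it (and can read it), so it complements the access controls in this guide rather than replacing them. WordPress already serves an equivalent virtual robots.txt when no file exists on disk.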
The core of all WordPress websites is the /wp-admin/ directory and understandably, the most important to secure and maintain. Should this directory fall victim to infiltration the entire WordPress website is open to malicious activity.
A fail-safe way to approach this potential issue is to secure the /wp-admin/ directory with a password. With this method the website administrator must provide one password to reach the standard WordPress login page and another to sign in to the WordPress admin dashboard. Note that wp-admin/admin-ajax.php is also called by the public front end, so exempt it from the extra password or those features will break. If you’re using Cloudflare to help protect your WordPress website and enhance performance, this can be configured easily with Cloudflare Access, which limits access to the WordPress login page based on whatever filters you choose to apply.
Modify the Default WordPress Database Table Prefix
By default, WordPress configures its database tables with the “wp_” prefix. This naming convention is common knowledge among malicious visitors and makes the database an easy target. By changing the table prefix to something unique or unidentifiable, you can help keep your database hidden from prying eyes. Bear in mind that this is obscurity rather than a barrier: it hinders automated SQL injection scripts that hard-code the default table names, but nothing more.
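Changing the prefix on an existing site is more than editing one line, which is where people get locked out: WordPress also stores the prefix inside row values (the user_roles option and the capabilities and user_level usermeta keys). The script below is an added example, not the article’s or WordPress’s own code; it generates the SQL for a rename, with the table list and the new prefix `k7q2_` as constructed sample values.

```python
"""Generate the SQL needed to move a WordPress install from one table prefix
to another. Added example, not code from the article: it shows why editing
$table_prefix in wp-config.php alone is not enough, since WordPress also
stores the prefix inside row *values* (the user_roles option and the
capabilities/user_level usermeta keys), and those must be renamed too."""
import re

# Constructed sample: the core tables of a default install.
SAMPLE_TABLES = [
    "wp_commentmeta", "wp_comments", "wp_links", "wp_options",
    "wp_postmeta", "wp_posts", "wp_term_relationships",
    "wp_term_taxonomy", "wp_termmeta", "wp_terms", "wp_usermeta", "wp_users",
]

# Row values that embed the prefix and break login if left untouched.
PREFIXED_OPTION_NAMES = ["user_roles"]
PREFIXED_META_KEYS = ["capabilities", "user_level"]

# WordPress only accepts letters, digits and underscores in a prefix.
VALID_PREFIX = re.compile(r"^[A-Za-z0-9_]+$")


def validate_prefix(prefix: str) -> str:
    """Reject prefixes WordPress itself would refuse (and anything SQL-unsafe)."""
    if not VALID_PREFIX.match(prefix):
        raise ValueError(f"invalid table prefix: {prefix!r}")
    return prefix


def rename_statements(tables, old, new):
    """RENAME TABLE statements for every table carrying the old prefix."""
    validate_prefix(old)
    validate_prefix(new)
    stmts = []
    for table in tables:
        if table.startswith(old):
            stmts.append(f"RENAME TABLE `{table}` TO `{new}{table[len(old):]}`;")
    return stmts


def fixup_statements(old, new):
    """UPDATEs for the prefixed values inside options and usermeta.

    These run after the renames, so they target the *new* table names."""
    validate_prefix(old)
    validate_prefix(new)
    stmts = []
    for name in PREFIXED_OPTION_NAMES:
        stmts.append(
            f"UPDATE `{new}options` SET option_name = '{new}{name}' "
            f"WHERE option_name = '{old}{name}';"
        )
    for key in PREFIXED_META_KEYS:
        stmts.append(
            f"UPDATE `{new}usermeta` SET meta_key = '{new}{key}' "
            f"WHERE meta_key = '{old}{key}';"
        )
    return stmts


def migration_plan(tables, old, new):
    """Full ordered script: renames first, then value fix-ups."""
    return rename_statements(tables, old, new) + fixup_statements(old, new)


if __name__ == "__main__":
    print("-- 1. set $table_prefix = 'k7q2_'; in wp-config.php, then run:")
    print("\n".join(migration_plan(SAMPLE_TABLES, "wp_", "k7q2_")))
```

Take a database backup first and run the statements inside one transaction or maintenance window; a half-applied rename leaves the site unable to find its tables.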
Another tried-and-true method of keeping the WordPress admin dashboard secure is to serve it over HTTPS using your SSL certificate (secure socket layer, strictly TLS these days). SSL encrypts the data transfer between the web browser and the web server, which makes it much harder for anyone to hijack your admin session or capture your login information. WordPress can be told to insist on HTTPS for the dashboard with the FORCE_SSL_ADMIN setting in wp-config.php. Most websites have made the transition from HTTP to HTTPS by now to take advantage of the added SEO benefits, but if you’re still serving content over HTTP, now is the time to make the switch.
Take Regular Website Backups
Having regular and current website backups is an important practice for any website, whether you’re running WordPress or a basic HTML or PHP file system. Business owners taking advantage of managed WordPress hosting services will have this feature activated by default with virtually any provider they choose to host their site, but other common shared web hosts will often require site administrators to configure automatic backups in the hosting control panel, or in some cases install additional plugins or software.
No matter what format your hosting and backup services require, be sure to make regular backups of your website content (database), themes and plugins, and keep at least one copy somewhere other than the web server itself, so that a compromised server does not take the backups with it. Imagine if you lost years of your WordPress website content, blog posts and articles because someone thought it would be fun to hack your website. This would be disastrous to any business with an established online presence and could take years of hard work to regain your positioning and rebuild user trust.
2. Website Level Security
Website attackers use different methods depending on the type of attack and the open vulnerabilities discovered within a website. In most cases the hacking is done by bots that attackers release onto the web to search out websites with a specific set of weaknesses the bot is programmed to find and exploit. The vulnerabilities may include weak passwords, missing security updates, web forms or predictable usernames. Fortunately, when the appropriate best practices are followed, the chances of one of these bots finding its way into your WordPress website are slim.
Many social media platforms and enterprise-level services rely on two-factor authentication to secure user account data and allow only legitimate users to access their service. 2FA requires the user to prove who they are using two different methods, such as a standard web form login with a username and password combined with confirming their identity through a separate device or piece of information, like an SMS text message.
The Best 2FA Plugins for WordPress for 2020
Google Authenticator – Two Factor Authentication (2FA) is hands down the most advanced 2FA plugin for WordPress. With its plugin, Google takes the most proactive approach against potential website threats, providing multiple backup options for users experiencing severe attacks.
With this powerful 2FA plugin, WordPress admins activate the two-factor service and configure their preferred methods. Each user can then log in to the WordPress installation with their usual username and password plus a second factor, or with just a username and the second factor.
The key advantages to using Google’s 2FA plugin are two-factor authentication via SMS, OTP sent by e-mail, software key, QR code, push notifications, shortcode for customized login pages, and identification of the device to avoid repeated attempts. One drawback to using this plugin for some users is that it does not support the multisite feature in WordPress or authentication via phone call and YubiKey.
Shield WordPress Security
Formerly named Simple Firewall, Shield WordPress Security gives WordPress administrators the choice of two methods of authenticating themselves: one by email, the other by YubiKey. The plugin’s email authentication includes two separate modes (cookie-based or IP-address-based).
Perhaps the simplest and easiest-to-use 2FA solution available to WordPress users is Duo Two-Factor Authentication. This plugin can be installed and configured in mere seconds to start logging in without a password at all. The core idea behind this awesome plugin is to provide a simple 2FA login for a WordPress website that is easy to use, yet robust enough to defeat anyone attempting to gain access who doesn’t belong there.
The main advantages of Duo’s plugin are multiple 2FA options including SMS, phone call and hardware keys. However, just like Google Authenticator, Duo does not support the WordPress multisite architecture or work with Google Authenticator.
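To show what the “software key” and “QR code” options above actually do, here is an added RFC 6238 TOTP implementation in Python (not code from any plugin named above): the QR code merely transports a shared secret, and both the phone app and the website compute the same 6-digit code from that secret and the current 30-second time step. The constants and the replay note are mine; the test secret is the one from the RFC.

```python
"""Minimal RFC 6238 TOTP, the scheme behind Google Authenticator-style apps.
Added illustration of how the "software key" and "QR code" options work;
not code from any plugin named in this article."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP = 30     # seconds per time step
DIGITS = 6    # code length shown by authenticator apps
WINDOW = 1    # accept one step of clock drift either side


def new_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded as authenticator apps expect.
    This is what the QR code carries (inside an otpauth:// URI)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """Code for the 30-second step containing Unix time `at` (default: now)."""
    if at is None:
        at = int(time.time())
    return hotp(secret_b32, at // STEP)


def verify(secret_b32: str, code: str, at: Optional[int] = None) -> bool:
    """Server-side check with a small drift window and constant-time compare.
    A real plugin must also remember the last accepted step so that the same
    code cannot be reused within the window."""
    if at is None:
        at = int(time.time())
    step = at // STEP
    ok = False
    for delta in range(-WINDOW, WINDOW + 1):
        if hmac.compare_digest(hotp(secret_b32, step + delta), code):
            ok = True   # keep looping so timing does not reveal the match
    return ok


# Shared secret from the RFC 6238 test vectors, for checking offline.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print("RFC 6238 vector at T=59:", totp(RFC_SECRET, 59))   # 287082
    s = new_secret()
    print("new secret for the QR code:", s, "current code:", totp(s))
```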
Limit Accounts with Admin Access
Another way to help keep your WordPress site secure is to limit the number of user accounts that have full administrative access. By keeping a watchful eye on and restricting the number of all-access accounts within the website, it’s much easier to maintain a secure website and keep control over the core WordPress functions as well as plugin and theme versions.
Login Monitoring and Lockdown
The server-level practices discussed in step 1 will help to secure access to directories and plugin or WordPress theme files. However, we cannot keep all attackers at bay and it is important to monitor your WordPress website on a regular basis. There are many security plugins that offer this service and most come with additional security tools to help secure your WordPress site at the website level should a hacker or bot find its way past the web server firewalls in place.
WordPress plugin developers tirelessly work at creating plugins to help you monitor and set preferences to harden your WordPress installation. The plugins achieve this by protecting or hiding commonly attacked files such as plugins and themes, the wp-config PHP file, WordPress code and WordPress version. For example, with most WordPress security plugins, you can monitor both automated crawlers and visitors to your website and block access to any suspicious visitor by adding them to a disallow file that lives on the web server. The plugin can help lock down your WordPress website and notify administrators when pages or content were last updated.
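As an added illustration of what the login monitoring and lockdown features described above key on (not code from any plugin): WordPress answers a failed wp-login.php POST with HTTP 200 because it re-renders the form, while a successful login is a 302 redirect into wp-admin, so a burst of 200s on wp-login.php from one IP inside a short window is the signal. The log lines, threshold and window below are constructed.

```python
"""Spot brute-force login bursts in an Apache-style combined access log.
Added example with constructed log lines, not code from any plugin named
above. WordPress answers a failed wp-login.php POST with HTTP 200 (it
re-renders the form) and a successful one with a 302 redirect."""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format as most hosts write it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")
THRESHOLD = 5      # this many failed attempts ...
WINDOW_SEC = 300   # ... within this many seconds trips a lockout

# Constructed sample: one IP hammering the login, one ordinary user logging in.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2020:09:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:09:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2020:09:15:03 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:09:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2020:09:15:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:09:15:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:09:15:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:09:15:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
"""


def parse(line):
    """(ip, timestamp, method, path, status) for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT)
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])


def is_failed_login(method, path, status):
    """Classify one request as a failed login attempt."""
    if method != "POST" or path not in LOGIN_PATHS:
        return False
    # xmlrpc.php returns 200 for success and failure alike (faults are XML),
    # so every POST to it is counted as an attempt.
    return path == "/xmlrpc.php" or status == 200


def find_lockouts(log_text, threshold=THRESHOLD, window=WINDOW_SEC):
    """Map each IP that crossed the threshold to the timestamp that tripped it."""
    recent = defaultdict(list)   # ip -> failed-attempt timestamps in window
    tripped = {}
    events = [e for e in map(parse, log_text.splitlines()) if e]
    events.sort(key=lambda e: e[1])   # log lines are not always in order
    for ip, ts, method, path, status in events:
        if not is_failed_login(method, path, status):
            continue
        cutoff = ts.timestamp() - window
        recent[ip] = [t for t in recent[ip] if t.timestamp() >= cutoff] + [ts]
        if len(recent[ip]) >= threshold and ip not in tripped:
            tripped[ip] = ts
    return tripped


if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE_LOG).items():
        print(f"lock out {ip}: {THRESHOLD} failed logins by {when:%H:%M:%S}")
```

Behind Cloudflare or another proxy the first field is the proxy’s address, so read the client IP from the forwarded header the host documents before feeding lines to this logic.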
The Best WordPress Security Plugins for 2020
The best WordPress security plugin available right now is Sucuri Scanner. The plugin is easy to set up and will begin automated scans to audit and monitor your website right away to keep track of everything that happens within your website. Once configured the plugin runs automatically on a set schedule and delivers reports to your inbox including the integrity of your file system, failed login attempts and associated IP address, as well as malware scanning and a handful of other features.
iThemes Security Pro
Priced at $80 per year, iThemes Security Pro is a very good WordPress security plugin that offers two-factor authentication for an extra layer of security in addition to the enforcement of strong passwords and can even detect outdated plugins or broken page errors among many of the other common offerings that ship with most security plugins. There is no WAF (web application firewall) or malware scanner, but the plugin does utilize Sucuri’s free malware scanner.
WordPress administrators looking for an all-in-one security solution will find luck with Jetpack Security. The plugin is very well-known and easy to install on any WordPress installation to immediately start scanning for vulnerabilities. Jetpack includes some great features right out of the box to protect the WordPress core, such as automatic backups with a one-click restore, login attempt limiting and automated comment filtering, making this plugin a favourite among bloggers. A free version of Jetpack is available; however, to use all the great features baked into this plugin users will need to purchase a license for the premium version, starting at $9 per month.
Like an old reliable friend, Wordfence is a great free plugin that has been around for many years and over that time has developed a well-stocked offering of security features to protect WordPress websites. Wordfence is free to download and use on your WordPress installation but does lack some of the automated features offered by some of the other plugins above.
BulletProof Security looks and feels rather dated compared to some of the others on this list, but having been around for a long time, boasting a great track record with users and being free to use keeps this plugin in the mix. One of the greatest features rolled into this plugin is its Idle Session Logout option. Many WordPress admins forget to log out of the CMS when they’ve finished making updates. With this plugin, when a session becomes idle, meaning nothing has happened for a pre-determined amount of time, the plugin automatically logs that user out. This is a handy feature when multiple users are accessing the CMS to make updates, as it prevents one user from unknowingly hogging access to a specific page or post.
3. User Level Security
Maintaining a secure username and strong password is the most important part of securing a WordPress website that the everyday user has control over. A weak password can undermine all the hard work you have put in place to secure your website and give attackers quick and easy access to your WordPress software and files.
A brute-force attack typically tries a list of common usernames and passwords to gain access to the WordPress dashboard. To counter this type of attack, the first thing you must do after installing WordPress is create a new user account with administrative privileges using an uncommon, non-obvious username: something unique to you rather than an obvious choice such as “admin” or “administrator.” Keep in mind that should our hypothetical attacker be a human instead of a bot, they may scan your website’s About page to collect the names of people in the company and build a list of potential usernames. They can also follow links to your social profiles and gain more insight into your professional and personal life to make more educated guesses at what your password might be.
In addition to using a secure username, you must also create a strong password for your account. Passwords should not be guessable and should be generated to be as long and random as possible. Special characters mixed in with alphanumeric characters add complexity and make your password much more secure. There are countless password generators available online to help you create highly secure passwords or suggest strong usernames and passwords.
In this age, if you’re still reusing plain-text passwords across multiple sites or applications you are vulnerable on multiple levels. I would highly recommend using a service like Dashlane to store and manage your passwords securely so that you don’t have to remember them all. Additionally, Dashlane will scan all your usernames and passwords and prompt you to update those that are potentially weak. Even better, the app can scan the dark web for references to your accounts that may invite malicious activity, as well as notify you of websites that have been hacked previously, putting your account or user data at risk.
4. Website Maintenance
Given that WordPress is an open-source CMS, any new enhancements, security patches and code changes to the core software are available to the public immediately. Similarly, the plugins used on your website are also open source and any vulnerabilities in the plugins and WordPress version can be exploited by attackers if they are not addressed in a timely manner.
Thankfully, WordPress fixes and releases updates frequently when they come across flaws or new vulnerabilities to protect users. As a website owner, you must ensure that you install and maintain updates to the plugins and themes used on your WordPress site regularly.
In terms of updating the WordPress core, a managed host pays for itself again, as it makes patching a little easier for you with automatic core updates. You will receive a notification from the web host before the update takes place, giving you ample time to test the new WordPress version with your plugins and theme on a staging environment and confirm there are no issues before it goes live. Maintaining the latest version of WordPress is critical to ensuring your website is operating at its full potential and that the WordPress core remains compatible with the installed plugins.
Managed WordPress hosting providers will not, however, update your WordPress plugins or themes, as these elements are often customized to achieve a specific design or function. Though any user with admin access to the WordPress installation can run plugin or theme updates, I always recommend our clients leave software updates to our WordPress developers. The reason is that many of the custom WordPress websites we design and develop can be damaged by an automatic plugin update: when the update files are installed they revert the plugin to its default, “out-of-the-box” settings, overwriting the customizations made to its design or functionality.
Many of our clients prefer a proactive approach to maintenance where we schedule monthly or quarterly updates to ensure their websites are running smoothly and efficiently without having to worry about security or performance issues. This practice allows our clients to focus on running their business and leave the website management to our experienced web design company.
WordPress security is a complex and ever-evolving topic. This article categorizes our tried and tested best practices for WordPress security into four steps that every WordPress website owner can implement. Mass attacks on web technology often target everyone using a specific platform. While these basic steps to secure your WordPress website may not stop a dedicated attacker hell-bent on hacking your website, they can protect you from most of the mass attacks that exploit vulnerabilities in the system and those created by ill-informed users.