The WordPress Security Guide – How to Keep Your Site Locked Down
Hackers and cyber thieves are everywhere these days. The more information we keep online, the higher our risks of losing it all. I sure don’t want someone stealing my information – do you?
That’s why it’s important to maximize your WordPress security, and that’s what this guide is all about. These are the practical, actionable steps to stop hackers from stealing your WordPress information.
Step 1: Keep Plugins Up to Date
This is the easiest way to keep your website secure. WordPress itself, your plugins and your themes all update fairly often, and many of those updates fix security bugs that attackers start scanning for as soon as the fix is published.
To update, go to your WordPress admin area and, under Dashboard, click Updates. If it shows that you have the latest version of WordPress and that your plugins and themes are all up to date, you're good to go.
One catch: a plugin or theme you deactivated but never deleted is still on disk and still reachable by URL, so it can still be exploited. Delete anything you no longer use rather than just switching it off.
Step 2: Hide Your Admin Area
Do you only use your site from home and the office? If so, you can restrict the admin area to your own IP addresses. Create a .htaccess file inside the wp-admin folder (not the one in the site root, where these lines would lock every visitor out of the whole site) through your SFTP client or your host's file manager, and put this in it:
Order deny,allow
Deny from all
Allow from xx.xxx.xxx.xxx
Replace “xx.xxx.xxx.xxx” with your public IP address. If you don't know it, whatsmyip.com shows it. To allow more than one address, such as your office or a family member's house you visit a lot, add another Allow from xx.xxx.xxx.xxx line for each. Two things to check afterwards: the login form itself is wp-login.php in the site root, not under wp-admin, so wrap the same three lines in a <Files wp-login.php> ... </Files> block in the root .htaccess as well; and wp-admin/admin-ajax.php is used by many themes and plugins for ordinary visitors, so if front-end features stop working, add an exception for that one file. On Apache 2.4 these directives only work if mod_access_compat is loaded; the native equivalents are Require all denied and Require ip xx.xxx.xxx.xxx.
This may not be practical for you if you work from multiple places, like coffee shops or hotels or whatever it may be… or you may just not be tech-savvy enough to edit the .htaccess file.
Fear not: another way to secure your website is to limit the number of login attempts from one address, which stops attackers from trying password after password at full speed. The plugin I use for this is actually just called Limit Login Attempts. Be aware that login attempts can also be made through xmlrpc.php (the XML-RPC interface that comes up again in Step 8), and its system.multicall method lets an attacker pack hundreds of password guesses into a single request, so make sure whatever you use counts those attempts too, or disable XML-RPC if nothing you run needs it.
Note: You may have heard of changing the URL of your admin area. You can do this if you want to, but it adds very little security: it is obscurity, not a control. The new URL leaks through redirects and through links and plugins that reference it, and tools that brute-force WordPress logins also go through xmlrpc.php, which such a change does not touch. Spend the effort on a strong password and two-factor authentication instead.
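The .htaccess rules above only work on Apache; many hosts run nginx, where .htaccess files are ignored, or set AllowOverride None. As an added example (not code from the original post), the same allowlist can be enforced inside WordPress as a must-use plugin. The file name, the example_ prefix on the functions and the addresses are placeholders: the addresses come from the RFC 5737 documentation ranges and must be replaced with your own.

```php
<?php
/*
 * Added example, not from the original post: enforce an IP allowlist for
 * wp-login.php and /wp-admin/ in PHP, for hosts where .htaccess is ignored
 * (nginx, or Apache with AllowOverride None). Save as
 * wp-content/mu-plugins/login-ip-allowlist.php (must-use plugins load on every
 * request, before normal plugins, and cannot be deactivated from the dashboard).
 */

// Placeholder addresses from the RFC 5737 documentation ranges; replace with your own.
const EXAMPLE_ALLOWED_LOGIN_IPS = [
    '203.0.113.10',     // e.g. home
    '198.51.100.0/24',  // e.g. office network
];

/** True if IPv4 $ip equals $cidr exactly or falls inside "a.b.c.d/n". */
function example_ip_in_cidr(string $ip, string $cidr): bool {
    if (strpos($cidr, '/') === false) {
        return $ip === $cidr;
    }
    [$network, $bits] = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($network);
    if ($ipLong === false || $netLong === false) {
        return false; // not IPv4; IPv6 deliberately fails closed here
    }
    $bits = (int) $bits;
    if ($bits <= 0) {
        return true;
    }
    $mask = -1 << (32 - $bits); // the top $bits bits set
    return ($ipLong & $mask) === ($netLong & $mask);
}

function example_login_ip_allowed(string $remote): bool {
    foreach (EXAMPLE_ALLOWED_LOGIN_IPS as $cidr) {
        if (example_ip_in_cidr($remote, $cidr)) {
            return true;
        }
    }
    return false;
}

function example_restrict_admin_by_ip(): void {
    $path   = $_SERVER['SCRIPT_NAME'] ?? '';
    $script = basename($path);

    // admin-ajax.php and admin-post.php are called by the public front end
    // (contact forms, "load more" buttons); blocking them breaks the site for visitors.
    if ($script === 'admin-ajax.php' || $script === 'admin-post.php') {
        return;
    }
    if ($script !== 'wp-login.php' && strpos($path, '/wp-admin/') === false) {
        return;
    }

    // REMOTE_ADDR is set by the web server from the TCP connection. Do NOT use
    // X-Forwarded-For here: a client can put any value it likes in that header.
    // Behind a reverse proxy or CDN you trust, use the address it supplies instead.
    $remote = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!example_login_ip_allowed($remote)) {
        status_header(403);
        nocache_headers();
        exit('Forbidden');
    }
}
add_action('init', 'example_restrict_admin_by_ip', 1);
```

Because it runs on the init hook, the check fires before WordPress looks at the login form or any admin page. If you sit behind a CDN or load balancer, REMOTE_ADDR will be the proxy's address and every request will be denied until you substitute the proxy-supplied client address; test from a phone on mobile data before relying on it.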
Step 3: Use a Stronger Username and Password
For years WordPress created the first account with the username “admin”, and many sites still have it. Attackers know people can be lazy and try that username first, so if yours is admin you are already on every brute-force list. WordPress does not let you rename a user in the dashboard: create a new administrator with a different, non-obvious name, log in as it, then delete the old admin account and attribute its posts to the new one when asked. You'll already be a step ahead of the pack.
Your password should also be strong: long, random and used nowhere else. Oh, and I hope I don't have to tell you this, but… don't use the same password for everything! An amazing app to help you overcome this password burden is LastPass. It helps you create super strong passwords and save them all in one place for easy one-click log-in.
Step 4: Use Two-Factor Authentication
Google Authenticator is a free phone app that, together with a WordPress plugin that supports it, gives you two-factor authentication. When you set it up, the plugin shows a secret (usually as a QR code) that the app stores. From then on the app displays a six-digit code computed from that secret and the current time (the TOTP standard, RFC 6238). The code changes every 30 seconds, and the site computes the same value from its own copy of the secret, so nothing is sent to the phone and nothing needs to “sync” beyond both clocks being roughly right. You type the current code into the extra field on the login page, in addition to your normal password.
For example, if the app shows “887604”, you would type 887604 in the Google Authenticator code box.
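To show what that six-digit code is and why it changes every 30 seconds, here is an added example (not from the post, and not the code of any 2FA plugin) implementing the TOTP algorithm the app uses, in PHP. The secret is the RFC 6238 test key, embedded so the block can check itself against the value the RFC publishes; the example_ function names are mine.

```php
<?php
/*
 * Added example, not from the original post: TOTP (RFC 6238) as used by
 * Google Authenticator. The code is HMAC-SHA1 over a 30-second time counter,
 * truncated to six digits; both the phone and the site compute it from the
 * same shared secret, so it never travels between them.
 */

/** Decode an RFC 4648 base32 string (the format of the setup key / QR code). */
function example_base32_decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(str_replace(' ', '', rtrim($b32, '=')));
    $bits = '';
    foreach (str_split($b32) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $chunk) {
        if (strlen($chunk) === 8) {           // trailing partial byte is padding
            $out .= chr(bindec($chunk));
        }
    }
    return $out;
}

/** HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated. */
function example_hotp(string $key, int $counter, int $digits = 6): string {
    $hash   = hash_hmac('sha1', pack('J', $counter), $key, true);
    $offset = ord($hash[19]) & 0x0f;          // low nibble of last byte picks the window
    $code   = ((ord($hash[$offset]) & 0x7f) << 24)
            | (ord($hash[$offset + 1]) << 16)
            | (ord($hash[$offset + 2]) << 8)
            |  ord($hash[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** TOTP (RFC 6238): HOTP with counter = floor(unix_time / step). */
function example_totp(string $b32secret, int $time, int $step = 30): string {
    return example_hotp(example_base32_decode($b32secret), intdiv($time, $step));
}

/**
 * Verify a submitted code, tolerating one step of clock drift either way, and
 * compare in constant time so response timing does not leak matching digits.
 */
function example_totp_verify(string $b32secret, string $submitted, int $now, int $step = 30): bool {
    $ok = false;
    foreach ([-1, 0, 1] as $drift) {
        $expected = example_totp($b32secret, $now + $drift * $step, $step);
        if (hash_equals($expected, $submitted)) {   // no early return: same work for any input
            $ok = true;
        }
    }
    return $ok;
}

// RFC 6238 Appendix B test vector: secret "12345678901234567890" (base32 below).
// At Unix time 59 the 8-digit SHA-1 code is 94287082, so the 6-digit code is 287082.
const EXAMPLE_RFC6238_SECRET = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';

function example_totp_selftest(): bool {
    return example_totp(EXAMPLE_RFC6238_SECRET, 59) === '287082'
        && example_totp_verify(EXAMPLE_RFC6238_SECRET, '287082', 59 + 25)   // one step late: accepted
        && !example_totp_verify(EXAMPLE_RFC6238_SECRET, '287082', 59 + 90); // three steps late: rejected
}

if (!example_totp_selftest()) {
    throw new RuntimeException('TOTP self-test failed');
}
```

Two things the block makes visible: the code is not random but a deterministic function of secret and time, which is why the secret in the QR code must be protected like a password; and a real verifier must also record the last counter it accepted, so a code intercepted by phishing cannot be replayed within the drift window.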
Step 5: Ensure Your Hosting Provider is Secure
If you’re running a business, WP Engine seems to be the best hosting provider in terms of security. However, at their $29/month price tag, this may be beyond the scope of what you need. For a (much) cheaper, but still reliable, alternative, you can use BlueHost or Host Gator.
What to look for in a hosting provider is support for current PHP and MySQL versions (and a record of keeping them patched), plus a web application firewall. If it has these, is affordable, and has any other features you want (like one-click WordPress installs), then you're good to go!
Step 6: Scan Your Computer for Viruses or Malware
This isn't often talked about, but your own computer could be how your site gets broken into: a keylogger or password-stealing malware on your PC hands over your WordPress and FTP credentials no matter how well the server is locked down. When was the last time you ran a full scan? I used to be bad (going almost two months or longer without a scan), and I learned the hard way.
If you’re looking for some great, free resources, my favorite combination (and most of Reddit’s) is Avast! and MalwareBytes. They both have excellent free features to keep your computer running clean.
Step 7: Remove the Login Error Hint
You know how when you mess up your login, WordPress tells you exactly what went wrong? It says “Invalid username” for a name that does not exist and a different message when the username is right but the password is wrong. Well guess what? Attackers see this too, and use it to confirm which usernames exist before they start guessing passwords. Have no fear, you can replace it with one fixed message by hooking the login_errors filter. Go to Appearance -> Editor and open functions.php (better: a child theme's functions.php or a file in wp-content/mu-plugins, because a theme update overwrites the theme's functions.php and silently undoes this).
Add this code to the file, outside any other function:
function no_wordpress_errors() {
    return 'I love tacos.';
}
add_filter( 'login_errors', 'no_wordpress_errors' );
Note: You can change “I love tacos.” to whatever you want. That is the text shown for every error on the login screen, whichever part was wrong (including a mistyped address on the lost-password form), so keep it neutral and give nothing away.
Then just hit save, and you're done!
Step 8: Disable Pingbacks and Trackbacks
Pingbacks and trackbacks are notifications one blog sends another when it links to a post; WordPress receives pingbacks through its XML-RPC interface, xmlrpc.php. In a perfect world, this sounds great – they get notified when you link to them, and hopefully they will link back.
In our world of hackers, however, that interface can be turned against you. A pingback request tells your site “this URL linked to your post”, and your server then fetches that URL to verify the link. Send such requests to thousands of WordPress sites, each naming a victim's URL as the source, and all those servers hammer the victim at once: a distributed denial-of-service (DDoS) attack your site takes part in without ever being compromised, with your IP address in the victim's logs.
To turn incoming pingbacks off, go to Settings -> Discussion and uncheck “Allow link notifications from other blogs (pingbacks and trackbacks)”. Be aware that this checkbox only sets the default for posts you create from now on; every existing post keeps pings open, and an attacker only needs one open post. Close pings on your old posts too (Posts -> bulk edit), or use code to shut the pingback method itself.
Again, don’t forget to save!
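Because the checkbox leaves existing posts and the pingback.ping method untouched, here is an added example (not code from the original post) that closes the path properly with three WordPress hooks, written as a must-use plugin. The file name is a placeholder; the filter names are WordPress core's own.

```php
<?php
/*
 * Added example, not from the original post. The Discussion checkbox only sets the
 * default ping status for new posts; existing posts stay open and the pingback.ping
 * method in xmlrpc.php keeps working. The DDoS abuse is an attacker calling that
 * method on YOUR site with a victim's URL as the "source", which makes your server
 * fetch the victim to verify the link. Save as wp-content/mu-plugins/no-pingback.php.
 */

// 1. Remove the pingback methods from the XML-RPC method table. Everything else
//    (Jetpack, the mobile apps, remote publishing) keeps working.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// 2. Treat every post as closed to pings, old ones included. wp_xmlrpc_server
//    checks pings_open() on the target post before it fetches the source URL,
//    so this alone stops the amplification even if step 1 were missing.
add_filter('pings_open', '__return_false', 20);

// 3. Stop advertising the endpoint. WordPress adds an X-Pingback header to every
//    single-post response while pings are open and scanners harvest it; step 2
//    already prevents that, this makes the intent explicit if step 2 is ever removed.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// 4. Optional: xmlrpc_enabled set to false disables the *authenticated* XML-RPC
//    methods, which shuts the brute-force route from Step 2 (system.multicall
//    batching many login guesses into one request). It does NOT affect pingback.ping,
//    which needs no login, so steps 1 and 2 are still required.
//    Uncomment if nothing you run needs XML-RPC.
// add_filter('xmlrpc_enabled', '__return_false');
```

After deploying, confirm the method is gone: an XML-RPC call to system.listMethods against your site should no longer list pingback.ping, and a single-post page should no longer carry an X-Pingback response header.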
Step 9: Hide Your wp-config.php File
Here’s another one with the .htaccess file. Again, it may be too tech-savvy for some, but if you know how to access it this is an easy change.
This file is incredibly important because it holds your database name, username and password, the secret keys and salts that sign login cookies, and your table prefix. Anyone who can read it owns the site.
Since it is a PHP file, a correctly configured server executes it rather than showing it, so this rule is extra protection for the day PHP handling breaks or is misconfigured and the raw source would otherwise be served (also delete any stray copies such as wp-config.php.bak, which the rule below does not cover). Place the following code snippet in your root .htaccess, outside the # BEGIN WordPress and # END WordPress markers (WordPress rewrites whatever sits between them). Add this code:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
On Apache 2.4 without mod_access_compat, use a single Require all denied line inside the <Files> block instead of the order and deny lines.
Don’t forget to save!
Step 10: Keep Track of Dashboard Activity
If you have a lot of users on your site, you should check their activity on your site daily. Even if their intentions aren’t malicious, you can see what may have happened if your site broke.
To do this, download the Activity Log plugin. You can also use this to retrace your own steps, in case you broke anything (come on, we all know it happens.)
If one of your users turns out to be malicious, the log shows what they changed and uploaded, so you know exactly which files to check for malware or backdoors.
Step 11: Back Up Your WordPress Site
This is a really easy and really important step. You never know when you might accidentally change something and break your website – or worse, get it compromised – and a clean backup is the only reliable way back. All you need is a free plugin called BackWPup.
Once it's installed, press “backup” and let it work its magic. I'd also recommend scheduling regular backups every week, or at least once a month. Make sure the copies land somewhere other than the web server itself: an attacker who wipes or encrypts the server takes on-server backups with it. And restore one into a test site now and then; a backup you have never restored is a hope, not a plan.
Step 12: Install a WordPress Security Plugin
It can be difficult to do everything manually that we’ve described here, so there are plugins that can help you get the job done.
They won’t do everything listed here, but they will help with some. Plus, they can perform malware and virus scans on your files and do other neat security things.
Two possible plugins are Sucuri Security and Acunetix WP Security. Sucuri seems to be the better of the two – it got 4.6 out of 5 stars as opposed to Acunetix's 3.3 out of 5. However, they each have unique features so you may want to look into both.
There You Have It – 12 Steps to Better WordPress Security.
WordPress security is so important now because we have so much information available online. Having been a victim of hackers myself, I fully understand how damaging it can be and don’t want it to happen to anyone else.
I hope this guide helped you to implement some practical steps to defend yourself.
If you enjoyed this article, please share it with others who have a WordPress site and could use some security updates.
What are some other security measures you take for your website? Let me know in the comments!
Useful Links Mentioned
- Whatsmyip.com – Allows you to find your IP address.
- Limit Login Attempts – Limits the number of login attempts to your admin page.
- LastPass – An excellent app to create strong passwords and keep track of every password for everything. Ever.
- Google Authenticator – A two-factor authentication to make your website 5674 times harder to hack… or something like that. Just use it.
- BlueHost – An affordable, reliable hosting service provider.
- Host Gator – An alternative to Blue Host.
- WP Engine – An incredibly secure, and incredibly expensive, hosting provider.
- Avast! – A free antivirus that rocks.
- MalwareBytes – Free Malware protection. Also plays nice with Avast!.
- Activity Log – A free plugin to track logins and activities by yourself and other admins on your site.
- BackWPup – Another free plugin that allows you to back up your WordPress site.
- Sucuri Security – Yet another free plugin to scan your site for malware and perform other security measures.
- Acunetix WP Security – An alternative to Sucuri Security.