10 Tips to Secure WordPress

By Tim Carr

Keeping WordPress secure is important to ensure that your site isn’t compromised: uptime is maximised, your data stays safe, and your site runs as quickly and reliably as possible.


Today we’ll look at 10 ways to help improve and maintain your WordPress site’s security, starting with the simplest and working through to some more advanced tips to help you secure WordPress.

User Security

A key target for attackers is the WordPress administration interface. If a malicious user is able to log in as an administrator, they’re free to do whatever they like to your site, including installing their own plugins or editing theme files to run PHP of their choosing on your server.

Some will attempt to log in using a brute force attack, setting up a botnet (many computers the attacker controls) to repeatedly try to log in to your site with different username and password combinations.

Here are some changes that you can make to help secure the WordPress admin interface:

1. Use a Unique, Secure Username and Password

Avoid using the default admin username. You can choose your own username when setting up a new WordPress site, but if you’re on an older installation (which you should upgrade; we’ll cover that later), or you’ve already set your username to admin, you can use a WordPress plugin such as Username Changer to rename the account. Alternatively, create a new user with administrator rights, log in as that user, and delete the old ‘admin’ account, attributing its posts to the new user when WordPress asks.

Try to avoid common usernames such as administrator, your website’s name or your name.

For passwords, choose a long, complex password made up of letters, numbers and symbols. Don’t choose a password that’s similar to your username or website name, or a simple word with a few characters changed. Avoid dictionary words, and preferably use a random string of characters. A good password manager will generate, store and fill in these passwords for you, so there is no need to make them memorable.

Alternatively, if you do need a password you can remember while keeping sufficient complexity, use a phonetic password generator rather than inventing one yourself.

2. Use Two-factor Authentication

Two-factor authentication (known as 2FA, or sometimes 2-step verification) requires a user to log in with not just their username and password, but also a one-time code that is generated by an authenticator app on their phone (iOS/Android) or sent to them via SMS. Where the plugin offers both, prefer the app: codes generated on the device never travel over the phone network, whereas SMS can be intercepted or redirected.

We’ve covered how to setup 2FA in our Google Authenticator tutorial.

3. Verify the User Is Human

reCAPTCHA forms, which ask the user to prove they are human (by typing the text shown in an image, or ticking a box in the newer ‘No CAPTCHA’ version), are a useful way to slow down botnets attempting to brute force the login to your WordPress site. Most automated tools can’t complete this step, so it raises the cost of an attack considerably, though it should be combined with the other measures here rather than relied on alone.

We’ve covered how to implement ‘No CAPTCHA reCAPTCHA’ as part of your WordPress login process here.

4. Password Protecting wp-login.php

If you’re a more advanced WordPress user or developer, and you’re comfortable with some server-side changes, you can require a web-server (HTTP basic authentication) login before the WordPress login screen is even displayed.

This adds a layer that a brute force tool has to get through before it can touch WordPress at all. Because basic authentication sends the credentials with every request, only do this on a site served over HTTPS. We’ve covered how to set it up in our Preventing Brute Force attacks against WordPress websites article.

Code Security

Whether you’re developing your own theme or plugin for your site, or using something from a third party, it’s important that the code is secure and doesn’t open the door to attacks.

Insecure code that doesn’t follow best practices can let an attacker gain control of some or all of your WordPress site, regardless of how strong your admin password is.

There are a few ways we can help ensure code integrity and security:

5. Keep WordPress Updated

Since WordPress 3.7, minor releases, which cover security and maintenance fixes, are applied automatically. You can extend this to major releases as well, by adding the following to your site’s wp-config.php file:

define( 'WP_AUTO_UPDATE_CORE', true );

Whilst this may seem like a good idea, a major release may be incompatible with your existing themes and/or plugins, and an unattended upgrade that breaks the site is hard to diagnose after the fact. Keep a staging copy of the site and test major upgrades there before applying them to production. If you leave automatic major updates off, make sure someone is responsible for applying them promptly by hand.
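The middle ground between the constant above and doing everything by hand is to set the policy with WordPress’s own update filters. The must-use plugin below is an added example, not code from the original article: it keeps the safe default (minor security releases install themselves), refuses unattended major core updates, auto-updates only an allowlist of plugins, and leaves your custom theme alone. The plugin slugs in the allowlist and the file name are assumptions; replace them with the plugins you have tested.

```php
<?php
/**
 * Added example: wp-content/mu-plugins/auto-update-policy.php
 * Selective automatic updates using WordPress core filters.
 * Not part of the original article; the allowlist is an assumption.
 */

// Keep the default: minor (security/maintenance) core releases install themselves.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );

// Major releases are the ones that break themes and plugins: test them on
// staging first instead of letting them land unattended. This is the
// filter-based equivalent of leaving WP_AUTO_UPDATE_CORE unset.
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Auto-update only plugins you trust to update unattended.
// $item is the update object WordPress passes to the filter; ->slug is the
// plugin's directory slug on wordpress.org.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $trusted = array( 'akismet', 'wordfence' ); // assumption: your own tested list
    if ( isset( $item->slug ) && in_array( $item->slug, $trusted, true ) ) {
        return true;
    }
    return $update; // keep WordPress's default decision for everything else
}, 10, 2 );

// Themes: auto-update everything except the active (custom) theme, which you
// update by hand after testing, since it is the one most likely to break.
add_filter( 'auto_update_theme', function ( $update, $item ) {
    if ( isset( $item->theme ) && $item->theme === get_stylesheet() ) {
        return false;
    }
    return true;
}, 10, 2 );
```

Files in wp-content/mu-plugins load before normal plugins and cannot be deactivated from the dashboard, which is exactly what you want for an update policy. The filters take precedence over the WP_AUTO_UPDATE_CORE constant, so this file fully describes the behaviour on its own.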

There are also third-party tools that connect to your WordPress sites and let you manage all of your installations from a single, unified interface, including one-click updates of WordPress core, themes and plugins.

For further reading, we’ve published articles on how to keep your WordPress website up to date.

6. Choose Your Theme and Plugins Wisely

It’s important to choose themes and plugins that are actively maintained and regularly updated. Whilst this isn’t a guarantee of security, it should mean that if a security vulnerability is found in a theme or plugin, it’ll be addressed quickly.

Also check the detailed descriptions of plugins, as some are audited by third parties (such as Sucuri) for security, which can help give you peace of mind. And delete plugins and themes you no longer use rather than just deactivating them: their code stays on the server, can still be reached directly, and still needs updating.

7. Developing Themes and Plugins

Whether you’re new to WordPress development, or have been developing themes and/or plugins for some time, it’s important to follow the key WordPress security best practices.

That means validating and sanitising input, escaping output, using nonces to protect state-changing requests, and checking Roles and Capabilities before performing any privileged action. Keep up to date with the WordPress development best practices as they evolve.
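The following is an added example, not code from the article: the same “save a note” admin action written twice. The first version contains the mistakes the text warns about (no nonce, no capability check, raw input in SQL, unescaped output); the second applies nonces, capability checks, sanitisation, prepared statements and output escaping using WordPress’s own APIs. The table name, action name and admin page slug are assumptions for illustration.

```php
<?php
/**
 * Added example (not the article's code): an insecure admin action and its
 * hardened equivalent. Assumes a custom table {$wpdb->prefix}notes with
 * columns id, title, body, and an admin page with slug 'example-notes'.
 */

// ---------- VULNERABLE: the mistakes the text warns about ----------
function insecure_save_note() {
    global $wpdb;
    // No nonce: a cross-site request forgery can trigger this with a victim's cookies.
    // No capability check: any logged-in user, even a subscriber, can call it.
    // Raw $_POST interpolated into SQL: SQL injection.
    $title = $_POST['title'];
    $body  = $_POST['body'];
    $wpdb->query( "INSERT INTO {$wpdb->prefix}notes (title, body) VALUES ('$title', '$body')" );
    // Unescaped output: stored XSS against every admin who views the page.
    echo '<h2>' . $title . '</h2>';
}

// ---------- HARDENED ----------
function secure_save_note() {
    global $wpdb;

    // 1. Roles and capabilities: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'example' ), '', array( 'response' => 403 ) );
    }

    // 2. Nonce: the form must have been rendered by WordPress for this user.
    //    check_admin_referer() stops with a 403 if the nonce is missing or stale.
    check_admin_referer( 'example_save_note', 'example_nonce' );

    // 3. Sanitise input for the context it will be stored in
    //    (plain text for the title, post-style HTML for the body).
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $body  = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );
    if ( '' === $title ) {
        wp_die( esc_html__( 'A title is required.', 'example' ), '', array( 'response' => 400 ) );
    }

    // 4. Prepared statement: values never touch the SQL string directly.
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}notes (title, body) VALUES (%s, %s)",
        $title,
        $body
    ) );

    // 5. Redirect rather than render, so a browser refresh cannot resubmit.
    wp_safe_redirect( add_query_arg( 'saved', '1', admin_url( 'admin.php?page=example-notes' ) ) );
    exit;
}
add_action( 'admin_post_example_save_note', 'secure_save_note' );

// The form that pairs with the hardened handler. The hidden nonce field is what
// check_admin_referer() verifies; every dynamic value is escaped for its context.
function example_render_note_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_note">
        <?php wp_nonce_field( 'example_save_note', 'example_nonce' ); ?>
        <input type="text" name="title" value="">
        <textarea name="body"></textarea>
        <?php submit_button( __( 'Save note', 'example' ) ); ?>
    </form>
    <?php
}

// Output escaping: data read back from the database is escaped when displayed,
// even though it was sanitised on the way in. Sanitise on input, escape on output.
function example_list_notes() {
    global $wpdb;
    $rows = $wpdb->get_results( "SELECT title, body FROM {$wpdb->prefix}notes ORDER BY id DESC LIMIT 20" );
    foreach ( $rows as $row ) {
        echo '<h2>' . esc_html( $row->title ) . '</h2>';
        echo wp_kses_post( $row->body );
    }
}
```

Two points worth noting: sanitising on input is not a substitute for escaping on output, because the same value may be rendered in HTML, in an attribute, or in JavaScript, each of which needs a different escape; and the capability check and the nonce check protect against different things (an unprivileged user, and a privileged user tricked into submitting a request), so you need both.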

Hosting Security

With your WordPress installation more secure thanks to stronger user authentication and better-quality code, it’s also important to ensure you have well-supported, secure hosting.

8. Use Managed Hosting

There are several companies now offering managed WordPress hosting, such as WP Engine, SiteGround and Media Temple. Whilst you’ll typically pay a premium over more traditional shared or unmanaged hosting, a managed host takes on much of the work of keeping your site secure.

For example, WP Engine will automatically update WordPress and key plugins when there are known security vulnerabilities, and will disable plugins known to cause performance and security issues. As with most managed WordPress hosts, they provide hardware firewalls and configuration that help mitigate Distributed Denial of Service (DDoS) attacks so they are less likely to bring your site down.

While some users might find this approach intrusive, it does provide peace of mind and the expertise to keep your WordPress website running.

9. Ensure File and Folder Permissions Are Correct

If you’re not using a managed web host, it’s important to ensure that WordPress files and folders have the correct ownership and permissions. Not only does this allow WordPress to keep itself updated, it also prevents attackers from exploiting poor file security (for example, a world-writable folder that lets a compromised neighbouring account drop a PHP file into your site) and taking control of it.

As a baseline, WordPress folders should have 0755 permissions and WordPress files 0644, although the exact values can vary from host to host depending on how PHP is run. wp-config.php contains your database credentials, so it can be tightened further (0440 or 0400) as long as the user PHP runs as can still read it.

If you’re getting errors when attempting to install plugins, or upload new media, don’t be tempted to set any folder permissions to 0777. Instead, work with your web host to ensure that PHP is run with the correct user, and that the folders are owned by the same user.

If you’ve got shell access, you can set these permissions with a couple of commands:

# directories: owner rwx, everyone else r-x
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} +
# files: owner rw, everyone else r
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} +

If you know the user and group that should have ownership of the WordPress files and folders, use:

sudo chown -R username:group /path/to/your/wordpress/install

10. Server Side Hardening

For advanced users managing their own web hosting, you can also:

  • Give the database user only the SELECT, INSERT, UPDATE and DELETE privileges on the WordPress database. Core upgrades and some plugins need to change the schema (CREATE, ALTER, DROP), so you may have to grant those temporarily during an upgrade and revoke them afterwards.
  • Use strong, unique database usernames and passwords, and never reuse the WordPress admin password for the database.
  • Disallow file editing from the WordPress dashboard by adding define('DISALLOW_FILE_EDIT', true); to your wp-config.php file. This removes the built-in theme and plugin editor, so an attacker who does obtain an administrator login can’t use it to write PHP to your server.

Some web hosts will be able to perform some of these actions for you – it’s always worth asking.

For more information on WordPress and server hardening, check out the WordPress Codex documentation on Hardening WordPress.

Conclusion

In this article we’ve covered 10 tips for securing your WordPress website, ranging from basic user authentication through to coding practices and hosting setup. We’ve also touched on some server-side hardening techniques for more advanced users.

Another option worth considering is a security plugin such as Wordfence or BulletProof Security. There are many to choose from, and they all have their advantages and disadvantages, so it’s best to do some research to find one which best suits your requirements. We’ve covered some of the more advanced options of security plugins here.

And it always pays to remember that while prevention is better than cure, it only takes one small mistake to lose data through a hacked WordPress installation. Therefore it’s vital to use a WordPress backup service, such as VaultPress or BackupBuddy, and to keep the backups somewhere other than the web server itself, so that your website can be restored easily in case of attack or error. We cover the topic of backups, plus plenty more, in our Definitive Guide to WordPress Maintenance.

  • Nice list, Tim, thanks for this. We have used Wordfence on a few client sites as it has a nice feature which allows you to immediately lock out anyone who tries to log in as ‘admin’. This stops a lot of casual attempts.

    The part about automatic updates is also spot on; we have inherited some client websites which are so customised that they cannot take automatic updates, so a backup and offline testing is essential.

    Thanks for taking the time to write this; I’ll be covering the server tips with the lads on Monday!

    • Anteaus

      I think the question here is whether you want to make your own unique Web statement or have an obvious clone of one of the standard themes. If the former, then you are likely to hit the catch-22 that if you use a custom theme it cannot be updated without risk of the site breaking, and therefore it will eventually fall victim to a security flaw.

      Not a good situation, and it basically indicates the need to think carefully about whether you actually NEED a database-backed CMS. If your site content is maintained by a single person or organisation then a traditional static site would be the better option. Although, nowadays there are file-based CMSs (Kirby, Stacey, Mara for example) that avoid the SQL code injection risk which is the main route to CMS hacking.

  • Philipp

    Recommendations are very good, very useful article. 8/10 on a professional scale.

  • Hey

    Marvelous tips you have shared. I am an amateur and I was concentrating on such a variety of online journals, yet never had enough substance that could help; however, in the wake of having your post I have learned such a large number of things. Simply continue sharing stuff like this; additionally, I advise my companion to visit this web journal in light of the fact that it’s truly supportive and justifiable substance you have composed :)

  • Boy this is a great list. I really need to go back and check my security as you noted in #9. That is something that I have not been considering. Thank you so much.

  • Great tips. The article highlights almost all the critical concern areas of a WordPress website. It is always wise to identify the concern areas and list out the possible setbacks. This will allow a developer to verify website security against the set criteria. Database security, user account privacy, account settings, web content privacy etc. are a few of the major concerns. WordPress, being one of the most popular and proficient enterprise web content management services providers, ensures that it has native tools to address these issues; however, adding a plugin like All in One security tool gives an additional support layer for web content. There are many such built-in tools available with WordPress CMS which ensure the best results.
    Thanks for the article.

  • Thanks for the information, but does it help in securing a WordPress blog against the SQL injection which some hackers use to inject into a website? I am still having doubts.

  • You can use MainWP for free for all the sites you want. It’s a nice option. Plus, you can host it on your own server rather than using a third party’s. Some really good tips here!
