WordPress Hardening and Security Ideas
Last updated on Feb 15, 2017
It is common knowledge by now that WordPress is the world’s most popular content management system (CMS). There are endless types of websites out there that use WordPress, such as eCommerce stores, corporate sites, portfolio projects, and obviously blogs.
However, being the most popular kid on the block also means WordPress is targeted by malicious users and hackers. WordPress by itself is not inherently insecure. In fact, it is a robust and reliable CMS. However, since it powers over a quarter of the internet, WordPress is obviously the de facto prime target for malicious attacks.
So, if you are running a WordPress website, how do you secure it? In this article, we will be taking a look at some useful tips for hardening and securing your WordPress websites and blogs.
The Obvious Measures
First up, let us take a moment to reiterate the basic security practices that apply to not just WordPress but virtually any online website management tool that you run.
Be sure to use strong, hard-to-crack passwords. A good idea is to let WordPress generate one for you, so that it is random and hard to guess. You should also change your WordPress passwords at regular intervals.
Furthermore, there are some WordPress defaults that you should consider changing. Most WP installations leave these at their default values, for example:
- Change the database table prefix to something other than “wp_”. I often rely on the website name’s initials, such as rh_ as the table prefix.
- Avoid using “admin” as the administrator username. Better still, use an administrator username that has nothing to do with “admin” or any similar term — even your first name would do.
Also, keep the number of WordPress plugins and themes to a minimum. If you are not using a given plugin or theme, delete it (simply deactivating it is not enough, since its files remain on the server and stay reachable).
Before going further, one special word of advice related to WP themes and plugins. When you are downloading and installing any given theme or plugin, be sure to check its current usage count (the official repository shows the number of active installations) as well as the update frequency. For premium themes and plugins, I entirely avoid developers who refuse to share public changelogs of their products. This way, you can be sure that the theme or plugin that you are using is under active development and will be supported for a good duration of time.
Of course, be sure to keep your WordPress installation as well as themes and plugins up to date!
Using Security Plugins
Quite possibly the best part about WordPress is that you will not have a hard time finding decent security plugins for the software. There are various free and premium options out there for you to choose from.
First, if you want to secure the login page and prevent brute force attacks, a plugin such as WP Limit Login Attempts can be useful. It prevents malicious users from guessing your password by locking down access to the login page after multiple failed password attempts. Jetpack also has a security module that works out of the box and accomplishes the same task.
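To show what a limit-login plugin does under the hood, here is an added illustration written as a small must-use plugin (drop it into wp-content/mu-plugins/). It is not the code of WP Limit Login Attempts, Jetpack or any other plugin; the function names, constants and thresholds (five failures in fifteen minutes) are made up for the example. It counts failed logins per client address in a transient and refuses further authentication once the threshold is hit.

```php
<?php
/*
Plugin Name: Example Login Lockout
Description: Illustration of a per-IP lockout after repeated failed logins (hypothetical code, not any plugin's source).
*/

// Constructed thresholds for the example: 5 failures inside a 15-minute window.
const EXAMPLE_LOCKOUT_MAX_FAILURES = 5;
const EXAMPLE_LOCKOUT_WINDOW       = 15 * MINUTE_IN_SECONDS;

// Client address as seen by PHP. Behind a reverse proxy or CDN, REMOTE_ADDR is
// the proxy; only trust a forwarded header if you control that proxy, otherwise
// a spoofed header lets one client lock out everybody else.
function example_lockout_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

// Transient key for that address.
function example_lockout_key() {
    return 'example_lockout_' . md5(example_lockout_ip());
}

// Count every failed login. The transient expires with the window, so counts
// from a quiet client fade out on their own.
add_action('wp_login_failed', function ($username) {
    $key      = example_lockout_key();
    $failures = (int) get_transient($key) + 1;
    set_transient($key, $failures, EXAMPLE_LOCKOUT_WINDOW);

    // Leave a trail in the server error log: this is the line you would alert on.
    if ($failures >= EXAMPLE_LOCKOUT_MAX_FAILURES) {
        error_log(sprintf(
            'example-lockout: %s locked out after %d failures (last username tried: %s)',
            example_lockout_ip(), $failures, $username
        ));
    }
});

// Refuse to authenticate while the counter is at or above the threshold.
// Priority 30 runs after WordPress's own username/password check (priority 20),
// so the lockout applies regardless of whether the credentials were correct.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(example_lockout_key()) >= EXAMPLE_LOCKOUT_MAX_FAILURES) {
        return new WP_Error(
            'example_too_many_attempts',
            __('Too many failed login attempts from your address. Please try again later.')
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(example_lockout_key());
}, 10, 2);
```

Two caveats worth knowing before relying on something like this: WordPress still fires wp_login_failed for attempts rejected during a lockout, so a client that keeps hammering keeps extending its own lockout, while a legitimate user simply has to wait out the window; and transients live in the database (or the object cache if one is configured), so on a multi-server setup the counter only works if that cache is shared.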
For overall security, Wordfence Security is by far the de facto leader in its league with over a million active users. It also has a premium version but for the most part, the free version suffices. There are other plugins with a similar feature set too, but Wordfence Security has a plethora of security options that you may not find elsewhere, including the ability to schedule scans and a firewall that keeps bad IPs away.
If you happen to run into performance issues after installing Wordfence, disabling the live traffic logging option usually fixes this. Go to the “Options” section of Wordfence and uncheck the “Enable Live Traffic View” box.
WP Bruiser is also a decent security plugin that keeps the bad bots away. It can protect not just your login form but also contact forms and WooCommerce forms, as well as send login and logout notifications.
One word of caution: do not go overboard with security plugins, especially if you are on a shared hosting plan. Most of these security plugins consume resources, and this can slow down your website. If you are using Jetpack, rely on its brute force prevention measure (Wordfence has one too) and avoid a separate plugin for that task.
Other Hardening Measures
Beyond that, you can also take some extra measures to further secure and harden your WordPress site. The following measures are not mandatory, and if you already have a good security system in place, you can safely ignore the steps that follow.
You can consider changing the URL of your login page entirely. For example, rather than yoursite.com/wp-login you can make it yoursite.com/xyz such that malicious users cannot locate it easily. This step is not always helpful though — it is only a matter of time before your login URL is located by bad bots unless you have a good firewall in place. That said, here is a tutorial on how to change the login URL in WP.
You should disallow code execution in your WordPress directories, especially the uploads folder (wp-content/uploads). A plugin such as Sucuri Security can do it for you via .htaccess edits.
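For readers who would rather make the .htaccess edit by hand, here is an added example of what such a rule looks like for the uploads folder. It is not taken from Sucuri Security or any other plugin, and it assumes Apache with AllowOverride enabled for that directory; the file is placed at wp-content/uploads/.htaccess so that images and documents are still served but nothing in the folder is ever handed to the PHP engine.

```apache
# Added example for wp-content/uploads/.htaccess (assumed Apache setup, not
# from the article or any plugin). Anything with a PHP-looking extension
# that lands in uploads is refused outright.
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    # Apache 2.4 syntax
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# Belt and braces when PHP runs as an Apache module: turn the engine off for
# this directory as well. Ignored under PHP-FPM, which is why it is wrapped.
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
```

After deploying it, check the rule actually bites: place a harmless file such as test.php containing a single echo in the uploads folder, request it in a browser, and confirm you get a 403 rather than the echoed text, then delete the file. A rule that is silently overridden by a server-level configuration is worse than none, because you believe you are covered.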
There are various other measures that you can take, such as hiding your WordPress version. This, however, rarely helps and is more of a precaution than a real defence. On the other hand, a more logical step is to run the latest version of PHP and MySQL as well as WordPress itself.
Lastly, if you are not using it, you can disable XML-RPC support in WordPress using this plugin. XML-RPC can be misused to attack your website remotely or to launch malicious attacks from it. However, you should note that a good number of remote management services and clients, as well as plugins, use XML-RPC, and you might encounter some issues. As the REST API gains ground, XML-RPC will eventually fall out of favour, but as of now it is still required by various services (including the likes of Jetpack).
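If you prefer not to add yet another plugin, the two measures above (disabling XML-RPC and hiding the version string) fit into a few lines of a must-use plugin. The code below is an added illustration, not the plugin the article links to; the plugin header and comments are made up for the example, while the hooks it uses (xmlrpc_enabled, xmlrpc_methods, wp_headers, wp_head, the_generator) are standard WordPress filters and actions.

```php
<?php
/*
Plugin Name: Example XML-RPC and Version Hardening
Description: Illustration only (hypothetical code, not the plugin the article links to).
*/

// Switch off XML-RPC authentication, so xmlrpc.php can no longer be used to log
// in or to post remotely. Jetpack and remote publishing clients stop working.
add_filter('xmlrpc_enabled', '__return_false');

// xmlrpc_enabled only blocks methods that require a login. pingback.ping needs
// none, so drop it as well and stop advertising the endpoint in response
// headers and in the <head> EditURI link.
add_filter('xmlrpc_methods', function ($methods) {
    unset($methods['pingback.ping']);
    return $methods;
});
add_filter('wp_headers', function ($headers) {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');

// Mostly cosmetic, as the article says: stop printing the WordPress version in
// the generator meta tag and in feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');
```

Before switching this on, make a list of everything that talks to your site over xmlrpc.php (Jetpack, mobile apps, desktop publishing clients, uptime or management dashboards) and confirm each one either has a REST-based alternative or can be lived without; afterwards, a quick look at the page source should show neither the EditURI link nor the generator tag.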
There is no such thing as “absolute security” on the internet. You are just one bad line of code away from disaster. However, by following good safety practices, such as keeping your WP installation and themes and plugins up to date, as well as using a decent security solution, you can ensure your website’s safety in the long run.
Finally, be very sure to have regular backups of your content. Even if something is compromised, you can still restore your data and safeguard your website.