WordPress often gets a bad reputation for security. The truth is that WordPress itself is very secure, and most breaches are caused by human error and a poor choice of plugins or themes. We will guide you through 5 very basic steps to harden your WordPress security without any expense.
Some common ways to improve security
1. Usernames & Passwords
The first step we take when working on any WordPress site is making sure that the default username ‘Admin’ doesn’t exist. During most WordPress installs the first user added has the username ‘Admin’. This is well known, so if you are still using the ‘Admin’ username attackers are already one step towards gaining access to your site: brute-force attempts routinely try the username ‘Admin’ first. If you still use the ‘Admin’ username, the best thing to do is create a new user and then delete the admin user; during the deletion process you can assign all the content from the old user to the new user.
Passwords are also a huge weakness. WordPress now has a built-in password generator and strength indicator, and we recommend you use the generator to ensure that your passwords are very strong. A strong password makes forcing your way into the site much harder, and most automated attacks will simply move on. While on the topic of passwords, make sure that your email password is equally strong. If an attacker gains access to your email they can request a password reset for your site and for almost any other service you signed up for with that address. We suggest you use 2-factor authentication as a minimum on your email.
2. Core & Plugin Updates
You must update the WordPress core as updates are rolled out. Most updates contain fixes for previously discovered vulnerabilities, and outdated versions of the WordPress core and plugins leave your site susceptible to attack. It’s also important to only use plugins that are updated regularly; if you need to use a plugin that hasn’t been updated in a while, have it reviewed and tested first.
We notice a lot of WordPress users don’t update certain plugins because their site developer told them not to. If this is the case we recommend you ask your developer to update the plugin for you or consult with a WordPress expert on how to update the plugin and ensure that the site retains full functionality.
3. Server & Database Access
Your WordPress install is only as secure as your server, your database, and your hosting control panel (if you have one). Ensure that your server is set up with basic security in place: prevent root login, restrict SSH access, use a strong password for database access, and change the default database table prefix. If your hosting control panel allows it, use 2-factor authentication and an extremely strong password.
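The SSH points above (no root login, restricted access) are settings in the server's sshd_config. The following is an added example, not code from the original post: it parses sshd_config text and reports which of those settings are still in their weak state, using real OpenSSH keywords and their documented defaults. The two configs it runs over are constructed samples, not a real server.

```python
"""Audit sshd_config for the server-hardening points: root login off,
password logins off (key-based only), and access limited to named users.
Added example; operates on constructed config text, not a live host."""
import re

# Real OpenSSH keywords (lower-cased) and the values this example treats as hardened.
EXPECTED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}
# OpenSSH's built-in defaults, used when a keyword is absent from the file.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

LINE_RE = re.compile(r"([^\s=]+)\s*=?\s*(.*)")


def parse_sshd_config(text):
    """Return {keyword: value} for the effective global settings.

    sshd uses the FIRST value it reads for each keyword, so later duplicates
    are ignored. Parsing stops at the first 'Match' block because everything
    below it is conditional, not a global default."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd(text):
    """Return a list of (keyword, found_value, expected) findings; [] means hardened."""
    settings = parse_sshd_config(text)
    findings = []
    for key, good in EXPECTED.items():
        found = settings.get(key, DEFAULTS[key])
        if found.lower() not in good:
            findings.append((key, found, "/".join(sorted(good))))
    # Restrict who may log in at all: either AllowUsers or AllowGroups should be set.
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append(("allowusers/allowgroups", "<unset>", "a named list"))
    return findings


# Constructed sample: a typical out-of-the-box config with root login enabled.
WEAK_CONFIG = """\
# constructed example, not a real server
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample after hardening. The Match block re-enables passwords for
# one account only and must not count as the global default.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy wpadmin
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd(cfg) or "OK")
```

Run it against a copy of the real file (`open("/etc/ssh/sshd_config").read()`) and fix each finding, then reload sshd while keeping an existing session open so a mistake cannot lock you out.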
4. Use a Security Plugin
We recommend the Shield Security plugin: it provides very good security features that are easy to manage and doesn’t cost a penny, though any other well-known security plugin will do. If you are unsure of the settings, you can install it and leave the defaults in place. Be careful with certain settings, as you may end up locking yourself out or slowing your site down if your server doesn’t have many resources. As a minimum, we recommend a security plugin that prevents brute-force login attempts on login forms.
5. Only Use Reputable Plugins & Themes
When looking for a theme or plugin, make sure you pick one from a reputable source. Never download ‘nulled’ copies of premium themes or plugins: not only is it essentially stealing, you will most likely end up installing malware on your site. When browsing the WordPress plugin directory, pick plugins and themes with a good review rating that have been updated recently, and check the support forums for the theme or plugin for any known issues before installing.
Try to limit the number of plugins you are using, only use plugins that you need. How many plugins are too many? Check out this article to find out more.
6. Move Your WordPress Site to SSL/HTTPS
SSL (Secure Sockets Layer) is a protocol that encrypts the data transfer between your website and the user’s browser. This encryption makes it harder for someone to sniff around and steal information.
Once you enable SSL, your website will use HTTPS instead of HTTP, you will also see a padlock sign next to your website address in the browser.
SSL certificates were typically issued by commercial certificate authorities, with prices from $80 to hundreds of dollars each year. Because of this added cost, most website owners opted to keep using the insecure protocol.
To fix this, a non-profit organization called Let’s Encrypt decided to offer free SSL Certificates to website owners. Their project is supported by Google Chrome, Facebook, Mozilla, and many more companies.
7. Change the Default “admin” username
In the old days, the default WordPress admin username was “admin”. Since usernames make up half of the login credentials, this made it easier for hackers to do brute-force attacks.
Since WordPress doesn’t allow you to change usernames by default, there are three methods you can use to change the username.
- Create a new admin username and delete the old one.
- Use the Username Changer plugin
- Update username from phpMyAdmin
8. Disable File Editing
WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area. In the wrong hands, this feature can be a security risk which is why we recommend turning it off.
You can easily do this by adding the following line to your wp-config.php file (above the line that reads “That’s all, stop editing!”):
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
9. Limit Login Attempts
By default, WordPress allows users to try to log in as many times as they want. This leaves your WordPress site vulnerable to brute-force attacks. Hackers try to crack passwords by trying to log in with different combinations.
This can be easily fixed by limiting the number of failed login attempts a user can make. If you’re using a security plugin that blocks brute-force logins, as recommended in step 4, this is already taken care of. Otherwise, install and activate the Login LockDown plugin.
Upon activation, visit the Settings » Login LockDown page to set up the plugin.
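What a login-limiting plugin does behind the scenes is the logic below. This is an added example, not code from Login LockDown or any other plugin: failures are counted in a sliding window against both the source IP and the target username, so a single host spraying many accounts and many hosts hammering one account are both locked out. The clock is injectable so the behaviour is deterministic, and the attempt sequences are constructed samples.

```python
"""Sliding-window login lockout: the behaviour a brute-force protection
plugin adds in front of wp-login.php. Added example; in-memory state only."""
import time
from collections import deque


class LoginLimiter:
    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, clock=None):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock or time.time
        self._failures = {}       # key -> deque of failure timestamps
        self._locked_until = {}   # key -> epoch seconds when lock expires

    @staticmethod
    def _keys(ip, username):
        # Separate namespaces so a username that looks like an IP cannot collide.
        return (("ip", ip), ("user", username.lower()))

    def _is_locked(self, key):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:          # lock has expired: clear it
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def allowed(self, ip, username):
        """True if neither the source IP nor the account is locked out."""
        return not any(self._is_locked(k) for k in self._keys(ip, username))

    def record_failure(self, ip, username):
        now = self.clock()
        for key in self._keys(ip, username):
            q = self._failures.setdefault(key, deque())
            q.append(now)
            while q and now - q[0] > self.window:   # forget old failures
                q.popleft()
            if len(q) >= self.max_failures:
                self._locked_until[key] = now + self.lockout
                q.clear()

    def record_success(self, ip, username):
        for key in self._keys(ip, username):
            self._failures.pop(key, None)


def simulate(attempts, **limiter_kwargs):
    """Replay constructed attempts (t, ip, username, password_ok) and return
    one outcome per attempt: 'ok', 'fail' or 'locked'."""
    now = [0.0]
    limiter = LoginLimiter(clock=lambda: now[0], **limiter_kwargs)
    outcomes = []
    for t, ip, user, ok in attempts:
        now[0] = float(t)
        if not limiter.allowed(ip, user):
            outcomes.append("locked")
        elif ok:
            limiter.record_success(ip, user)
            outcomes.append("ok")
        else:
            limiter.record_failure(ip, user)
            outcomes.append("fail")
    return outcomes


# Constructed sample: six guesses against 'admin' from one address, then a
# second address with the right password, then a retry after the lockout.
BURST = [(t, "203.0.113.5", "admin", False) for t in range(6)] + [
    (6, "198.51.100.9", "admin", True),      # account is locked, even with the right password
    (1000, "203.0.113.5", "admin", True),    # lockout (900 s) has expired
]

# Constructed sample: five failures spread beyond the 300 s window never lock.
SPREAD = [(0, "203.0.113.5", "editor", False), (1, "203.0.113.5", "editor", False),
          (2, "203.0.113.5", "editor", False), (400, "203.0.113.5", "editor", False),
          (401, "203.0.113.5", "editor", False), (402, "203.0.113.5", "editor", True)]

if __name__ == "__main__":
    print(simulate(BURST))
    print(simulate(SPREAD))
```

Locking the username as well as the IP is what stops a distributed attack, but it also means an attacker can deliberately lock a real user out; production plugins soften this with CAPTCHA or 2-factor step-up instead of a hard block on the account side.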
10. Change WordPress Database Prefix
By default, WordPress uses wp_ as the prefix for all tables in your WordPress database. If your WordPress site is using the default database prefix, then it makes it easier for hackers to guess what your table name is. This is why we recommend changing it.
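Both the file-editing constant and the table prefix live in wp-config.php, so they can be checked together. The following is an added example, not code from the original post: it parses a wp-config.php and reports whether DISALLOW_FILE_EDIT is set, whether the prefix is still the default wp_, and, for the HTTPS step, whether FORCE_SSL_ADMIN is set (a standard WordPress constant not mentioned above). The two config samples are constructed.

```python
"""Audit wp-config.php for the hardening constants and the table prefix.
Added example; runs on constructed file contents, not a live site."""
import re

# define( 'NAME', value );  -- tolerant of spacing and quote style
DEFINE_RE = re.compile(r"""define\s*\(\s*['"]([A-Z0-9_]+)['"]\s*,\s*([^)]+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")


def strip_php_comments(text):
    """Remove /* */ blocks and lines that start with // or #.
    Inline // is left alone so URLs such as 'https://...' inside strings survive."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(?m)^\s*(//|#).*$", "", text)


def php_bool(token):
    """Map the PHP literal used in a define() to True/False, None if unrecognised."""
    t = token.strip().lower()
    if t in ("true", "1"):
        return True
    if t in ("false", "0", "null", "''", '""'):
        return False
    return None


def parse_wp_config(text):
    """Return ({CONSTANT: raw_value}, table_prefix_or_None)."""
    text = strip_php_comments(text)
    defines = {name: raw.strip() for name, raw in DEFINE_RE.findall(text)}
    m = PREFIX_RE.search(text)
    return defines, (m.group(1) if m else None)


def audit_wp_config(text):
    """Return a list of human-readable findings; [] means all three checks pass."""
    defines, prefix = parse_wp_config(text)
    findings = []
    if php_bool(defines.get("DISALLOW_FILE_EDIT", "false")) is not True:
        findings.append("DISALLOW_FILE_EDIT is not true: the theme/plugin editor is reachable from wp-admin")
    if prefix is None or prefix == "wp_":
        findings.append("table_prefix is the default 'wp_'")
    if php_bool(defines.get("FORCE_SSL_ADMIN", "false")) is not True:
        findings.append("FORCE_SSL_ADMIN is not true: login and admin pages may be served over plain HTTP")
    return findings


# Constructed sample: a fresh install with nothing hardened.
DEFAULT_CONFIG = """<?php
// constructed sample, not a real site
define( 'DB_NAME', 'wordpress' );
define( 'WP_HOME', 'https://example.com' );
$table_prefix = 'wp_';
"""

# Constructed sample after applying the steps above.
HARDENED_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'WP_HOME', 'https://example.com' );
$table_prefix = 'x7q2_';
/* hardening */
define( 'DISALLOW_FILE_EDIT', true );
define( 'FORCE_SSL_ADMIN', true );
"""

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_wp_config(cfg) or "OK")
```

Note that on an existing site editing $table_prefix alone is not enough: the tables themselves have to be renamed to the new prefix, along with the prefixed keys WordPress stores in the options and usermeta tables, which is why the change is normally done by a security plugin or from a backup.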
11. Add Security Questions to WordPress Login Screen
Adding a security question to your WordPress login screen makes it even harder for someone to get unauthorized access.
You can add security questions by installing the WP Security Questions plugin. Upon activation, you need to visit the Settings » Security Questions page to configure the plugin settings.
I hope this guide is useful and helps you maintain a secure WordPress installation. Should you come across any issues please leave a comment below or contact WP Helper, we offer complete security hardening and hack recovery, and all our maintenance and support plans provide advanced security monitoring and hardening.
Always make sure to keep your WordPress core, plugins, and themes up to date, as well as maintain strong password policies, to enhance the overall security of your website further. Additionally, consider other security measures like using a reputable web hosting provider and regular backups.
For more information on WordPress basic settings, maintenance routines, or hiring support services for WordPress, let us know your thoughts on custom plans, deals, and support services.