WordPress can rightly be called one of the most popular content management systems in the world, if not THE most popular one. The simplicity for users, paired with extreme flexibility (with the right themes and plugins, you can make your WordPress site pretty much anything you want), and accessibility — it all contributes to its immense popularity.
However, on the flip side, such popularity also makes WordPress vulnerable, attracting all sorts of attacks.
Let’s look into the ways to keep your WordPress site safe and secure.
How secure is WordPress, anyway?
Because WordPress is free and open-source software that anyone can download, modify and share, in theory, these things might make it vulnerable to those who want to abuse it. However, WordPress is actually more secure than you might think.
The WordPress core product has a team of dedicated developers who work on keeping the platform as secure as possible. They continuously monitor WordPress for security vulnerabilities and release patches and updates as soon as fixes are ready. So the first line of defense is there.
The rest, however, depends on the users.
As noted in the WordPress.org Support article Hardening WordPress,
“Fundamentally, security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain. What security is though is risk reduction, not risk elimination. It’s about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture reducing the odds of making yourself a target.”
With that in mind, what can you, as a user, do to harden your WordPress site?
Choose your hosting wisely
A good place to start when it comes to WordPress (or any other website, for that matter) security is choosing hosting you can trust. When looking for a hosting provider, you need to ensure that they provide up-to-date stable versions of software and thoroughly monitor for vulnerabilities and malware. Another thing to look for is whether they offer you reliable methods for backup and site recovery, and whether SFTP or SSH access is available.
For example, here at Namecheap, we take our EasyWP security very seriously, so not only do we keep our servers well-protected, but we also offer PositiveSSL certificates for free with our Turbo and Supersonic plans to ensure better protection of our clients.
Keep your WordPress installation updated
The next line of defense is on you as a user. Many WordPress sites fall victim to hackers’ attacks because they run outdated versions of WordPress and/or plugins, or have not installed the latest patches and updates. If not kept up to date, these components become increasingly vulnerable to known exploits.
To reduce the risk for your site (and also increase its stability), updating WordPress to the latest version is a must, as is making sure all the themes and plugins you installed (be it from the WordPress site or from third-party developers) are also up to date.
By default, WordPress automatically installs most minor updates via the Auto-Update function, but for major releases you need to start the update manually. This can be done via Dashboard >> Updates. Before you initiate the update, make sure to back up your site, so that it can be restored in case anything goes wrong.
Be mindful of your passwords and permissions
In the past, WordPress used to set the default username as “admin” and many website owners never bothered to change it. And although WordPress has since started to require users to select a custom username after they install WordPress, some one-click WordPress installers still set the default admin username to “admin”.
As a result, “admin” is usually the first username hackers try when they launch a “brute-force” attack against your site. So if you have the “admin” username, it’s wise to change it to something unique as soon as possible. There are 3 ways to do that:
Create a new username under “Users”, assign the “Administrator” role to it, set the “Attribute all content to” option for the new profile, and then delete the default one;
Use the Username Changer plugin to change the username;
Update the username from phpMyAdmin.
The same logic applies to passwords — including the passwords to the admin account, FTP accounts, and so on. They should be hard to guess and unique to your site. You should also change them regularly.
Another way of reducing the risk is restricting the permissions to access the site directories and disabling file editing for some of the user accounts. For example, for someone helping to edit older blog posts, you might grant temporary permissions by assigning them an appropriate user role (in this case, “Editor”) in the Users menu, and revoke them later by reducing the role (perhaps back down to “Subscriber”) once the user no longer needs that access.
Another thing you should consider is limiting login attempts and setting notifications for excessive logins.
Install security plugins
As we mentioned before, there are plenty of WordPress plugins for every purpose out there, including a vast selection of security plugins that will add another layer of protection to your site. For example, if you search the “Security” category in the Plugins directory on the official WordPress site, you will find over 4000 security-related plugins, from all-in-one solutions to specific feature sets.
Here are some useful plugins that will help you keep your site safe:
WPS Hide Login – this lightweight plugin allows you to create a custom URL for accessing WordPress instead of the default login URL. This will make it much more difficult for hackers to log in to your admin panel.
WordFence – a premium (versus free) plugin, WordFence will protect your site from brute force attacks and limit the number of failed login attempts to your admin panel.
WP DB Backup – this is a simple plugin that lets you back up your core database tables.
Anti-spam – this spam-block plugin allows you to block and remove annoying (and potentially malicious) spam messages.
Antivirus plugin – popular among WordPress users to keep their websites secure from bots, viruses, and malware.
Keep in mind that when you install a WordPress security plugin, you’re granting it access to your WordPress files, directories, and database, and you can’t limit this access. So before installing the plugin, you should check what access it will require. This information can be found in the plugin documentation.
If in doubt regarding the plugin’s reputation, you can also check the reviews as well as the active installs. If the ratings are low or there aren’t many users, keep looking. You should also check to make sure it works with the current version of WordPress and has been updated recently — avoid older plugins that may have their own security holes or conflict with the current version of WordPress.
Remember all security plugins you install should be kept updated regularly, as often as the updates to WordPress itself.
Back up your site
Even if you are absolutely positive that your WordPress site is protected from outside attacks, it’s still a good idea to back it up on a regular basis, especially whenever you add or change content. Keeping a backup handy will help you restore your site quickly in case of any errors made when editing, accidental loss of data, moving to another hosting provider — and, of course, if your site gets hacked or compromised with a virus.
When backing up your WordPress site, make sure you are backing up both your site files and database, as both are needed for your site to function properly.
To be on the safe side, it is also a good idea to keep backups on cloud storage like Dropbox, Google Drive, or similar services, so that they are at hand even if the hosting server is down or your hosting account has been compromised as well.
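A small backup script that follows the advice above (files and database together, with checksums so a tampered or truncated backup is caught before a restore), as an added example that is not part of the original article or any Namecheap tooling. It assumes a standard WordPress root containing wp-config.php, and that mysqldump, tar, gzip and sha256sum are installed; the backup directory is meant to be copied off the server afterwards.

```shell
#!/bin/sh
# Added example (not from the article): back up a WordPress site's files and
# database together, reading the DB credentials from wp-config.php.
# Assumptions: $1 is the WordPress root, $2 the backup directory;
# mysqldump, tar, gzip and sha256sum are available.

# Read a define('NAME', 'value') constant from wp-config.php.
# $1 = path to wp-config.php, $2 = constant name; prints the value (empty if absent)
wp_config_get() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Dump the database and archive the site files into $2, plus a checksum manifest.
# $1 = WordPress root, $2 = backup directory
wp_backup() {
    root=$1; out=$2; cfg="$root/wp-config.php"; stamp=$(date +%Y%m%d-%H%M%S)
    dbname=$(wp_config_get "$cfg" DB_NAME)
    dbuser=$(wp_config_get "$cfg" DB_USER)
    dbpass=$(wp_config_get "$cfg" DB_PASSWORD)
    dbhost=$(wp_config_get "$cfg" DB_HOST)
    [ -n "$dbname" ] && [ -n "$dbuser" ] || { echo "cannot read DB settings from $cfg" >&2; return 1; }
    mkdir -p "$out"
    # Database: the password is passed via MYSQL_PWD rather than -p so that it
    # does not show up in the process list while the dump runs.
    MYSQL_PWD=$dbpass mysqldump --single-transaction -h "${dbhost:-localhost}" \
        -u "$dbuser" "$dbname" | gzip > "$out/db-$stamp.sql.gz"
    # Files: the whole site root (wp-config.php, wp-content with themes,
    # plugins and uploads), as both files and database are needed to restore.
    tar -czf "$out/files-$stamp.tar.gz" -C "$root" .
    # Checksums detect a tampered or truncated backup before it is restored.
    (cd "$out" && sha256sum "db-$stamp.sql.gz" "files-$stamp.tar.gz" > "checksums-$stamp.txt")
    # The dump holds credentials and user data; keep it readable by the owner only.
    chmod 600 "$out/db-$stamp.sql.gz" "$out/files-$stamp.tar.gz"
}

# Verify a backup set before restoring it: $1 = backup directory, $2 = timestamp
wp_backup_verify() {
    (cd "$1" && sha256sum -c "checksums-$2.txt")
}

# Usage: ./wp-backup.sh /var/www/html /var/backups/wordpress
if [ "$#" -ge 2 ]; then
    wp_backup "$1" "$2"
fi
```

Copy the resulting directory to off-site storage (the cloud services mentioned above) once the script finishes, and run wp_backup_verify on a copy before trusting it for a restore.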
The popularity of WordPress is what also makes it a target for many attackers — but luckily, there are a number of things users can do to protect their WordPress sites.
Keeping the site regularly updated and backed up, with trusted security plugins running, will greatly reduce the risk of it being compromised. If you’d like more tips on keeping your WordPress site secure, we have a couple of resources that can help. Check out our recent blog on reducing plugins to keep your website secure, and you can review our Knowledgebase article that details ways you can harden your WordPress database as well as other tips.