Another sustained attack against WordPress installations worldwide has just subsided, and there has never been a better time to nail down your installation before it’s too late.
I personally hate scare-mongering, but this really is an example of a situation where it’s better to act sooner rather than later, and take these basic steps to secure your WordPress website.
Many of these quick wins to secure your website are fairly straightforward, but don’t worry if you can’t do them all — it’s better to eliminate some vulnerabilities than none at all.
Whenever making changes to a live website, I’d urge you to err on the side of caution if you’re not confident following any of these guidelines, and especially if you haven’t done this kind of thing before. A working site is better than a broken one any day!
Ten easy steps to secure your WordPress website
These steps are listed in approximate order of importance, and in an order that avoids duplicating effort (you back up first, then make changes, then put the backup on a schedule):
- Take a backup first!
- Install the WordFence security plugin
- Update WordPress
- Remove unused themes
- Remove deactivated or unused plugins
- Lock down admin privileges
- Prevent public account registration
- Enforce strong passwords
- Set up a backup schedule
- Only install plugins from trusted sources
1). Always take a backup first!
Firstly I’d say that before you go any further, you must take a fresh backup of your entire WordPress install (database and files). I’d recommend BackWPUp: it takes a full backup of both your database and files and can push those backups to a remote cloud storage solution such as Dropbox, which matters because a backup that lives only on the web server is lost along with the site if the server is compromised or fails. And best of all? It’s free.
2). Install the WordFence security plugin.
Seriously, if you only do one of the things in this list, do this. Now. Even if you leave it set with the default settings, you’ll get a firewall in front of WordPress, rate-limiting of login attempts, and scheduled scans of your files right off the bat. Look at this awe-inspiring graph to see WordFence in action, and then scroll down that page to read more about how it provides real-time security for your website. Treat it as one layer, though, not a substitute for the remaining steps: a firewall plugin cannot fix an out-of-date plugin or a weak admin password. And did I mention it’s free?
3). Update WordPress
This should be a part of your site maintenance routine. Since version 3.7, WordPress performs minor core updates (the security and maintenance releases, e.g. 3.7.x) automatically, so you shouldn’t need to worry too much about keeping WordPress itself up to date for security purposes. Major releases are not applied automatically by default, so you still need to run those yourself from ‘Dashboard’ -> ‘Updates’ (after taking a backup, see step 1).
But regardless, you will still need to regularly check for updates to any plugins you’re using, and for your theme too. Again, WordFence comes to the rescue: go to ‘WordFence’ -> ‘Options’, enter an email address under ‘Basic options’, then make sure you have ‘Alert on critical problems’ checked. WordFence will now email you whenever it detects a plugin or theme is out of date.
If you have more than one theme to update, read the next step too.
4). Remove unused themes
Remove any themes you’re not using. You only need the one that’s currently activated, unless you’re using a child theme in which case you’ll need to keep its parent theme too. Leave this step if you’re not sure — you’re always welcome to give me a shout if you need help.
5). Remove deactivated or unused plugins
Always remove any plugins you’re not using. But don’t just deactivate them: you’ll need to hit ‘delete’ to remove the plugin completely.
Deactivating a plugin only stops WordPress loading it. Its files stay on disk under wp-content/plugins/ and remain reachable by URL, so any PHP file in it that can be attacked directly can still be attacked, and that’s especially likely if you’ve fallen into the habit of not updating your deactivated plugins.
Try not to have more than between 10 and 15 plugins on your website. Generally, the fewer the better: besides creating more attack vectors for hackers to exploit, lots of plugins will also slow down your website.
6). Lock down admin privileges
Remove admin privileges from all users, other than the account you use to actually administer your website. Go to ‘Users’, and delete any user accounts you don’t recognise. If you’re not sure about an account, dial down their privileges to ‘subscriber’ — if they have a legitimate reason to enjoy elevated privileges on your site they’re sure to get in touch with you.
If your administrator account is still called ‘admin’ (as it is with many WordPress sites), create a new administrator account with a different username (that again, isn’t something completely obvious), log in as that new user, and then delete the old admin user account. When WordPress asks what to do with the old account’s content, choose to attribute it to the new account rather than deleting it. Brute-force tools try the username ‘admin’ first, so this removes the guaranteed-correct half of the login; bear in mind that the username can still be discovered in other ways (see the note on publishing below), so this step is no substitute for a strong password.
If you’ve ever done the unspeakable, and allowed somebody else to use your admin account, change the password immediately — have a look at step 8 for more guidance. People and user accounts must always have a one-to-one relationship: one person, one account.
If you want to give somebody access to your WordPress website, add a new user account for them, and give them the bare minimum privileges they need to get the job done. Never give them your login details, especially not if you run admin privileges.
For example, if somebody is writing a guest post for you, give them ‘contributor’ privileges if you want to review their work first: a contributor can write and submit a draft for you to review, but cannot publish it and cannot upload images (you’ll need to add those yourself). Give them ‘author’ only if you’re happy for them to publish their own posts and upload images to them without your approval. Neither role can change anything else on your site, and that’s all the access they need.
And if you publish blog posts on your website, create a separate ‘editor’ account for yourself. Don’t publish content using your admin account: the author link on every post reveals the author’s URL slug, which by default is the username, and requesting yoursite/?author=1 redirects to the author archive for user ID 1 (usually the first administrator). So if you publish using your admin account you’re handing the bad guys a valid admin username, which is half of what they need to break in.
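One way to close that gap in code, as an added example and not something from the original post or from the WordFence plugin: a must-use plugin (a single PHP file saved into wp-content/mu-plugins/, which WordPress loads without activation) that refuses the ?author=N requests attackers use to walk through user IDs and, on WordPress 4.7 and later, hides the REST API users listing from visitors who are not logged in. The file name, function name and messages are my own choices.

```php
<?php
/**
 * Plugin Name: Block user enumeration (added example)
 * Description: Save as wp-content/mu-plugins/block-user-enumeration.php.
 */

// Only anonymous visitors are treated as a threat; logged-in users keep normal author archives.
function example_is_anonymous_visitor() {
    return ! is_user_logged_in();
}

// ?author=1 normally redirects to /author/<login>/, leaking the login name for user ID 1.
// Priority 1 so this runs before the canonical redirect that performs that leak.
add_action( 'init', function () {
    if ( is_admin() || ! example_is_anonymous_visitor() ) {
        return;
    }
    if ( isset( $_GET['author'] ) && preg_match( '/^\d+$/', (string) $_GET['author'] ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}, 1 );

// WordPress 4.7+: /wp-json/wp/v2/users lists every author to anyone. Remove the routes for anonymous callers.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! example_is_anonymous_visitor() ) {
        return $endpoints;
    }
    foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ) as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
} );
```

To check it, request yoursite/?author=1 in a private browser window before and after: before, you are redirected to /author/<username>/; after, you get a 403 page. The author slug shown on posts you have already published is not changed by this file, which is why the separate ‘editor’ account above still matters.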
7). Prevent public account registration
Do you really want to allow anybody to register with your website? Probably not, unless you run an ecommerce store, forum or similar. Best to double-check: go to ‘Settings’->’General’, and make sure ‘Anyone can register’ is un-ticked.
If you do allow visitors to register with your site (for example, because you require registration before commenting in order to cut back on spam), at the very least make sure that ‘New user default role’ is set to ‘subscriber’ under ‘Settings’ -> ‘General’, so a self-registered account can do nothing beyond managing its own profile.
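Steps 4 to 7 are all things you can verify from the dashboard by hand, but it is easy to miss one. As an added example, not part of the original post or of any plugin it mentions, here is a must-use plugin that runs those checks on every admin page load and shows a warning notice listing anything still outstanding: unused themes, deactivated plugins, extra administrator accounts, an account still called ‘admin’, open registration, and a default role other than subscriber. The file name and function names are my own.

```php
<?php
/**
 * Plugin Name: Lock-down audit notice (added example)
 * Description: Save as wp-content/mu-plugins/lockdown-audit.php; shows a dashboard notice.
 */
add_action( 'admin_notices', 'example_lockdown_audit_notice' );

// Returns a list of human-readable findings; an empty array means all checks passed.
function example_lockdown_audit_findings() {
    require_once ABSPATH . 'wp-admin/includes/plugin.php'; // get_plugins(), is_plugin_active()
    $findings = array();

    // Step 4: keep the active theme, plus its parent if it is a child theme, and nothing else.
    $theme  = wp_get_theme();
    $keep   = array_unique( array( $theme->get_stylesheet(), $theme->get_template() ) );
    $unused = array_diff( array_keys( wp_get_themes() ), $keep );
    if ( $unused ) {
        $findings[] = 'Unused themes to delete: ' . implode( ', ', $unused );
    }

    // Step 5: a deactivated plugin is still code on disk; list everything installed but not active.
    $inactive = array();
    foreach ( array_keys( get_plugins() ) as $plugin_file ) {
        if ( ! is_plugin_active( $plugin_file ) ) {
            $inactive[] = $plugin_file;
        }
    }
    if ( $inactive ) {
        $findings[] = 'Deactivated plugins to delete: ' . implode( ', ', $inactive );
    }

    // Step 6: every administrator account is a target; flag extras and the default "admin" login.
    $admins = get_users( array( 'role' => 'administrator', 'fields' => array( 'user_login' ) ) );
    $logins = wp_list_pluck( $admins, 'user_login' );
    if ( count( $logins ) > 1 ) {
        $findings[] = count( $logins ) . ' administrator accounts: ' . implode( ', ', $logins );
    }
    if ( in_array( 'admin', $logins, true ) ) {
        $findings[] = 'The default "admin" account still exists.';
    }

    // Step 7: registration should be off, and any registration that does happen should give subscriber.
    if ( get_option( 'users_can_register' ) ) {
        $findings[] = '"Anyone can register" is enabled (Settings -> General).';
    }
    if ( 'subscriber' !== get_option( 'default_role' ) ) {
        $findings[] = 'New user default role is "' . get_option( 'default_role' ) . '", not subscriber.';
    }

    return $findings;
}

// Print the findings as a standard warning notice, for administrators only.
function example_lockdown_audit_notice() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $findings = example_lockdown_audit_findings();
    if ( ! $findings ) {
        return;
    }
    echo '<div class="notice notice-warning"><p><strong>Lock-down audit:</strong></p><ul>';
    foreach ( $findings as $finding ) {
        echo '<li>' . esc_html( $finding ) . '</li>';
    }
    echo '</ul></div>';
}
```

The notice disappears once every finding is cleared. On a multisite network the registration setting is controlled at network level, so the step 7 checks are only meaningful on a single site.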
8). Enforce strong passwords
When you are creating a new password for a user, WordPress does give you feedback on how strong it thinks the password is, but it stops just shy of forcing users to actually use strong passwords. You have to do this manually, which does seem a little silly.
So as the administrator of your site, change all user passwords to something you know is strong, or email your users and ask them to do the same.
Use a password generator such as the one built into LastPass (or any other password manager) to create those passwords; the longer the better, and never reuse a password from another site.
And now, going forward, if you’ve installed WordFence, go to ‘WordFence’ -> ‘Options’, then make sure ‘Force admins and publishers to use strong passwords’ is selected, about mid-way down the page.
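If you would rather not depend on a plugin setting for steps 7 and 8, the same policy can be pinned in code. As an added example, not code from the original post or from WordFence, this must-use plugin forces the registration options regardless of what is saved in the database, and rejects short or obviously weak passwords on the profile screen, the add-user screen and the lost-password reset form using WordPress’s own validation hooks. The minimum length, the file name and the function names are my own choices.

```php
<?php
/**
 * Plugin Name: Registration and password policy (added example)
 * Description: Save as wp-content/mu-plugins/password-policy.php.
 */

// Step 7, pinned in code: the stored options are overridden, so a later click in the UI
// cannot re-open registration or hand out a privileged default role.
add_filter( 'option_users_can_register', '__return_zero' );
add_filter( 'option_default_role', function () {
    return 'subscriber';
} );

// Step 8: the minimum length accepted (my choice; length matters more than character classes).
const EXAMPLE_MIN_PASSWORD_LENGTH = 14;

/**
 * Add an error to $errors if $password is unacceptable.
 * $login is the account's user_login, or '' when it is not known.
 */
function example_validate_password( WP_Error $errors, $password, $login = '' ) {
    if ( '' === $password ) {
        return; // Profile saved without a password change: nothing to check.
    }
    if ( mb_strlen( $password ) < EXAMPLE_MIN_PASSWORD_LENGTH ) {
        $errors->add(
            'password_too_short',
            sprintf( 'Passwords must be at least %d characters long.', EXAMPLE_MIN_PASSWORD_LENGTH )
        );
    }
    if ( '' !== $login && false !== stripos( $password, $login ) ) {
        $errors->add( 'password_contains_login', 'The password must not contain the username.' );
    }
    if ( preg_match( '/^(.)\1+$/', $password ) ) {
        $errors->add( 'password_repeated', 'The password is a single repeated character.' );
    }
}

// The password field name used by core on the profile, new-user and reset forms.
function example_posted_password() {
    return isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
}

// Users -> Your Profile and Users -> Add New. $user carries user_login for both new and existing users.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    $login = isset( $user->user_login ) ? (string) wp_unslash( $user->user_login ) : '';
    example_validate_password( $errors, example_posted_password(), $login );
}, 10, 3 );

// wp-login.php?action=resetpass, the "lost your password" flow. $user is a WP_User on success.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    $login = ( $user instanceof WP_User ) ? $user->user_login : '';
    example_validate_password( $errors, example_posted_password(), $login );
}, 10, 2 );
```

These checks run on the server, so they hold even when someone ticks WordPress’s ‘confirm use of weak password’ box on the profile screen; the JavaScript strength meter is only advisory. Existing passwords are not affected, which is why the previous paragraph’s round of forced changes still has to happen first.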
9). Set up a backup schedule
Okay, so this isn’t technically going to make your website any more secure, but now you’ve got the basics in place, make sure you set up a regular backup schedule. If the worst comes to the worst, and some scruffy little hacker urchin gets inside your site, a clean backup from before the break-in is the fastest way to get it back, and you’ll be glad you set up a regular backup schedule.
Whatever you do, don’t just take one backup and be done with it. Set up a schedule that takes account of how often you add content to your site, but I’d suggest setting weekly backups as a minimum regardless. Keep a sensible number of backups in your archive (the last 12 weeks if you can), store them somewhere other than the web server, and restore one to a test site at least once so you know the backups actually work.
You should’ve already installed BackWPUp by this point of course…
10). Only install plugins from trusted sources
Going forward, make sure you only install plugins from trusted sources. As a rule, I only install plugins from within the WordPress plugin dashboard. I know these plugins will come from the trusted WordPress.org plugin repository — although that doesn’t necessarily mean they are any good! Read more about how to choose the best plugins for WordPress.
Another wonderful feature of WordFence is that as well as notifying you when something is out of date, it also scans your WordPress core, plugins, and themes for malware and unauthorised modifications (by comparing your files against the official copies in the WordPress.org repository) and emails you if it spots a problem. At that point it’ll show you what’s changed and let you restore the original version of the file.
Security in layers
These 10 security tips are a great start for beginners, but if you’re already comfortable with these recommendations, stay tuned! We’ll shortly be posting a set of intermediate security measures you can implement to tighten up your WordPress security even more.
If you’re having trouble with anything in this tutorial, are afraid your site may have been hacked, or would just like somebody to analyse your website for security and performance, why not get in touch and we’ll be delighted to help.