
Tips to Secure Your WordPress Website

WordPress Security Tips to Help Keep Your Website Safe

When you find out your site has been hacked, it is common to wonder if there was anything that could have been done to prevent it. Yes, yes there is.

When it comes to hacking, not having the basics in place means it is not a matter of if — it is a matter of when your site will be compromised. I'm not saying this to be overly dramatic; it's just the reality when you do not keep your site current.

The fact is there are solid reasons why sites are targeted and then hacked. The primary reason is not keeping your web hosting server, WordPress, theme and plugins updated. It makes sense to remove that target off your website's “back” when you have the power to do so.

Small WordPress Sites are Just as Vulnerable

You may be asking, why would hackers be interested in your little old site? You don't have to be a big, famous brand name to be hacked. Your “website” is on a web server (a computer) running software that can be manipulated, and your resources can then be used for nefarious activities.

Actually, the little guys (and gals) are more of a target, because many times it is the little guys that do not have the necessary blocks in place to prevent exploitation. They also tend to be the websites that are not kept up to date, leaving old code and back doors open to be manipulated at will.

For example, a site I recently helped was a little non-profit with a very local market. They even had a security plugin in place (this is where a good host comes into play). And still foreign troublemakers caused them a lot of problems.

I'm going to share with you some basics that you need to consider for your WordPress website. It is not your hosting server alone, but WordPress, themes and plugins that can have security vulnerabilities.

WordPress, Database and Files

Malware (aff), short for malicious software, is the code an attacker plants on or runs against your WordPress website to gain and keep unauthorized access. That is why you'll often hear that a site that has been compromised “has malware.”

This is where your web hosting provider can make a difference in whether server-side intrusions are blocked. You can do your part by having a crazy strong password for both your hosting account login and any FTP (File Transfer Protocol) accounts that are in place. FTP is how you access the place where your WordPress core files are stored.

One of the primary ways that hackers gain access to your website is via file inclusion exploits. This is where vulnerable code is used to load remotely located files. The most common target is the wp-config.php file — the heart of your WordPress installation.

Next comes SQL injection. Your WordPress website runs on an SQL database. When a hacker gains access to your database, they gain access to all your data too. They can then manipulate that data and add links to malicious websites.

Cross-site Scripting via Plugins

This is usually accomplished via plugins. Code is modified to direct users to other web pages that include insecure scripts — many times JavaScript.

Because of this, I recommend my clients only use plugins that are maintained and kept up to date with WordPress and known threats. Only use plugins that are tested up to the most recent version of WordPress. This is where Premium plugins (aff) tend to take it up a notch security-wise.

Security Tips to Put to Work Right Now

Delete the Default “admin” Account

When WordPress is installed, a default administrative user account with the username “admin” is created. The Administrator role has access to everything on your site and is the most powerful role.

Since that is the default user setup on new WordPress installs, hackers look for that account to exploit. So we need to delete that account immediately.

Go to Users > All Users

If the default admin account is the only user listed, set up a new user account for yourself with the role set to Administrator. It is also a good idea not to have your nickname and username be one and the same.

Use the WordPress password tool to create a difficult password for this very important new account. Then log out, log back in with the new account credentials, and delete that default admin account.

Use Strong Passwords

Use passwords that are at least 8 characters in length and are a combination of capital and lower-case letters, numbers and special characters. You want to make it as difficult as possible to guess.

Use the password tool on your WordPress user page to get a password that will be difficult for anyone to determine. The best passwords don't spell anything out and are challenging, even for you, to remember. This goes for your WordPress database password too!

I hear you — how the heck do I remember all these passwords? And it is a real PIA to have to type them in. Well, there's an app for that! Check out LastPass. I use the premium version of LastPass and it does all the heavy lifting for me.

Keep WordPress, Themes and Plugins Updated

All updates include security hardening for bugs and newly discovered issues that need to be addressed. This means updating your theme and plugins whenever an update is provided, to ensure you have the latest, most secure versions.

However, and this is important, before just “updating” there are considerations and backups that need to be taken care of first. Updates can go wrong, plugins can have bugs not yet discovered, and your site can break. Consequently, if you are uncomfortable with this process, check out my White Glove Support Plans.

Techie Issues

There are several “techie” things that also need to be covered such as server, folder and file permissions. Permissions are what allow access, or not, to your files and folders on your website hosting server. Usually these are set correctly from the get-go by your hosting provider.

While this access can be controlled via your .htaccess file — which gets a bit techie for many — there are plugins that can do some of this for you. That's why you don't mess with these files unless you really understand the ramifications. Generally, however, we only need to check this file if we've been hacked, to eliminate it as a cause.
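Here is an added example, not from this post, of the permission check a practitioner would run on a WordPress tree: it walks the install, reports anything world-writable, and (unless run as a dry run) sets the conventional hardening values of 755 for directories, 644 for files and 600 for wp-config.php. Those values are an assumption; confirm them with your host, since some hosts run PHP as a different user and need different settings.

```python
import os
import stat

# Conventional WordPress hardening values (an assumption; confirm with your host).
DIR_MODE = 0o755
FILE_MODE = 0o644
SENSITIVE = {"wp-config.php": 0o600}  # holds database credentials and salts


def harden_permissions(root, dry_run=False):
    """Walk a WordPress install and return (relative path, old mode, new mode)
    for every entry whose mode differs from the target. Changes are applied
    unless dry_run is set, so you can review the list before touching anything."""
    changes = []
    for dirpath, dirnames, filenames in os.walk(root):
        targets = [(os.path.join(dirpath, d), DIR_MODE) for d in dirnames]
        for name in filenames:
            targets.append((os.path.join(dirpath, name), SENSITIVE.get(name, FILE_MODE)))
        for path, wanted in targets:
            if os.path.islink(path):
                continue  # never chmod through a symlink; the target may be outside the site
            current = stat.S_IMODE(os.lstat(path).st_mode)
            if current != wanted:
                changes.append((os.path.relpath(path, root), current, wanted))
                if not dry_run:
                    os.chmod(path, wanted)
    return changes


def world_writable(root):
    """Return relative paths of anything still world-writable: the finding that
    most often lets an intruder drop their own files next to legitimate ones."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path) and os.lstat(path).st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)
```

Run `harden_permissions(path, dry_run=True)` first and read the list; a long list of unexpected world-writable files is itself a sign worth investigating before you fix it.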

Security Plugins

Security plugins can check your WordPress installation for security vulnerabilities and suggest corrective actions. Things like:

  • Passwords
  • Hiding Your File Editor
  • 2FA (Two Factor Authentication)
  • File Permissions
  • Database Security
  • Version Hiding
  • WordPress admin protection/security

But they aren't the be-all and end-all. I've seen sites with a security plugin exploited anyway. I use WordFence as a monitoring tool to help keep my sites secured and keep tabs on any activity that could be of concern.

Using a CDN (Content Delivery Network)

I am a big fan of using Cloudflare to add an additional layer of security and enhance performance for all of my sites. Basically Cloudflare is a network of data centers that sits between your web server and the rest of the internet.

This accomplishes two things: Cloudflare can serve cached static web content to the visitor to enhance performance, and it screens visitors to make certain they are legit and not traffic coming from an attack, malicious bots, or other bad things.

Cloudflare filters out most of the spam attacks at the name-server level, so such requests don't even hit your server. It also protects your website from DDoS attacks, SQL injections and comment spam.

The free account is good for most sites. However, you have the option to upgrade for additional features and hardening.

2FA = Two Factor Authentication

Due to the recent increase in hacking and identity theft activity I've seen, and experienced, I've advised all my clients to lock down their WordPress dashboards with 2FA. Two factor authentication adds an additional step of verification to log in to your WordPress website dashboard.

To set up 2FA, all you need to do is download the Google Authenticator app to your phone. Once that is in place, use your phone's camera to scan the QR code provided just for your account within the WordFence dashboard (set up in WordFence > Login Security).

Then, when you log in, you open the app on your phone, enter the new code displayed in the app into the provided field, and you are good to go. Another layer of security to prevent access to your WordPress dashboard.
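The code the app displays is a time-based one-time password (TOTP, RFC 6238), which is what Google Authenticator computes from the secret carried in that QR code. As an added example that is not from this post or from WordFence, here is the verification side in Python: it accepts one 30-second step of clock drift either way, compares in constant time, and refuses a code whose step was already consumed (the replay case). The secret and timestamps below are the RFC 6238 test vector, not a real account.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test secret (ASCII "12345678901234567890" in base32); constructed, not a real key.
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, timestamp, step=30, digits=6):
    """RFC 6238 code for a Unix timestamp. Google Authenticator's defaults are
    HMAC-SHA1, 30-second steps and 6 digits; the secret is the base32 string
    encoded in the enrollment QR code (spaces and lower case are tolerated)."""
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = timestamp // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32, submitted, timestamp, last_counter=-1,
                window=1, step=30, digits=6):
    """Return the time-step counter the code matched, or None if rejected.
    last_counter is the counter of the last accepted code for this user; a
    code from that step or earlier is refused so a captured code cannot be
    replayed inside the drift window."""
    if len(submitted) != digits or not submitted.isdigit():
        return None
    now = timestamp // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue  # already used (or older): replay attempt, not drift
        expected = totp(secret_b32, counter * step, step, digits)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return counter
    return None
```

Store the returned counter with the user record and pass it back as last_counter on the next login; that single integer is what turns a "something you have" code into one that is truly single-use.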

Security Needs to be Taken Seriously

[Image: Google site hack notice]

Every day I work on WordPress websites that require updating. I know the site owner doesn't think much about it being a time-sensitive priority. Most times they are just afraid to tackle the process themselves.

Then, one day, they discover that their site is not accessible, redirecting to porn or illegal sites or simply not responding.

Worse yet, they then discover Google is warning searchers that their site has malware or may have been hacked. Imagine finding this out from a potential or established customer!

[Image: Google hacked message]

Boy will that ding your brand! You'll then have to get your site cleaned, secured and have to go through the process to ask Google for a review to get the hack notice removed from search engine results. This is what is referred to as baptism by fire.

Security is NOT Set and Forget

Even with the best security plugins, you still need to monitor your site regularly for any unforeseen occurrences or file changes indicating trouble is afoot. This allows you to tweak settings or address any concerns that become apparent based on actual site activity.

You want to have the processes and procedures discussed in place to do your best to secure your website. Believe me, the time (and $$) it takes to remedy and recover is something you do not want to have to deal with. [FOR MORE READ: Hardening WordPress on WordPress.org]

As a site owner the onus is on you to protect your investment from those with too much time on their hands or who may have diabolical motives. Review these issues carefully and make sure your WordPress site is as secure as it can be. Now.

At your service,
WordPress Consultant Judith