Home » The Blog » WordPress » Tips to Secure Your WordPress Website

Tips to Secure Your WordPress Website

WordPress Security Tips to Help Keep Your Website Safe

When you find out your site has been hacked, it is common to wonder if there was anything that you could have done to prevent it. Yes, yes, there is.

When it comes to hacking, not having the basics in place means it is not a matter of if — it is a matter of when your site will be compromised. I'm not saying this to be overly dramatic. It's just the reality when you do not keep your site current.

The fact is there are solid reasons why sites are targeted and then hacked. The primary reason is not keeping your web hosting server, WordPress, theme, and plugins updated. So it makes sense to remove that target off your website's “back” when you have the power to do so.

Small WordPress Sites are Just as Vulnerable

You may be asking, why would hackers be interested in your little old site? You don't have to be a big famous brand name to be hacked. Your “website” is on a web server (computer) with software that hackers can manipulate while your resources are used for nefarious activities.

The little guys (and gals) are more of a target because many times, the little guys do not have the necessary blocks to prevent exploitation. They also tend to be the websites that are not kept up to date, leaving old code and back doors open to be manipulated at will.

For example, a site I recently helped was a little non-profit with a very local market. The site owner even had a security plugin in place (this is where a quality host comes into play). And still, foreign troublemakers caused them a lot of problems.

I'm going to share with you some basics that you need to consider for your WordPress website. It is not your hosting server alone, but WordPress, themes, and plugins that can have security vulnerabilities.

WordPress, Database and Files

Short for malicious software, Malware * is the code used to gain unauthorized access to your WordPress website. You'll often hear that sites that are compromised, therefore, have malware.

This is where your web hosting provider can make a difference in whether server-side intrusions are blocked. You can do your part by having a crazy strong password for both your hosting account login and any FTP (File Transfer Protocol) accounts that are in place. FTP is how you can access where your WordPress core files are stored.

One of the primary ways that hackers gain access to your website is via file inclusion exploits. Vulnerable code is then used to load remotely located files. The most common target is the wp-config.php file — the heart of your WordPress installation.

Next comes the SQL injection. Your WordPress website runs via an SQL database. When a hacker gains access to your database, they gain access to all your data too. They can then manipulate that data and add links to malicious websites.

Cross-site Scripting via Plugins

Cross-site scripting is accomplished via plugins. Code is modified to direct users to other web pages that include insecure scripts — many times JavaScript.

Because of this, I recommend my clients only use plugins that are maintained and kept up to date with WordPress and known threats. Additionally, only use plugins that are tested up to the most recent version of WordPress. Premium plugins * tend to take it up a notch security-wise.

Security Tips to Put to Work Right Now

Delete the Default “admin” Account

When WordPress is installed, a default administrative user account with the username “admin” is created. Administrative account permissions have access to everything on your site and are the most powerful role.

Since that is the default user setup on new WordPress installs, hackers look for that account to exploit. So we need to delete that account immediately.

Go to Users > All Users

If the default admin account is the only user noted. Set up a new user account, with the role set as Administrator for yourself. It is also a good idea not to have your nickname and username be the same.

Use the WordPress password tool to create a complex password for this critical new account. Then, log out and re-login with the new account credentials and delete that default admin account.

Use Strong Passwords

Use passwords at least eight characters in length and are a combo of capital and lower case numbers, letters, and symbols. You want to make it as difficult as possible to be guessed.

Use the password tool on your WordPress user page to get a password that will be difficult for any to determine. The best passwords don't spell anything out and are challenging, even for you, to remember. Of course, this goes for your WordPress database password too.

I hear you — how the heck do I remember all these passwords? And it is a real PIA to have to type them in. Well, there's an app for that! Check out LastPass. I use the premium version of LastPass, and it does all the heavy lifting for me.

Keep WordPress, Themes and Plugins Updated

All updates include security hardening due to bugs and newly discovered issues that need to be addressed. Update your theme and plugins to ensure you have the latest, most secure versions when they provide an update.

However, and this is important before just “updating,” there are considerations to go over, and backups need to be accomplished first. In addition, updates can go wrong, plugins can have bugs yet discovered, and your site can break. Consequently, if you are uncomfortable with this process, check out my White Glove Support Plans.

Techie Issues

Several “techie” things must be covered, such as server, folder, and file permissions. Permissions are what allow access, or not, to your files and folders on your website hosting server. Usually, these are set correctly from the get-go by your hosting provider.

Your .htaccess file can control access — which gets a bit techie for many. Some plugins can do some of this for you. That's why you don't mess with these files unless you understand the ramifications. Generally, however, we only need to check this file if we've been hacked to eliminate that as a catalyst.

Security Plugins

Security plugins can check your WordPress installation for security vulnerabilities and suggest corrective actions. Things like:

  • Passwords
  • Hiding Your File Editor
  • 2FA (Two Factor Authentication)
  • File Permissions
  • Database Security
  • Version Hiding
  • WordPress admin protection/security

But they aren't the end all be all. For example, I've seen sites with a security plugin exploited anyway. So I use WordFence as a monitoring tool to help keep my sites secured and keep tabs on the activity that could be of concern.

Using a CDN (Content Delivery Network)

I am a big fan of using Cloudflare to add an additional layer of security and enhance performance for all of my sites. Cloudflare is a network of data centers that sits between your web server and the rest of the internet.

Two things are accomplished: CloudFlare can serve cached static web content to the visitor to enhance performance and screen visitors to make sure they are legit and not traffic coming from an attack, malicious bots, or other bad things.

Cloudflare filters out most of the spam attacks at the name-server level, and such requests don't even hit your server. It also protects your website from DDOS attacks, SQL injections, and comment spam.

The free account is suitable for most sites. However, you have the option to upgrade for additional features and hardening.

2FA = Two Factor Authentication

Due to the recent increase in hacking and identify theft activity I've seen, and experienced, I've advised all my clients to lock down their WordPress dashboards with 2FA. Two-factor authentication adds an additional step of verification to login to your WordPress website dashboard.

To set up 2FA, all you need to do is download the Google Authenticator App to your phone. Once that is in place, use your phone's camera to scan the provided QR just for your account within the WordFence dashboard ( Setup in WordFence > Login Security).

Then, when you login, you open up the app on your phone, input the new code that is displayed in the app into the provided field, and you are good to go. Another layer of security is to prevent access to your WordPress dashboard.

Security Needs to be Taken Seriously

Google Site Hack Notice

Every day I work on WordPress websites that require updating. I know the site owner doesn't think much about it being a time-sensitive priority. Most times, they are just afraid to tackle the process themselves.

Then, one day, they discover that their site is not accessible, redirecting to porn or illegal sites or simply not responding.

Worse yet, they then discover Google is warning searchers that their site has malware or may have been hacked. Imagine finding this out from a potential or established customer?

Google Hacked Message

Boy, will that ding your brand! You'll then have to get your site cleaned, secured and have to go through the process to ask Google for a review to get the hack notice removed from search engine results. Have you heard of baptism by fire?

Security is NOT Set and Forget

Even with the best security plugins, you still need to monitor your site regularly for any unforeseen occurrences or file changes indicating trouble is afoot. You can then tweak settings or address any concerns that become apparent based on actual site activity.

You want to have the processes and procedures discussed in place to do your best to secure your website. The time (and $$) it takes to remedy and recover is something you do not want to have to deal with. [FOR MORE READ: Hardening WordPress on WordPress.org]

As a site owner, the onus is on you to protect your investment from those with too much time on their hands or who may have sinister motives. Review these issues carefully and make sure your WordPress site is as secure as it can be. Now.

At your service,
WordPress Consultant Judith