Even though most of the latest WordPress updates deal with security issues, there is still a lot that can be done to improve that security, even by the less tech-savvy among us. In this article, we cover a number of suggestions for improving the security of your own WordPress website.
WordPress itself also has a list on WordPress security you might want to read. Of course, some of the things in that list will be repeated in the article below.
1. Don’t use admin as a username
Think about this. This is perhaps the easiest baseline step for WordPress security you can take: it costs you nothing, and the install makes it really easy to do. A majority of today’s attacks target your wp-admin / wp-login access points with the username admin and some password, in what is known as a Brute Force attack. Common sense would dictate that if you remove admin, you take that attack’s easiest guess away.
Yes, the argument exists that the attacker can still enumerate user IDs and names, and can in some instances pull the new username: WordPress author archives (/?author=1 redirects to /author/username/) and the REST API users endpoint (/wp-json/wp/v2/users) both reveal the login names of users who have published content. There is no denying this. Remember though, as our friends at Sucuri like to say, security is not about risk elimination, it’s about risk reduction.
For the everyday, automated Brute Force attack, removing the default admin or administrator username already helps a lot: you’re at least making it a bit harder for the attacker to guess the username. For the sake of clarity, when we say admin we are speaking specifically of the username, not the Administrator role.
Simply create a new user in WordPress at Users > Add New and give that user the Administrator role. Log in as the new user, then delete the admin user. Don’t worry about the posts or pages the admin user has already created: WordPress will ask you “What should be done with content owned by this user?” and give you the option to delete all content or attribute it to another user, such as the one you have just created.
2. Use a less common password
An easy thing to remember is CLU: Complex. Long. Unique.
This is where tools like 1Password and LastPass come into play, as they each have password generators. You pick a length, it generates the password, you save the link and the password, and you move on with your day. Depending on how secure I want the password to be, I set the length (20 characters is a good default) and decide on things like the inclusion of less usual characters such as # or *.
‘123456’ isn’t a password. ‘qwerty’ is like writing your security code on your bank card. ‘letmein’; seriously? Shame on you. Even ‘starwars’ made the 2015 list of 25 most used passwords. Remember, you’re never as unique as you think you are…
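As an added example (not code from the original article), here is what the CLU rule looks like when written down: a checker that flags passwords which are not Complex, Long or Unique, and a generator that draws from the operating system’s CSPRNG the way a password manager does. The common-password list is a constructed shortlist of the examples named above; the character set and the 20-character minimum are assumptions matching the text.

```python
import math
import secrets
import string

# Letters, digits and a handful of the "less usual" characters the text mentions.
ALPHABET = string.ascii_letters + string.digits + "#*!$%&?@-_"

# Constructed shortlist of the passwords named in the article. In practice use a
# breach corpus (for example the Have I Been Pwned Pwned Passwords list) instead.
COMMON_PASSWORDS = {"123456", "qwerty", "letmein", "starwars", "password"}


def check_clu(password, min_length=20):
    """Return the CLU rules the password breaks; an empty list means it passes."""
    failures = []
    if password.lower() in COMMON_PASSWORDS:
        failures.append("unique: it is on the common-password list")
    if len(password) < min_length:
        failures.append(f"long: shorter than {min_length} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        failures.append("complex: fewer than three character classes")
    return failures


def entropy_bits(length, alphabet_size):
    """Guessing entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def generate_password(length=20, alphabet=ALPHABET):
    """Draw a password with the OS CSPRNG (never random.choice) and retry until
    it satisfies the complexity rule, as password managers do. The alphabet
    must contain at least three character classes or this never returns."""
    if length < 8:
        raise ValueError("length must be at least 8")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_clu(candidate, min_length=length):
            return candidate


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"{entropy_bits(20, len(ALPHABET)):.0f} bits of entropy")
    for weak in ("123456", "qwerty", "letmein", "starwars"):
        print(weak, "->", check_clu(weak))
```

A 20-character password over this 72-symbol alphabet carries roughly 123 bits of guessing entropy, which is far beyond what any online brute-force attack against wp-login.php can cover; the point of the checker is the "unique" rule, because a password that appears in a breach list is tried first no matter how long it is.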
3. Add Two-Factor Authentication
Even if you’re not using ‘admin’ and are using a strong, randomly generated password, Brute Force attacks can still be a problem. To address this, things like Two-Factor Authentication are key to helping to reduce the risk of such attacks.
Yes, two-factor authentication is a hassle. But for now, it’s your Fort Knox. The essence of two-factor authentication for WordPress security is exactly what the name implies: two forms of authentication, something you know (the password) plus something you have (a code from your phone). It’s the recognized standard today for enhanced security at your access points. You are already using two-factor authentication for Gmail, PayPal and the like (at least you should be), so why not add it to your WordPress security toolkit as well? Ipstenu (Mika Epstein) did an article on the subject you might want to read: Two Factor Authentication.
There is a plugin for that: Google Authenticator. An alternative that takes a slightly different approach for the same purpose is the Rublon Plugin.
4. Employ Least Privileged principles
The WordPress.org team put together a great article in the WordPress Codex regarding Roles and Capabilities. We encourage you to read it and become familiar with it because it applies to this step.
The concept of Least Privileged is simple, give permissions to:
- those that need it,
- when they need it and
- only for the time they need it.
If someone requires administrator access momentarily for a configuration change, grant it, but then remove it upon completion of the task. The good news is you don’t have to do much here, other than employ best practices.
Contrary to popular belief, not every user accessing your WordPress instance needs to be categorized under the administrator role. Assign people to the appropriate roles and you’ll greatly reduce your security risk.
5. Hide wp-config.php and .htaccess
NDESIGN recommends and installs a wonderful plugin on the sites we build: Yoast SEO for WordPress. Using that plugin, performing this step is not hard to do. Simply navigate to Yoast SEO for WordPress > Tools > File Editor and edit your .htaccess file. Note that .htaccess files are only read by Apache; on nginx the equivalent deny rules have to go into the server configuration instead.
For better WordPress security, add this to your .htaccess file to protect wp-config.php:
<Files wp-config.php>
    # Apache 2.4 syntax
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 syntax (also accepted by 2.4 when mod_access_compat is loaded)
    <IfModule !mod_authz_core.c>
        order allow,deny
        deny from all
    </IfModule>
</Files>
That will prevent the file from being served over the web; PHP can still read it from disk, which is all WordPress needs. Similar code can be used for your .htaccess file itself, by the way, although Apache’s default configuration already refuses to serve any file whose name starts with .ht, so this is belt and braces:
<Files .htaccess>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        order allow,deny
        deny from all
    </IfModule>
</Files>
An even stronger option for wp-config.php is to move it one directory above your web root: WordPress also looks for it there, and a file outside the document root cannot be served by the web server at all.
You can do it. It’s no rocket science.
6. Use WordPress security keys for authentication
The authentication keys and salts in wp-config.php are long random secrets that WordPress mixes into the hashes it computes for login cookies and nonces. They do not encrypt traffic between the browser and the web server (that is what HTTPS is for); what they do is make sure that someone who has stolen your database, or who knows the cookie format, still cannot forge a valid login cookie without also knowing the secrets. If your wp-config.php still contains the placeholder ‘put your unique phrase here’ values, or if you suspect the keys have leaked, replace them with a fresh set from the WordPress.org secret-key service and paste the define lines into wp-config.php. The keys change on every refresh of that page, so you’ll always get a fresh set. Be aware that changing them invalidates every existing login cookie, so all users, including you, will have to log in again.
Syed Balkhi at WPBeginner did an article on WP security keys, in case you want some more background information. The Sucuri plugin can help you with these keys as well.
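As an added example (not code from the article, and not WordPress’s own implementation), the block below generates the eight secrets in the same shape the WordPress.org service emits, and then shows why rotating them logs everyone out: a login cookie signed under the old AUTH_KEY no longer verifies under the new one. The cookie signing is a simplified HMAC illustration; the real WordPress scheme additionally folds in a fragment of the user’s password hash and the matching *_SALT value, so treat sign_cookie and cookie_is_valid as hypothetical helpers, not the WordPress API.

```python
import hashlib
import hmac
import secrets
import string

# The eight constants WordPress expects in wp-config.php.
KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable ASCII minus quotes, backslash and whitespace, so each value can be
# dropped into a single-quoted PHP string without escaping.
SALT_CHARS = "".join(
    c for c in string.printable if c not in "'\"\\" + string.whitespace
)


def generate_salts(length=64):
    """Return a fresh {name: secret} mapping drawn from the OS CSPRNG."""
    return {
        name: "".join(secrets.choice(SALT_CHARS) for _ in range(length))
        for name in KEY_NAMES
    }


def render_wp_config_block(salts):
    """Render the define() lines in the form you paste into wp-config.php."""
    return "\n".join(f"define('{name}', '{value}');" for name, value in salts.items())


def sign_cookie(username, expiration, key):
    """Simplified illustration (hypothetical, not WordPress's algorithm): an HMAC
    over the cookie payload keyed with AUTH_KEY."""
    payload = f"{username}|{expiration}".encode()
    return hmac.new(key.encode(), payload, hashlib.sha256).hexdigest()


def cookie_is_valid(username, expiration, mac, key):
    """Constant-time check of a presented cookie MAC against the current key."""
    return hmac.compare_digest(sign_cookie(username, expiration, key), mac)


if __name__ == "__main__":
    old = generate_salts()
    print(render_wp_config_block(old))
    mac = sign_cookie("editor", 1700000000, old["AUTH_KEY"])
    print("valid with old keys:", cookie_is_valid("editor", 1700000000, mac, old["AUTH_KEY"]))
    new = generate_salts()  # rotating the keys...
    print("valid after rotation:", cookie_is_valid("editor", 1700000000, mac, new["AUTH_KEY"]))
```

Run it and paste the printed define lines over the existing ones in wp-config.php; the second print shows False, which is exactly the forced re-login the paragraph above describes.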
7. Disable file editing
If a hacker gets into your dashboard, the easiest way to change your files is Appearance > Editor (and Plugins > Editor) in WordPress, which lets anyone with an administrator session write PHP into your theme and plugin files. To lift your WordPress security, disable that built-in editor. Again, open wp-config.php and add this line of code:
define('DISALLOW_FILE_EDIT', true);
You’ll still be able to edit your templates over SFTP or SSH, you just won’t be able to do it from inside WordPress itself. A related constant, DISALLOW_FILE_MODS, goes one step further and also blocks installing and updating plugins and themes from the dashboard; only use it if you apply updates in some other way, otherwise it will work against tip 10 below.
8. Limit login attempts
Attacks like Brute Force target your login form, which lives at /wp-login.php (the /wp-admin/ URL simply redirects there when you are not logged in). Specifically for WordPress security, the All in One WP Security & Firewall plugin has an option to rename that login URL, which shakes off the bots that only know the default path.
Next to that, you should also limit the number of login attempts from a single IP address. There are several WordPress plugins that protect your login form by locking out IP addresses that fire a multitude of login attempts your way. We haven’t tested them all, but feel free to let us know your experiences.
9. Be selective with XML-RPC
XML-RPC is an application programming interface (API) that has been around for a while; on a WordPress site it is served by xmlrpc.php. It’s used by a number of plugins, apps and services, so we caution the less technical to be mindful of how they implement this specific hardening tip.
While functional, disabling XML-RPC comes at a cost, which is why we don’t recommend disabling it for everything, but being more selective about how and what you allow to access it. In WordPress, if you use Jetpack you’ll want to be extra careful here, because Jetpack talks to your site through XML-RPC. The reason to restrict it at all is that XML-RPC is a second login door: its system.multicall method lets a single request carry hundreds of username and password guesses, so a login limiter that only watches wp-login.php never sees them, and its pingback.ping method can be abused to make your site fire requests at third parties.
There are a number of plugins that help you be very selective in the way you implement XML-RPC, for example by disabling only the pingback method or by allowing only the clients you actually use.
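Tips 8 and 9 describe the same problem from two sides, so here is one added example (not from the article) that covers both: a detector that walks web-server access-log lines and reports any IP address that POSTs to either login door, wp-login.php or xmlrpc.php, more than a threshold number of times inside a sliding window. The log lines are constructed for the example, using RFC 5737 documentation addresses; the 10-in-5-minutes threshold is an assumption you would tune to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format as written by Apache and nginx; only the fields the
# detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Both login doors: the form and the XML-RPC endpoint.
WATCHED_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }


def find_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {(ip, path): peak} for every IP/endpoint pair whose POST count
    inside any sliding `window` exceeded `threshold`."""
    stamps_by_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in WATCHED_PATHS:
            stamps_by_key[(rec["ip"], rec["path"])].append(rec["ts"])

    offenders = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[key] = peak
    return offenders


# Constructed sample log (not real traffic; addresses are from the RFC 5737
# documentation ranges).
def _line(ip, when, method, path, status):
    ts = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


_T0 = datetime(2015, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # 30 password guesses against the form in 30 seconds
    [_line("203.0.113.7", _T0 + timedelta(seconds=i), "POST", "/wp-login.php", 200)
     for i in range(30)]
    # 15 multicall batches against XML-RPC; each POST can hide hundreds of guesses
    + [_line("203.0.113.9", _T0 + timedelta(seconds=3 * i), "POST", "/xmlrpc.php", 200)
       for i in range(15)]
    # a legitimate user who mistyped once (200) and then got in (302 redirect)
    + [_line("198.51.100.4", _T0 + timedelta(minutes=1), "POST", "/wp-login.php", 200),
       _line("198.51.100.4", _T0 + timedelta(minutes=1, seconds=20), "POST", "/wp-login.php", 302)]
    # ordinary page views are ignored
    + [_line("198.51.100.5", _T0 + timedelta(minutes=2), "GET", "/?p=1", 200)]
)

if __name__ == "__main__":
    for (ip, path), peak in sorted(find_bruteforce(SAMPLE_LOG).items()):
        print(f"{ip} hit {path} {peak} times within 5 minutes")
```

Feed the reported addresses to your firewall or to a deny rule in front of both endpoints. Note that the xmlrpc.php count is a lower bound: one system.multicall POST may contain many guesses, which is why an XML-RPC threshold should be far lower than a wp-login.php one.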
10. Stay up-to-date
Staying up-to-date is an easy statement to make, but for website owners in the day-to-day, we realize how hard this can be. Our websites are complex beings, we have 150 different things going at any given time, and sometimes it’s difficult to apply the changes quickly. A recent study shows that 56% of WordPress installations were running out of date versions of core.
Updates need to extend beyond WordPress core. The same study shows that a very large percentage of the website hacks came from out-of-date, vulnerable, versions of plugins.
This can be compounded in really complex environments, in which dependencies between plugins, themes and custom code make it hard to apply updates promptly. This is why we personally employ Sucuri’s Firewall. This firewall virtually patches and hardens our website at the edge, blocking requests that exploit known vulnerabilities before they reach WordPress. It gives us the time we require to go back and apply updates in a more reasonable time frame, allowing us to test in our staging environments first, and only then push to production.
11. Best WordPress security plugins & themes
NDESIGN has teamed up with Sucuri, and recommends their services for our clients. Sucuri is a globally recognized website security company known for their ability to clean and protect websites, bringing peace of mind to website owners, including us!
We’ve partnered with Sucuri because we take security very seriously, it’s not and should not be an afterthought. There are a variety of ways to address WordPress security, and we found that security was best addressed remotely at the edge beyond the application. Sucuri has built a product / service that lets you get back to running your business.
Failing to take the necessary precautions for your WordPress security, and failing to leverage the experts, can lead to malware infections, branding issues, Google blacklisting and possibly huge impacts on your SEO (something dear to our hearts). Because of this, we turn to them for our security needs, as they turn to us for website optimization.
A lot of the suggestions in this article can be dealt with by installing and configuring their free Sucuri Scanner plugin for WordPress or hiring them to handle your website’s security. At Yoast, we don’t think this is an ‘extra’, but consider it an absolute necessity. For us, security is not a DIY project, which is why we leave it to the professionals. Visit their website at sucuri.net for more information, and check your site now to see if you have been infected with malware or have been blacklisted.