What this is
This article is for WordPress website owners or managers who are concerned about the security of their site.
It covers the low-hanging fruit, the easy wins, that will provide a basic level of security for your website.
What this isn’t
This article is not a definitive guide to WordPress security. Following these steps does not guarantee that you will not be hacked.
No-one would hack me? Right?
You might think that no-one would want to target your business. After all, you don’t have enemies! You’re probably right. However, the vast majority of hacks are indiscriminate attacks by automated bots.
This means that any business can be a target, just because they have a website.
The motivation behind hacks varies greatly. Some hackers just seem to find it fun, some are pushing a political message, some are using your server as a spamming tool, and some want access to your information.
Is WordPress secure?
That’s a good question. You might hear in some circles that WordPress is insecure. But that’s like saying that WordPress sites are ugly, or WordPress sites are slow. An up-to-date WordPress core is rarely the way in; most compromises come through out-of-date plugins and themes, weak or reused passwords, and poorly configured hosting. In other words, it’s all in the implementation.
WordPress takes security seriously and, when a vulnerability is found, the core team releases a security patch quickly, and minor releases are applied automatically by default. Because of the large user base and the massive network of developers involved with WordPress, vulnerabilities tend to be found and fixed quickly.
In this article, I’m going to show you a few simple WordPress security tips that will help to prevent your site being hacked. These tips are all available without needing to be able to write any additional code (although I’ll include links to a few more advanced resources below).
Usernames and passwords
This is my absolute number one tip: use strong username and password combinations.
I recently had my PayPal account hacked because I used the same username and password everywhere. Eventually, I either signed up to a fake site, or a site I registered with was hacked. Either way, once the hackers had my details they could access everything of mine online.
Here are some easy rules to follow:
- Use a strong password (long and random).
- Use a unique password (a different one for each website).
- Never use ‘admin’ or ‘administrator’ as a username (automated bots try these first). Don’t rely on the username being secret, though: WordPress exposes usernames through author pages and the REST API, so the password has to do the real work.
If you, or a user on your site, has a weak password then it needs to be changed. Do it now! Seriously, right now – everything else can wait.
What makes a strong password?
It’s probably better to use the term ‘passphrase’ rather than ‘password’. ‘Password’ implies a single word, sometimes with a few extra characters added to the end, and password-cracking tools try exactly those patterns first. A ‘passphrase’ is several randomly chosen words; it is longer, and because each word is picked at random rather than taken from a memorable phrase, it is far harder to guess.
WordPress shows a strength meter when you set a password. Treat it as a minimum: if it says the password is weak, think of another one.
The very best passphrases are long and made up of random characters. For example:
That is going to be pretty hard to crack! (please don’t use it, though!) However, it’s also hard to remember, which is where password managers come in.
Since my PayPal incident, I’ve started to use unique passwords for nearly every site that I use. I know that it sounds daunting, but there are ways to manage passwords including password managers that save passwords for all of your sites and services (check out 1Password). Just make sure that your master password is a really strong one!
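As an added example that is not part of the original article, the snippet below generates a passphrase the way a password manager or a diceware tool does, using Python’s cryptographically secure `secrets` module, and estimates how much harder it is to guess than a typical eight-character password. The tiny word list is a constructed stand-in (a real generator uses a list such as the 7,776-word EFF list), and the attacker rate of ten billion guesses per second is an assumption for illustration.

```python
# Added example: random passphrase generation and a strength estimate.
# Not code from the original article.
import math
import secrets

# Constructed stand-in for a real word list; a real generator uses a list of
# several thousand words (e.g. the 7,776-word EFF long list).
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "gravel", "harbor",
    "ivory", "juniper", "kelp", "lantern", "marble", "nectar", "orbit", "pepper",
]


def entropy_bits(choices_per_symbol: int, symbol_count: int) -> float:
    """Bits of entropy when each of `symbol_count` symbols (characters or
    words) is chosen uniformly at random from `choices_per_symbol` options."""
    return symbol_count * math.log2(choices_per_symbol)


def generate_passphrase(word_count: int = 6, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Pick words with the OS CSPRNG via `secrets`; never use `random` for secrets."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to find the secret when the attacker, on average, has to
    try half the keyspace. The guess rate is an assumed offline-cracking speed."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


def compare_strength() -> dict:
    """Eight random characters from lowercase letters + digits (36 choices)
    versus six words drawn from a 7,776-word list."""
    char_bits = entropy_bits(36, 8)
    word_bits = entropy_bits(7776, 6)
    return {
        "8 random chars (a-z0-9)": (round(char_bits, 1), years_to_crack(char_bits)),
        "6 diceware words": (round(word_bits, 1), years_to_crack(word_bits)),
    }


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase())
    for label, (bits, years) in compare_strength().items():
        print(f"{label}: {bits} bits, ~{years:.3g} years at 1e10 guesses/s")
```

The eight-character password comes out at about 41 bits, which falls in minutes at the assumed rate; six random words come out at about 77 bits, which takes hundreds of thousands of years. The length does the work, not the punctuation.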
Two-factor authentication
This is a technique which requires an extra step after entering your password. This is often in the form of a unique combination of numbers generated on, or sent to, a mobile device. You would typically receive a PIN on your mobile, or read one from an authenticator app, and then enter it on the site to prove that it is, in fact, you trying to log in. An authenticator app is preferable to SMS, since text messages can be intercepted or redirected by SIM-swapping, but either is a big improvement over a password alone. WordPress doesn’t include two-factor authentication out of the box; it is added by a plugin, and some of the security plugins listed later in this article include it.
Limit administrator accounts
Another way to reduce the damage that a hijacked login can do is to limit the number of people with the ‘administrator’ role on the website.
Often, everyone who needs editing access to a website is given the ‘administrator’ role. Best practice is to limit administrators to those who genuinely need to install plugins, change themes or manage users. For everyone else, the ‘editor’ or ‘author’ role is usually enough, and a compromised editor account cannot install code on your server.
Keep WordPress up to date
Keeping up to date with the latest version of WordPress, and especially the security patches, is essential.
WordPress regularly releases security patches and major upgrades. Keep ahead of the hackers by having the latest version installed; once a patch is public, bots start scanning for sites that haven’t applied it.
Warning: back up your site fully before installing updates, especially major releases, i.e. moving from 4.8 to 4.9. (Minor and security releases, such as 4.9 to 4.9.1, are applied automatically by default and very rarely break anything.)
Sometimes updates will break your themes or plugins. This is just the way it is. Nobody can predict the future, but the best themes and plugins should be more future-proof.
If you run into problems with upgrades, revert to your backed up version and contact your WordPress professional. Ideally, have your developer do the update, on a staging site, testing and bug fixing for you.
It’s also important to keep your theme and plugins up to date. These can also have security vulnerabilities, and the authors should fix these and release new versions. This is a key reason to carefully choose your plugins and themes, make sure they are well used, well supported and being actively developed.
The Mossack Fonseca (Panama Papers) breach is a famous example of this: the firm’s site was reported to be running an outdated version of a slider plugin with a publicly known vulnerability.
Remove unused plugins and themes
Disabled or inactive plugins and themes can still be a security risk: their files are still on your server, and a vulnerable file in an inactive plugin can often still be requested directly over the web, so the vulnerability is still exploitable. If you aren’t using a plugin or theme, delete it from your site.
It’s worth noting that some off-the-shelf themes include plugins as part of the theme. This is a problem because those bundled plugins are not registered with the WordPress update system, so their updates are never offered to you. The plugin author might have released a patch, but the bundled copy stays on the old, vulnerable version until the theme author ships a new theme release.
- Keep everything (core, themes and plugins) updated
- Only keep the themes and plugins that you are using
- Use themes and plugins that are regularly updated
- Avoid themes that bundle plugins
Hosting
We always advise our clients to use dedicated, trusted, WordPress-specific hosting. Better hosting platforms will often run malware scans on your site, back up your site automatically and sometimes have further security measures in place, such as a web application firewall.
It’s also worth considering a dedicated, rather than shared, server. On a shared server, if another site is hacked and the accounts are not properly isolated from one another, every other site on that server can be affected.
Security plugins
There are a few popular WordPress plugins that handle many of the basic and advanced hardening techniques, such as limiting login attempts, blocking known-bad IP addresses and scanning files for malware. At the time of writing, three of the most popular on the plugin repository are:
- Wordfence: https://en-gb.wordpress.org/plugins/wordfence/
- iThemes security: https://en-gb.wordpress.org/plugins/better-wp-security/
- Sucuri security: https://en-gb.wordpress.org/plugins/sucuri-scanner/
Monitoring
It’s often a long time between a hack taking place and a website owner realising that it has happened.
During that time, hackers can be doing all kind of damage to your website and business reputation, including: sending spam emails, accessing user data, harming your SEO, and more.
By constantly monitoring your website for malicious code and suspicious activity, you are more likely to realise that your site has been compromised.
The best way to monitor a website is by using automated scanners and activity logs. Some of the security plugins (see above) have these capabilities built in. You can also use external services, such as Sucuri, to monitor your website and notify you of any hacks. An external scanner has one advantage: it runs off your server, so an attacker who has taken over the site cannot switch it off or tamper with its results.
The plugins listed above (‘Security plugins’) all have monitoring built in.
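As an added example (not from the original article, and not how any of the plugins above is implemented), here is the core of what a file-change scanner does: hash every file under the site, keep that baseline somewhere safe, and later report what was added, changed or removed. The ‘site’, its file contents and the simulated attacker changes are all constructed inside a temporary directory so the example runs offline.

```python
# Added example: a minimal file-integrity check of the kind a malware scanner
# performs. Not code from the original article or from any security plugin.
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map every file under `root` (path relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Report what changed since the baseline was taken: new files (often a
    dropped backdoor), deleted files, and files whose contents differ."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: every file name and content here is made up."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-includes" / "functions.php").write_text("<?php // constructed core file\n")
        (root / "index.php").write_text("<?php // constructed front controller\n")
        # Take the baseline right after a clean install or update. In practice
        # store it off the server; here it is just round-tripped through JSON.
        baseline_json = json.dumps(hash_tree(root))
        # Simulated attacker activity (constructed): one new file, one edited core file.
        (root / "wp-includes" / "wp-tmp.php").write_text(
            "<?php // constructed stand-in for a dropped backdoor\n")
        (root / "wp-includes" / "functions.php").write_text(
            "<?php // constructed core file\n// constructed injected line\n")
        return diff_baseline(json.loads(baseline_json), hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats a practitioner would add: a baseline stored on the same server can be rewritten by the same attacker who changed the files, so keep it elsewhere; and for WordPress core you do not need your own baseline at all, because each release has published checksums and WP-CLI’s `wp core verify-checksums` compares the installed files against them.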
Backups
You have to accept that, even with preventative measures and monitoring in place, your site might get hacked. What do you do when this happens? If you don’t have a backup system in place, it might mean time consuming and expensive developer bills. You might even lose your site completely.
Using a backup system means that you’ll never lose all of your site files and data, and it will enable you to restore your site to a point before it was compromised.
There are lots of ways that you can back up your website. I would suggest using an automated service so that you don’t have to worry about it.
Check out the list of backup plugins here: https://wordpress.org/plugins/tags/backups.
There are also WordPress management services available that can back up your site in various ways. For example, you could use ManageWP with Amazon AWS to back up your website to the Amazon cloud.
Some web hosts also run automatic backups. However, we believe it’s important to have a backup of your site away from your server: an attacker who controls the server can delete or corrupt any backups stored on it.
Our advice is to use at least two different backup methods. Just in case.
It’s good practice to keep a series of recent backups and some historic backups, because a compromise is often discovered weeks after it happened and the most recent backups may already contain the attacker’s changes. For example, you might use the following:
- 1 backup from each of the last 12 months
- 1 backup from each of the last 4 weeks
- Backups for each of the last 7 days
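As an added example (not from the original article, and not the retention logic of any particular backup plugin), the function below applies exactly that scheme to a list of backup dates: keep every backup from the last 7 days, the newest backup in each of the last 4 weeks, and the newest backup in each of the last 12 calendar months, and list the rest for pruning. The ‘today’ date and the one-backup-per-day history in the demo are constructed.

```python
# Added example: daily/weekly/monthly backup retention.
# Not code from the original article or from any backup plugin.
from datetime import date, timedelta


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months from `earlier` to `later` (0 = same month)."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def select_backups_to_keep(backup_dates, today: date,
                           daily: int = 7, weekly: int = 4, monthly: int = 12) -> list:
    """Return the sorted subset of `backup_dates` to retain. Iterating newest
    first means the first backup seen in each weekly or monthly bucket is the
    newest one in that bucket, which is the one we keep."""
    keep = set()
    weekly_seen, monthly_seen = set(), set()
    for d in sorted(set(backup_dates), reverse=True):
        age_days = (today - d).days
        if age_days < daily:                      # every backup in the last 7 days
            keep.add(d)
        week_bucket = age_days // 7               # 0 = this week, 1 = last week, ...
        if week_bucket < weekly and week_bucket not in weekly_seen:
            weekly_seen.add(week_bucket)
            keep.add(d)
        month_bucket = months_between(d, today)   # 0 = this month, 1 = last month, ...
        if month_bucket < monthly and month_bucket not in monthly_seen:
            monthly_seen.add(month_bucket)
            keep.add(d)
    return sorted(keep)


def backups_to_prune(backup_dates, today: date) -> list:
    """Everything not selected by the retention rules."""
    keep = set(select_backups_to_keep(backup_dates, today))
    return sorted(d for d in set(backup_dates) if d not in keep)


def demo() -> dict:
    """Constructed: 400 consecutive daily backups ending on 30 June 2024."""
    today = date(2024, 6, 30)
    backups = [today - timedelta(days=n) for n in range(400)]
    return {
        "kept": [d.isoformat() for d in select_backups_to_keep(backups, today)],
        "pruned": [d.isoformat() for d in backups_to_prune(backups, today)],
    }


if __name__ == "__main__":
    result = demo()
    print(f"keep {len(result['kept'])} of 400 backups:")
    for day in result["kept"]:
        print("  ", day)
```

Out of 400 daily backups this keeps 21: the last seven days, three further weekly copies, and eleven further month-end copies going back to July 2023. Run it against the dates of your real backups, and do the pruning only after a restore from the oldest copy you intend to keep has been tested.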
Restore
There’s no point in having backups unless they help you to get your website back up and running quickly. It’s important to have a restore process, and one that works.
Regularly test your backups and restore process.
Summary
Having your website hacked can be devastating to your business. Luckily, the majority of hacks are automated and indiscriminate, and by taking some simple steps you can prevent the vast majority of them.
If your site is hacked, you’ll want to have a recent backup and a working restore process to get you back online quickly.
Did you know?
Highrise Digital offer maintenance plans where we take care of all of the security essentials. Get in touch if you want to find out more.