In this article, we’ll share ten of the easiest and most effective steps you can take to help protect your site.
1. Update everything, every month
The first and most crucial component of your WordPress security plan is consistent, recurring updates. We recommend you run an upgrade routine at least monthly, and for larger sites or sites with dozens of plugins, we often do biweekly updates (twice a month) instead. This includes:
- Updating all plugins
- Updating all themes
- Updating the WordPress core, if necessary
- Running a quality-assurance check to make sure nothing broke in the process
Most of this can be accomplished by a visit to Dashboard > Updates in your WordPress control panel. There you’ll find a list of plugins and themes to be updated, as well as an option to update your WordPress core software if it is out of date. If you use any premium/commercial plugins, make sure you’ve properly set up your license keys so they can check for updates automatically as well.
We also recommend deleting any unused plugins or themes, rather than leaving them inactive on your site. This reduces the risk of bugs, security holes, or performance lags that come from having these extraneous files on your server.
2. Get a solid web host
Even the best security plan is ultimately at the mercy of your web host. Choose a cheap hosting service, and you open yourself up to uncontrollable risk – backdoors that allow hackers to get in, other customers on the same server causing issues or insecurities for your site, and an array of other potential dangers.
Our go-to hosting recommendation is WP Engine. They are a high-end, WordPress-exclusive host with excellent built-in security and caching, as well as live chat support with a very fast response time. We use them for our own site as well as clients ranging from small brochure sites to big magazines that get hundreds of thousands of monthly visitors.
If you’re a direct client of ours, let us know before you sign up for WP Engine and we’ll hook you up with a coupon code and other significant discounts.
The general rule: you get what you pay for, so find a host that charges more than $5/month. Going with a budget hosting provider is going to cause you tons of headaches in the long-term, and almost all of those can be resolved by spending an extra $20 to $100 per month.
3. Secure your site with SSL (it’s finally easy and free)
Not long ago, setting up an SSL (Secure Sockets Layer) certificate was a nightmare even for seasoned tech veterans. Thanks to new software, it’s often now a matter of a few clicks. It’s also ever-more important, as it benefits your security directly (passwords and other information passed to your site are encrypted by SSL), and also benefits your SEO, since Google is getting harder and harder on rankings for unsecured sites.
To add SSL to your site, we recommend:
- Get a free Cloudflare account and follow our guide to set up free SSL.
- If you host with WP Engine, you can also get a free Let’s Encrypt certificate installed with a few clicks (this also works in combination with Cloudflare)
- If you need to purchase a certificate directly, GoDaddy is an inexpensive and effective option. You can buy your certificate through GoDaddy and work with your host to get it set up. (Note: We do not recommend their cheap hosting, but their cheap SSL is all good.)
Generally speaking, the least expensive certificate option is just fine, as all certificates are effectively equally secure. If you want your business name to show up in the browser bar, you’ll need an Extended Validation certificate, which is more costly and time-intensive to set up, but is visually more “authentic” since it carries your specific business name and makes the user’s browser bar light up to demonstrate the site is secure.
4. Add Two-Factor Authentication to WordPress (and everything else you use)
No security mechanism is perfect, but for the modern web, two-factor authentication is about as good as it gets. Also called two-factor verification or multi-factor authentication, 2FA changes your login process so that once you enter a correct username and password, you’re also prompted for a short numeric code which is sent to your mobile device as a text message or via an app.
The result is that even if someone manages to steal your password, they can’t log in as you unless they are also in possession of your phone, dramatically increasing the barrier to a hacker compromising your account.
For WordPress, we use a plugin that hooks up with Google Authenticator to provide 2FA on all the sites we build.
We also highly recommend setting up 2FA for all your accounts that support it, both business and personal. Especially with e-mail, it’s easy for one hack to cascade into others – for example, if someone gets your personal Gmail, they can use that to reset your Dropbox password, which contains your WordPress passwords, and so on. The best practice is to add 2FA to everything you possibly can.
5. Add Cloudflare for some serious firewall and performance boosts
In addition to its one-click SSL solution, Cloudflare is great as a security firewall. Almost all sites can get huge benefits from a free account, and the $20/month upgrade adds a lot of extra features.
Cloudflare’s security settings will detect malicious behavior on your site (for example, a bot trying to crack your password or find another vulnerability) and block that traffic immediately. The service also draws on its global database of known malicious IP addresses, so you benefit from the experience of all other Cloudflare users in identifying hackers before they can cause trouble.
If you also turn on Cloudflare’s caching features, your site will likely see an instant performance boost. And if your web server ever goes down, Cloudflare’s cache will keep displaying any site pages it has stored, so you’ll still be up even when your server is offline.
6. Corral your administrator and FTP accounts
If you’ve been running your site for a while, you’ve probably experienced “administrator creep,” where more and more staff, contractors and other team members require access to your site to get their jobs done. The problem here is that everyone with access as an administrator, as well as everyone with an FTP account on your server, is a potential security risk. Their computer or e-mail or phone gets hacked, your site gets hacked – and the more people with access, the more your risk multiplies.
First, downgrade anyone who doesn’t absolutely need to manage all site settings from the Administrator role to the Editor or Author role. Day to day, this probably won’t affect their work at all, but it significantly reduces your security risk. If they need Administrator access, you can grant it temporarily from time to time.
Do the same for FTP accounts, deleting any that are not immediately necessary. Where possible, using SFTP over FTP is also preferable, since it encrypts the data you transfer similarly to the way an SSL certificate encrypts data transferred via a browser.
We’ll dig into secure password practices in a moment, but for now, also be sure you don’t have a user with the default username of “admin.” Forcing hackers to guess a username, rather than using the default, makes it less likely they’ll be able to infiltrate your site.
7. Lock down your theme and filesystem
By default, WordPress allows you to edit theme files directly through your dashboard if you’re an administrator. This is largely unnecessary and creates a big security hole, which you can plug by adding the following line to your wp-config.php file:
You can also tighten up security on your wp-config.php file and wp-includes folders by adding the following lines to your .htaccess file. (If you’re not on the Apache web server or don’t feel comfortable making direct code changes, check with your host for the best way to do this.)
<files wp-config.php>
order allow,deny
deny from all
</files>

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
This code should go above the “# BEGIN WordPress” comment in your .htaccess file. For a deeper technical discussion on the WordPress Codex (from which we pulled these code snippets, which we consider the highlights of the document), check out Hardening WordPress.
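To confirm the .htaccess rules above actually took effect, here is an added check (not from the original article or the WordPress Codex) that requests a few files a stock WordPress install ships and verifies they now return 403 while a static asset still returns 200. The site URL is a placeholder and the probe list is an assumption to adjust to your install.

```python
import urllib.error
import urllib.request

# Status each path should return once the rules are in place. The blocked paths are files that
# exist in a stock WordPress install; the .js asset is a control that must stay reachable (200).
EXPECTED = {
    "wp-config.php": 403,                          # <files wp-config.php> deny from all
    "wp-admin/includes/file.php": 403,             # RewriteRule ^wp-admin/includes/
    "wp-includes/version.php": 403,                # RewriteRule ^wp-includes/[^/]+\.php$
    "wp-includes/theme-compat/comments.php": 403,  # RewriteRule ^wp-includes/theme-compat/
    "wp-includes/js/jquery/jquery.min.js": 200,    # not matched by any rule
}

def http_status(url):
    """GET `url` and return its status code; 4xx/5xx are results here, not errors."""
    req = urllib.request.Request(url, headers={"User-Agent": "wp-hardening-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def check_hardening(base_url, fetch=http_status):
    """Probe every path under `base_url`; return {path: (observed, expected)}.
    `fetch` is injectable so the logic can be exercised without a live site."""
    base = base_url.rstrip("/")
    return {path: (fetch(f"{base}/{path}"), want) for path, want in EXPECTED.items()}

def failures(results):
    """Paths whose observed status differs from the expected one, sorted for stable output."""
    return sorted(path for path, (got, want) in results.items() if got != want)

if __name__ == "__main__":
    import sys
    site = sys.argv[1] if len(sys.argv) > 1 else "https://example.com"   # placeholder site
    res = check_hardening(site)
    for path, (got, want) in res.items():
        print(f"{'OK ' if got == want else 'BAD'} {path}: got {got}, expected {want}")
    sys.exit(1 if failures(res) else 0)
```

Run it as `python check.py https://your-site.example` after editing .htaccess; any BAD line means a rule is not being applied (often because the host does not honour .htaccess at all).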
8. Get intense about password security
By far, the most common and most easily preventable reason a WordPress site gets hacked is a stolen or easily cracked password. Hackers run bots 24 hours a day, 7 days a week, trying to guess your password and find other vulnerabilities of your site, so a little prevention goes a long way. We’ve already talked about Two-Factor Authentication and limiting your Admin users. Add these password policies for everyone with access to your site, and your site (and your whole IT infrastructure) will be much harder to crack.
One person, one account. No sharing logins between team members under any circumstances. This eliminates the need for password sharing, allows you to instantly shut down individual user accounts if they have security issues (or leave your company), and creates a clearer paper trail should an account ever be compromised.
Never use the same password twice. In fact, you should use the longest, most random password possible in all circumstances. Purchase 1Password or LastPass for yourself and everyone on your team so they can securely manage all these random strings with ease.
Never send a password in plain text. We recommend using One Time Secret as a “dead drop” any time you need to share a password. For example, if you’re sending an e-mail, you can include a username in the message and a link to your One Time Secret drop containing only the password, with no other identifying information (the secret gets deleted after it is viewed once). That way, if either the e-mail or the One Time Secret data gets compromised, the hacker still won’t have the information they need to log in. For WordPress logins, you never need to share a password; just have the users reset their password via the normal WP interface.
9. A little help from some great plugins
Our favorite security plugin is All In One WordPress Security & Firewall. While we don’t use all of its many features for every site, it’s a very easy way to implement a few absolute necessities:
- Enable the Login Lockdown feature to prevent brute-force password attacks. This blocks a user if they fail to log in too many times (e.g. 10 times in an hour), which stops robots from trying to “guess” your password hundreds of times a minute.
- Change your database prefix. This can be done manually if you’re technically inclined, but it’s super-simple through the plugin’s interface. By default, your database tables start with wp_. If you change that prefix to a random string, it makes it harder for hackers to execute queries if they get access to your database.
- Fix your filesystem security. This builds upon the recommendations in Checklist Item #7 to add some additional barriers to hackers editing your files. Note that if you’re hosting with WP Engine, you don’t need this feature and shouldn’t use it, as they have their own system for doing this.
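As an added example (not from the article or the plugin), the following script applies the Login Lockdown threshold from the first item above to a web server access log, flagging any IP with ten or more failed wp-login.php attempts inside an hour. It assumes Apache's combined log format and lines in chronological order; the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format; only the fields the detector needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def is_failed_login(method, path, status):
    # wp-login.php answers a successful POST with a 302 redirect and a failed one by
    # re-rendering the form with 200, so a 200 on a POST is a failed attempt.
    return method == "POST" and path.split("?", 1)[0].endswith("/wp-login.php") and status == 200

def find_bruteforcers(lines, threshold=10, window=timedelta(hours=1)):
    """Map each IP that reached `threshold` failed logins within `window` to the time it did so."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if not is_failed_login(method, path, status):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # slide the window forward, dropping stale failures
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged
def _line(ip, minute, method, path, status):   # builds one constructed sample log line
    return (f'{ip} - - [14/Mar/2019:10:{minute:02d}:00 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 2048 "-" "Mozilla/5.0"')

# Constructed sample: 203.0.113.7 fails every two minutes; 198.51.100.4 fails once, then succeeds.
SAMPLE_LOG = (
    [_line("203.0.113.7", m, "POST", "/wp-login.php", 200) for m in range(0, 24, 2)]
    + [_line("198.51.100.4", 5, "POST", "/wp-login.php", 200),
       _line("198.51.100.4", 6, "POST", "/wp-login.php", 302),
       _line("203.0.113.7", 30, "GET", "/wp-login.php", 200)]   # viewing the form is not an attempt
)
```

On the sample, only 203.0.113.7 is flagged, at its tenth failure (10:18); the plugin's lockdown does the same counting on the server side, so this is mainly useful for reviewing logs from before it was enabled or for sites behind a host that rotates logs off-box.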
10. Back it up!
Even with the best of security measures, there’s no way to completely guarantee that bad things won’t happen to your site. The best way to mitigate that risk is to automate daily, off-site backups of all your files and data.
We highly recommend CodeGuard, which can hook up with just about any web host and also has a simple WordPress plugin that’s useful for smaller sites. (Bigger sites need to be configured with FTP or SFTP instead of using the plugin.)
In addition to keeping your backups safe for about $5 a month, CodeGuard also alerts you to file changes each time it runs a backup, which can be an early warning sign if your site does get breached.
We’re always here to help.
Whether you’re a direct client or a web professional looking for some extra insight on any of these security techniques, get in touch and we’ll be happy to lend a hand.