6 Dead Simple Security Rules Every WordPress user needs to know – Part 2

Written by Warren Holmes on March 28, 2014 Blog.

The final instalment of our Security Rules series comes from Jesse Friedman. He’s the Director of Innovation at BruteProtect. They provide a WordPress plugin which will protect you against brute force and botnet attacks.

If you missed the first post in this series, you can catch up here.

WordPress core out of the box is very secure and an extremely reliable CMS. Everything you do after you install WordPress is an opportunity to harden that security, or soften it. And I’ll tell you right now, it doesn’t matter if you’re hosting your Mom’s quilting website (I actually do this) or a government website, you’re going to get attacked.

Nearly all attacks come from crackers who have no idea who you are. They want to infiltrate as many websites as possible. Their goals could be to hijack your server, inject malicious code, steal your users’ information, or insert ads all over your site. The good news is the six steps outlined in this two-part series will help prevent those attacks from being successful, while saving you time and money.

4. Don’t publish under your administrative account

Most WordPress users don’t realize that their usernames are public. This is not an uncommon practice for the Internet. A hacker will know your Twitter username before they attempt to crack your password because it’s public. Keep two accounts so your administrator account can remain private.

Unless you’re currently building or developing on your WordPress site, you probably don’t need administrator access every time you log in. Limit exposure to your site’s backend by giving yourself a public facing editor-level account. Editor privileges will allow you to perform 90% of your daily activities.

Not a good idea....
Not a good idea….

Your admin-level account should have a username that is really difficult to guess and should follow password creation best practices. A good username for me would be jFriedman23432. This will ensure that your username will remain unpredictable and that is a good first line of defense against attacks.

5. With great power comes great responsibility

Administrators have great power and the ability to do a lot of damage in WordPress. Even if you trust the person you’re giving administrative access to, it still isn’t their site. Frankly, most people don’t need admin privileges. Give users of your WordPress backend the appropriate access.

If you’re having someone write a guest post for you, give them author-level access. If you have an SEO professional editing content and links, give them editor access. Reserve administrator access for individuals who really need that level of access; your web developer or an IT technician at your company would be good examples.

Make sure to revoke access when that person no longer needs access to your system. Change the password and email address associated with the account, you can always reinstate access if needed. Keeping a tidy and organized user list is a great way to limit the possibility of a successful attack.

6. Backup!

At the end of the day, no matter how well you harden the security for your WordPress infrastructure, there is always the possibility of a successful attack occurring. Even corporations who spend hundreds of thousands, or even millions, of dollars a year on security still fall victim to attack. What’s the best way to recover? BACKUP!

Sorry for the caps lock, I’m not yelling, I’m just trying to emphasize the importance of backing up. Most people think they are immune to attack because they are off the radar. Most people think it can’t happen to them. I promise you, you’re not immune, botnet attacks are growing and getting stronger every week. Our product BruteProtect will stop these botnets, and I highly recommend it. We see an average of 3 attacks per day on even the most obscure websites.

However, security isn’t just about stopping attackers, it’s about protecting your data. Even with BruteProtect, Clef, and all these best practices in place, someone can still make a mistake. Someone could accidentally delete a database table, overwrite theme files, or make some other ignorant or unwitting mistake.

There are a dozen tools out there for backing up. I would combine a plugin level tool like VaultPress, BackupBuddy or BackWPup with a server-level backup solution. Most hosting providers provide either free or premium backups. If you’re not backing up today, it should be your number one priority for this week. Don’t let any more time go by, it’s very easy to implement a backup solution, so get on it!

In conclusion, there’s a ton more that can be done to prevent a successful attack, but these six tips will safeguard you from the majority of vulnerabilities. Depending on your website, you might want to invest more time in security, and even hire a consultant. If you run an e-commerce store, though you’re just as vulnerable, you have far more at stake than my mother’s quilting website. Don’t take anything for granted and don’t assume you’re safe. Be cautious and cognizant, and happy WordPressing!


9 Responses

  1. Robert M
    March 29, 2014 at 12:01 am #

    Very useful. Will look into your plugin for our company web site.

    • Jesse Friedman
      March 31, 2014 at 5:39 pm #

      Great glad to hear it!

  2. Điều Hòa
    March 29, 2014 at 6:21 pm #

    Thank for share ! Good ideal

    March 31, 2014 at 7:42 pm #

    Thanks for sharing.
    Yes — the #4 “Don’t publish under your administrative account” is probably overlooked the most.

    While, keeping in check with a rule of not using default ‘admin’ as the username – people use different usernames & still have it linked to with the author bio or the post meta & most of the time; they’re administrators

    I think its best to disable public author archives & no `ahref` authors.

  4. Johnny
    April 1, 2014 at 12:23 pm #

    WordPress core contributors have actually stated that it’s NOT insecure to disclose your WordPress username:


    • Spitsa
      April 8, 2014 at 2:56 am #

      @Johnny Those are opinions, not facts. It’s an opinion that it is not a security risk, not a fact. They are 2 different things. The fact is, if a person knows your username, it CAN be used for bruteforce attempts. That is a fact. It’s not an opinion. The best security is based on FACTS. Not opinions.

      Soapbox closed.

  5. Ukash
    April 3, 2014 at 1:01 am #

    Ukash Ekonomik Kart ekibi olarak makalenizi okuduk ve çok beğendik yazınızın devamını diliyor başarılarınızın devamını bekliyoruz.

    • Ukash
      April 3, 2014 at 1:02 am #

      Ukash as a team really enjoyed your article thank you very much.

  6. chinnia89
    April 9, 2014 at 8:08 am #

    I had a great read !!

    #4 is the one we generally forget or tend to ignore. Thanks for reminding that again !!

WooCommerce - the most customizable eCommerce platform for building your online business.

  • 30 day money back guarantee
  • Support teams across the world
  • Safe & Secure online payment
%d bloggers like this: