We know from experience that having your site hacked is not fun. That’s why, here at WooThemes, we take security very seriously.
In line with our serious approach to security, our products are carefully optimized to be as secure as possible. There are, however, still a handful of potential security risks, when running a website, that we have no control over. You, the website owner, need to pay attention to these potential security risks, in order to keep your website safe.
With that in mind, here are 10 things you can do to improve your WordPress security.
1. Use secure hosting
Not all web hosting providers are created equal and, in fact, hosting vulnerabilities account for a huge percentage of WordPress sites being hacked.
When choosing a web hosting provider, don’t simply go for the cheapest you can find. Do your research, and make sure you use a well-established company with a good track-record for strong security measures.
It’s always worth paying a bit extra for the peace of mind you get from knowing your site is in safe hands.
Here are some of our recommended hosting solutions.
2. Update all the things
Every new release of WordPress contains patches and fixes that address real or potential vulnerabilities. If you don’t keep your website updated with the latest version of WordPress, you could be leaving yourself open to attacks.
Many hackers will intentionally target older versions of WordPress with known security issues, so keep an eye on your Dashboard notification area and don’t ignore those ‘Please update now’ messages.
The same applies to themes and plugins. Make sure you update to the latest versions as they are released. If you keep everything up-to-date your site is much less likely to get hacked.
3. Strengthen up those passwords
According to this infographic, around 8% of hacked WordPress websites are down to weak passwords.
If your WordPress administrator password is anything like ‘letmein’, ‘abc123’, or ‘password’ (all way more common than you might think!), you need to change it to something secure as soon as possible.
For a password that’s easy to remember but very hard to crack, I recommend coming up with a good password recipe.
If you’re feeling lazy, you can also use a password manager like LastPass to remember all your passwords for you. If you use this method, make sure your master password is nice and strong.
4. Never use “admin” as your username
Earlier this year, there was a spate of brute-force attacks launched at WordPress websites across the web, consisting of repeated login attempts using the username ‘admin’, combined with a bunch of common passwords.
If you use “admin” as your username, and your password isn’t strong enough (see #3), then your site is very vulnerable to a malicious attack. It’s strongly recommended that you change your username to something less obvious.
Until version 3.0, installing WordPress automatically created a user with “admin” as the username. This was updated in version 3.0 so you can now choose your own username. Many people still use “admin” as it’s become the standard, and it’s easy to remember. Some web hosts also use auto-install scripts that still set up an ‘admin’ username by default.
Fixing this is simply a case of creating a new administrator account for yourself using a different username, logging in as that new user and deleting the original “admin” account.
If you have posts published by the “admin” account, when you delete it, you can assign all the existing posts to your new user account.
5. Hide your username from the author archive URL
Another way an attacker can potentially gain access to your username is via the author archive pages on your site.
By default, WordPress displays your username in the URL of your author archive page (strictly, the user_nicename field, which defaults to your username). For example, if your username is joebloggs, your author archive page would be something like http://yoursite.com/author/joebloggs
This is less than ideal, for the same reasons explained above for the “admin” username, so it’s a good idea to hide this by changing the user_nicename entry in your database, as described here.
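The two fixes above (replacing the “admin” account with a new administrator and giving it an author slug that does not reveal the login name) as one added script; it is not code from the original post. It assumes WordPress is loaded (for example via WP-CLI’s `wp eval-file replace-admin.php`), and the new login, e-mail and slug are placeholders to change.

```php
<?php
// Added example, not from the original post. Run inside a loaded WordPress,
// e.g. `wp eval-file replace-admin.php`. All names below are placeholders.
$old_login = 'admin';
$new_login = 'REPLACE_WITH_NEW_LOGIN';
$new_email = 'REPLACE_WITH_EMAIL';
$new_slug  = 'editorial-team';   // public /author/<slug>/ value, unrelated to the login

$old = get_user_by('login', $old_login);
if (!$old) {
    exit("No user '$old_login' found; nothing to do.\n");
}
if (get_user_by('login', $new_login)) {
    exit("User '$new_login' already exists; pick another login.\n");
}

// Step 1 (section 4): create the replacement administrator.
// user_nicename (section 5) controls the author archive URL, so it is set to
// something other than the login name from the start.
$pass   = wp_generate_password(24, true, true);
$new_id = wp_insert_user(array(
    'user_login'    => $new_login,
    'user_pass'     => $pass,
    'user_email'    => $new_email,
    'user_nicename' => $new_slug,
    'display_name'  => 'Editorial Team',   // shown on posts instead of the login
    'role'          => 'administrator',
));
if (is_wp_error($new_id)) {
    exit('Could not create user: ' . $new_id->get_error_message() . "\n");
}

// Step 2 (section 4): delete the old account and reassign its posts to the
// new user instead of deleting them.
require_once ABSPATH . 'wp-admin/includes/user.php';
if (!wp_delete_user($old->ID, $new_id)) {
    exit("Could not delete '$old_login'; the new account was still created.\n");
}
echo "Created '$new_login' (ID $new_id), removed '$old_login'.\n";
echo "One-time password (change it after first login): $pass\n";

// Step 3 (section 5): report any other users whose author slug still
// reveals their login name.
$fields = array('ID', 'user_login', 'user_nicename');
foreach (get_users(array('fields' => $fields)) as $u) {
    if ($u->user_nicename === $u->user_login) {
        echo "User {$u->user_login} (ID {$u->ID}) still has user_nicename == login.\n";
    }
}
```

Users flagged in step 3 can be fixed with wp_update_user() by passing a new user_nicename, which is the same change the post describes making in the database.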
6. Limit login attempts
In the case of a hacker or a bot attempting a brute-force attack to crack your password, it can be useful to limit the number of failed login attempts from a single IP address.
The Limit Login Attempts plugin does just that, allowing you to specify how many retries will be allowed, and how long an IP will be locked out for after too many failed login attempts.
There are ways around this, as some attackers will use a large number of different IP addresses, but it’s still worth doing as an additional precaution.
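The mechanism behind such plugins, as an added example (not the Limit Login Attempts plugin’s code): a must-use plugin that counts failed logins per address in a transient and refuses further attempts once the limit is hit. The limit and lockout length are assumed values, and it only trusts REMOTE_ADDR, which is the reason the caveat above about attackers behind many addresses, or your own site behind a proxy, matters.

```php
<?php
/*
Plugin Name: Login Throttle (added example)
Description: Per-address failed-login limiting. Not the Limit Login Attempts
plugin. Drop into wp-content/mu-plugins/ to try it.
*/

// Assumed values (placeholders, not from the post): 5 failures, 20-minute lockout.
const LT_MAX_FAILURES    = 5;
const LT_LOCKOUT_SECONDS = 20 * MINUTE_IN_SECONDS;

// Key the counter on REMOTE_ADDR only. Behind a CDN or reverse proxy this is
// the proxy's address, so configure real-IP handling at the web server level;
// never read X-Forwarded-For straight from the request, as the client sets it.
function lt_counter_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lt_fail_' . md5($ip);
}

// Count each failed attempt. The transient expires after the lockout window,
// so the counter resets by itself.
add_action('wp_login_failed', function ($username) {
    $key   = lt_counter_key();
    $fails = (int) get_transient($key) + 1;
    set_transient($key, $fails, LT_LOCKOUT_SECONDS);
});

// Priority 30 runs after core's username/password check (priority 20), so a
// locked-out address is refused even when it now supplies the right password.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(lt_counter_key()) >= LT_MAX_FAILURES) {
        return new WP_Error(
            'too_many_failures',
            'Too many failed login attempts from your address. Please try again later.'
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function () {
    delete_transient(lt_counter_key());
});
```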
7. Disable file editing via the dashboard
In a default WordPress installation, you can navigate to Appearance > Editor and edit any of your theme files right in the dashboard.
The trouble is, if a hacker managed to gain access to your admin panel, they could also edit your files that way, and execute whatever code they wanted to.
So it’s a good idea to disable this method of file editing, by adding the following to your wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true );
8. Try to avoid free themes
We’re confident in the quality and security of our free themes. As a general rule though, it’s better to avoid using free themes, if possible, especially if they aren’t built by a reputable developer.
The main reason for this is that free themes can often contain things like base64 encoding, which may be used to sneakily insert spam links into your site, or other malicious code that can cause all sorts of problems, as shown in this experiment, where 8 out of 10 sites reviewed offered free themes containing base64 code.
If you really need to use a free theme, you should only use those developed by trusted theme companies, or those available on the official WordPress.org theme repository.
Note: The same logic applies to plugins. Only use plugins that are listed on WordPress.org, or built by a well-established developer.
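A quick way to check a theme or plugin you have already downloaded for the pattern described above, as an added example (not code from the original post): a standalone PHP script that walks a directory and reports lines that call base64_decode() or eval(), or contain a long base64-looking literal. A hit is not proof of malware, so read each flagged line in context; the rule names and the 120-character threshold are assumptions.

```php
<?php
// Added example, not from the original post. Usage:
//   php scan-theme.php /path/to/wp-content/themes/some-theme
// Only .php and .inc files are scanned; every hit needs a human look.
function scan_theme_dir(string $dir): array {
    $patterns = array(
        'base64_decode' => '/\bbase64_decode\s*\(/i',      // decoding hidden code
        'eval'          => '/\beval\s*\(/i',               // running a string as code
        'long_b64'      => '/[A-Za-z0-9+\/]{120,}={0,2}/', // assumed threshold
    );
    $hits = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!in_array(strtolower($file->getExtension()), array('php', 'inc'), true)) {
            continue;
        }
        $lines = file($file->getPathname(), FILE_IGNORE_NEW_LINES);
        if ($lines === false) {
            continue;   // unreadable file; skip rather than abort the scan
        }
        foreach ($lines as $n => $line) {
            foreach ($patterns as $rule => $re) {
                if (preg_match($re, $line)) {
                    $hits[] = array(
                        'file' => $file->getPathname(),
                        'line' => $n + 1,
                        'rule' => $rule,
                        'text' => substr(trim($line), 0, 80),
                    );
                }
            }
        }
    }
    return $hits;
}

if (PHP_SAPI === 'cli') {
    $dir = $argv[1] ?? '';
    if (!is_dir($dir)) {
        fwrite(STDERR, "usage: php scan-theme.php <theme-or-plugin-dir>\n");
        exit(1);
    }
    foreach (scan_theme_dir($dir) as $h) {
        printf("%s:%d [%s] %s\n", $h['file'], $h['line'], $h['rule'], $h['text']);
    }
}
```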
9. Keep a backup
I can’t overemphasize the importance of making regular backups of your website. This is something that many people put off until it’s too late.
Even with the best security measures at your disposal, you never know when something unexpected could happen that might leave your site open to an attack.
If that happens you want to make sure all of your content is safely backed up, so that you can easily restore your site to its former glory.
The WordPress Codex tells you exactly how to back up your site, and if that seems like too much hard work, you can use a plugin such as WordPress Backup to Dropbox to schedule regular automatic backups.
10. Use security plugins
As well as all of the measures above, there are tons of plugins you can use to tighten your site’s security and reduce the likelihood of being hacked.
Here are a handful of popular options:
- https://jetpack.com/features/security/ – Comprehensive WordPress security plugin.
- http://wordpress.org/plugins/better-wp-security/ – offers a wide range of security features.
- http://wordpress.org/plugins/bulletproof-security/ – protects your site via .htaccess.
- http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ – adds a firewall to your site.
- http://wordpress.org/plugins/sucuri-scanner/ – scans your site for malware etc.
- http://wordpress.org/plugins/wordfence/ – full-featured security plugin.
- http://wordpress.org/plugins/websitedefender-wordpress-security/ – comprehensive security tool.
- http://wordpress.org/plugins/exploit-scanner/ – searches your database for any suspicious code.
Further resources
To learn more about hardening your website’s security, please check out these resources:
https://jetpack.com/blog/guide-to-wordpress-security/
http://codex.wordpress.org/Hardening_WordPress
http://wp.tutsplus.com/tutorials/11-quick-tips-securing-your-wordpress-site
Also, read our guide for more specific steps related to WooCommerce Security.
Don’t panic!
This may all sound pretty intimidating, especially if you’re a beginner. I’d like to point out that it’s not intended to scare anyone; it’s just important to discuss the topic of security regularly, as we want to make sure you stay one step ahead of the hackers!
You don’t have to do everything on this list (although it certainly wouldn’t hurt). Even if you just remove the ‘admin’ username and start using stronger passwords, your site will be that little bit safer.
Thanks so much for this very useful information.
I love Wordfence. In my experience, if you follow the above and generally keep an ear to the ground about possible issues for WordPress, you should be fine.
Security is always an important topic and one that I take very very seriously. I wrote up a series a while back that outlines some additional recommendations for securing WordPress sites with complete instructions on how to implement them as well… feel free to check it out here http://admindaily.com/secure-your-wordpress-site-part1.html and add anything you like to this post, use it elsewhere etc…
FYI: Your Rackspace affiliate link is broken.
Fixed, thanks!
My usual top tip is to delete all inactive themes and plugins.
Reduces code bloat and potential security holes in one easy swoop. 😉
Absolutely. This is definitely something that should be done on all WP websites.
10 great tips! nice one
Great advice Dan!!!
I use WebsiteDefender; it’s a free plugin. I think it’s very useful.
Does anyone have recommendation or any preferred security plugin?
I have been dealing with a persistent brute-force attack of late which basically brings any VPS with 4 or 5 GB of RAM to a grinding halt, unfortunately over a 2-week period. Can you please provide information on protecting wp-admin (I have used the .htaccess method) and also protecting wp-login.php (I have used a FilesMatch .htaccess method to again block access to this file)? Obviously nothing above in this post will protect against this, as it’s basically simply the sheer size of this botnet, so would people use Cloudflare to get rid of at least 50% of the unwanted traffic? I have blocked out 6 countries, but the IPs come from the United States now and the UK etc., so you can’t exactly block everyone, and this puts massive pressure on the firewall then to check all these IPs. Any advice?
This can largely be averted by your webhost or at the server level. For example using CSF in WHM will stop all of that mess.
http://configserver.com/cp/csf.html
You can also use DenyHosts if you are running a Linux machine without WHM.
Both of these tools will essentially see an IP making numerous failed login attempts and then block/ban that IP for a set period of time, and possibly ban it as well.
Check out https://www.atomicorp.com/
Thanks guys, unfortunately this botnet is simply hitting WordPress, not just login attempts, so protecting the wp-admin and wp-login.php script is not working for me. I have used the IP rules in CSF; however, the IP and the agent change every 5 seconds. Ongoing now for around 2 weeks, this issue is mind-boggling in its size.
@Petroski this looks like something useful so I might look into this now.
I stand by Better WP Security; it’s feature-rich and manages many of the exploitable areas this article covers!
You guys should check out BruteProtect: http://bruteprotect.com/ it’s like Akismet for brute force attacks. Excellent plugin, running on all of our sites now and keeping them safe.
Awesome looking plugin, thanks for sharing!
Some great tips and links thanks guys.
I also recommend using VaultPress (http://www.vaultpress.com) for real-time backup. It’s not the cheapest option, but it’s great to have the potential for a complete site restore at the touch of a button if you do get badly hacked. So far (touch wood!) I’ve not had it find any vulnerabilities, but given that it’s created by Automattic I presume it is worthwhile. I find the peace of mind it provides very reassuring!
At our agency we use ManageWP to notify us when our clients’ WordPress and plugin versions go out of date, so that we can update and patch them.
There are sometimes a few fixes to apply when we do this, so it’s well worth being notified about and doing properly.
Tom
CandidSky
http://candidsky.com
great tips…thanks
Thanks! – Thanks!
http://t3n.de/aggregator/wordpress-sicherheit-10-tipps-die-dich-ruhiger-schlafen-lassen
Good read.
I would add 2 things:
1. A recent report by Checkmarx shows that 20% of the top 50 WP security plugins actually carry their own vulnerabilities, which makes them part of the problem. Personally I attribute this to lack of standardization, which is IMO an acceptable “price of progress” for many OS products, but not for security solutions.
http://www.checkmarx.com/wp-content/uploads/2013/06/The-Security-State-of-WordPress-Top-50-Plugins3.pdf
2. To prevent pingback DDoS I would also suggest removing xmlrpc.php from the root or restricting it via .htaccess (unless you are actually monitoring pingbacks for your site).
http://www.incapsula.com/the-incapsula-blog/item/715-wordpress-security-alert-pingback-ddos
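An alternative to deleting xmlrpc.php or blocking it in .htaccess, as an added example rather than the commenter’s own code: a must-use plugin that removes only the pingback methods and stops advertising the endpoint, so other XML-RPC clients keep working. It assumes the site has no legitimate use for pingbacks.

```php
<?php
/*
Plugin Name: Disable Pingback Reflection (added example)
Description: Removes the XML-RPC pingback methods instead of the whole
endpoint. Drop into wp-content/mu-plugins/.
*/

// 1. Remove the pingback methods from the XML-RPC server. pingback.ping is
//    the method involved in the pingback DDoS the comment above links to.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// 2. Stop advertising the endpoint: drop the X-Pingback response header and
//    the RSD discovery link in <head>. A theme that prints
//    bloginfo('pingback_url') in header.php needs that line removed as well.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');

// 3. Stop accepting pingbacks and trackbacks on posts, old and new.
add_filter('pings_open', '__return_false');

// If nothing on the site uses XML-RPC at all, reject every call instead:
// add_filter('xmlrpc_enabled', '__return_false');
```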
Security has been a growing concern for us, many thanks for the list of tips.
Great tips Dan!
Tevya is right; Bruteprotect is an amazing plugin.
Inactive plugins, themes etc. should be deleted. No need to leave loopholes.
Very nice article and post to help improve my WordPress website security. I have implemented all the tips which you have shared in that cool post. Thanks for sharing.
Thanks for sharing how to make my WordPress site secure. Again, thanks.
Great article.
I’ve used a few of these but am trying to nail down the best few plugins which offer as much protection without duplication. Not easy, but so far I have:
Brute Protect – As some mentioned previously, an excellent Akismet-like plugin for brute force.
WP Security from Acunetix – A lot of duplication, from what I can see, with All In One WP Security (see below), but it does have some features not found in that plugin.
Hide My WP (on CodeCanyon) – I haven’t properly tested this one yet (am in the progress of doing so on a site just now), but from what I can see, it could be a real game changer. Depending on your site, it could take a while to configure, but from what I can see, it looks like it is possible to completely ‘hide’ the fact that a site is built in WordPress, when viewing page source code, amongst other things.
All In One WP Security & Firewall – A really good all-rounder, that seems to be very active on the update front. It has one feature I’m really interested in trying but am unsure if it’s viable on a WooCommerce site, and that is the Cookie-based Brute Force Protection. In a nutshell,
“This feature will deny access to your WordPress login page for all people except those who have a special cookie in their browser.”
Anyone know if this is an issue, i.e. would it be a royal pain for customers?
I’ll look into some of the others in the article, but for now, those are what I use.
Update ALL the things?
Some nice simple steps that everybody can implement.
Very useful information, thanks a lot for that!
Some new tips for me, especially how to disable the file edit option. Thanks for sharing.