How do you secure a WordPress site? The internet is a wild, open space. If your website is out there on its own with no security, it will be found and attacked; automated scanners probe every reachable host, not just the well-known ones. If you have outsourced the creation of your website to a designer, they should secure it for you, but it is always worth going into that conversation with some knowledge so that you get the security you want and need. If you are building the website yourself, this guide will help you with the fundamentals, but it should not be taken as a complete guide to security. These are things every website owner should do; each site is so specific that it is impossible to cover every detail here.
One of the great benefits of using WordPress is that there are security plugins you can use to secure your site without knowing too much about the ins and outs of application security. Obviously the more functionality your site has, the more security features you need to implement, but let's start by looking at some of the overarching fundamentals.
1. Secure your site with SSL
SSL stands for Secure Sockets Layer. It is the older name for the protocol now called TLS, which defines how the connection between a browser and your server is authenticated and encrypted; the name "SSL certificate" has stuck even though modern servers only speak TLS. It keeps the data travelling between the visitor and your site private and stops anyone on the path from tampering with it. An SSL certificate signals to a visitor that you have invested in keeping their data secure. They can tell you have one if your site runs over HTTPS rather than HTTP, and they will see the padlock in the browser's address bar. Every site sends data, even if it is only the pages themselves and the visitor's cookies, so it is now the norm that no site should be served over plain HTTP; browsers mark HTTP pages as "Not secure". Certificates are cheap, many hosting providers include one when you sign up, and Let's Encrypt issues them for free, although some hosting providers will not let you install a Let's Encrypt certificate.
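Having a certificate installed does not by itself stop visitors (or bookmarks and old links) from reaching the site over plain HTTP. The following must-use plugin is an added example, not code from the original article or from any plugin it recommends: it redirects every HTTP request to HTTPS, handles the common case where a load balancer or CDN terminates TLS in front of PHP, and sends an HSTS header so browsers stop trying HTTP at all. The file name and the one-year HSTS lifetime are assumptions.

```php
<?php
/**
 * Plugin Name: Force HTTPS (added example, not part of the original article)
 *
 * Save as wp-content/mu-plugins/force-https.php; must-use plugins load on
 * every request without activation. Assumes the site's home URL is already
 * set to https:// in Settings > General.
 */

// Behind a proxy or CDN that terminates TLS, PHP only sees plain HTTP and
// is_ssl() returns false, so the redirect below would loop forever. Trusting
// the X-Forwarded-Proto header fixes that. Only do this when the proxy is the
// only way to reach the server; otherwise a client can spoof the header.
// (Assumption: a single trusted proxy in front of the web server.)
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
	$_SERVER['HTTPS'] = 'on';
}

// Redirect any plain-HTTP request to the same path over HTTPS. Building the
// target from home_url() rather than the Host header means an attacker cannot
// turn this into an open redirect by sending a forged Host value.
add_action( 'init', function () {
	if ( is_ssl() || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
		return;
	}
	$path   = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '/';
	$target = set_url_scheme( home_url( $path ), 'https' );
	wp_redirect( $target, 301 );
	exit;
} );

// HSTS: once a browser has seen this header over HTTPS it refuses to load the
// host over HTTP for max-age seconds, so even the first request of a later
// visit never goes out in the clear. Only send it on HTTPS responses.
add_action( 'send_headers', function () {
	if ( is_ssl() ) {
		header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
	}
} );
```

The WordPress constant FORCE_SSL_ADMIN (set in wp-config.php) protects only the login and admin pages; the redirect above covers the whole site. Leave includeSubDomains off the HSTS header if any subdomain is still served over plain HTTP, because browsers will refuse to load it.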
2. Keep Software up to Date
In order to hack into a website, an attacker needs a way in, or a foothold. This "way in" is called a vulnerability, and one of the most common ones is a known security bug in out-of-date software. When plugins, themes and WordPress core are updated it is usually to fix two kinds of issue: bugs in how the software functions, and holes in its security. Once a fix is published, the hole it closes is public too, so an unpatched site is exposed to anyone who reads the release notes and knows how to use the flaw. By keeping everything up to date you greatly reduce the chance that an attacker finds a way in; remember that this includes plugins and themes you have installed but deactivated, since their files are still on the server. Always take a backup before performing any updates on your site.
3. Limit Login Attempts
It is normal for a user to need five or six attempts to log in; they may have forgotten their password or mistyped it. They should not be allowed unlimited attempts at guessing it, though. The problem with unlimited login attempts is that it leaves the door open for a brute force attack.
A brute force attack is an automated attack on a login form that tries to find a working username and password. The attacker runs scripts that submit many username/password combinations against the login fields, either every possible password or, in a dictionary attack, a list of common words and leaked passwords. Brute force attacks succeed when there is no limit on attempts and the credentials are easy to guess; dictionary words and simple variations of them fall in seconds.
The best way to stop your login being brute forced is to limit the number of attempts a user has, to use a long password, and to avoid the default username. Admin/Admin or Admin/Password1 are examples of combinations that are guessed immediately. Don't use these! Remember also that this applies to any members-only area you have set up that requires a password to gain entry. If your password is weak it may as well not exist, as it provides little to no protection.
There are plugins available to limit login attempts on a WordPress site. A good free one is Limit Login Attempts Reloaded, which limits the number of attempts possible through the normal login form as well as XML-RPC, WooCommerce and custom login pages; xmlrpc.php in particular is a favourite target because it accepts credentials without a visible form. Whatever plugin you choose, make sure it covers those alternative routes and not just wp-login.php.
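To show what a login limiter actually does under the hood, here is a minimal one as an added example; it is not code from the original article or from Limit Login Attempts Reloaded. It counts failed logins per client IP and per username, locks both out once a threshold is reached, and refuses further attempts through any route that calls wp_authenticate(), which includes XML-RPC. The thresholds, the option-name prefix and the file name are assumptions, not WordPress defaults.

```php
<?php
/**
 * Plugin Name: Simple login throttle (added example, not part of the article)
 *
 * Save as wp-content/mu-plugins/login-throttle.php. Counters live in
 * transients so they expire on their own; with a persistent object cache they
 * are shared across web servers, otherwise they sit in the options table.
 */

define( 'LT_MAX_ATTEMPTS', 5 );                       // failures before lockout (assumed)
define( 'LT_WINDOW',       15 * MINUTE_IN_SECONDS );  // how long failures are remembered
define( 'LT_LOCKOUT',      30 * MINUTE_IN_SECONDS );  // how long a lockout lasts

function lt_client_ip() {
	// REMOTE_ADDR is set by the web server and cannot be forged by the client.
	// Behind a proxy it is the proxy's address; in that case you must take the
	// real address from a header the proxy sets, which is not done here.
	return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lt_keys( $username ) {
	// Two counters: per source address, and per target account. Counting per
	// username as well means an attacker spreading guesses across many IPs
	// still locks the account rather than getting unlimited tries.
	return array(
		'lt_ip_'   . md5( lt_client_ip() ),
		'lt_user_' . md5( strtolower( (string) $username ) ),
	);
}

// Priority 30 runs after WordPress's own username/password checks (priority
// 20), so a lockout overrides a correct password and the response is the same
// whether the guess was right or wrong; an attacker learns nothing from it.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( empty( $username ) ) {
		return $user;
	}
	foreach ( lt_keys( $username ) as $key ) {
		if ( get_transient( $key . '_locked' ) ) {
			return new WP_Error(
				'too_many_attempts',
				__( 'Too many failed login attempts. Please try again later.' )
			);
		}
	}
	return $user;
}, 30, 3 );

// wp_authenticate() fires this on every failure, from wp-login.php, XML-RPC
// and anything else that goes through it. Count it and lock out at threshold.
add_action( 'wp_login_failed', function ( $username ) {
	foreach ( lt_keys( $username ) as $key ) {
		$count = (int) get_transient( $key ) + 1;
		set_transient( $key, $count, LT_WINDOW );
		if ( $count >= LT_MAX_ATTEMPTS ) {
			set_transient( $key . '_locked', 1, LT_LOCKOUT );
			delete_transient( $key );
		}
	}
} );

// A successful login clears the counters for that address and account.
add_action( 'wp_login', function ( $user_login ) {
	foreach ( lt_keys( $user_login ) as $key ) {
		delete_transient( $key );
	}
}, 10, 1 );
```

Two caveats a real plugin handles and this sketch does not: per-IP lockouts behind a shared office NAT or a CDN will lock out everyone from that address at once, and a per-username lockout lets an attacker deliberately lock the real administrator out, so production plugins usually pair the lockout with a notification and a way to whitelist trusted addresses.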
4. Change your WP login url
Every WordPress site is set up with its login form at yoursite.com/wp-login.php and the admin panel at yoursite.com/wp-admin. This makes an attacker's life easy: every scanner on the internet already knows where to aim a brute force attack. It is worth moving your login to a different URL that isn't so well known. Be clear about what this buys you, though: it is obscurity, not a lock. It cuts out the background noise of bots hammering the default path, but a determined attacker can still find the new URL, and the XML-RPC interface mentioned above still accepts credentials at xmlrpc.php unless you disable it, so rate limiting and strong passwords remain the real defence.
You can make the change manually if you have some website or coding experience, or use a plugin that does it for you. You generally specify a new URL for the login and the plugin sets it up while disabling the old wp-login.php and wp-admin paths at the same time. You will need to remember your new login URL, as you will not be able to log in at wp-admin again unless you disable the plugin.
5. Perform Backups Regularly
Backups don't keep an attacker out or do anything to stop them getting in. A backup is your golden ticket in case the world comes to an end. It is a copy of your website, its database and all its files, that you can restore to a server in an emergency. Your backups are worth the entire investment you have made in your website. The day may come when you get hacked, an update goes wrong, your server crashes or your hosting company goes bust; without good backups you lose everything, and that would cost you dearly in time, money and reputation. Whilst the other security measures are essential, backups are the ultimate insurance: if the worst happens, your website (plus all related files and databases) can be restored in no time. Two rules make a backup actually useful: keep copies somewhere other than the server being backed up, since an attacker who has the server has its backups too, and test a restore now and then, because a backup you have never restored is only a hope. UpdraftPlus is a good backup and restore plugin that stores your backup in the cloud with any of a number of storage services such as Dropbox, Google Drive or Amazon S3, or even sends it to an email account.
I'm going to reiterate that this is BY FAR not an exhaustive list of the security steps you should take to protect your site. Every site is different and has different needs. If you are worried about the security of your site and feel you need a professional to take a look at it, reach out to me. My day job is trying to break the security implemented on websites, so I know a thing or two about what will keep them safe.