
The fifteen keys to WordPress security

January 13 2017

WordPress functions configuration file

Is your WordPress site vulnerable to attacks or viruses? You can never be completely sure, of course, that you aren’t being hacked. That’s the anonymous and unregulated nature of the internet. Whenever you visit a site or give out information online, you’re taking a risk. You can’t be sure that you’re secure online, but you can be well-equipped. A strong WordPress security system can be crucial for protecting a commercial site, which you want to become prominent, from being hacked or infected with a virus. This introduction to WordPress security will cover 15 areas of defence.

1. SSL

SSL stands for ‘Secure Sockets Layer’, a layer of encryption that makes information travelling to and from your site unreadable to any third party. This protects the privacy of you and the people who use your site, keeping their sensitive data such as bank details, passwords and contact information safe in transit. Websites with an SSL certificate serve their pages over ‘https’, which gives users confidence that their details will not be stolen on the way.

2. Secure WP Config File

The wp-config file holds your website’s database connection details and other configuration settings. You can manually add rules so that visitors who happen to request this file directly are denied access.

3. Remove or Rename the ‘admin’ Account

WordPress names the primary administrator account ‘admin’ by default. This may be useful in reminding you what your role is on your site, but it also hands hackers a known username for your site, which is half of what they need to log in. In response, you can either delete the account or rename it. This makes it that bit harder for hackers to take over your site.

4. Relocate and Rename Login Page

The login page is a potential place for brute force hacks, where hackers use software to try passwords by trial and error until they find yours. But they can’t hack a site they can’t find. There are plugins that allow you to rename or relocate your login site, such as ‘Rename WP-Login’. Make sure to check with your webhost first, though.

5. Two-Factor Authentication

Two-factor authentication involves having a code sent to your phone when you log in, so that only a person who has both your login details and your phone can gain access to your account. This makes it much harder for hackers to break into your account.

6. Strong Passwords

Use numbers, punctuation and capital letters to strengthen your password and username. ‘c4t0'N1n3TAil5’ is more secure than ‘cat-o-nine-tails’. Also, don’t use your first name or ‘password’ as your password.

7. Remove Unnecessary Plugins

Don’t let unnecessary plugins and themes build up. As your website grows and changes, some plugins might become unnecessary, and will go unused unless you delete them. This kind of housekeeping doesn’t just keep your site tidy, it also ensures that your site runs as fast as possible as well as clearing away vulnerabilities.

8. Secure Hosting

Invest in a secure hosting provider. WP Engine is a Wirebox favourite, with an emphasis on proprietary security technology. It also has the benefits of automatic updates of new versions of WP, hack blocking, automatic security audits and code reviews. WP Engine will also fix a hacked site for free. That’s not something to sniff at.

9. Regular Backups

Regular backups, while time consuming and monotonous, are a great preventative measure; just like wearing a seatbelt, they are one of life’s necessities. WordPress makes backing up your site easy, and you can even use plugins to do the job. Then you’ll be protected from deliberate attempts to take your site down, as well as from loss of data.

10. Use Trusted Themes

Only use trusted sources for themes and plugins. Get them from sites you know you can use without concern for your security. Otherwise, your site might pick up malware that was hidden inside a ‘trojan’ theme or plugin and so walked straight past your other defences.

11. Monitor attacks

You can log attacks against your website by using monitoring and malware-scanning software. This means you can defend against attacks as they arise, rather than clearing up afterwards. WP Security Audit Log is one of the applications you can use to achieve this.

12. Hide WordPress Version

If you don’t regularly update your WordPress version (as you should: see ‘Update Regularly’ below), you can hide your WP version so that it isn’t obvious to hackers which version you’re running and which known vulnerabilities it has. The version appears in three places: the generator meta tag in the page header, the query strings appended to scripts and styles, and the generator tag in RSS feeds.
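The following must-use plugin is an added example, not code from the article: it strips the version from the three places just listed. The file name and the `hwv_` function name are this example's own; the hooks it uses are standard WordPress ones.

```php
<?php
/*
 * Added example: drop this file into wp-content/mu-plugins/hide-wp-version.php.
 * It removes the WordPress version from the generator meta tag, the feed
 * generator tag, and the ?ver= query string on core scripts and styles.
 * Hiding the version is cosmetic; it does not replace keeping WordPress updated.
 */

// The <meta name="generator"> tag in the HTML head and the <generator> element
// in RSS/Atom feeds are both produced through the 'the_generator' filter.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Scripts and styles enqueued without their own version get ?ver=<core version>.
// Only strip the value when it equals the core version, so plugins' and themes'
// own cache-busting version numbers keep working.
function hwv_strip_core_version( $src ) {
    $core  = get_bloginfo( 'version' );
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( $query ) {
        wp_parse_str( $query, $args );
        if ( isset( $args['ver'] ) && $args['ver'] === $core ) {
            $src = remove_query_arg( 'ver', $src );
        }
    }
    return $src;
}
add_filter( 'style_loader_src', 'hwv_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'hwv_strip_core_version', 9999 );
```

The readme.html file in the site root also states the installed version, so remove it or block access to it as well.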

13. Security Plugins

A security plugin is a wall, protecting your site from hackers. Installing one will shore up any weak points in your site’s security, defending against malware, suspicious activity and security breaches. There are loads out there, so find one that meets your security needs and concerns.

14. Update Regularly

Make sure that your WP version, themes and plugins are all up to date. If they aren’t, they may not be protected against current malware, and hackers may be able to use known weaknesses in old plugins or themes to gain access to the backend of your site. From there they can change or derail the site, or steal its data along with the sensitive information of your visitors and users.

15. Limit Login Attempts

To prevent brute force attacks, limit the number of failed login attempts allowed before your site blocks any further attempts from that particular IP address for a while. This puts a time limit on hackers, meaning that they will get bored and go somewhere else.
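As an added example (not code from the article or from any plugin it mentions), here is a minimal per-IP lockout written as a must-use plugin. The constants and `ll_` function names are this example's own; it assumes the site is not behind a reverse proxy, since it reads the client address from `REMOTE_ADDR`.

```php
<?php
/*
 * Added example: wp-content/mu-plugins/limit-logins.php.
 * After LL_MAX_ATTEMPTS failed logins from one address, every further login
 * attempt from that address is refused until the lockout window expires.
 * Assumption: REMOTE_ADDR is the real client (no reverse proxy in front).
 */
const LL_MAX_ATTEMPTS = 5;
const LL_LOCKOUT      = 15 * MINUTE_IN_SECONDS;

// One transient per client address; the transient's own expiry is the lockout timer.
function ll_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'll_fails_' . md5( $ip );
}

// Count each failed login. Once the limit is reached the counter is no longer
// rewritten, so attempts during the lockout do not extend the window.
function ll_record_failure( $username ) {
    $fails = (int) get_transient( ll_key() );
    if ( $fails < LL_MAX_ATTEMPTS ) {
        set_transient( ll_key(), $fails + 1, LL_LOCKOUT );
    }
}
add_action( 'wp_login_failed', 'll_record_failure' );

// Runs after core's username/password check (priority 20) and overrides its
// result: while the address is locked out, even correct credentials are refused.
function ll_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( ll_key() ) >= LL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.',
                     LL_LOCKOUT / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'll_check_lockout', 30, 3 );

// A successful login clears the counter for that address.
function ll_clear( $user_login ) {
    delete_transient( ll_key() );
}
add_action( 'wp_login', 'll_clear' );
```

Transients stored in the options table are not updated atomically, so a burst of parallel requests can slip a few extra attempts past the limit; a persistent object cache tightens this.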