Keeping WordPress secure is important in order to ensure that your site isn’t compromised. Uptime is maximized, your data is safe, and your site runs as quickly and reliably as possible.
Today we’ll look at 10 ways to help improve and maintain your WordPress site’s security, starting with the simplest and working through to some more advanced tips to help you secure WordPress.
A key area that attackers will attempt to access is the WordPress administration interface. If a malicious user is able to login as an admin, they’ll be free to do whatever they like to your site.
Some will attempt to login using a brute force attack, by setting up a botnet (many computers which the attacker controls) to repetitively attempting to login to your site, using different username and password combinations.
Here are some changes that you can make to help secure the WordPress admin interface:
1. Use a Unique, Secure Username and Password
Avoid using the default admin username. While you’re able to choose your own username when setting up a new WordPress site, if you’re on an older installation (which you should really upgrade – we’ll cover that later), or you’ve already set your username to admin, you can use a WordPress Plugin such asUsername Changer to change your username to something more secure. You can also create a new user with admin rights and remove the old ‘admin’ username.
Try to avoid common usernames such as administrator, your website’s name or your name.
For passwords, it’s important to choose a complex password comprised of letters, numbers and characters. Don’t choose a password that’s similar to your username, website name or a simple word with a few changes. Avoid dictionary words, and preferably use a random string of characters. A good password management tool will help you securely generate, store and use these complex passwords.
Alternatively, an easy way to remember a password, whilst maintaining sufficient complexity, is to use a phonetic password generator (such as this one).
2. Use Two-factor Authentication
Two-factor authentication (known as 2FA, or sometimes 2-step verification) requires a user to login with not just their username and password, but also a unique code that’s generated for one-time-use and sent to a device (typically a smartphone) via SMS or an iOS/Android app.
3. Verify the User Is Human
reCAPTCHA forms, which ask the user to input what they see in an image as text, are a useful way to stop botnets from attempting to brute force login to your WordPress site. Botnets typically can’t automate this part of the login process, therefore it helps prevent them from accessing your site.
4. Password Protecting wp-login.php
If you’re a more advanced WordPress user or developer, and you’re comfortable with some server-side changes, you can require a server-side login before the WordPress login screen is displayed.
This provides another layer of security, and we’ve covered how you can do this in our Preventing Brute Force attacks against WordPress websites article.
Whether you’re developing your own theme or plugin for your site, or using something from a third-party, it’s important that the code used is secure, and doesn’t open the door to potential attacks.
Insecure code, and not following best practices, may result in attackers being able to gain control of some or all of your WordPress site.
There are a few ways we can help ensure code integrity and security:
5. Keep WordPress Updated
Since WordPress 3.7, minor releases – which cover security and maintenance – are automatically applies. However, you can also extend this to automatically install major WordPress releases, by adding the following to your site’s
Whilst this may seem like a good idea, it may result in incompatibility between the newly installed version of WordPress and your existing themes and/or plugins. It’s always a good idea to maintain a testing environment for this sort of thing.
There are third party tools which can connect to your WordPress website and let you manage all of your WordPress installations from a single, unified interface. Best of all, you can perform one-click installs of WordPress, theme and plugin updates:
6. Choose Your Theme and Plugins Wisely
It’s important to choose themes and plugins that are actively maintained and regularly updated. Whilst this isn’t a guarantee of security, it should mean that if there are security vulnerabilities found in a theme or plugin, it’ll be addressed and updated quickly.
Also check the detailed descriptions of plugins, as some will be audited by third parties (such as Sucuri) for security, which can help give you peace of mind.
7. Developing Themes and Plugins
Whether you’re new to WordPress development, or have been working with WordPress for some time developing themes and/or plugins, it’s important to follow key WordPress security best practices.
From sanitizing data, using nonces and adhering to WordPress Roles and Capabilities, it’s important to keep up-to-date with WordPress development best practices:
With your WordPress installation more secure due to improving user authentication and the quality of our code, it’s also important to ensure you have well supported, secure, hosting.
8. Use Managed Hosting
There are several companies now offering Managed WordPress hosting, such as WP Engine, SiteGround and Media Temple. Whilst you’ll typically pay a premium over more traditional shared or unmanaged hosting, a managed host will help keep your site secure.
For example, WP Engine will automatically update WordPress and key plugins, if there are known security vulnerabilities, as well as disable plugins known to cause performance and security issues. As with most managed WordPress hosts, they provide hardware based firewalls and configuration to ensure that Distributed Denial of Service (DDoS) attacks don’t bring your site down.
Some users might find this approach intrusive, it does provide peace of mind and expertise to ensure your WordPress website remains functioning.
9. Ensure File and Folder Permissions Are Correct
If you’re not using a managed web host, it’s important to ensure that WordPress files and folders have the correct ownership and permissions. Not only does this allow WordPress to keep itself updated, it also prevents attackers from exploiting poor file security and taking control of your site.
As a basic guide, WordPress folders should always have
0755 permissions, and WordPress files should always have
0644 permissions – although this can vary from host to host.
If you’re getting errors when attempting to install plugins, or upload new media, don’t be tempted to set any folder permissions to
0777. Instead, work with your web host to ensure that PHP is run with the correct user, and that the folders are owned by the same user.
If you’ve got shell access, you can run a few commands to ensure WordPress is secure:
If you know the user and group that should have ownership of the WordPress files and folders, use:
10. Server Side Hardening
For advanced users managing their own web hosting, you can also:
- Ensure your database user has access to SELECT, INSERT, UPDATE and DELETE privileges only
- Use strong database usernames and passwords
- Disallow server-side file editing within WordPress, by adding
define('DISALLOW_FILE_EDIT', true);to your
Some web hosts will be able to perform some of these actions for you – it’s always worth asking.
In this article we’ve covered 10 tips for securing your WordPress website, ranging from basic user authentication through to coding practices and hosting setup. For more advanced users, we’ve touched on some of the advanced hardening techniques that can be used to ensure WordPress is as secure as possible.
Another option which is worth considering is the use of a security plugin such as WordFence or BulletProof Security. There are many to choose from, and they all have their advantages and disadvantages, so it’s best to do some research to find one which best suits your requirements.