Securing Your WordPress Website


In today’s website ecosystem, security should be the first thing to consider, not only for your website but also for the sake of your visitors. Websites become compromised for many reasons, but one of the leading causes is a lack of routine maintenance: not updating server-side software such as PHP or Apache, and not updating the WordPress core, themes, and plugins. Maintenance isn’t the only thing you need for securing your WordPress website, though. Below, I highlight some other key areas to help keep your WordPress site safe and secure.

Begin with Securing Your WordPress Login Page

The default login URLs for WordPress make it easy for bots and people with bad intentions to attempt brute-force attacks against a site’s login. This lets large networks of malicious bots scan your website for vulnerabilities and take advantage of known exploits that could give them access to your website.

We recommend using a plugin like WPS Hide Login to change the login page URL to something that makes more sense for you and to avoid using things like admin or login. It is best if you choose a login page name that doesn’t reflect anything someone could find on your website to help keep that information as difficult to guess as possible.

To prevent brute-force attacks, we also encourage using a plugin called Login Lockdown, which bans the IP addresses of people who repeatedly fail to log in. This increases the overall security of the login page by preventing further login attempts from the same IP address once previous attempts have already failed.
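The lockout behaviour described above, as an added illustration (this is not the Login Lockdown plugin’s own code): a must-use plugin that counts failed logins per client IP in a WordPress transient and refuses further attempts for a cooling-off period. The limit of 5 attempts, the 15-minute window, and the assumption that there is no reverse proxy in front of the site are all choices made for this example.

```php
<?php
/**
 * Plugin Name: Example Login Lockout
 * Added illustration, not the Login Lockdown plugin's own code. Drop this file into
 * wp-content/mu-plugins/ to activate it. Failed attempts are counted per client IP in
 * a transient; once the limit is hit, further attempts are rejected for a cooling-off period.
 */

const EXAMPLE_LOCKOUT_MAX_ATTEMPTS = 5;   // failures allowed per window (assumed values)
const EXAMPLE_LOCKOUT_WINDOW       = 900; // 15 minutes, in seconds

function example_lockout_client_ip() {
    // Assumes no reverse proxy in front of the site: behind one, REMOTE_ADDR is the
    // proxy, so every visitor would share a counter. Only trust a forwarded header
    // if the proxy overwrites it on every request.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_lockout_key() {
    // Transient names must be short, so hash the address instead of storing it raw.
    return 'example_lockout_' . md5( example_lockout_client_ip() );
}

// Count each failed login; WordPress fires this after rejecting the credentials.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = example_lockout_key();
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, EXAMPLE_LOCKOUT_WINDOW );
} );

// Run after the built-in password check (priority 20) and override its result, so a
// locked-out address is refused even when it finally guesses the right password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( example_lockout_key() ) >= EXAMPLE_LOCKOUT_MAX_ATTEMPTS ) {
        return new WP_Error(
            'example_too_many_attempts',
            'Too many failed login attempts from your address. Try again later.'
        );
    }
    return $user;
}, 30, 3 );

// Clear the counter once the same address logs in successfully.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( example_lockout_key() );
}, 10, 2 );
```

Because the lockout error is itself a failed login, the counter keeps climbing while an address is locked out, which is the intended behaviour.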

Enable Two Factor Authentication

Multiple factors can be enabled to provide a login service to your website. These break down into some simple categories.

  1. Something you know (username, password, PIN number, etc.)
  2. Something you have (mobile device, key generator, security key fob)
  3. Something you are (biometric information, such as your fingerprint or facial features)

Enabling a two-factor authentication service on your site is another great way to limit who can log into your site. Securing your WordPress website this way requires that you not only know the username and password but also confirm them with something you have on you to verify your identity.

Google Authenticator is a good solution for this.
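What the server side of a Google Authenticator login actually checks, as an added example that is not code from the post or from Google Authenticator itself: verification of a six-digit time-based one-time password (RFC 6238, HMAC-SHA1, 30-second steps). It assumes PHP 7 or later and that the base32 secret shown to the user at enrolment is available to the server.

```php
<?php
// Added example (not from the post or Google Authenticator): server-side check of a six-digit
// TOTP code (RFC 6238: HMAC-SHA1, 30-second steps), the scheme Google Authenticator uses.

// Decode the base32 secret (RFC 4648 alphabet) the user enrolled with.
function example_base32_decode( $b32 ) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits     = '';
    foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $c ) {
        $v = strpos( $alphabet, $c );
        if ( $v === false ) { return false; }
        $bits .= str_pad( decbin( $v ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( strlen( $byte ) === 8 ) { $out .= chr( bindec( $byte ) ); }
    }
    return $out;
}

// HOTP (RFC 4226) for one counter value: HMAC-SHA1 of the big-endian counter,
// dynamic truncation, then the low six decimal digits.
function example_hotp( $secret, $counter, $digits = 6 ) {
    $hash   = hash_hmac( 'sha1', pack( 'J', $counter ), $secret, true );
    $offset = ord( $hash[19] ) & 0x0f;
    $code   = ( ( ord( $hash[ $offset ] ) & 0x7f ) << 24 )
            | ( ord( $hash[ $offset + 1 ] ) << 16 )
            | ( ord( $hash[ $offset + 2 ] ) << 8 )
            | ord( $hash[ $offset + 3 ] );
    return str_pad( (string) ( $code % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// Accept the current 30-second step and one step either side to absorb clock drift,
// comparing in constant time. Returns the matching step (or false) so the caller can
// record it and refuse a second login with the same code.
function example_totp_verify( $b32_secret, $submitted, $now = null, $window = 1 ) {
    $secret = example_base32_decode( $b32_secret );
    if ( $secret === false || ! preg_match( '/^\d{6}$/', $submitted ) ) { return false; }
    $step = intdiv( $now === null ? time() : $now, 30 );
    for ( $i = -$window; $i <= $window; $i++ ) {
        if ( hash_equals( example_hotp( $secret, $step + $i ), $submitted ) ) {
            return $step + $i;
        }
    }
    return false;
}

// RFC 6238 test vector: secret "12345678901234567890" (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ)
// at Unix time 59 produces the code 287082.
var_dump( example_totp_verify( 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ', '287082', 59 ) );
```

Store the returned step alongside the user and reject any later login that presents the same step, otherwise a code captured in transit stays valid for the whole window.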

Username or Email address?

Using an email address to log in instead of a username is best, because people often display their username in their blog articles by default. An email address that isn’t used on the site itself is much better. For example, don’t use the email address published on your site as your contact email as your login email.

If you prefer to use usernames, then I would strongly encourage that you avoid terms such as admin, administrator, or editor, as these can be just some of the same usernames that attackers will use to try to gain access to your site.

Passwords

We recommend using a password manager such as LastPass or 1Password to help generate secure passwords for all of the sites you use so that you can keep them safe. You can also use them to help fill in those logins as needed.

Avoiding weak or short passwords helps prevent both brute-force attacks and dictionary attacks. Both of the previously mentioned services also offer two-factor authentication, not only for accessing the saved passwords they keep on an encrypted server, but also for many other services you log into, and they can generate the codes for you.

Plugins

As I mentioned at the beginning, maintenance is a crucial part of securing your WordPress website. Another way of securing your WordPress website is to make sure the plugins you use or install have been updated recently and have a decent number of reviews and installations. This indicates that a plugin is actively updated and patched for security issues.

  1. Make sure you only have plugins installed that you are actively using. Don’t leave temporarily used plugins just lying around.
  2. I really can’t stress this one enough: don’t use a file manager plugin on your site. These plugins are usually the first to be targeted by attackers to drop malware into a site. They allow direct access to your server’s file system and can be used to modify crucial portions of your website’s files.
  3. Check and see if the plugin has an active security notice by searching the WPScan Vulnerability Database.

SFTP/FTP Users

Control the access that all users have to your site, and audit the user accounts you allow access so that you don’t have old accounts just sitting around. Update these users’ passwords every three to six months, or more often if possible, and never reuse a password. A password manager can generate a random password for you to use when updating.

Monitor Your WordPress Site

Keep an eye out for any odd content changes on your site, as this can be a strong indicator that something needs to be looked into further. Most times, this will occur due to an updated theme or plugin, which is one more reason to keep your plugins up to date. Securing your WordPress site also means monitoring it for security issues; this will keep you aware of any plugins that have been compromised or any malware that has found its way onto your site, so that you can take care of the problem before it’s too late.

Database Tables

Most default WordPress installations use a prefix of wp_ for their database tables and this should be one of the things you address to make sure that you use a unique prefix. Many services out there such as FlyWheel and WP Engine generate a random prefix for you when you first set up a new site, but in many other cases, this is not true. It is highly recommended to avoid using default prefixes wherever possible.

Firewalls

Firewalls will help protect your website from Distributed Denial of Service (DDoS) attacks, as well as prevent known bad IP addresses from reaching your site. Services such as CloudFlare are free to use and come with that functionality built in, and they also offer a Content Delivery Network (CDN) for your site to help increase your overall site performance.

Hosting

There are a lot of hosting providers out there, but when it comes to security we recommend using FlyWheel. FlyWheel prevents the modification of core WordPress files so that attackers can’t add malicious code into the files.

Backup


Keeping a fresh daily backup of your site at the ready will make it easier to fix any problems that come up from the site being hacked, or from accidentally breaking the site through a recent update or deleting that crucial file. Having a daily backup of your site, as well as one taken just before you modify any theme or plugin files, helps you in several ways. You should keep these backups in a safe location, and we recommend using the 3-2-1 backup method.

  • 3 copies of your data (monthly, daily, and on change)
  • 2 copies on different storage media (on the site and your computer)
  • 1 copy offsite (Google Drive, Dropbox, or another service you can easily access)

Relying on your hosting provider’s backup solution isn’t the best idea, as it could be missing files or content you recently added or, in some cases, may have failed to back up at all. Having an alternative backup solution in place is recommended. You can use free services such as ManageWP or Updraft.

Conclusion

How many of the items do you currently have implemented? Use the list below to check them off!

  • Monitor Your Site Daily
  • Use Strong Passwords
  • Remove Inactive Plugins
  • Keep Your Site Up To Date
  • Use A Password Manager
  • Have A Backup Plan In Place
  • Secure Your Login Page
  • Enable Two-Factor Authentication

Take the worry out of the maintenance and monitoring and join Maintainn today. We’ll keep your WordPress website up to date for you and monitor it for any security issues so that you can focus on the rest of your day with a peaceful mind. If your hosting provider doesn’t offer you the latest version of PHP and you are looking for a great all-inclusive solution to your security efforts, be sure to check out our current promotion and take advantage of our great hosting and maintenance package!


3 thoughts on “Securing Your WordPress Website”

  1. Thanks for your article. I didn’t think that outdated plugins can cause security issues after reading the article. I will pay more attention to this.

    1. Yeah, you bet they’re really harmful. Bots are attacking WordPress-built websites all day long; if your site gets indexed in their list and you have a well-known and published vulnerability in your plugins (which usually means you are using an outdated plugin, because plugin and theme owners fix them ASAP), you are going to get hacked, obviously.

  2. Good one. The most important WP security terms that I can think of are these:
    1- Strong and long database name, database username, and password.
    2- 5+ character table prefix.
    3- Using plugins from trusted sources and developers.
    4- Staying up-to-date as much as possible.
    5- Not storing wp login and ftp information in weak places.
    6- Hiding generator tags.
    7- Using a plugin like Wordfence to block intruders.
    8- wp-config.php and .htaccess 440 or 400 file permission to block outsource access.
    9- Using escape in html fields.
    10- Force users to use strong passwords.
    11- Benefit from a highly configured software and hardware firewall on the server.
    12- Using an uptime monitor to detect ddos attacks and the site going down.
    13- Always change the default WP-Admin login path.
    14- Always keep a daily backup outside of the main server of your site to restore in case of getting hacked.
    15- Try to use two-way authentication for login.
    16- Make sure not to use deprecated social login integration plugins.
    17- Use the latest version of php.
    18- Disable uploading non-relevant files.
    19- Limit max upload size from public forms.
    20- Disable crawler access to the plugins folder via robots.txt.
    21- Disable directory listing in .htaccess.
    22- Try to use a premium CDN plan.
