WordPress is an amazing platform. Since its launch twelve years ago, it has grown to power over 25% of the ten million most popular websites – an impressive achievement by any measure. (The next most popular content management system is Joomla, with just 2.8% market share.)
The popularity of WordPress means that there’s a vast pool of first- and third-party resources to draw upon for everything from themes, to plugins, support, and more. It is for those reasons – and many more – that we recommend WordPress as a cost-effective web platform solution for our clients.
Another reason we use WordPress is for its security, which has become even more solid with each update. But with great popularity comes great challenges in ensuring that only the right people have access. We’ve compiled this list of our favourite techniques for securing a WordPress site, ordered from easiest-to-do to more challenging.
1. Use a Good, Unique Password (Easy)
We know, we know: you’re tired of hearing people tell you to change your password. Nobody likes coming up with a password that satisfies the requirements for a complex password, and you certainly can’t memorize those complicated jumbles of letters, numbers, and symbols, especially when you need to make a different one for every account.
Unfortunately, until something comes along that provides secure and unique identification, we’re stuck with the lowly password. The best we can do is to make managing that as easy as possible.
First, we recommend using password management software to generate, store, and back up your passwords. For Macintosh users, the built-in Keychain works very well. It’s encrypted, so it’s locked-down, and you can sync it securely with iCloud.
For Windows users, or for mixed device environments, a really great third-party solution is 1Password. It generates super secure passwords and stores them – encrypted, of course – so that they can be easily used when they’re needed. They’ve built apps for Mac, iOS, Android, and Windows.
We know that “G4X7Uq3Xr2H3JsvKgDCc” is harder to deal with than “admin123”, but these apps can make it nearly effortless. Plus, once all of your passwords are in iCloud Keychain, 1Password, or whatever app you prefer, it becomes easier than trying to remember individual passwords.
2. Keep Plugins, Themes, and the WordPress Core Updated (Easy)
Among the most reliable ways of keeping your WordPress site secure is one of the easiest: keep everything up to date.
While it’s obvious that WordPress updates will include security fixes, it’s just as important to keep plugins and themes up to date as well. Plugins and themes get to run their own code, and if the authors of them aren’t careful, there can be small mistakes that can allow an attacker to gain access to your site. And, because the source code for plugins is openly available, it can be trivial for the best hackers to find a weak spot.
For example, in 2014, a widely-used plugin called Revolution Slider did not have the appropriate checks in place to ensure that it wouldn’t download private WordPress core files. This problem was fixed in an update, but if a website was running an old version of Revolution Slider, it was easy enough for a hacker to automatically try downloading the file that contains the database keys for the website. If they were able to get that, they had complete access to the website.
Plugins like Revolution Slider don’t always have to be installed on their own, too. Some themes bundle one or more plugins for various theme functions. So it’s very important to keep everything up to date. While WordPress typically updates minor versions of its core files automatically, we like a plugin called Advanced Automatic Updates to keep plugins and themes up to date as well.
3. Make Sure You Don’t Have an “admin” User (Moderate)
As we mentioned earlier, nearly every WordPress site looks similar under the hood. One of the most common patterns is that the main administrator has the username “admin”, because this is the WordPress default. Nefarious programmers can create scripts that search for websites which look like they’re built with WordPress and automatically try different passwords for the “admin” user. This is known as a “brute force” attack.
You can reduce the likelihood of automated attacks affecting your WordPress installation by simply not having a user with the name “admin”. Use nearly anything you’d like, just not “admin”.
If you already have an “admin” user in your WordPress installation, you can safely remove and replace it.
And, of course, make sure that all of your users have strong passwords.
4. Install Jetpack and Enable Protection (Moderate)
For an extra layer of protection against “brute force” attacks, you can install Jetpack, a plugin created by WordPress’ parent company Automattic. Jetpack includes security features to protect your WordPress website.
For example, it can lock out visitors after they’ve attempted to crack your password several times in a row. It can also prevent robots from trying to log in, and monitor your site for problems. Best of all, it’s free.
And now for two advanced tricks that are more technically demanding. (It’s worth getting someone who knows a thing or two about web development to assist with making these changes.)
Advanced trick #1. Don’t Install WordPress in the Domain “Root” (Challenging)
If you’ve followed our first four tips for greater WordPress security, you will be at a significantly reduced risk for breaches (though, you should note, nothing on the web is guaranteed).
However, if you’d like to tighten your website’s security even more, it’s time to break out some more advanced tricks.
WordPress is typically installed in the “root” of the domain – that is, all of the files required to power it are located at
http://yourwebsite.com/. There’s nothing inherently wrong with this, but because many automated hacking scripts expect WordPress to be in the root, it can be beneficial to place it in a subfolder instead, like
WordPress has published instructions for moving a site to a subdirectory. Please note that these steps should only be performed by someone very familiar with FTP, .htaccess, and PHP.
Advanced trick #2. Don’t Have a User #1 (Very Challenging)
Those robot hackers we talked about earlier have gotten smarter in recent years. Instead of just looking for an “admin” user, they now also look for users in the order in which they were created.
Each user has a corresponding, sequential ID number – your first user is user 1; your second, user 2, and so forth. Hackers and their programs can automatically look for the user name that is associated with each ID. Because WordPress starts counting at 1, and because most websites don’t have hundreds of authors, it typically takes less than a second to find a valid user name.
Changing the ID that corresponds with each user is not an easy process, and should not be attempted by anyone who does not have a high level of MySQL working knowledge. Making a mistake here can cause catastrophic problems. You can find instructions on the WP Whitehat Security website.
Trust us: there’s very little worse than waking up to find that your website has been wiped and replaced by some lewd images or gambling spam. If that happens, it can spoil your reputation with search engines and your clients, and it can be very challenging to recover.
No security tip is guaranteed to protect your website. But taking the four simple precautions above can harden your website against possible intruders. And that allows you to stop worrying about the security of your website and get back to marketing and blogging. If you’d like any assistance with any of these techniques or if you’re working on a website redesign, feel free to give us a call, we'd love to help.