WordPress is reported to power over 25 percent of all websites that are found on the web, making it the most popular content management system used on the internet. That is an outstanding statistic which speaks to the utility and usability of WordPress. Bloggers and businesses alike use it because it’s free, it’s easy to use, and it’s very useful. In fact, this blog uses it. Much like the popularity of Windows, however, the downside of this success is that WordPress is a huge target for hackers, plugin application exploits and spam attacks.
Bad people do bad things. The intent of this article is to help you protect your WordPress site against a wide variety of online threats originated by bad people. My hope is that you’ll learn to harden and secure your WordPress website and give bad people a bad headache instead of the other way around.
Before discussing the easy to use tools that are available to increase the security of websites, there are some essential security steps that every website should include as a baseline, whether using WordPress or something else. These include: backing up and restoring your application and database, using strong passwords, and choosing trusted plugins and/or modules.
After we’re done covering the essentials, we’ll explore how to increase WordPress security by securing the WordPress admin area. Finally, I’ll cover advanced topics such as: setting up a firewall, and blocking proxy servers and bad bots.
I’m writing this because a secure website is a mission critical task that is essential for succeeding on the internet.
Backing Up Your Website
Keeping a current backup is one of the most important, if not the most important, thing that you can do to not only protect your computer at home, but your website on a remote server. It’s the equivalent of having a guardian angel for your information. If a hacker tries to kill it – your backup will protect your information and you’ll be able to restore it. You can manually backup WordPress, but the easiest way to back up everything (files and database) is by using a WordPress plugin. Although there are several different plugins available, a solid plugin which is the most powerful, flexible, and popular is called Updraft Plus. This one plugin will allow a site backup and restoration to and from various cloud services, in addition to the traditional local machine.
Choosing a strong password is also an important thing that you can do to keep your site safe and secure. It’s not uncommon to find that compromised sites have weak passwords such as, 1234, or other easy to guess phrases. Good strong passwords contain numbers, upper and lowercase letters, and in WordPress, they can also contain symbols. Using a long random mix of upper and lowercase letters, numbers, and symbols is a great way to create secure passwords. Also know that the longer the password, and the more random the chosen set of characters, the more secure your website will be.
“But Jeff, I can’t remember those crazy random endless passwords!”
There is a solution my friend. Instead of trying to remember strong passwords, try using a password manager, such as 1Password, Dashlane, KeePass, or similar utility. Doing so can simplify your online routine, and allow you to enjoy a ham sandwich while watching a football game without WordPress worries.
There are three things to remember in WordPress. The admin password is the Holy Grail for hackers and is set when WordPress is installed. A password must be set for each new user, and passwords should be strong and changed frequently.
WordPress does a good job of creating strong passwords, so go ahead and use it if you wish. You can also create a custom password, if desired. There are many ways to create a strong password, but the easiest way is to use a phrase that you can remember – and then hackitize it. Substitute numbers for letters or vice versa, and “DrPepper for everybody!” becomes “DrP3PP3r43ryb0dy!” Viola!
When installing WordPress, remember to change the default admin username from admin to something unique and difficult to guess. Attackers typically assume that the administrator’s username is admin, so changing it to something, anything else, is going to block many automated attacks. In addition to admin, don’t use your domain name, and don’t use common names like administrator, demo, editor, author, login, and so forth.
Also, keep in mind that once you’ve installed WordPress, the admin username can’t be changed via the user profile screen. To change the admin username after it’s already been installed, you can create a new admin-level user with a hard to guess username and strong phrase based password, log out as the original admin, log back in as the new admin user, and then delete the original admin user. From that point on, you can continue using your new account.
Choosing Trusted Plugins
Plugins are the easiest way to add or change functionality to your WordPress website. But, not all plugins are created the same. Some plugins are well written, well documented, and maintained not only for security but also updated and validated against new versions of WordPress. The use of common sense goes along way with determining if you can trust a WordPress plugin. As alluded too, if the last update to a plugin was three years ago, or there isn’t a history of maintenance, or compatibility with the current version of WordPress is not listed, or if the number of installs is very low, or has very poor review, or if the developer doesn’t have any documentation, or doesn’t answer questions – then you may want to pass on downloading and installing a plugin.
Secure and Harden WordPress
Cerber Security and Limit Login Attempts
In order to harden WordPress, we should limit access to the login page, stop user enumeration, and protect the wp-admin directory from unauthorized access. We should also disable the XMLRPC protocol. One of the best plugins to protect the login page is WP Cerber. The WP Cerber plugin protect WordPress against brute force attacks and provides control over use activity. You can also restrict access to the login page by IP, the number of login attempts, and change the URL used to access the login page.
Stop User Enumeration
You must also address the danger that occurs when permalinks are enabled in WordPress. If a hacker makes an author ID request, the request is redirected to the associated author archive URL, which reveals the login username. This is not good, as an attacker can then use the user ID and possibly use other exploits to gain control. You can prevent this by turning off permalinks – but this defeats search engine optimization. But wait, there’s a better option. A good plugin exists called Stop User Enumeration, which will prevent this exploit. It will stop exposing the login username of any author, and will allow permalinks to remain active. Simply install the plugin and activate it and the attack vector will be closed.
Block Bad Queries
There are also relentless attacks that can put your site at perpetual risk as well as waste and occupy server resources, bandwidth and memory. As your site gains popularity, such attacks will slow down requests from legitimate users. Again, there is a simple plugin that you can install to block and stop a great deal of bad traffic. Block Bad Queries, or BBQ is the name of the Plugin. It’s a simple way to increase the security of your site from a wide range of bad requests. Install it and activate it.
I recommend WP-Ban as a simple and effective plugin to block access to IP, IP ranges, domains, and entire countries. It’s important to review your server logs and take note of activity directed against your site. Using WP-Ban, you can be very granular in blocking access to specific IP’s, ISP’s, and geographic areas. I highly recommend this plugin for ease of use.
Use a Firewall
Perishable Press created a plugin called 6G. Optimized for WordPress-powered sites, and is very effective at blocking a vast spectrum of bad bots, exploits, malware, and other idiotic crap. If you know how to change and control traffic using .htaccess files instead of a plugin – you’ll experience better performance. There are guides that can be found using your favorite search engine to edit .htaccess files for WordPress. Controlling access at the server level, rather than thru WordPress, is better for site performance and requires less server resources because it obviates the need for loading PHP, database, configuration files or anything else. With that being said, this article is about “simple and easy’ for less technically inclined WordPress site operators. Editing htaccess files is a bit beyond “easy” and “simple” – but you should limit access to the wp-admin area and other resources
WordPress is a great content management system (CMS) used by bloggers and businesses alike. There are other free CMS systems that are more secure, but none that are as easy and enjoyable to use, or for readers to view. This article was written in an attempt to help you utilize the inherent simplicity and power of WordPress to harden and secure your content, without engaging in system or server administration techniques that are beyond the grasp of most people to whom this article is intended. You can find such techniques online if you’re interested.
Please let me know in the comments if you found this article useful, or if you have questions that I might be able to answer.