This guide serves as a “starter” guide for securing your WordPress installation. If there are any additional steps you recommend, please feel free to reply with them. This guide is by no means a “complete”guide however, it will get you started with some basic WordPress security measures.
1. Keep your WordPress Installation Updated!
This is crucial, and increasingly more & more WordPress websites are left unattended. The WordPress crew works diligently to issue fixes & updates for problems that pop up here & there. When an exploit is discovered, WordPress will release and update when that exploit is found from the core installation.2. Keep your plugins updated!
Let’s face it, we all love the plugins for WordPress that allow us to pretty much morph WordPress into whatever we could imagine. The amount of plugins has being developed has increased significantly over the past few years. What has also increased significantly is the number of developers no longer supporting their plugins. this is a major problem because if the plugin is exploited, a security hole remains open & unfixed. Solution #1: Update your plugins on a regular basis Solution #2: Only use plugins that the developers still support.
3. Forcing SSL logins
To force SSL (Secure Sockets Layer) on your WordPress website, you will need to choose from the following options below. Be sure to add the lines of code above the following line:
/* That’s all, stop editing! Happy blogging. */
Standard User Login To force an SSL connection for logins:
define(‘FORCE_SSL_LOGIN’, true); WP-Admin Login To force logins & WP-Admin logins to use SSL:
define(‘FORCE_SSL_ADMIN’, true);
4. User Accounts
Still using that default “Admin” account to login with? If so, STOP. Every single hacker & malicious user looking to exploit WordPress knows this is the default account. Since they no longer have to try to guess your username, they only have to worry about brute forcing your password now. By continuing to use the default admin username, you’ve removed a layer of security.
5. Securing your wp-config.php file
Still have this file in the public_html directory? If so, it’s time to move it. By default, WordPress can read this file from 1 directory level above the public_html, which would be your /home/ directory. This file only needs to be readable by your user account & the server itself. It’s permissions generally can be set to 440. Using .htaccess, you can also secure your wp-config files using the following rules:
< files wp-config.php > order allow,deny deny from all < /files >
6. Passwords. Make Them Stronger!
- Don’t use common words: password, letmein, etc.
- Change them frequently. Once per month is ideal.
- Don’t use the same password on all of your sites.
- Don’t share your passwords with anyone.
- Choose a password of: 15-20 Characters, upper/lower case, numbers & special characters.
Here’s a decent random password generator that can help: http://strongpasswordgenerator.com
7. Password protect the WP-Admin Directory w/ cPanel
Using the cPanel directory password protection utility is a great way to add an additional security layer to the wp-admin login. When visiting the wp-admin portion of your WordPress site, you will be prompted for a username & password combo that you set inside of cPanel for the respective directory. We have a video guide on how to password protect a directory in cPanel.
8. Brute Force Attack Plugin – Limit Login Attempts
Limit Login Attempts is a great addition in “locking out” or “limiting” login attempts to your site. Using this in addition to password protecting the wp-admin directory adds 3 layers: Layer 1. Changing the default “admin” account via phpMyAdmin Layer 2. Password protecting the wp-admin directory using the cPanel utility Layer 3. Using a plugin such as Limit Login Attempts behind to password protection.
9. Exploit Scanner Plugin
The WordPress plugin “Exploit Scanner” is a great plugin that scans your WordPress site for known malicious files & file extensions. The plugin will also scan your database for tables containing anything suspicious.
10. 3rd Party Scanners/Monitors
Sucuri.net Sucuri.net has a free scanner located right on their main page. It’s extremely thorough for a “free & limited” scan. They do offer premium packages for their services that may be of interest to you.
Link: http://sucuri.net
SiteLock: SiteLock is a security scanning & monitoring solution for your website & business. You website is scanned & verified daily by SiteLock. When purchasing, you will be able to display a SiteLock seal on your website that verifies your business as well as the last scan.
Link: https://www.sitelock.com
(SiteLock is available through many web hosting providers at a discount price, so be sure to check with your hosting provider first!)
Conclusion:
As you can see from the steps above, securing your WordPress website is not as simple as just installing some “all in one” security plugin. While some such as “Bullet Proof” may be decent, using an “all in one” plugin is just an extremely bad approach for security. If that one approach happens to get exploited, all layers that that one plugin uses are out the window; useless. With the number of WordPress websites increasing by the thousands each day, hopefully this guide will shed some lite on how to better secure your installation of WordPress.
If you have any web hosting questions please feel free to reach out to us. We're happy to help.
Shared Hosting | Reseller Hosting | Managed WordPress Hosting | Fully Managed VPS Hosting
Our Guiding Principles
- Provide consistent, stable, and reliable web hosting services.
- Ensure rapid ticket response and quick resolutions to issues.
- Never saturate or over-provision servers to ensure stability and speed for our customers.
- Use only high-quality enterprise-class hardware to ensure minimal downtime from hardware failures.
- Provide clear pricing with no hidden fees or gotchas.