Continuing with our WordPress optimization series, today we will be discussing WordPress security. In the previous part of the series, we talked about steps that you should take when and after installing WordPress.
WordPress security is not rocket science. However, it does require some extra steps on your part. While WordPress is inherently a secure piece of software, it does face a lot of malicious attacks and security threats because of its popularity.
As such, for the safety of your website, it is a good idea to be aware of some basic WordPress security measures. This article deals with the same.
First up, the basics.
Basic WordPress Security Tips
Here are some key basic WordPress security considerations that you should bear in mind:
- Always use strong passwords for your WordPress accounts. Also, make sure you change your passwords regularly.
- Avoid using the default username “admin”. This is because “admin” is way too easy to guess for any malicious attacker.
- Try to keep just one administrator account, and for all other users, use different and lesser user roles such as Editor or Contributor.
- Always keep your WordPress core, plugins and themes updated.
- Avoid using too many themes or plugins; if there are any themes or plugins that you do not use, delete them rather than deactivating and leaving them.
Brute Force Attacks
A brute force attack is when an attacker attempts to log in to your site by trying to guess the password. It involves repeat login attempts until the correct combination of username and password is guessed.
Obviously, in such cases, having a strong password and not having an obvious username is helpful. That said, there are many WordPress plugins that you can install to prevent and successfully combat brute force attacks.
If you are a Jetpack user, you need not look any further. Jetpack has a Protect module that can successfully defend your site against brute force attacks. Learn more here.
Alternatively, you can use a popular plugin such as Login LockDown. It logs every failed login attempt, and after a given number of failed attempts, it simply blocks the offending user’s IP address.
WordPress Core and Database
Securing your WP core files as well as the database is of utmost priority. While you can replace your theme or plugin, fixing a hacked database is rarely an easy task.
For hardening your core files against damage, the best way is to prevent code execution in core WordPress folders such as the uploads and content folders. If you disallow code execution in such directories, you can prevent remote corruption of data. A plugin such as Sucuri Security can do the trick for you.
Other than that, regularly scan your core files with the official versions for any unwanted or undesirable changes. This way, you can be sure that your core files are not altered by an unknown source. A plugin such as Wordfence Security comes with free scanning abilities that can do this task easily.
For hardening your database, you should change the table and database prefix from wp_ to something else when installing WP. This is because the default wp_ prefix is fairly common and can be prone to more attacks. If you are installing via Softaculous, it is very easy to change the database and table prefixes.
WordPress Themes and Plugins
The biggest and more important rule for WordPress themes and plugins as far as security is concerned is not to install anything that you cannot absolutely trust.
For instance, you should use WP themes only from the official repository, or from trustworthy and reputed sources. Poor quality themes might have spyware or adware bundled and that can hurt your site.
Same logic applies to plugins too. More importantly, you should ensure that the theme or plugin that you are using is under active development and is regularly updated to prevent security issues.
To check the quality of WordPress themes, you can use a tool such as Theme Check. Basically, most bad WP themes come loaded with adware in the form of hard-coded links to websites that you would not want to link to (eg. warez sites, adult sites, etc.) Theme Check can detect such links and inform you of the same.
Useful WordPress Plugins
Now, what about some WordPress plugins that you can use to harden and secure your website?
There are various WordPress security solutions out there, both paid and free. Wordfence Security, as mentioned above, is an extremely popular plugin that you should surely consider using. It comes with a free firewall as well as regular virus scanning.
That said, if Wordfence Security does not work for you, iThemes Security is another similar and equally popular WordPress plugin. Additional names include Bulletproof Security and All in One WP Security and Firewall.
Going further, a plugin such as WP Bruiser can protect your login forms as well as all other forms — contact forms, optin and landing pages, and a lot more. This way you can combat spam and also ensure the safety of your site’s login and other pages as well as forms.
All said and done, you should also have a proper backup and restore strategy for your WordPress site. Even after taking the best of steps, your website can be compromised.
Naturally, it helps to be prepared and therefore, you should always keep regular backups of your site.
Plus, while you can ensure your WordPress installation and themes or plugins are in order, what about cPanel woes? What if your hosting provider is using sub-standard software and that ends up getting your site compromised? Obviously, the solution is simple: be sure to pick a web hosting provider that can ensure that the software being run on its servers is not missing on the security updates.
That brings us to the end of this part related to WordPress security. In the next part of this series, we will be discussing optimization and enhancement measures for WordPress plugins as well as ideas using which you can pick the best WP plugins. Stay tuned!
Up Next in the Series:
Our Guiding Principles
- Provide consistent, stable and reliable web hosting services.
- Ensure rapid ticket response and quick resolutions to issues.
- Never saturate or over-provision servers to ensure stability and speed for our customers.
- Use only high quality enterprise-class hardware to ensure minimal downtime from hardware failures.
- Provide clear pricing with no hidden fees or gotchas.