If you have a website based on WordPress, there is a pretty big chance that you have had to deal with a hacked website at some point. WordPress is the worlds most popular blogging and CMS-engine, and that’s why so many hackers focus on it. As a consequence, you should take WordPress security very seriously.
This article offers a few simple — but essential — tips to ensuring that your WordPress site is secure.
1. Keep WordPress updated
A very popular way for hackers to attack your WordPress site is to target known security issues in WordPress core. The older your version of WordPress, the more likely it is to have a lot of known issues. This is not to say that WordPress has a lot of bugs, but it’s a big piece of software, and errors will occur now and then.
Make sure you always check for new updates to the WordPress core, and apply updates as quickly as you can after they are released. Keep in mind though, that updates to the WordPress core may break functionality on your site. Always backup your WordPress installation (including the database) before you update the WordPress core.
2. Keep your plugins updated
Same way the WordPress core may have security issues, it’s also fairly common for WordPress plugins to have security issues. Exploiting those issues is another common way for hackers to gain unauthorized access to your WordPress site.
Frequently updating your WordPress plugins is just as important for good WordPress security as keeping the core updated. Especially due to the fact that plugins are not written by the WordPress team (with a few exceptions), but by 3rd party developers across the globe. The quality of WordPress plugins vary a lot, and, although most plugin developers are talented folks, it’s impossible for plugins to be entirely free from bugs and security issues.
3. Use a good security plugin
A standard WordPress install is fairly secure in itself, but it does not do a whole lot to actively fight off attackers. One very good strategy to strengthen security is to use a security plugin. There are quite a few plugins out there that strive to deliver good WordPress security, but I would personally recommend Wordfence Security.
Not only are the core features in Wordfence free to use (and a license is quite cheap), but it’s also packed with features that greatly benefit both security, speed, and stability for your WordPress installation. One of my favourite features (which is included in the free version) is the ability to effectively block brute force1 attacks. Another very common technique used by hackers.
4. Avoid certain usernames
A very commonly used technique in brute force attacks is to try and guess the password for commonly used usernames. It’s quite easy to avoid this type of attack if you follow these simple guidelines:
- Don’t use the default ‘admin’ account in WordPress. Simply set up another administrator account and delete the admin account.
- Avoid using the domain name as a username. For instance, if your domain name is www.mywebsite.com, then you should not use ‘mywebsite’ as a username.
- Refrain from using your real name as a username. If you are called Peter Jackson, then don’t create an account with the username ‘peterjackson’ or even ‘jackson’.
If you follow these very simple guidelines, you are a big step closer to avoiding brute force attacks on your WordPress site.
5. Use secure FTP
If you are using FTP (File Transfer Protocol) to gain access to your WordPress installation, then you should make sure that SFTP is used. If you are are not using SFTP, then usernames and passwords are sent unencrypted to the FTP-server, and that makes it fairly easy for potential attackers to gain access to sensitive information.
If your hosting provider does not support SFTP, then you should seriously consider switching to a hosting provider that does.
6. Make sure your computer is clean
Not many people think about this, but a fairly common way for attackers to gain access to your website is by using your computer (or phone or tablet) to gain access to your passwords.
Make sure you scan your computer for viruses and spyware frequently to avoid getting keyloggers or other nasty stuff on your computer. This is not only a good idea in terms of WordPress security, but it also protects you when you are accessing other online services like your Internet bank.
7. Backup often!
All the previous points will greatly improve WordPress security, but no website can ever be completely immune to attacks. That’s why you should always make sure that your WordPress site is backed up frequently. Using a plugin like BackUpWordPress is an easy way to automate backup of your site.
Keep in mind that it’s very important to make sure you are able to restore your website from a backup. Make it a part of your weekly routine to ensure that your backup is running, and regularly test that you are able to completely restore your website from the backups you store.
Let us help you
If you follow the 7 tips above, you are highly unlikely to have your site destroyed by hackers. Most of those points should be fairly easy for everyone to follow, but if you are not technically inclined (or would rather spend your time on something else) then we recommend that you hire someone to ensure that your WordPress site is secure.
At Thaihosting we offer a wide range of services to people who host their WordPress site with us, and we are always happy to give you some input on how you can make your site more secure. Get in touch with us if you want to know more.
This article sums up some of the key aspects of WordPress security, but there are a lot more things you can do to further harden your site. If you are interested in diving a bit deeper into the topic, then we recommend starting with this great article from the WordPress Codex.
Finally, doing a quick Google search on “WordPress Security” will yield a plethora of great articles on the topic. Be advised though, that you should check the publishing date of anything you find. Some resources may be outdated even if they are still highly ranked on Google.
Share your thoughts
If you have anything to add about this important topic, please tell us about it in the comments. We would love to hear from you if you have any cool tips to offer; if you have some first hand experience with how crippling a hack can be; or if you have a great story about how you recovered from a hack.
- A brute force attack is a fairly primitive kind of attack, where the attacker attempts to gain access to a website by attempting to guess the password for a given user account. This type of attack is usually automated, so attackers may try thousands of different passwords in a very short timeframe.