WordPress Security Tips and Tricks

WordPress is one of the most common CMS platforms website users use to manage their content. As a result, websites on WordPress are often the target of various web attacks. Below are some WordPress security tips and tricks that go a long way to ensuring your website is protected.

Don’t create ‘common’ usernames

Starting off with a tip that you should follow when first installing WordPress. You should not look to create your username as ‘admin’, ‘administrator’ or any other common usernames.


Common usernames are easy to guess. In addition, as of WordPress version 4.9.2, the login page itself tells you whether or not a username exists in the system!

For example, attempting to log into WordPress using an incorrect username and password will prompt the following message.

[Screenshot: login error message for an incorrect username]

Attempting to log in using a correct username but invalid password will present the following.

[Screenshot: login error message for a correct username with an invalid password]

Clearly WordPress is giving an indication of whether certain usernames exist in the database. Don’t give hackers a head start by letting them guess your username!

As with any credentials, try and create a unique username that’s not easily guessable but memorable to you.
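One way to close the gap shown in the screenshots is to make the login error generic. The following must-use plugin is an added example, not code from the original post; it uses WordPress’s real ‘authenticate’ filter and WP_Error codes, and assumes it is saved as a file in wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: Generic Login Errors
 * Description: Added example (not part of the original post). Stops wp-login.php
 * from revealing whether a username exists by collapsing "unknown user" and
 * "wrong password" into one message. Save in wp-content/mu-plugins/.
 */

// Error codes produced by the default handlers on the 'authenticate' filter
// (wp_authenticate_username_password / wp_authenticate_email_password, priority 20)
// when either the account or the password is wrong. Any of these leaks a signal.
const GENERIC_LOGIN_ERROR_CODES = ['invalid_username', 'invalid_email', 'incorrect_password'];

function generic_login_error($user, $username, $password)
{
    if (!is_wp_error($user)) {
        return $user; // successful login (WP_User) or null: nothing to hide
    }
    if (array_intersect(GENERIC_LOGIN_ERROR_CODES, $user->get_error_codes())) {
        // Same text for both cases, so the response no longer distinguishes them.
        return new WP_Error('invalid_login', __('The username or password you entered is incorrect.'));
    }
    // empty_username / empty_password and similar do not reveal account existence.
    return $user;
}

// Priority 40: after the default handlers (20) and cookie authentication (30),
// so the WP_Error they produce is what we inspect.
add_filter('authenticate', 'generic_login_error', 40, 3);
```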

Admin Passwords

By default, WordPress will generate a strong password for you when running through the install process. You should ensure that you choose a password of equal or better strength. There is simply no excuse for having short passwords in this day and age. As shown in the screenshots above, if your username can be guessed and your password follows suit, you leave your website particularly vulnerable.

There are many extremely secure online Password Manager systems where you can store your passwords, such as Passpack and 1Password. These systems are built on strong client-side encryption, so only you have access to your sensitive information. Password Managers often come with various levels of authentication including password, master/secret keys and packing keys. This means you won’t have to worry about your account being breached.

Generally, you should look to use a random password generator of no less than 20 characters to use as your password. This will minimise the risk of any brute force attacks made against your WordPress user account.

As a golden rule of thumb, it is advised to change your password regularly. Ideally this should take place no less than once every 3 months.

Admin Login URL

As standard, WordPress serves the admin login at the wp-login.php URL. Because this location is the same on every install, attackers can land on this page and start a brute force attack against your system.

Whilst strong usernames and passwords will minimise the risk of your account being compromised, attackers will still have a chance to guess your details if they can access this page.

There are many security plugins that are available to download that change the default login URL. The URL can be changed to something unique, and this is usually set by you, the user, within the admin area.

Again, this URL should be a unique URL and not just /admin, /administrator, /manager or any other common examples.

It’s also a good idea to deny all access to this page using server configuration. Of course, you’ll need to whitelist your own IP to allow you and your colleagues to access the login page.

If your server uses Apache as the web server, locate the .htaccess file within the root directory.

You can then paste in the following contents.

<IfModule mod_rewrite.c>
RewriteEngine on
# Match any path containing wp-login.php, OR the bare /wp-admin path.
# (The $ anchor means files below wp-admin/, e.g. admin-ajax.php, are not blocked.)
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# ...and only when the client is NOT one of the whitelisted addresses.
# Escape the dots in real addresses (e.g. ^203\.0\.113\.10$) so "." is not a wildcard.
RewriteCond %{REMOTE_ADDR} !^IP Address One$
RewriteCond %{REMOTE_ADDR} !^IP Address Two$
# "-" leaves the URL unchanged; R=403 returns Forbidden and L stops further rules.
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Then replace IP Address One and IP Address Two with the actual IP addresses from which you need access to the login page. You can also whitelist more addresses in this file by adding further RewriteCond lines of the same form.

Use HTTPS

Any website that transfers sensitive data from the browser to the server should install an SSL certificate. This ensures that sensitive data such as passwords and credit card information is encrypted in transit rather than sent in plain text.

Furthermore, Google have stated that they’ll promote websites in the search results that have an SSL certificate installed.

Certificates nowadays do not cost much money and are a vital component in gaining customer trust. Even free certificates from the Cloudflare and Let’s Encrypt services would suffice. One caveat: Cloudflare’s “Flexible” SSL mode only encrypts the leg between the browser and Cloudflare, and traffic from Cloudflare to your origin server is still sent in plain text, so put a certificate on the origin as well and use the Full (strict) mode.

Update WordPress

A pretty self-explanatory one. If WordPress notifies you of an update being available, you should update the platform sooner rather than later.

Whilst updates mainly include features and bug fixes, you can bet that WordPress will have also fixed some security vulnerabilities.

Plugins

Plugins are great for a whole variety of reasons. Regardless of how many plugins you have installed, you should ensure that the plugins you do install are trusted.

Before downloading any of them, take the time to look at ratings and read the reviews. Make sure that the majority of people who’ve used this plugin haven’t experienced any issues or reported any security vulnerabilities.

As with the WordPress core, you should update plugins as soon as you can should there be an update available.

Disable theme and plugin editors

WordPress provides access to theme and plugin code in the admin. For themes, this editor is located under Appearance -> Editor and for plugins, under Plugins -> Editor.

To prevent these files from being edited in the admin, you can disable the editors within the WordPress wp-config.php file.

This can be achieved by adding in the following line to the config file.

define('DISALLOW_FILE_EDIT', true);

This will prevent an attacker who compromises a user account from using the built-in editors to modify theme or plugin code. It also prevents users without programming knowledge from accidentally making edits that could break website functionality.

Health check your repository

At the time of writing, WordPress has experienced a recent malware attack where dodgy pieces of code have ended up in WordPress’ theme and core files.

It’s important to nail down how malicious code managed to get injected into your codebase. In the meantime, you can minimise the effects of the code if you use Git to version control your repository. By running a health check like the one in this post, you can remove unwanted code quickly and effectively.
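As an added example (not code from the original post) that complements the Git health check, the script below compares core files against an expected MD5 list and flags modified, missing and unexpected files. It assumes a list in the per-file MD5 form WordPress publishes for each version (the data WP-CLI’s ‘wp core verify-checksums’ compares against); a small constructed tree and map are embedded so it runs offline.

```php
<?php
// Added example, not code from the original post. Flags core files whose MD5
// differs from the expected list, files that are missing, and files under
// wp-admin/ or wp-includes/ that the list knows nothing about (the usual
// footprint of injected code). The demo tree and checksum map below are constructed.

function core_integrity_report(string $root, array $expected): array
{
    $report = ['modified' => [], 'missing' => [], 'unexpected' => []];
    foreach ($expected as $relPath => $md5) {
        $full = $root . '/' . $relPath;
        if (!is_file($full)) {
            $report['missing'][] = $relPath;
        } elseif (md5_file($full) !== $md5) {
            $report['modified'][] = $relPath;
        }
    }
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        $rel = str_replace('\\', '/', substr($file->getPathname(), strlen($root) + 1));
        // Only core directories: wp-content/ legitimately holds site-specific files.
        if (!isset($expected[$rel]) && preg_match('#^(wp-admin|wp-includes)/#', $rel)) {
            $report['unexpected'][] = $rel;
        }
    }
    foreach ($report as &$list) { sort($list); } unset($list);
    return $report;
}

// Constructed demo tree standing in for a real WordPress install.
$root = sys_get_temp_dir() . '/wp-demo-' . uniqid();
mkdir("$root/wp-includes", 0700, true);
$clean = [
    'wp-includes/version.php'   => "<?php \$wp_version = '4.9.2';\n",
    'wp-includes/functions.php' => "<?php // clean core file\n",
];
$expected = [];
foreach ($clean as $rel => $body) {
    file_put_contents("$root/$rel", $body);
    $expected[$rel] = md5($body);
}
// Simulate tampering: one appended line in a core file, plus one extra file.
file_put_contents("$root/wp-includes/functions.php", "// injected line\n", FILE_APPEND);
file_put_contents("$root/wp-includes/extra.php", "<?php // not in the checksum list\n");

print_r(core_integrity_report($root, $expected));
```

Anything listed under modified or unexpected is what the Git health check would show as a diff or an untracked file; running both gives you a second opinion that does not depend on the repository itself being clean.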

Conclusion

Security is a fundamental aspect of any system that contains sensitive data. WordPress websites in particular need the love and care they deserve. Following the WordPress security tips and tricks above will ensure you take a great leap towards properly protecting your website.

Note: This article is based on WordPress version 4.9.2.