But with some basic settings, policies and plugins, you can protect yourself from 99% of the attacks you might face.
Before we get into the gory details, it’s worth noting that there’s simply no way to make WordPress (or really anything) 100% impregnable. Even with the most sophisticated technology, teams of smart people and a lot resources dedicated to security, large corporate and government websites get hacked.
Which means that, in addition to taking precautionary measures, you also need to have a plan for recovering from an attack.
WARNING: Before you implement any of these suggestions, BACK UP ALL THE THINGS!
Stronger User Names and Passwords
Earlier this year, when there was a huge spike in brute force attacks against WordPress:
The top five user names being attempted are admin, test, administrator, Admin, and root. The top five passwords being attempted are admin, 123456, 666666, 111111, and 12345678.
Don’t use these. Instead, use a strong password generator tool for both user names and passwords. If you have trouble remembering difficult user names and passwords, I suggest a password manager like Last Pass.
Among some other tips and plugins, Daniel Smeek recommends hiding login error messages by adding the following code to functions.php:
add_filter(‘login_errors’,create_function(‘$a’, “return null;”));
Also, don’t email user names and passwords. And if you do have to give someone else access, create a unique user for them. If you simply won’t do that, change your user name and password each time you give someone else access. Finally, don’t store user names and passwords on your computer. You have a soft underbelly.
Avoiding common user names and passwords is a very simple way to protect against brute force attacks.
Avoid Public WiFi
Put simply, don’t connect to WiFi hotspots without a secure VPN in place. Hint: Your Starbucks probably doesn’t have a secure VPN in place. If you’re using WiFi at home or at the office, create a very strong password, implement WPA2 and don’t show your SSID.
The internet battle between good and evil continues to rage on. Which means you need to be constantly vigilant in applying updates to:
- Core WordPress installation
- Theme files
As I stated above, before you apply updates, make sure you have working backups of your site files and database.
I can’t tell you how many WordPress installations I see that are running really, really, really old versions of WordPress. Failing to update these files is one of the best ways to guarantee that you get hacked.
Choose a host that knows security. Specifically, WordPress security. WP Engine, which is more expensive than your standard economic hosting, is among the best.
If you want to save on hosting, you might consider password protecting your wp-login.php file.
If you’re tech-savvy, you might be able to add some security to your .htaccess file (you probably should have a developer do this for you). Here are some things you should consider adding (talking to your developer about):
- Disabling your server signature.
- Remove spam queries.
- Block spam bots (i.e. bots without user agents).
- Block SQL injections.
- Password protect WordPress login page or limit WordPress login to your IPs.
- Block malicious IPs.
If you want to see the specific code for how to implement these, Sam McRoberts lays it out in his Definitive Guide to WordPress Security. You can find a couple additional useful .htaccess configurations here.
When most WordPress users want to add some additional functionality to their installation, they immediately think: Plugins to the rescue!
Don’t think like this. Use plugins very judiciously. Read-up on plugins before installing. Get help from a developer.
Only after you’re confident in the safety, security and support of the plugin, and only after you’ve created a recent backup, you might turn to plugins to help with security. Here are a few to consider:
- Wordfence (Last Updated: 2013-7-19 as of posting) – Wordfence Security is a free enterprise class security plugin that includes a firewall, virus scanning, real-time traffic with geolocation and more.
- Better WP Security (Last Updated: 2013-7-26 as of posting) – Helps with protection, detection and recovery.
- Limit Login Attempts (Last Updated: 2012-6-1 as of posting) – Limit rate of login attempts, including by way of cookies, for each IP. Fully customizable.
- BulletProof Security (Last Updated: 2013-7-16 as of posting) – WordPress Website Security Protection. Website security protection against: XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking.
Over in The LAB, a few years back, Greg recommended checking out Perishable Press as a good WordPress security resource. And Sam recommended the Exploit Scanner plugin. Perhaps they’ll update us on what they’re reading / using for security now.
The WordPress plugin directory has many more security plugins. Again, I encourage you to limit your reliance on plugins in general. And be sure that you are confident in the safety and support of those that you choose to install and activate.
As anyone who has been hacked will tell you, getting hacked and recovering from a hack is not fun. Taking the time to take some preventative measures and instituting some commonsense security policies at your firm will help you avoid 99% of the most common security issues you’re likely to encounter.
Have a WordPress security question or tip you’d like to share? Feel free to post below.