WordPress Security is one of the most important things a website owner needs to worry about, right behind the site’s content, what the site looks like, and who’s hosting it. I own Press Wizards hosting and deal with security issues that are easily preventable on a daily basis. WordPress has its root in blogging, but has grown into a mature, enterprise-level content management system (CMS). Securing WordPress is one of the most popular topics discussed, so let’s review the top areas of concern: WordPress and plugin updates, backups, WordPress security plugins, password security, and user roles/management.
1. Keep WordPress and Plugins Updated to Close Security Holes
Keeping WordPress up to date is vital, as is ensuring that all your active plugins are kept up to date as well. While there are some fearful that updating WordPress or plugins will “break things”, a hacked site is the most common outcome from outdated versions. If a newer version is released, it always contains bug fixes, which ensure your website works properly, and often contains security patches, which close a hole in the security of your site. Both of those are reasons enough to keep WordPress and plugins updated – and if anything does break or need adjusting, they are usually minor and quick to address.
More serious issues that come up from updates may be for a very good reason, and once in a while, there’s a very old plugin that no longer works right, hasn’t been updated in years, and it’s time to replace it with something more current, not hackable, and is still updated/supported. Bottom line, update your site or risk losing it to hackers running script bots (automated scripts that scour the Internet for vulnerable sites).
The free plugin I recommend to help with this is Advanced Automatic Updates. It has settings to keep WordPress, plugins, and themes updated automatically, and sends an email every time it updates. For large or busy sites, I’d recommend creating a staging site, and running this plugin on the staging site, to test for issues after each update. If all looks good, then manually update the live site. For smaller sites, I run the plugin on the live site, and rely on backups in case of any major issues, restoring from the backup and then troubleshooting the issues.
Note that premium plugins and themes are not easily updated. Themes and plugins from the WordPress repository will auto-update, but themes from Themeforest or other theme sites are not, and usually have their own update process. For Themeforest themes, if your theme supports it, ensure that your Themeforest account and API are saved in the theme options, so it can be updated with one click. For others, they may email you when an update is available, and you’ll have to manually download the update, and upload the theme files again. For helping with this, I recommend the Easy Theme and Plugin Updates plugin.
2. Store Backups Offsite to Protect Your Website from Being Permanently Erased
Having validated backups is vital for ensuring your website can recover from any issue, whether they are WordPress security related or not. Be sure to test your backups, doing a restore every few weeks, and ensure that you or your webmaster not only know how to restore your site, but that the backups were successful and error free. I’d recommend automated scheduled daily database backups, and daily or weekly backups of your content folder, which contains your uploads, themes, and plugins. You’ll want to keep five to seven of your most recent backups. Backups can be stored on the web host, but it’s best to store them offsite in a dedicated cloud storage account like Dropbox. If anything happens to your hosting account or files, the backups will be safer if stored offsite.
I recommend automated scheduled backups to Dropbox with easy restore options using the plugin UpdraftPlus. It has paid add-ons available providing additional functionality, view their website for details. It works very well for both small and large sites. There are lots of other free and paid backup options including BackWPUp, BackupBuddy, and VaultPress. I’ve used them all and UpdraftPlus is free, reliable, and easy. For a paid option (you’re really paying for the support when you need it), I’d recommend VaultPress ($5/mo) or BackupBuddy ($80/year for 2 sites).
3. Use WordPress Security Plugins and Services That Keep Hackers Out
There are quite a few WordPress security plugins for WordPress. All of them have strengths in some areas and do things differently in other areas. In general, there’s three areas to focus on:
- Firewall: Proactively blocks the bad stuff before it reaches your website, and denies access to your website or its files.
- Hardening: The process of locking down different areas of WordPress so that if something reaches your website and tries to do something that could be bad or pokes around to see what it can do, it is blocked.
- Scanning/tracking: A plugin that can monitor core files, detect changes, malware, or hacked files, and alert you, offering help to clean them out or delete them.
Most of the security plugins take all the technical details of the WordPress hardening recommendations, and make them easy to configure. The primary areas of hardening to focus on are deactivating unused areas so they aren’t vulnerable, limiting log-in attempts so a bot can’t hammer your site with password guesses, and filtering requests from bad sources. The top quick changes to harden your site that these plugins can help you do include limiting log-in attempts to five bad logins before locking out that IP, changing the default “admin” username to something else, changing the database prefix from “wp_” to something else, and enforcing strong passwords for all users.
I use and recommend the free All in One WP Security and Firewall plugin for every site. It works well, locks down the site and is fairly easy to set-up with just a few checkboxes. I’d also strongly recommend using the free version of Cloudflare, a cloud proxy which includes broad threat protection, free SSL use (use flexible mode without needing your own SSL cert), as well as a high-performance caching content delivery network (CDN). Their paid plans start at $20/month for your first site and $5/mo for each additional, and include mobile and image optimization and a web application firewall (WAF).
Some of the other popular plugins include WordFence (great lock-down features, superb file scanning, and including easy caching options), iThemes Security (lock-down, scanning, and backups), BulletProof Security (firewall and login monitoring, backups), Sucuri Security Scanner (activity tracking, malware detection and repair), and the paid Sucuri Security Firewall (protects against known vulnerabilities even if updates aren’t done yet).
Firewall specific plugins I’ve used include WordPress Simple Firewall and NinjaFirewall (a free web application firewall that is configured within WP, but runs before/outside WordPress, a very unique concept).
For e-commerce and high traffic sites, I’d recommend reaching out to me for help in using a few of these plugins together in a crafted way to ensure a high secure/performance configuration.
4. Create a Strong Password Policy So Bots Can’t Guess Your Login
No matter the amount of security and hardening done, one of the most common ways attackers gain access to your site is via guessing a valid user’s password. Attackers can try thousands or millions of passwords before the automated scripts discover the right one and send an alert. This goes beyond your WordPress login, and can give attackers access to your entire site(s) via your host’s Control Panel, FTP, SSH, or Telnet login, too. Use strong passwords for any and all usernames, and enforce strong passwords for all other users.
Having a password that is long, complex, and not easily guessable (based on words etc.) is the best security practice of them all. You should use one of two password generation methods… for those that like to memorize their passwords, use multiple words to make up a long password – see the xkcd Password Strength comic and resulting word-based password generators. I strongly recommend you use the amazing free password management tool Last Pass to generate long complex passwords that you never need to remember. The tool generates and then auto-fills in your usernames and passwords for you, across all websites you log in to. There’s also 1Password that you may like to try to see which you like better.
Don’t use the same password on other websites or services, because if one gets hacked, then that username, email, and password could be tried on other sites in automated ways and see where else it works. Change your passwords every three to six months to limit the possibility of someone hacking/using old passwords you used to use (see this other xkcd comic).
5. Understand WordPress User Roles and Purge Users to Prevent Rogue Access
One of the other most common ways a site can be attacked is from allowing rogue users to have unnecessary access. Be sure you periodically go through and clean out your WordPress users. Many times there are old employees that will still have unlimited access.
WordPress has built-in user roles to limit access and capabilities. Be sure you’re not giving users too much access, limiting “Administrator” access to only those that absolutely need it (you, your webmaster and others who need to configure technical settings on the site). If you’re adding users that will be writing blog posts but shouldn’t be able to publish posts or pages themselves, set those users to the Contributor role, and an Editor or Administrator will need to review and schedule the publishing of their posts. For those that can write and publish their own posts or pages but not other people’s, set them to the Author role. For those that need to publish or edit everyone’s posts or pages, set them to the Editor role. They can do everything except install plugins or themes and other administrator level capabilities.
WordPress Security Checklist
Here’s the short summary of the above highlighting what you can do to secure your WordPress sites today.
Install and configure each of these free WordPress plugins:
- Advanced Automatic Updates to keep your site and plugins updated.
- UpdraftPlus to schedule backups of your database and your wp-content folder.
- All in One WP Security and Firewall to harden and increase the security of your WordPress installation.
Then, sign up and use these free services:
- Cloudflare for threat protection, free SSL, and performance boost from their cache/CDN.
- Last Pass for strong password generation and management.
Lastly, keep a close eye on who still has access to your site, ensure that all users are using strong passwords, and limit the role they are assigned.
Security is not a simple thing, but the above simple steps can take your site from being in trouble to running rock solid for years to come. I welcome your thoughts or stories in the comments below, let me know how else you tackle security on your sites.
If you need help with a hacked site, want help configuring the plugins or Cloudflare, or would like specific recommendations for your site, please contact me.
7 Comments
Very good simple write-up, well done! One point I would like to expand a bit on is point 4, strong passwords. Unfortunately sometimes the security of a website does not depend solely on you especially in a multi user website. Hence in such case it is recommended to use plugins such as WP Password Policy Manager to configure password policies so you ensure all users use strong passwords.
My 2c
Great tips! I use WordFence but I’m going to go through this post and see what else I need.
Wow, am I glad I read this post. I was in the middle of a bot attack, receiving emails every couple of hours that someone was trying to log into my WP dashboard (I was using the free version of WordFence). I went ahead and installed the All-in-one plugin and clicked through the screens to set it up and follow its recommendations (including changing the url of my login screen). It was very easy (I’m not a web developer) and the attacks completely stopped. What an amazing plugin. Thank you for writing this up.
It’s always good to know that our readers are getting value and solving problems with what we’re putting out. Thanks for the update Kimberly and glad you’re are protecting your site. It’s getting scary with all of the things that are there. -Melonie
One follow-up question. One of the plugins mentioned, All-in-One-WP-Security & Firewall, is no longer available. I wonder if that means bugs were found that couldn’t be fixed? When a plugin disappears or ceases to be updated regularly is it advisable to remove it from my site?
I’d recommend checking on why a plugin was removed to determine if a switch needs to be made. If a plugin isn’t regularly updated, I’d reconsider using it at all, especially security plugins. (All In One WP Security is still available and is the one I still use and recommend.)
[…] on all of these different types of protection. You can learn more about the right plugin for you here. In the end, security is all about staying up to date with the latest updates and always backing up […]