7 WordPress Security Tips & Tricks

WordPress currently occupies 27% of all websites online, around 15,000,000 websites, and because of this it is a constant target for malicious scripts that try to cause problems for you. But don’t let this scare you: if you follow our 7 security tips you’ll minimize the risk of being at the mercy of a hack.

1. Keep WordPress up to date

You’ve probably seen us talk about keeping your WordPress version up to date in previous posts; that’s because it’s extremely important. Not only does keeping it up to date give you access to the latest features, it also increases your website’s security.

Recently you may have noticed that WordPress updates itself for hot fixes such as 4.6.1, but major releases like 4.7 require you to update them yourself. A hot fix will fix any issues in the major release or add small features not worthy of a major release. These automatic updates are nothing to worry about, but if you do want to turn them off you can.

If you do want to update the site yourself, to be safe we suggest taking a backup of the database, and if you want to be extra secure you can use a plugin like Backup Buddy which will back up your entire website.

2. Keep plugins up to date & remove unnecessary ones

WordPress Security Stats

Just like WordPress itself, plugins also need updating regularly to keep your website as secure as possible.

According to Sucuri, one of the top security plugins for WordPress, during Q1 of 2016 25% of all WordPress compromises came down to three of the most popular plugins: TimThumb, Revolution Slider and Gravity Forms.

First things first: if you’re using TimThumb for anything, remove it immediately. For years now TimThumb has been causing havoc across the internet, mainly because after the developer stopped updating it, it became vulnerable and people kept it on their websites, allowing scripts to use this security flaw to break into the website. WP Beginner posted an article in June 2012 discussing what to do if it is on your website, so this may help if you do still have it installed.

The other two plugins are ones we use regularly, and when we are made aware of issues (albeit rarely) we make sure we update them. Generally the developers of both plugins are extremely quick to respond if an issue is found in a particular version.

With this statistic in mind you can understand why it’s best to keep all your plugins up to date. If managing this seems like too large of a task for you, we offer various care packages where we’ll handle the updates for you.

We also tell you to remove unnecessary plugins for the very same reason as keeping plugins up to date. If they aren’t needed, their code will go out of date and you’ll more than likely forget about them because they aren’t used regularly. When they go out of date they put your site at risk, so it’s best to just remove plugins you aren’t using.

3. Never use ‘admin’ as a user & have strong passwords

When a script is trying to get into your site by guessing your username / password it’s called a ‘brute force attack’. It gets the name from the method it uses to get in. You can find plugins which allow you to restrict how many failed attempts someone can make before they can try again, which can help with the issue. Another solution is to add a captcha to your login, forcing users to confirm they’re human before it allows them to submit the form.

One of the first things malicious scripts will do is try the username ‘admin’, purely because it’s the first username people use for the admin user of a website. Try to use something a script won’t think of. Your name, for example, is much more secure than ‘admin’.

The second thing a script will do is attempt to guess your password, so having generic passwords like password123 won’t keep them out for long. We use a piece of software called 1Password to generate complex passwords that are going to keep scripts from guessing them. If you’re wondering what a complex password looks like, one I just generated is .p8VQ$pULTHAmTxkd3A. The mixture of symbols, numbers, and upper- and lowercase letters makes it extremely secure and almost impossible to guess. The longer they are, the better. If you want a free tool that can help you, try the Strong Password Generator. We prefer 1Password as it allows us to store all our complex passwords.

Having strong usernames and passwords also applies to your FTP/SFTP accounts and databases.
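The failed-attempt limit described above, as an added example written for this post rather than one of the plugins it mentions. It is a must-use plugin (the wp-content/mu-plugins/ path, the ex_ prefix and the 5-failures-in-15-minutes policy are all assumptions), keyed on the username being tried so that a lockout protects the account rather than depending on a spoofable client address.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter
 * Description: Added illustration of tip 3; drop into wp-content/mu-plugins/ (assumed path).
 */

// Constructed policy: 5 failures within 15 minutes locks that username out for 15 minutes.
const EX_MAX_FAILURES = 5;
const EX_WINDOW_SECS  = 15 * MINUTE_IN_SECONDS;

// One transient key per (normalised) username; hashing keeps the key short and stable.
function ex_attempt_key( $username ) {
    return 'ex_login_fail_' . md5( strtolower( sanitize_user( $username, true ) ) );
}

// Count every failed login against the username that was tried.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = ex_attempt_key( $username );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EX_WINDOW_SECS );
} );

// Runs after WordPress's own username/password check (priority 20): once the limit is
// reached the result is replaced with an error even if the password was right, so a
// script gets no signal about which guesses were correct during the lockout.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user; // cookie-based auth, nothing to rate-limit here
    }
    if ( (int) get_transient( ex_attempt_key( $username ) ) >= EX_MAX_FAILURES ) {
        return new WP_Error(
            'ex_too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that user.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( ex_attempt_key( $user_login ) );
}, 10, 1 );
```

Because the counter is keyed on the username, repeated wrong guesses against a real account will lock the genuine owner out for the window too; that is the trade-off versus keying on the client address, which can be rotated or spoofed behind proxies.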

4. Change the admin URL

Most WordPress websites have the admin URL set to /wp-admin/ which is extremely easy to remember. The issue with this being so common is it becomes the first URL that scripts will try when they want to brute force your site. To help get around this you can change the URL. Doing this means it becomes harder for scripts to find the login URL and apply brute force attacks.

5. Change the database prefix

The database of your WordPress website is probably the most important part of the site. It stores all of the information from posts to passwords, so it’s best to keep it as secure as possible. When setting up sites we make sure we use different names for the database user and the database name, as well as a long, secure password as we discussed earlier.

If you want to take database security a step further you can change the database prefix. By default WordPress uses wp_, which of course is known by scripts trying to run SQL injections on your database. So having something less predictable restricts a script’s ability to inject malicious code into the database.

6. Disable the Plugin & Theme editor

Within the WordPress dashboard you can find a built-in plugin and theme editor, which is accessible to the admin users of the site. Obviously if someone does manage to hack into the site as an admin user, or manages to create a user and log into the site, they can get access to this. There is a very simple way to stop them being able to get that far: disable that feature.

To do this you do need to edit the wp-config.php file so if you don’t feel comfortable why not get in touch with us and we can handle it for you.

If you do feel comfortable doing it all you need to do is add the following line of code to the wp-config.php file in the root of your FTP or SFTP.

define( 'DISALLOW_FILE_EDIT', true );
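The three wp-config.php settings this post touches (automatic updates in tip 1, the table prefix in tip 5 and the editor in tip 6) side by side, as an added excerpt rather than a file from the post; the prefix value is constructed and the database credentials and salts are left out.

```php
<?php
// Excerpt of a hardened wp-config.php (added illustration of tips 1, 5 and 6).

// Tip 1: automatic core updates. 'minor' is WordPress's default behaviour: hot fixes
// like 4.6.1 install themselves while major releases like 4.7 wait for you.
// true also automates major releases; false switches automatic core updates off,
// which leaves the whole update schedule (and its security fixes) up to you.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// Tip 5: table prefix. The weak default, assumed by scripted injection attempts:
//   $table_prefix = 'wp_';
// A less predictable prefix (constructed value; letters, numbers and underscores only).
// Changing this only defeats attempts that hard-code the default name. On an existing
// site the tables must be renamed to match and the prefixed keys in the options and
// usermeta tables (wp_user_roles, wp_capabilities, wp_user_level) updated, or logins break.
$table_prefix = 'k7qz3_';

// Tip 6: remove the dashboard plugin and theme editor for every user, admins included.
define( 'DISALLOW_FILE_EDIT', true );
```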

7. Keep track of website activity

No matter how many users you have using your website, it’s a good idea to keep track of what they’re doing.

You may ask why? Sometimes something little can cause a vulnerability on the website, so when it comes to solving it, knowing what’s happened on the website recently comes in handy. WP Security Audit Log is a simple and free plugin which keeps a log of everything that happens on your website’s dashboard, so you can view what your users are doing but, more importantly, what hackers have done if they have got into the site.
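To show what a dashboard activity log records, here is a small added must-use plugin written for this post (not WP Security Audit Log) that writes one line per security-relevant event to the PHP error log; the wp-content/mu-plugins/ path and the ex_ prefix are assumptions.

```php
<?php
/**
 * Plugin Name: Example Dashboard Activity Log
 * Description: Added illustration of tip 7; drop into wp-content/mu-plugins/ (assumed path).
 */

// One line per event: time, event name, who did it, from where, and event details.
// With WP_DEBUG_LOG enabled these lines land in wp-content/debug.log.
function ex_log_event( $event, array $details = array() ) {
    $actor = wp_get_current_user();
    error_log( sprintf(
        '[%s] %s actor=%s ip=%s %s',
        gmdate( 'c' ),
        $event,
        $actor->exists() ? $actor->user_login : '-',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        wp_json_encode( $details )
    ) );
}

// Logins, successful and failed: the raw material for spotting brute force attempts.
add_action( 'wp_login', function ( $user_login ) {
    ex_log_event( 'login_success', array( 'user' => $user_login ) );
}, 10, 1 );
add_action( 'wp_login_failed', function ( $username ) {
    ex_log_event( 'login_failed', array( 'user' => $username ) );
} );

// New accounts and role changes: how an intruder keeps access after the first break-in.
add_action( 'user_register', function ( $user_id ) {
    $u = get_userdata( $user_id );
    ex_log_event( 'user_created', array(
        'id'    => $user_id,
        'login' => $u ? $u->user_login : '?',
        'roles' => $u ? implode( ',', $u->roles ) : '?',
    ) );
} );
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    ex_log_event( 'role_changed', array( 'id' => $user_id, 'new' => $role, 'old' => $old_roles ) );
}, 10, 3 );

// Plugin and theme changes: the out-of-date or unwanted code that tip 2 warns about.
add_action( 'activated_plugin', function ( $plugin ) {
    ex_log_event( 'plugin_activated', array( 'plugin' => $plugin ) );
} );
add_action( 'deactivated_plugin', function ( $plugin ) {
    ex_log_event( 'plugin_deactivated', array( 'plugin' => $plugin ) );
} );
add_action( 'switch_theme', function ( $new_name ) {
    ex_log_event( 'theme_switched', array( 'theme' => $new_name ) );
}, 10, 1 );
```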

There are hundreds more tips and tricks to keeping your website secure but we thought we’d share just a few bits of what we do to make sure all our sites are as secure as possible.

Written by Luke Reid Webbie

Luke is an aspiring Front-End Developer who also enjoys WordPress theming. Luke is eager to expand his knowledge & take in as much code as possible.

Other people's views

  1. I particularly like the first tip you’ve listed here. I agree that WordPress updates are continually solving user issues and by keeping current, we can preempt many technical issues before they rear their ugly heads to our visitors. Great read!
