7 WordPress Security Tips & Tricks

Just like WordPress plugins also need updating regularly to keep your website secure as possible

According to Sucuri, one of the top security plugins for WordPress during Q1 of 2016 25% of all WordPress compromises came down to 3 of the most popular plugins: TimThumb, Revolution Slider and Gravity Forms.

First things first, if you’re using TimThumb for anything remove it immediately. For years now TimThumb has been causing havoc across the internet, mainly because after the developer stop updating it, it became vulnerable and people kept it on their website – allowing scripts to use this security flaw to break into the website. WP Beginner posted an article in June 2012 discussing what to do if it is on your website so this may help if you do still have it installed.

The other two plugins are ones we use regularly and when we are made aware of issues (albeit rarely) we make sure we update them. Generally the developers of both plugins are extremely quick to respond if an issue is found in a particular version.

With this statistic in mind you can understand why it’s best to keep all your plugins up to date. If managing this seems like too large of a task for you, we offer various care packages where we’ll handle the updates for you.

We also tell you to remove unnecessary plugins for the very same reason as keeping plugins up to date. If they aren’t needed, the code will be going out of date and you’ll be more than likely forget about them because they aren’t used regularly. When they go out of date they put your site at risk. So it’s best to just remove plugins you aren’t using.

When a script is trying to get into your site by guessing your username / password it’s called a ‘brute force attack’. It gets the name from the method it tries to get in. You can find plugins which allow you to restrict how many failed attempts someone can make before they can try again which can help the issue. Another solution is to add a captcha to your login forcing users to confirm they’re human before it allows them to submit the form.

One of the first things malicious scripts will do is try the username ‘admin’ purely because its the first username people use for the admin user of a website. Try to use something a script won’t think of. Your name for example is much more secure than ‘admin’.

The second thing a script will do is attempt to guess your password. So having generic passwords like password123 won’t keep them out for long. We use a piece of software called 1Password to generate complex passwords that are going to keep scripts from guessing it. If you’re wondering what a complex password looks like, one I just generated is .p8VQ$pULTHAmTxkd3A. The mixture of symbols, numbers with upper and lowercase letters makes it extremely secure and almost impossible to guess. The longer they are, the better. If you want a free tool that can help you try the Strong Password Generator. We prefer 1Password as it allows us to store all our complex passwords.

Having strong usernames and passwords also applies to your FTP/SFTP accounts and databases.

The database of your WordPress website is probably the most important part of the site. It stores all of the information from posts to passwords, so its best to keep it secure as possible. When setting up sites we often make sure we use different names for the database user and the database name as well as having a long secure password as we discussed earlier.

If you want to take database security a step further you can change the database prefix. By default WordPress uses wp_, which of course is known by scripts trying to run SQL injections on your database. So by having something complex it restricts the scripts ability to inject malicious code into the database.

Within the WordPress dashboard you can find a built-in plugin and theme editor, which is accessible to the admin users of the site. Obviously if someone does manage to hack into the site as an admin users or manages to create a user and logs into the site they can get access to this. So there is a very simple way to stop them being able to get that far. Disable that feature.

To do this you do need to edit the wp-config.php file so if you don’t feel comfortable why not get in touch with us and we can handle it for you.

If you do feel comfortable doing it all you need to do is add the following line of code to the wp-config.php file in the root of your FTP or SFTP.

No matter how many users you have using your website its a good idea to keep a track of what they’re doing.

You may ask why? Sometimes something little can cause a vulnerability on the website, so when it comes to solving it knowing whats happened on the website recently comes in handy. WP Security Audit Log is a simple and free plugin which keeps a log of everything that happens on your websites dashboard so you can view what your users are doing but more importantly, what hackers have done if they have got into the site.

There are hundreds more tips and tricks to keeping your website secure but we thought we’d share just a few bits of what we do to make sure all our sites are as secure as possible.