A Primer on WordPress Security


One of the biggest concerns of managing a website is keeping it secure. Since your website plays a major part in maintaining your reputation, it’s one of your biggest assets in growing your music career. In this post, we cover how using best practices, plugins, and other resources can improve your WordPress site’s security.

Best practices

WordPress core is actively maintained, security fixes for it ship quickly, and because the code is open source, bugs are found and reported by a large community rather than a single vendor. That is one of the greatest benefits of using WordPress. The benefit is largely lost, though, if the site around the core is neglected: in practice, sites are far more often taken over through weak or reused passwords, outdated plugins and themes, or a hosting account that was already exposed than through a flaw in core itself. Below is a list of easy to follow best practices that can help increase your WordPress security.

Update login information

Changing your login information is one of the easiest ways to increase WordPress security. The goal is to stop someone from getting into your admin panel by brute force: a person, or far more often an automated script, submitting guess after guess to the login form until one works. The guesses are not random; they come from lists of leaked passwords and common choices, so anything predictable falls quickly.

Rename or delete the default ‘admin’ user

It’s common knowledge that the default username for WordPress used to be ‘admin’ (the installer now lets you choose, but many older sites still have it). By keeping this user active, you’re giving attackers half of the credential pair they need to get into your WordPress dashboard, and every brute-force tool tries ‘admin’ first. One caveat: a different username is hygiene rather than a secret, because WordPress usernames are often discoverable anyway (author archive URLs and the public REST API users endpoint reveal them), so a unique username must still be paired with a strong password. Changing this login information takes less than a minute, and might just save you the hassle of dealing with a compromised site.

If you still have an ‘admin’ user on your site, WordPress recommends the following:

  • Add a new administrative user under Users in your WordPress dashboard, with a strong password
  • Log out and log back in as that new user (WordPress won’t show a Delete link for the account you’re currently using)
  • Select Delete when hovering over the “admin” user
  • On the confirmation screen, attribute its content to another user so no posts or pages are lost


Use strong passwords

If your site is suffering from a brute force attack, you can bet that one of the first attempts will be “password123”, because the tool is working through a list of passwords that have already leaked from other sites. Weak passwords are a leading factor behind WordPress site compromises. If you’ve created a simple password so that it’s easy for you to remember, just keep in mind that it could be an open invitation to a hacker.

Strong passwords should:

  • Be long: 16 or more characters, or a passphrase of several random words; length adds more to guessing cost than symbols do
  • Include no personal information (your name, band name, birth year, or the site’s name)
  • Not be reused on any other site, since a leak elsewhere is then a leak here
  • Contain a mixture of letters, numbers, and symbols
  • Be kept in a password manager rather than memorised, so length costs you nothing

One of my favorite tools for creating strong passwords is the Strong Random Password Generator; the generator built into any password manager does the same job.
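As an added example (not code from the original post or from the generator named above), here is a small Python script that draws a password from a cryptographically secure generator and then applies the rules above, plus a length check, to any password you hand it. The common-password list and the personal-info tokens are constructed for the demo; a real check would load a large breached-password list.

```python
"""Generate and vet an admin password.

Added example for this post, not code from the original article. The
common-password list and the personal-info tokens are constructed for
the demo; a real deployment would load a large breached-password list.
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed: a few entries of the kind that head every brute-force wordlist.
COMMON_PASSWORDS = {
    "password", "password123", "admin", "admin123",
    "wordpress", "123456", "qwerty", "letmein", "welcome1",
}


def generate_password(length: int = 20) -> str:
    """Return a random password from a CSPRNG (secrets, never random)."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(password: str) -> float:
    """Upper-bound estimate of guessing difficulty from the classes used.

    Assumes each character was drawn uniformly from the classes present,
    which is true for generate_password() and optimistic for anything a
    human typed, so treat a low number as proof of weakness, not a high
    number as proof of strength.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str, personal_tokens=(), min_bits: float = 60.0) -> list:
    """Return the reasons a password is weak; an empty list means it passes.

    personal_tokens: strings that must not appear (name, band name, site
    name, birth year); the caller supplies what it knows about the user.
    """
    problems = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("in common-password list")
    for token in personal_tokens:
        if len(token) >= 3 and token.lower() in lowered:
            problems.append("contains personal info: " + token)
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if entropy_bits(password) < min_bits:
        problems.append("estimated entropy below %d bits" % min_bits)
    return problems


if __name__ == "__main__":
    print(check_password("password123", personal_tokens=("Jane", "Doe")))
    pw = generate_password()
    print(pw, round(entropy_bits(pw)), check_password(pw))
```

The point of `entropy_bits` is the asymmetry noted in its docstring: a 20-character generated password clears 100 bits however it is scored, while “password123” fails three checks at once even before the deny-list is consulted.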

Be cautious with your login info

Email has made our lives much easier, but it is not a safe place for credentials: a message sits in plain text in at least two mailboxes and on every mail server in between, often for years, and any of those can be compromised later. We recommend that you don’t send login information via email. If you must, change that password as soon as the recipient has used it. Where available, also turn on two-factor authentication for administrator accounts, so that a leaked or guessed password alone is not enough to log in.

Keep your themes and plugins updated

Running updates on WordPress core and on any themes and plugins you have installed is essential to being on the most secure version.

WordPress core receives frequent security releases. Minor releases, which are the ones that carry security fixes, are applied automatically by default; leave that setting on. Keeping core current is one of the most important things you can do for your site’s security.

Themes and plugins from third-party developers are updated on their own schedules, and they are where most WordPress vulnerabilities turn up, since each one is a separate codebase with its own maintainers. You can always check the number of pending updates by navigating to Dashboard → Updates in your WordPress dashboard. Delete plugins and themes you don’t use rather than merely deactivating them: a deactivated plugin’s files remain on the server and can still be requested directly, so any bug in them remains reachable.

While many updates improve performance or add new features, they often include security patches and new preventative measures, so be sure to keep things up to date. Take a backup first so a bad update can be rolled back.

Install an SSL certificate on your site

We’ve covered SSL certificates extensively in the past. What a certificate actually enables is HTTPS: the browser and the server encrypt the connection (the protocol is TLS; “SSL” is the older name that stuck), so anyone who can see the traffic along the way, on public Wi-Fi for instance, cannot read or alter what passes through.

This matters most for the login page and the dashboard. Without HTTPS, the password you type into wp-login.php travels in plain text and can be read by anyone on the path; with HTTPS, an interceptor sees only ciphertext. Note that this protects data in transit only: it does nothing against a vulnerable plugin or a weak password on the server side.

As detailed in our previous article about SSL certificates, most hosts now include them for free (typically via Let’s Encrypt) or at a minimal cost; reach out to your hosting provider to learn more. Once the certificate is installed, make sure the site actually uses it: set both the WordPress Address and Site Address under Settings → General to https://, redirect all http:// requests to https://, and add define('FORCE_SSL_ADMIN', true); to wp-config.php so the login and admin pages always go over HTTPS.

Security plugins

There are several products designed to improve your site’s security with a web application firewall and a file scanner. The three most popular are Wordfence, Sucuri, and iThemes Security. Each has a free tier of site protection that is a no-brainer to install; pick one rather than stacking them. Each company also maintains its own database of security threats, and frequently posts articles on the state of WordPress security, including the latest threats and security improvements.

Wordfence is the most widely used and well known of the three plugins, with over 2 million installs.


Installing one of these security plugins will give you additional security benefits, including:

  • A firewall that blocks known malicious requests before WordPress handles them
  • Login lockouts: blocking an IP address or user after a configurable number of failed attempts
  • A scanner that compares core, plugin and theme files against known-good copies and flags outdated or modified ones
  • Live traffic monitoring
  • Email alerts when an administrator signs in, someone is locked out, or the scanner finds a potential problem with your site

Each of these plugins also offers a premium version of their plugin and service for a fee.
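As an added example, and not code from the original post or from Wordfence, Sucuri or iThemes, here is the lockout rule those plugins let you configure, written in Python and run over a few constructed Apache-style access log lines. The IP addresses, timestamps, threshold and window are all assumptions chosen for the demo. It also covers a case the plugins handle but the section above does not mention: xmlrpc.php accepts credentials too, so a rule that only watches wp-login.php misses a common brute-force path.

```python
"""Flag IPs that are brute-forcing the login from an access log.

Added example for this post; not code from Wordfence, Sucuri or iThemes,
but the same rule their lockout features apply. The log lines, IPs,
timestamps and thresholds below are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Both endpoints accept a username and password. xmlrpc.php is a favourite
# target because its system.multicall method lets one request carry many
# login attempts, so lockout logic that only watches wp-login.php misses it.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample: one attacker on wp-login.php, one on xmlrpc.php,
# one legitimate user who mistypes once, and one slow guesser under threshold.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2871
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3012
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3012
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3012
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3012
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3012
203.0.113.7 - - [10/Mar/2024:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3012
198.51.100.5 - - [10/Mar/2024:12:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3012
198.51.100.5 - - [10/Mar/2024:12:00:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.5 - - [10/Mar/2024:12:02:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 2950
192.0.2.9 - - [10/Mar/2024:12:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
192.0.2.9 - - [10/Mar/2024:12:01:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
192.0.2.9 - - [10/Mar/2024:12:01:20 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
192.0.2.9 - - [10/Mar/2024:12:01:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
192.0.2.9 - - [10/Mar/2024:12:01:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
203.0.113.50 - - [10/Mar/2024:12:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3012
203.0.113.50 - - [10/Mar/2024:12:05:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3012
203.0.113.50 - - [10/Mar/2024:12:06:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3012
203.0.113.50 - - [10/Mar/2024:12:07:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3012
"""


def failed_login_attempts(lines):
    """Group timestamps of failed login attempts by client IP."""
    attempts = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if m.group("method") != "POST" or path not in LOGIN_PATHS:
            continue
        # A successful wp-login.php POST answers 302 (redirect into wp-admin);
        # a failed one re-renders the form with 200. xmlrpc.php returns 200
        # either way, so every POST to it is counted.
        if path == "/wp-login.php" and m.group("status") == "302":
            continue
        attempts[m.group("ip")].append(datetime.strptime(m.group("ts"), TS_FMT))
    return attempts


def find_lockouts(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: time} for IPs with >= threshold failures inside any window.

    The time recorded is when the threshold was first crossed, i.e. when a
    plugin would have started the lockout.
    """
    lockouts = {}
    for ip, times in failed_login_attempts(lines).items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                lockouts[ip] = t
                break
    return lockouts


if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE_LOG.splitlines()).items():
        print(f"lock out {ip} from {when.isoformat()}")
```

Two practical notes. The plugins do this check in PHP at request time rather than from the log afterwards, but the rule is the same. And if the site sits behind a CDN or reverse proxy, the first field of each log line is the proxy’s address, not the visitor’s; you must take the client IP from the forwarding header your host sets, or the rule will lock out the proxy and with it every visitor.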

External resources

In addition to the best practices and plugins listed above, there are several external resources that you can take advantage of to help monitor your site.

Site Scanners

There are several tools that check websites for malware and other security risks from the outside, without any access to the site’s backend. Two of the most popular are Sucuri’s SiteCheck and WPScan’s vulnerability report.


Running your site through these scanners on occasion is worthwhile, with one caveat: an external scanner only sees what your site serves to an anonymous visitor. It can catch injected spam, malicious redirects, blacklisting and outdated versions, but it cannot see a backdoor that only answers to its owner, so a clean external scan does not prove the site is clean.

Vulnerability Database

The WPScan Vulnerability Database is an online catalogue of reported vulnerabilities in WordPress core, themes, and plugins. Search for a plugin or theme before you install it, and check the specific version you’re about to run: a plugin with a history of unpatched or slow-to-patch issues is a poor choice however good its features.


Additionally you can sign up to receive email notifications as new vulnerabilities are added to the database.

WordPress backups

Keeping backups of your WordPress site is always a good idea. Several hosts will do this for you free of charge. If your hosting plan doesn’t include backups, there are several plugins available that will allow you to schedule automatic backups of your site. A few popular ones are:

Having backups readily available reduces the work of removing compromised files, as well as the anxiety you might feel when updating themes or plugins. Two rules make them worth having: keep copies somewhere other than the web server itself (a backup that lives only on a compromised server can be altered or deleted along with the site), and try an actual restore once so you know the process works before you need it.

We highly recommend backing up your site one way or another.

What to do if your site becomes compromised

Act quickly if your site becomes compromised. Restoring a backup taken before the compromise may remove the altered or added files, but only if you know when the compromise happened; a backup that already contains the attacker’s files just reinstalls them. A restore also does not fix the cause. Afterwards you still need to: update whatever outdated plugin, theme or core version let the attacker in; change every password that touched the site (WordPress users, the hosting control panel, FTP/SFTP, and the database user in wp-config.php) and regenerate the secret keys and salts in wp-config.php so that existing login sessions are invalidated; and check Users for administrator accounts you did not create. Treat any PHP file under wp-content/uploads as a red flag, since that directory should only hold media.
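Knowing what changed is the first question in a cleanup, and a clean backup answers it. As an added example (not from the original post, and not the scanner shipped by any of the plugins named above), the Python below hashes every file in a known-good copy and in the live site, reports what was added, modified or removed, and flags the two things an intruder most often leaves: PHP files under wp-content/uploads and edits to core files. Both directory trees, including the “backdoor”, are constructed under a temporary directory so the script runs stand-alone.

```python
"""Diff a live WordPress tree against a known-good copy (e.g. the last
clean backup) to find what an intruder added, changed or removed.

Added example for this post; not the scanner from any of the plugins
named above. The two directory trees are constructed under a temp dir.
"""
import hashlib
import tempfile
from pathlib import Path

CORE_PREFIXES = ("wp-admin/", "wp-includes/")
CORE_FILES = {"index.php", "wp-config.php", ".htaccess", "wp-settings.php"}


def hash_tree(root):
    """Map each file path (relative, POSIX-style) under root to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def diff_trees(known_good, live):
    """Return (added, modified, removed) relative paths, each sorted."""
    good, now = hash_tree(known_good), hash_tree(live)
    added = sorted(set(now) - set(good))
    removed = sorted(set(good) - set(now))
    modified = sorted(p for p in set(good) & set(now) if good[p] != now[p])
    return added, modified, removed


def suspicious(added, modified):
    """Narrow a diff to what intrusions typically leave behind: PHP under
    wp-content/uploads (which should hold only media) and any changed
    core file. A heuristic to prioritise review, not a verdict."""
    hits = set()
    for p in added + modified:
        if p.startswith("wp-content/uploads/") and p.endswith(".php"):
            hits.add(p)
        elif p.startswith(CORE_PREFIXES) or p in CORE_FILES:
            hits.add(p)
    return sorted(hits)


def build_demo():
    """Constructed trees: a clean backup and a live copy with three changes."""
    base = Path(tempfile.mkdtemp())
    backup, live = base / "backup", base / "live"
    files = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-includes/version.php": "<?php $wp_version = '6.4';\n",
        "wp-content/uploads/2024/03/cover.jpg": "JPEGDATA",
        "wp-content/plugins/hello.php": "<?php // Hello Dolly\n",
    }
    for rel, body in files.items():
        for root in (backup, live):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    # Live-side tampering (constructed): a dropped PHP file in uploads,
    # an edited core file, and a deleted plugin.
    (live / "wp-content/uploads/2024/03/shell.php").write_text("<?php // backdoor stand-in\n")
    (live / "wp-includes/version.php").write_text("<?php $wp_version = '6.4'; // injected\n")
    (live / "wp-content/plugins/hello.php").unlink()
    return backup, live


def demo():
    """Run the diff on the constructed trees; returns (added, modified, removed, flagged)."""
    backup, live = build_demo()
    added, modified, removed = diff_trees(backup, live)
    return added, modified, removed, suspicious(added, modified)


if __name__ == "__main__":
    for label, paths in zip(("added", "modified", "removed", "flagged"), demo()):
        print(label, paths)
```

For core files specifically you don’t need a backup to compare against: WP-CLI’s wp core verify-checksums compares the installed files with the checksums WordPress.org publishes for that version. The diff approach above is still what tells you about wp-content, where the backup is the only known-good copy you have.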

Get Help

Reach out for help if restoring a previous version of your site doesn’t resolve the compromise. There are several companies that clean hacked sites on a daily basis, and will get yours cleaned up quickly and safely for a fee. Wordfence, Sucuri, and iThemes Security all offer these services, which can be well worth the cost. Your host may offer something similar as well.

Wrapping up

Dozens of great articles already exist on WordPress Security. I recommend you read the following to learn more about WordPress security:

You’ll need to be proactive to keep up with the ever-changing world of WordPress security. Doing a little work up front can prevent major headaches down the line. Following best practices and keeping an eye out for vulnerabilities is a great way to help make sure your site stays secure.