WordPress Security Tips
Security is a hot topic. It seems that not a week goes by without a news story about a large-scale breach somewhere in the world. Last week it was the turn of Yahoo to announce that 500 million accounts were exposed in a huge breach that took place in 2014.
If you are a website owner, you should review the security of your site regularly. Whilst this guide focuses on providing WordPress security tips, it also contains general security information that all website owners will find useful.
Ensure WordPress and all plugins are up to date
We’ve already discussed the importance of keeping WordPress up to date.
WordPress powers a very large share of the web, which makes it, and especially its plugin ecosystem, a constant target for attackers who regularly look for ways to exploit it. Thankfully the WordPress core team and plugin authors release updates to fix vulnerabilities as they are found. Bear in mind that an update notice is often also the public announcement of a fixed flaw, so attackers start scanning for sites that have not yet patched as soon as it appears.
So next time you log in to your site, don’t ignore those warning messages about updates being available. If you do, you are leaving known, publicly documented weaknesses in place for anyone to exploit.
Remove any unused WordPress plugins or themes
We’ve all done it: installed a plugin to test it, or deactivated one we no longer need, and then never actually uninstalled it.
Deactivating a plugin only stops WordPress loading it; its files remain on the server. As point 1 explained, there is a constant cycle of vulnerabilities being found and new versions released to fix them, and a plugin you have forgotten about is one you are unlikely to keep patched. Worse, plugin and theme files are normally reachable directly by URL (under wp-content/plugins and wp-content/themes), so a flaw in a standalone PHP file can be exploited whether or not the plugin is active. If the files remain on the system, they remain exploitable.
If you have any plugins or themes that you do not use, including the default themes bundled with the WordPress install, you should remove them ASAP.
Use strong passwords
It may sound obvious but the use of strong passwords is something we cannot recommend strongly enough.
Attackers constantly try weak and commonly used admin passwords, so if you’re currently using password123, qwerty or your pet’s name, you should change it immediately. Likewise, if you use the same password for everything, start using a unique password for each service. Otherwise, once a password leaks from any one of them (a breach like Yahoo’s, for example), the attacker has access to all your accounts.
If you struggle to remember passwords, don’t write them down! Use a password manager, or another technique such as a passphrase of several randomly chosen words, which is easier to remember than a short jumble of characters and far harder to guess. WordPress have some good advice here. To generate a strong password, you can make use of a service like strongpasswordgenerator.com, or let your password manager generate one for you.
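The points above in working code, as an added example that is not from the original article: a passphrase and a random password generated from PHP’s cryptographically secure source, with the strength of each worked out in bits. The 16-word WORDLIST is a constructed stand-in; a real diceware list such as the EFF long list has 7,776 words, which is where the second entropy figure comes from.

```php
<?php
// Added example (not the article's code): strong passwords in PHP.
// WORDLIST is a constructed 16-word stand-in for a real diceware list.
const WORDLIST = [
    'anchor', 'basil', 'cobalt', 'dune', 'ember', 'fjord', 'gravel', 'hazel',
    'ivory', 'juniper', 'kestrel', 'lantern', 'marble', 'nectar', 'orbit', 'pepper',
];

// 26 upper + 26 lower + 10 digits + 14 symbols = 76 characters.
const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+';

// Entropy in bits of a secret made of $symbols independent picks from $alphabetSize options.
function entropy_bits(int $alphabetSize, int $symbols): float {
    return $symbols * log($alphabetSize, 2);
}

// Random passphrase: easy to remember, hard to guess. random_int() is a CSPRNG;
// rand()/mt_rand() are predictable and must never be used for secrets.
function generate_passphrase(array $words, int $count = 5, string $sep = '-'): string {
    $picked = [];
    for ($i = 0; $i < $count; $i++) {
        $picked[] = $words[random_int(0, count($words) - 1)];
    }
    return implode($sep, $picked);
}

// Random character password, intended to live in a password manager rather than your head.
function generate_password(int $length = 20): string {
    $out = '';
    $max = strlen(ALPHABET) - 1;
    for ($i = 0; $i < $length; $i++) {
        $out .= ALPHABET[random_int(0, $max)];
    }
    return $out;
}

// Catches the failures the article lists: too short, or on a denylist of common
// passwords. A real deployment would check against a large breached-password list.
function is_weak(string $password): bool {
    $common = ['password', 'password123', 'qwerty', '123456', 'letmein', 'admin'];
    return strlen($password) < 12 || in_array(strtolower($password), $common, true);
}

$phrase = generate_passphrase(WORDLIST, 5);
printf("%s  (%.1f bits with this 16-word list; %.1f bits with a 7,776-word list)\n",
    $phrase, entropy_bits(count(WORDLIST), 5), entropy_bits(7776, 5));
printf("%s  (%.1f bits)\n", generate_password(20), entropy_bits(strlen(ALPHABET), 20));
var_dump(is_weak('password123')); // bool(true)
var_dump(is_weak($phrase));       // bool(false)
```

The entropy figures make the trade-off concrete: five words from a 7,776-word list give about 64 bits and stay memorable, while 20 random characters give about 125 bits but only make sense with a password manager to store them.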
Install a WordPress Security plugin
If you would like to read more on which WordPress Security plugin is right for you, you should read this article – Understanding the WordPress Security Plugin Ecosystem. Whilst a little out of date, it is still very relevant.
Add two-factor authentication
Even with a strong password in place, a password is still a single secret: given enough attempts it can be brute forced, and it can also be phished or exposed when another service where you reused it is breached. Two-factor authentication adds a second, independent proof of identity, so a stolen password alone no longer gets an attacker in.
Two-factor authentication is commonplace in banking – you’ve probably got one of those keypad devices tucked away in a drawer that you put your card in to access your online banking account. You can do the same for the WordPress admin area: most WordPress 2FA plugins use time-based one-time codes (TOTP) from an authenticator app on your phone rather than a separate hardware device.
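To show what the plugin is actually doing when it checks a code, here is the TOTP algorithm (RFC 6238, HMAC-SHA1, six digits, 30-second steps) as an added example, not code from the article or from any particular WordPress plugin. The secret and time values at the bottom are the published RFC 4226/6238 test vectors; the replay and drift handling in verify_totp() are the checks a careful implementation needs and are my additions.

```php
<?php
// Added example (not the article's code): RFC 6238 TOTP as used by authenticator apps.

// Base32 (RFC 4648) decoder for secrets as shown in authenticator-app QR codes.
function base32_decode_secret(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException("invalid base32 character: $c");
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation.
function hotp(string $key, int $counter, int $digits = 6): string {
    $hmac = hash_hmac('sha1', pack('J', $counter), $key, true);
    $offset = ord($hmac[19]) & 0x0f;
    $code = ((ord($hmac[$offset]) & 0x7f) << 24)
          | (ord($hmac[$offset + 1]) << 16)
          | (ord($hmac[$offset + 2]) << 8)
          | ord($hmac[$offset + 3]);
    return str_pad((string)($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// TOTP (RFC 6238): the counter is the number of 30-second steps since the Unix epoch.
function totp(string $key, int $unixTime, int $step = 30, int $digits = 6): string {
    return hotp($key, intdiv($unixTime, $step), $digits);
}

// Server-side check. Allows +/- $window steps of clock drift, compares in constant time,
// and refuses any counter at or below the last accepted one so a code cannot be replayed
// within its 30-second window. Returns the accepted counter (store it) or null.
function verify_totp(string $key, string $submitted, int $now, int $lastUsedCounter, int $window = 1): ?int {
    $current = intdiv($now, 30);
    for ($i = -$window; $i <= $window; $i++) {
        $c = $current + $i;
        if ($c <= $lastUsedCounter) {
            continue; // already used, or older than the last accepted code
        }
        if (hash_equals(hotp($key, $c), $submitted)) {
            return $c;
        }
    }
    return null;
}

// RFC 4226 / RFC 6238 test vectors (ASCII key "12345678901234567890").
$key = '12345678901234567890';
echo hotp($key, 0), PHP_EOL;              // 755224
echo hotp($key, 1), PHP_EOL;              // 287082
echo totp($key, 59, 30, 8), PHP_EOL;      // 94287082
echo totp($key, 1111111109, 30, 8), PHP_EOL; // 07081804

// Enrolment flow: the app scans a base32 secret; the server keeps the raw bytes.
$raw = base32_decode_secret('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'); // "12345678901234567890"
$now = 59;
$code = totp($raw, $now);
var_dump(verify_totp($raw, $code, $now, -1));        // int(1): accepted, remember counter 1
var_dump(verify_totp($raw, $code, $now + 5, 1));     // NULL: same code replayed, rejected
```

Two details matter for a real login form: rate-limit verification attempts (a six-digit code has only a million possibilities, so unlimited guesses defeat it), and store the accepted counter so the replay check above actually has something to compare against.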
Disable file editing
If an attacker gets into your admin area, the quickest way to plant a backdoor is the built-in code editor (Appearance > Editor for themes, and Plugins > Editor for plugins), which lets them edit the PHP files on your server straight from the browser.
To remove this option, disable the editor by defining the DISALLOW_FILE_EDIT constant in wp-config.php, above the line that reads “That’s all, stop editing!”:
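The snippet itself has not survived in this copy of the page, so the following is supplied here as an added example rather than the article’s own text. DISALLOW_FILE_EDIT is the standard WordPress constant for turning the editors off; DISALLOW_FILE_MODS is a stricter, related constant shown as an option with the caveat that comes with it.

```php
<?php
// wp-config.php hardening (added example, not the article's own snippet).
// Place these above the "That's all, stop editing!" line.

// Removes Appearance > Editor and Plugins > Editor from the dashboard, so a
// compromised admin account cannot edit PHP files from the browser.
define('DISALLOW_FILE_EDIT', true);

// Optional and stricter: also blocks installing, updating and deleting plugins and
// themes from the dashboard (and implies DISALLOW_FILE_EDIT). This closes the other
// easy route to running code, uploading a malicious plugin zip, but it also disables
// dashboard updates, so only enable it if you update through deployments or WP-CLI.
// define('DISALLOW_FILE_MODS', true);
```

Note the limit of this tip: it removes the most convenient path, not the attacker’s admin access itself, so it belongs alongside strong passwords and two-factor authentication rather than instead of them.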
If you have implemented all the above points, you will now have a more secure WordPress site.
Of course there are other steps you should take. Regular backups, for example, should form part of your security strategy, along with further hardening techniques, including the use of .htaccess rules.
If there are other WordPress security tips you’d like to share, please feel free to post them in the comments section below.