Keeping your WordPress site secure

WordPress currently powers over 40% of the Web which is a massive number of Websites. One of the key selling points for using WordPress is how easy it is to get started, particularly for non-technical people.

I started using WordPress around 2008 as an easy way to build websites for clients because I could easily install a site in a few clicks of the cPanel and install one of many free themes in the WordPress directory. It’s safe to say that without WordPress, my web development career would have taken a lot longer to bootstrap.

The ease of use and familiarity many people have with WordPress has contributed to it’s massive install base, but a massive install base is also another way of saying it’s a massive attack surface. Hackers don’t have to look very hard to find WordPress sites to attack. Couple that with the ease of installing many complex themes and plugins, and a lack of basic security knowledge means attackers will likely never run out of potential targets.

This article aims to point out some of the potential vulnerabilities that a WordPress site could contain and some simple ways of mitigating them to help make your WordPress site much more secure. It should be understood that nothing is 100% secure, and the security landscape changes every day, but by following a few easy steps you can minimise the chance that your WordPress site will fall victim to attack.

1. Keep up to date

WordPress has an active community of developers and experts that are constantly working to improve the platform. Any time a fix is released or a new feature is available for either WordPress itself, or any of the themes or plugins you have installed, you’ll notice an update notification appear in the dashboard.

It’s important to regularly install these updates as it will remove potential software vulnerabilities before an attacker as a chance to exploit them.

You should consider taking regular backups of your website just in case something goes wrong, however in most cases the WordPress update process is pretty solid.

2. Install a Firewall

A Firewall is either a software application or a dedicated device that filters incoming traffic to a site and blocks potentially malicious attacks. There are a number of Firewall products on the market and I’d recommend testing a few of them to find one that meets your need. As with most things in WordPress you’ll find both free and paid Firewall plugins and it’s worth taking some time to evaluate them for your own specific needs.

Personally, I prefer Wordfence as it’s a solid free plugin and they also have a very active community of security experts working to keep WordPress safe.

Wordfence also provides a malware scanner built in and can detect when something on your website has been changed maliciously. You might think that it’s unlikely that your site will fall victim to a malware attack, but attackers use automated tools to scan the Internet looking for vulnerable targets and will try to infect as many of them as possible. Once your site is infected it can be very difficult to completely clean it.

3. Enforce strong passwords

Users are quite often the weak link in a security chain. You can have all the security products in the world running on your site but if your users have weak passwords then it’s all for nothing.

I previously wrote an article about testing the security of your passwords because it’s quite honestly trivial to crack simple passwords using freely available tools, and you can be sure that the attackers have access to these same tools as well.

When you create a new user account on your WordPress site, WordPress will automatically generate a fairly secure password for you and it’s recommended to use this, or at least something similar.

You should not use easy to guess passwords, or any words in the dictionary, even passwords with certain letters swapped out for numbers or other symbols are easy to crack. Enforcing strong passwords for your users makes it much harder for an attacker to crack their accounts.

4. Use multifactor authentication

Multifactor authentication helps to protect your account logins by utilising more than way to authenticate a user. If an attacker can compromise your login password they can access your admin dashboard having full control of your site, with MFA enabled an attacker will not only need to compromise your password but they’ll also require the additional authentication method as well.

Typically MFA requires something you know, ie. your username and password, as well as either something you are, or something you have.

Something you ARE could be a biometric scanner, for example requiring your fingerprint to prove your identity.

Something you HAVE is usually an additional device like a smartphone app. The smartphone app generates random numbers that you use within a set timeframe to authenticate.

There are a few ways to set up MFA on a WordPress site, one of which is the login security settings in Wordfence. Wordfence can setup additional authentication to your phone using an app like Google Authenticator. Once configured, you’ll not only require your secure WordPress account password, but you’ll also need to enter the additional random code provided by the Authenticator app before accessing your dashboard.

5. Limit admin accounts

Administrators are the power user of a website. Someone with the Admin role can pretty much do anything on a WordPress site including installing and deleting plugins, changing themes, creating new users and more.

In day to day use there really is very little reason for a user to need Admin privileges. Limiting which users can administer your site not only reduces the chance that someone will accidentally make a mistake and break your website, but if an account is compromised, a lower privileged account can help prevent the damage an attacker can cause.

You should carefully evaluate what privileges your users need. For most people, the Editor role is perfectly fine.

6. Evaluate themes and plugins

I’ve seen many websites where the person who built it will install dozens of themes and plugins looking for the right look and functionality for their site. Plugins in particular can introduce a lot of unnecessary complexity for a website and in many cases the additional functionality is not needed at all.

Plugins should be evaluated before being installed, you should determine

  • Do you really need the plugin?
  • How many active users does the plugin have? More active users can be a sign that the plugin is well supported.
  • How recently has the plugin been updated? Plugins that haven’t been updated in months or years are not actively maintained and should be avoided.

Plugins and themes should also be deactivated and deleted when they’re not being used.

7. Choose HTTPS

HTTP is the communication protocol that websites use to send information between you (the client) and the web server. HTTP sends information in clear text, meaning if an attacker was trying to intercept the communications, by perhaps eavesdropping on WiFi, they will be able to capture things like your username and password when logging into your website dashboard.

HTTPS is a secure replacement for HTTP that encrypts the connection between your website and the user, so if an attacker tries to eavesdrop they will not be able to read the data.

Years ago, HTTPS, or SSL, certificates used to be really expensive and difficult to configure, however that’s no longer the case. You can install an SSL certificate for free using a service like Lets Encrypt or by using a service such as Cloudflare who also provide free SSL certificates.

While this article isn’t meant to be a comprehensive list of security best practices, the few easy to follow steps I’ve described here will go a long way to keeping your site secure, or at the very least, making it much more difficult for an attacker to compromise.

Security is an on-going process, and something that is thought to be secure today can be vulnerable tomorrow.

Keeping your website secure from attack is not just about protecting your own assets but it’s also about raising the quality of the Web and keeping everyone secure.

See also