How secure is your WordPress website? Is your site an easy target for hackers? With a few steps and by adopting a few WordPress security best practices, you can significantly reduce your vulnerability to attack. In this post, we’ll cover a few tips for securing a WordPress website.
1. Keep WordPress core, plugins and themes updated to the latest version.
Did you know that some of the most common WordPress security issues are related to running outdated versions of WordPress core, themes and plugins? That’s why keeping everything updated is so important.
Right now, if you log in to your WordPress website to check, how many update notifications do you see in your WordPress admin dashboard? You’ll find this number in several places, including the top admin bar, in the sidebar menu and also as a notice (if you’re running an outdated version of WordPress).
When your WordPress website is running outdated versions of plugins, themes and WordPress, you run the risk of having known vulnerabilities on your website.
Constant update notifications may seem annoying and it’s easy to put off running updates, but try reframing updates as being directly related to the security and health of your website.
Updates to WordPress core, themes and plugins often include patches for security issues as well as fixes for bugs and new features. That’s why these updates are a good thing.
WordPress Update Checklist
Here’s a checklist for running WordPress updates so everything goes smoothly:
- 1. Before you run updates, make a current backup of your website. Don’t have a backup solution? Use a WordPress backup plugin like BackupBuddy to backup your entire WordPress installation, including the Media Library, as well as all theme and plugin files.
- 2. Review the changelog for the version update before updating. Developers use changelogs so users can know the changes included in a version update. You can find changelogs on the Updates page in your WordPress dashboard by clicking the link “View version x.x.x” details link.
- 3. Navigate to the Updates page in your WordPress admin dashboard. Click the Updates link in the sidebar of your WordPress dashboard or the icon in the top navigation bar to see the Updates page.
- 4. Click the Update buttons to run the updates. You’ll see individual Update buttons for plugins, themes and WordPress core (if you have a pending WordPress core update), along with a list of the plugins and themes you’re about to update.
- 5. Confirm everything is still working as expected on your website. While it’s usually not necessary, it’s a good idea to do a run-through of your website to make sure nothing is broken or looks strange after the update.
Tools to Help Save Time When Managing Version Updates
If you manage more than one WordPress website, the process of running updates can get time-consuming since you have to log in to each individual website to make updates. Thankfully, tools like iThemes Sync exist to help you manage multiple WordPress sites from one dashboard.
The iThemes Security plugin also offers WordPress version management to protect your website when outdated software is not updated quickly enough.
Users can get a notification email containing details about WordPress updates that were installed automatically. iThemes Security will also alert you if it detects any server or site configuration issues that could prevent automatic WordPress updates from working.
2. Never install plugins or themes from untrusted sources.
Only install WordPress plugins and themes from trusted sources. You should only install software you download from WordPress.org, well-known commercial repositories or reputable developers and their websites.
If you find another version of a WordPress plugin or theme that isn’t being distributed directly from the developer’s website, do your due diligence before downloading and installing it on your website. Reach out to the developers to see if they are affiliated with the website that is offering their product at a free or discounted price.
3. Review your WordPress password security.
This tip bundles a few password-related best practices. A successful WordPress security strategy should include steps to strengthen your WordPress login—this ultimately relates to the passwords used to login to your website.
Why? Your WordPress login is the most commonly attacked WordPress security vulnerability because it provides the easiest access to your website’s admin dashboard.
Use a strong, unique and complex password.
How good is your WordPress password? Here’s a WordPress password strength quiz:
- 1. Have you used the password again someplace else, for a separate account?
- 2. Are you using “admin” as your WordPress username?
- 3. Is your password a dictionary word?
- 4. Have you shared your password with anyone else?
- 5. Does your password have fewer than 12 characters?
- 6. Does your password include numbers, symbols and both upper & lower case letters?
- 7. Are you using two-factor authentication for your WordPress login?
Your WordPress password should meet the following requirements:
- Include numbers, capitals, special characters (@, #, *, etc.)
- Length (12 characters – minimum; 50 characters – ideal)
- Can include spaces and be a passphrase (Just don’t use the same password in multiple places)
- Changed every 120 days, or 4 months
Enforce Password Requirements + Refuse Compromised Passwords
Another important best practice for online security is using unique passwords for every account and website login you have. Why does reusing a password matter so much? If you use the same password for all your accounts and even one of those websites is compromised, you are now using a compromised password for all your accounts. Hackers can use data dumps of compromised passwords paired with your email address or username to gain access to all your accounts. That’s why it’s best to not even take the risk.
The more users on your website that are reusing passwords, the weaker your WordPress login security actually is. In a recent list compiled by Splash Data, the most common password included in all data dumps was 123456. The WordPress login security of your website is only as strong as the weakest link, so be proactive with strong password requirements.
For the Refuse Compromised Passwords setting, iThemes Security takes advantage of the HaveIBeenPwned API to detect whether or not a password has appeared in a data breach.
Limit Failed Login Attempts
By default, there isn’t anything built into WordPress to limit the number of failed login attempts someone can make. Without a limit on failed login attempts, a hacker can keep trying an endless number of usernames and passwords until they are successful.
You can increase your WordPress login security by installing a WordPress security plugin like iThemes Security Pro to limit the number of failed login attempts on your website.
The iThemes Security Pro WordPress Brute Force Protection feature gives you the power to set the number of allowed failed login attempts before a username or IP is locked out. A lockout temporarily disables the attacker’s ability to make login attempts. Once the attackers have been locked out three times, they are banned from even viewing the website.
4. Add two-factor authentication to your WordPress admin login.
Two-factor authentication is a system that requires two items to log in to your account: First is the usual username and password, but the second is a unique code that’s delivered via another format. The secondary code can be delivered via text, email, single-use codes, mobile apps or other formats.
Whenever you can, you should turn on two-factor authentication. It adds an extra step to the login process, but that layer of security protecting your accounts is worth it.
5. Start making regular backups of your website.
Another way to ensure WordPress security is to backup your website. Backups ensure that if your website is ever compromised, you’ll be able to get it back. Also, since WordPress doesn’t include a built-in backup system, you’ll need to implement a backup strategy on your own (most host backups aren’t sufficient).
A good WordPress backup plan includes:
- Scheduled backups that occur automatically
- Scanning those backups for malware (an infected backup is no good)
- Storing backups files off-site in a secure, remote destination
- The ability to restore your website from a backup
BackupBuddy, our WordPress backup plugin, is our tool for backups—we actually created it out of necessity after losing our own site after a server crash and having no backup.
With BackupBuddy, you can set up backup schedules so backups run automatically. You can also activate Stash Live for real-time WordPress backups that actively track changes to your website so you always have a current backup.
6. Install a WordPress security plugin to handle security tasks.
As we’ve already noted a few times, using a WordPress security plugin can help with several WordPress security tasks that would otherwise take a log of time and technical knowledge.
A WordPress security plugin can help to fix common security holes and strengthen user credentials. The iThemes Security Pro plugin also includes a new real-time WordPress security dashboard to track WordPress security-related stats and activity.
7. Use a quality web host.
Not all web hosts are created equal and choosing one solely on price can end up costing you way more in the long run with security issues. Most shared hosting environments are secure, but some do not adequately separate users accounts.
Your host should be vigilant about applying the latest security patches and following other important hosting security best practices related to server and file security. Your host should be vigilant about applying the latest security patches and following other important hosting security best practices related to server and file security.
8. Add SSL.
When someone visits your WordPress website, a line of communication between their device and your server begins. The communication isn’t a direct line, and the information passed between the visitor and your server makes several stops before being delivered to its final destination.
To better understand how encryption works, consider how your online purchases get delivered. If you’ve ever tracked delivery status, you have seen that your order made several stops before arriving at your home. If the seller didn’t properly package your purchase, it would be easy for people to see what you purchased.
When a visitor logs into your WordPress website and enters payment information, this information isn’t encrypted by default. So just like your unpackaged purchase, there is an opportunity for the login credentials and credit card details to be discovered at every stop between the visitor’s computer and your server.
Luckily, unencrypted communication is a WordPress security vulnerability that is easy to mitigate. Adding an SSL certificate to your website is a great way to encrypt and package the communication on your site to ensure that only the intended recipients can view the sensitive information being shared.
9. Uninstall and completely delete any unused plugins and themes.
Do you have any unused plugins and themes just sitting on your WordPress website? These are plugins or themes that are currently marked as “Inactive.”
It’s a good idea to uninstall and completely delete any of these unused plugins or themes as they can pose a security risk if known vulnerabilities exist within the plugin or theme. You can speed up this process by bulk selecting all inactive plugins/themes and then clicking the Delete action from your WordPress admin dashboard.
10. Set up WordPress security logging.
WordPress security logs are another way to keep tabs on activity on your website related to your security. A WordPress security plugin like iThemes Security can set up logging to track several activities and can email you about certain suspicious activities.
Security logging in iThemes Security can track:
- Brute Force Attacks – Suspicious/failed login attempts on your WordPress admin login screen.
- File Changes – File Change detection tells you what files have changed in your WordPress installation, alerting you to changes not made by yourself.
- 404 Detection – 404 detection looks at a user who is hitting a large number of non-existent pages and getting a large number of 404 errors. 404 detection assumes that a user who hits a lot of 404 errors in a short period of time is scanning for something (presumably a vulnerability) and locks them out accordingly. This also gives the added benefit of helping you find hidden problems causing 404 errors on unseen parts of your website.
- Lockouts – IPs locked out due to too many 404s, brute force attacks, etc.
- Malware Scans – Results of malware scans on your website.
- User Logging – Tracks changes/actions made by registered users on your website.
- Version Management – Tracks updates made to themes, plugins and WordPress.
Tips for Securing WordPress
Hopefully, this post has given you a few tips for securing your WordPress website. By learning a few WordPress security best practices and implementing a few of the tips above, you’ll have a more secure website.
- 1. Keep WordPress core, plugins and themes updated to the latest version.
- 2. Never install plugins or themes from untrusted sources.
- 3. Review your WordPress password security.
- 4. Add two-factor authentication for your admin login account.
- 5. Start making regular backups of your website.
- 6. Install a WordPress security plugin to handle security tasks.
- 7. Use a quality web host.
- 8. Add SSL.
- 9. Uninstall and completely delete any unused plugins and themes.
- 10. Set up WordPress security logging.
Kristen has been writing tutorials to help WordPress users since 2011. You can usually find her working on new articles for the iThemes blog or developing resources for #WPprosper. Outside of work, Kristen enjoys journaling (she’s written two books!), hiking and camping, cooking, and daily adventures with her family, hoping to live a more present life.