Securing your WordPress site can be kind of intimidating. How complicated is WP security? What are you supposed to do? By trying to lock out the hackers are you also going to lock out all your readers?
Most of us have little or no idea what we’re doing. But WordPress security should be as easy as WordPress.
Say hello to the WordPress security plugin, iThemes Security. Install the plugin to secure your WordPress site quickly and easily. You don’t have to be a tech guru to have strong WP security.
We’re going to walk through all the features of the iThemes Security plugin and show you how to quickly and easily do WordPress security.
The iThemes Security plugin is currently free and available on the WordPress.org repository.
1. One-Click Protection
The simplest way to put iThemes Security to work is with a single click. Use the one-click protection to immediately turn on a host of WordPress security features that will protect your site without any setup or complications. You don’t have to know anything or do anything. Just one click.
That’s pretty slick security.
To get started, install the iThemes Security plugin from the Plugins > Add New page. Since iThemes Security (formerly Better WP Security) is a free plugin available from the WordPress.org Plugin Directory, you can find it from the Search tab. Click Install Now and then Activate the plugin.
Once you’ve activated the plugin, click the new Security menu on the left side of the WordPress Dashboard. This page will prompt you to make a database backup, so select to make a backup.
After this step, you’ll see the One-Click Protection Page.
This one-click protection doesn’t do everything, but you don’t need everything. If you’re concerned about WordPress security but overwhelmed at the thought of settings and weird glitches and mucking up your site, then one-click protection is perfect. You could always do more, but one-click protection is a solid level of security.
Here’s what you do by turning on one-click protection:
- Non-admins can no longer see available updates.
- The default user with the vulnerable ‘admin’ username is removed.
- Your login screen now has WordPress brute force protection, something that’s been an issue recently.
- Your site actively blocks attackers trying to scan your site for vulnerabilities.
Some protection is better than nothing and the one-click approach of iThemes Security is a great first step. After clicking Secure My Site from Basic Attacks, you’ll see the list of WordPress security features enabled with this single click.
2. Change the Admin Username
WordPress is popular and that makes it a target for hackers. Something like 20% of the Internet is powered by WordPress, which makes it a juicy target. Thankfully you’re protected by a username and password—two unique pieces of information a hacker needs to get at your site.
Unless your username is ‘admin.’
That used to be the default username for WordPress and so loads of people had the same username. If you’ve had WordPress for a while you could still be using admin as a username. That’s a WordPress security no-no.
Which means hackers only need to come up with your password to get into your site. How good is your WordPress password security? Are you ready to risk it?
One simple way to combat this is to not use default usernames. Newer versions of WordPress don’t allow it and the iThemes Security plugin can change it for you. Simply pick a new username and the plugin handles the rest. You can also change the default user ID number, which is another common vulnerability that makes things easier for hackers.
This is a simple and quick change that protects your site from a basic attack. This is entry-level stuff, but it’s foundational protection you need to do.
3. Security While You’re Away From WordPress
You lock your house when you’re not at home, so why not lock down your site when you’re going to be away? The iThemes Security plugin allows you to set an away mode that will disable the backend of your site.
If you’re going to be on vacation you could lock down your site for the entire time you’re going to be away. If you have a specific schedule and you never access your site at 2 a.m., you could lock it down overnight. This can be a good solution for offices with regular hours.
The Downside of Away Mode
The downside of Away Mode is that you’re not just locking out the hackers and the bad element wanting to harm your site. You’re also locking yourself out. That might be fine if we’re talking 2 a.m. or the week you’re mountain climbing or scuba diving far from Wi-Fi access.
But if your site has a problem or you get a sudden brainstorm at 2 a.m., you’re out of luck.
You set the away mode times and there are no exceptions.
Be Smart About Away Mode
So you need to think it through. If you’ve got a busy ecommerce site with lots of things happening, it might be crazy to lock yourself out. But if you’ve got a simple, stable site that doesn’t see a lot of changes, you might be fine.
If you want the protection but are nervous, give yourself an out. Don’t lock your site down for your entire vacation, instead set a daily lockout with an hour or two per day when it’s not locked down. If anything happens, you only have to wait until that specified hour to go in and fix things.
There’s a fine line between WordPress security and usability. This is one of those instances where security completely trumps usability. That might be too much for some people. But it might be just right for others.
4. Banning Users
One common and brain-dead obvious security feature is to block known criminals. In the real world we have no-fly lists, criminal background checks and sex offender registries. If someone has proved to be dangerous in the past or we suspect they might be dangerous, society has decided to keep an eye on them.
You can do the same with your website. iThemes Security lets you ban users. Blacklisted hosts or specific users can be completely banned and won’t even be able to visit your site.
The plugin has an industry-recognized blacklist you can use as a starting point, as well as allowing you to create your own list. It’s the latest in WordPress security, your very own no-browsing list.
Of course hackers are crafty. The list only blocks IPs and smart hackers will just stop using the blacklisted IP. But plenty of lazy hackers will keep on using the blacklisted IP because plenty of users are just as lazy. So don’t be lazy.
5. Change the Content Directory
A lot of dumb bots will take advantage of the commonness of WordPress and look for known weak spots. They’ll scan your content directory to see if you have any plugins with susceptible files, like the TimThumb PHP security vulnerability from a few years back.
One simple solution is to change the default name of that directory. This will keep your content safe from those dumb bots. iThemes Security can do it with a simple click.
Unfortunately, this only works for new sites. If you change the content directory on an existing site, any links to content you’ve uploaded (pictures, PDFs, downloads, etc.) will break. So this is a good security measure for new sites, but not for current sites (unless you want to fix a ton of links).
Note: This is security by obscurity, which isn’t full security. You’re not actually protecting anything, you’re just hiding it. You’re hiding the content directory from bots and lazy hackers. That’s still a good thing to do, but it’s important to know it’s not complete protection. But it is one more step that can stop some attacks.
6. WordPress Security Through Backup
Any good security system will involve some backup. Why? No security is perfect. No matter how secure your WordPress site is, there’s always the potential for problems. So you want to be able to get your site back on its feet as quickly as possible.
The iThemes Security plugin encourages you to perform a simple database backup and you can even schedule a consistent backup. That’s a good basic step, but your WordPress database is only your content. You’d have to rebuild your entire setup, including themes, any edits you’ve made to the theme, plugins, widgets, etc. That can be a lot of work.
That’s why we created BackupBuddy, a full-service WordPress backup plugin that will back up your entire site. It can also help you restore and move your site.
So don’t rest after simply protecting your site. You also need to back it up.
7. Change the Database Prefix
Every default installation of WordPress uses the same database prefix. All of your database tables start with “wp_”, which can make it easy for certain vulnerabilities to play havoc with your database.
You can fix that by simply changing the prefix. The iThemes Security plugin lets you do it with the click of a button. It replaces the “wp_” prefix with something random.
Once again, this is security by obscurity. You’re not protecting anything, you’re hiding it. The bots and lazy hackers looking for the “wp” prefix won’t find it, so you can cut down on some of those bot attacks.
8. Hide the Backend
The login screen for WordPress is a big target for attacks. In April of 2013, there were a lot of brute force attacks trying to use common passwords and the ‘admin’ username to break into sites.
One way to stop those attacks is to make sure you’re not using the ‘admin’ username (like we already discussed) and use strong passwords. Another approach is to limit how many failed login attempts you’ll allow.
But an even better solution is to completely change the URL of the login page. The iThemes Security plugin can completely hide the backend of your site by changing the URL. The standard YourSite.com/wp-admin or YourSite.com/wp-login.php will give an error message.
Instead, you can come up with your own phrases, like simplifying it to YourSite.com/admin or YourSite.com/login. This change can actually make your site more user-friendly and still cut down on the brute force bot attacks.
A number of iThemes Security users said they saw no uptick in bot attacks during the big attack of April 2013 thanks to this feature.
9. Testing the Fence
If you want to see evidence of hackers at work, take a look at your 404 error logs. When someone can’t find a page on your site they get a 404 error and the page they tried to reach is logged.
It’s a good way to find broken stuff on your site and fix it.
But if you see a lot of weird stuff in your 404 error logs that’s not something broken—well, that’s probably hackers or spammers looking for stuff. It’s one more way they can systematically search your site for known issues. They’re trying to find vulnerabilities they can exploit. It might be an old plugin with a bad script, like that TimThumb vulnerability from 2011.
It’s like a predator testing the fence to see if they can break through.
So why not stop them? That’s what the iThemes Security plugin does. It watches your 404 errors to see if any one user is racking up a lot of errors. If so, you can lock them out of your site.
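Here’s what that 404 watching looks like in practice. This is an added example written for this post, not code from the iThemes Security plugin: it reads ordinary web server access log lines (a constructed sample is embedded), keeps a per-IP sliding window of 404s, and reports any client that racks up too many in a short stretch, while a visitor who hits a couple of broken links over twenty minutes is left alone.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined-format access log line (simplified regex, enough for the sample below).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, path, status), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("path"), int(m.group("status"))

def find_404_scanners(lines, threshold=5, window_seconds=60):
    """Return {ip: [404 paths]} for each IP that hits `threshold` 404s within `window_seconds`.

    Lines are assumed to be in chronological order (as access logs are). A per-IP
    sliding window keeps only recent 404s, so a visitor who follows a couple of
    broken links over an afternoon is not mistaken for a scanner.
    """
    recent = defaultdict(deque)  # ip -> timestamps of 404s inside the window
    paths = defaultdict(list)    # ip -> every path that returned 404
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, status = parsed
        if status != 404:
            continue
        q = recent[ip]
        q.append(ts)
        paths[ip].append(path)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = list(paths[ip])   # what they probed, for your review
    return flagged

# Constructed sample log: one ordinary visitor with two broken links twenty minutes
# apart, and one client probing plugin/theme directories for timthumb.php in seconds.
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Jun/2014:09:00:01 +0000] "GET /about/ HTTP/1.1" 200 5123',
    '198.51.100.4 - - [10/Jun/2014:09:00:05 +0000] "GET /old-post/ HTTP/1.1" 404 812',
    '203.0.113.7 - - [10/Jun/2014:09:05:00 +0000] "GET /wp-content/plugins/plugin-a/timthumb.php HTTP/1.1" 404 812',
    '203.0.113.7 - - [10/Jun/2014:09:05:01 +0000] "GET /wp-content/plugins/plugin-b/timthumb.php HTTP/1.1" 404 812',
    '203.0.113.7 - - [10/Jun/2014:09:05:02 +0000] "GET /wp-content/plugins/plugin-c/timthumb.php HTTP/1.1" 404 812',
    '203.0.113.7 - - [10/Jun/2014:09:05:03 +0000] "GET /wp-content/themes/theme-a/timthumb.php HTTP/1.1" 404 812',
    '203.0.113.7 - - [10/Jun/2014:09:05:04 +0000] "GET /wp-content/themes/theme-b/timthumb.php HTTP/1.1" 404 812',
    '198.51.100.4 - - [10/Jun/2014:09:20:00 +0000] "GET /another-old-post/ HTTP/1.1" 404 812',
]
```

Run `find_404_scanners(SAMPLE_LOG)` and only 203.0.113.7 comes back, with the five paths it tried; widen the window to an hour with a threshold of two and the ordinary visitor gets flagged too, which is the tuning trade-off the plugin’s 404 settings expose.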
10. Find the Problems
Prevention is an important part of security, but you also need to be doing detection. You need to know when something is going wrong. Keeping an eye on your 404 errors is a good step, and another good step is to know what files are being changed on your server.
The iThemes Security plugin can monitor your files and notify you when things change. You can include or exclude certain files or directories if there are things you know change on a regular basis.
Changing files might not mean anything. It could be you making changes or updating files. But if you get a change notification and you haven’t changed anything, well, you better check it out.
Detection is a crucial part of WordPress security. You need to figure out what’s going on and stop malicious attacks as soon as you can.
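To show what file change monitoring with include/exclude rules actually does, here is an added example (written for this post, not the plugin’s own code). It hashes every file under a directory, skips paths matching exclude patterns such as the uploads folder, and diffs a later snapshot against the baseline; the demo builds a small throwaway fake WordPress tree in a temp directory so it runs anywhere.

```python
import fnmatch
import hashlib
import os
import tempfile

def snapshot(root, exclude=()):
    """Map each file under root (path relative to root) to its SHA-256 digest.

    Relative paths matching any fnmatch pattern in `exclude` are skipped; that is
    how you leave out things that legitimately change all the time, like uploads.
    """
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(fnmatch.fnmatch(rel, pat) for pat in exclude):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests

def diff_snapshots(baseline, current):
    """Return (added, removed, modified) as sorted lists of relative paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified

def demo():
    """Constructed scenario: a throwaway fake WordPress tree, a baseline, then changes."""
    root = tempfile.mkdtemp()
    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)
    exclude = ["wp-content/uploads/*"]        # uploads change all the time: ignore them
    write("wp-config.php", "<?php define('DB_NAME', 'wp');")
    write("wp-content/themes/mytheme/functions.php", "<?php // theme code")
    write("wp-content/uploads/2014/06/photo.jpg", "jpeg bytes")
    baseline = snapshot(root, exclude)
    # Later: a normal upload (excluded, not reported), an edit to a theme file and a
    # new PHP file in the plugins directory (both reported, both worth a look).
    write("wp-content/uploads/2014/06/photo2.jpg", "more jpeg bytes")
    write("wp-content/themes/mytheme/functions.php", "<?php // theme code\n// unexpected edit")
    write("wp-content/plugins/unknown/loader.php", "<?php // file you did not put there")
    return diff_snapshots(baseline, snapshot(root, exclude))
```

`demo()` returns one added file and one modified file; the new upload never appears because it matched the exclude pattern, which is exactly the kind of rule you set so the notifications you do get are worth reading.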
11. Login Limits
Those April 2013 WordPress attacks were trying to log in to WordPress sites using common passwords and the ‘admin’ username. These ‘brute force’ attacks were using bots to systematically try thousands of username and password combinations.
WordPress doesn’t have any limit on how many times you can attempt to log in, so these brute force attacks would just keep on trying. If you used one of thousands of notoriously weak passwords, these hackers could gain access to your site in minutes.
A simple way to stop these attacks is to limit the number of failed login attempts. There are a lot of plugins that do this, though iThemes Security does a nice job.
Unfortunately, as the April 2013 attacks showed, blocking login attempts based on IP address alone isn’t effective. Those bots were using multiple IP addresses. If you block one IP address they’ll just try another.
That’s why iThemes Security is a good choice. In addition to limiting logins, it also encourages you to change the ‘admin’ username (that should really be your first step) and allows you to completely hide the login screen, two WordPress security features we’ve already talked about.
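To make the IP-only weakness concrete, here is an added example (written for this post, not the plugin’s own lockout code) that counts failed logins both per source IP and per target username. The constructed scenario has twelve different addresses each try ‘admin’ once: no single IP ever reaches the per-IP limit, but the username counter does and the account gets locked, which is also why you don’t want an ‘admin’ user sitting there to be targeted in the first place.

```python
from collections import defaultdict, deque

class LoginLockout:
    """Track failed logins and lock out by source IP *and* by target username.

    Per-IP counting alone misses a bot that spreads attempts across many
    addresses; counting per username catches that, at the cost of temporarily
    locking the targeted account (which is why 'admin' should not exist).
    """
    def __init__(self, ip_limit=5, user_limit=10, window=300, lockout=900):
        self.ip_limit, self.user_limit = ip_limit, user_limit
        self.window, self.lockout = window, lockout     # seconds
        self.ip_fail = defaultdict(deque)                # ip -> failure times
        self.user_fail = defaultdict(deque)              # username -> failure times
        self.locked = {}                                 # ("ip"|"user", value) -> unlock time

    def _prune(self, q, now):
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, ip, username, now):
        for key in (("ip", ip), ("user", username)):
            until = self.locked.get(key)
            if until is not None:
                if now < until:
                    return True
                del self.locked[key]                     # lockout expired
        return False

    def record_failure(self, ip, username, now):
        """Record one failed attempt; return the keys newly locked (may be empty)."""
        newly = []
        for key, q, limit in ((("ip", ip), self.ip_fail[ip], self.ip_limit),
                              (("user", username), self.user_fail[username], self.user_limit)):
            q.append(now)
            self._prune(q, now)
            if len(q) >= limit and key not in self.locked:
                self.locked[key] = now + self.lockout
                newly.append(key)
        return newly

def simulate_distributed_attack():
    """Constructed scenario: 12 different IPs each try 'admin' once, five seconds apart."""
    guard = LoginLockout(ip_limit=5, user_limit=10, window=300, lockout=900)
    events = []
    for i in range(12):
        ip = f"203.0.113.{i + 1}"          # TEST-NET-3 documentation addresses, constructed
        t = i * 5                          # seconds since the first attempt
        if guard.is_locked(ip, "admin", t):
            events.append((ip, "blocked"))
        else:
            events.append((ip, guard.record_failure(ip, "admin", t)))
    return events
```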
12. Use SSL to Secure Your WordPress Site
If you really want your site to be secure, why not use the same security ecommerce sites use to protect credit card data?
SSL is a technology that encrypts data sent between users and your website. It changes the ‘http://’ to ‘https://’ and is another layer of security that can keep your site safe.
The iThemes Security plugin allows you to force users to use an SSL connection on all or parts of your site. SSL might be overkill on your entire site, but the login page and admin area may be good places for extra protection.
Of course you can’t just turn on SSL. You need to actually have an SSL certificate. You can set this up with your host and you may be pleasantly surprised to discover that SSL is included in your hosting package. Take a look and see—it might be a feature you’ve never used and can now take advantage of to secure your site.
13. Miscellaneous WordPress Security Tweaks
Security is often about overlapping methods and layers. There are very few single acts you can take that will completely protect your site. Instead there are a series of actions you can take that will each protect against a certain vulnerability or close off one small avenue of attack, and when added together they give more complete protection. These different, overlapping pieces of security are like putting on layers in the winter.
Here’s a list of small tweaks you can make to your site that will help layer on your WordPress security. Each of these items can be done with a simple click with the iThemes Security plugin.
- There are a bunch of files used when you install WordPress that have no purpose for the public and could give away important information about your site. You can simply protect these files and not make them publicly available.
- When there’s no index file present in a directory, some servers will allow anyone to browse that directory. That’s a good way for people to be poking into things they shouldn’t. You can easily disable directory browsing, if your host hasn’t already.
- There are some HTTP request methods that can cause problems, such as TRACE, DELETE or TRACK. Most sites never use this stuff, so if someone is they’re doing something malicious.
- Likewise you can get suspicious queries in URLs, which is usually someone trying to gain access to your site. Non-English characters in those queries are another suspicious sign, especially for English sites.
- It’s not wise to advertise the version number of your WordPress installation. Most themes no longer display this, but sometimes it’s in the meta tag in your site’s header.
- We’ve talked about the importance of using strong passwords before and how it’s not just your password you need to worry about. Every admin user needs a strong password, and even lower roles like editor could give someone access to do something malicious. You can force users to use strong passwords, setting it based on the level of the role (strong passwords may be overkill for subscribers to a membership site, but the other roles can still be forced to use strong passwords).
- Login error messages will often tell a user whether it was the username or password that was incorrect. That’s helpful information to someone trying to hack into your site, so you can simply remove those errors and give a generic message.
- Hackers often try to use long URLs laden with malicious details to hack your site. A good fix is to prevent those long URLs.
- If a hacker gets access to your WordPress site, one of the simplest ways for them to muck it up is to edit your theme or plugin files. You can cut that off by disabling the file editor. This means you can’t use the file editor either, but it’s better practice to use an external editor and upload your files via FTP than edit within WordPress.
These changes aren’t for everybody and some will have conflicts with server setups or plugins. You’ll need to see what works for you, but thanks to iThemes Security, each one is a simple click to implement.
14. Keep an Eye on Your Logs
A final measure of WordPress security is vigilance. We’ve talked about a whole host of security measures you can take for your WordPress site, all easily implemented with the iThemes Security plugin.
The final thing you can do is be on guard.
You shouldn’t simply put security measures in place and then ignore everything. You need to keep watch.
You should regularly check the logs in iThemes Security to see what’s going on. For most sites you’ll see bad login entries, 404 errors, lockouts and changed file records.
Don’t freak out when you see the numbers. They don’t mean your site has been compromised. But they are evidence of people trying to attack your site. That can be unnerving. Don’t take it personally. Most of these are mindless bots trolling the Internet for vulnerable sites.
These numbers show potentially malicious activity and you should be aware of it. But not all of it is malicious. The 404 errors and changed file records could have plenty of legitimate data. If you installed a new plugin, uploaded a picture or otherwise updated your site, you’ll get changed file records. What you’re looking for is activity you didn’t do. If you see something weird, you should look into it. Likewise the 404 errors could be showing broken links on your site. Check those out and fix them.
If you’re continually getting malicious 404 errors or bad login entries, you might want to tighten up your WordPress security. Lock out malicious users sooner and for longer periods. You can also permanently ban them from your site by adding their IP address to your banned users list. If you see an IP address in your old lockouts list and it keeps coming up, you might as well block them.
WordPress security is an ongoing issue. There’s no ‘set it and forget it’ option. The iThemes Security plugin can help with a lot of things, but you need to remain vigilant. Install the plugin, keep your WordPress installation and all themes and plugins up to date, and keep your eye on the logs.
Protect Your WordPress Site
That’s a lot of security for your WordPress site. The iThemes Security plugin definitely packs a punch and it’s easy to use. We’ve covered a lot of ground here and explained a lot, which can be overwhelming. But once you give the plugin a try you’ll see how simple it is.