7 WordPress Security Best Practices

As hacks and security breaches become more of a concern for anyone running a WordPress website, it’s important to know you can drastically improve your security by using a few WordPress security best practices. If you don’t already have a WordPress security strategy in place, this post will help you understand seven ways you can secure and protect your WordPress website.

WordPress Security Best Practices

• 1. Use a strong password with the help of a password manager.
• 2. Two-Factor ALL THE THINGS.
• 3. Regularly change your WordPress salts.
• 4. Use secure file permissions.
• 5. Use sFTP whenever possible.
• 6. Use SSL on all of your WordPress sites.
• 7. Keep your WordPress site and everything on it up to date.

Understanding the Threat: What is a Hacker?

Unfortunately, there are people and systems actively working to hack websites. The word “hacker” may bring a few ideas to mind, including:

• The ever-elusive hooded teenager working in a dark basement
• Government agents infiltrating criminals or foreign governments
• Underground networks fighting for freedom, equality or to expose corruption

While all of these “hacker” scenarios do exist, they’re unlikely to target your personal WordPress website. [pullquote]You may be tempted to personify attacks, but the reality is, a “hacker” is more like a mindless robot.[/pullquote] By robots, we mean “bots,” or automated code that has a connection to the internet. Just like a robotic arm at a manufacturing plant is programmed to do specific tasks, these bots work every second of every day to perform their programmed tasks as often as they can, on as many sites as they can. The logic of hacking bots can often be summarized as “find a site and launch this specific attack.” The goal of attacks is often to make the attacked site into yet another bot that can be given tasks. The tasks can range from attacking other sites to sending spam or phishing emails. In other words, these bots don’t know what your site is about nor do they care. To the creator of the bot, each compromised site gives them access to more resources to create a revenue stream in one way or another.

Why Would Someone Want to Hack My Website?

There are currently tens of millions of websites on the web. WordPress powers about 26% of them. Unfortunately, the sheer number of WordPress sites makes it a target. Recently, Sucuri released a Hacked WordPress Report, with roughly 94% of the sites they worked on in the third quarter of 2019 were WordPress sites. Charts like this can make users will worry that WordPress isn’t secure — it is. In the chart above, Sucuri found that in most instances, compromises had little or nothing to do with WordPress core. Instead, [pullquote]WordPress compromises had to do with improper deployment, configuration and overall maintenance by the webmaster and hosts.[/pullquote] Even with these known WordPress security issues, WordPress is SECURE if you keep it up to date and use these WordPress security best practices.

How Can I Keep My WordPress Site Secure?

When it comes to WordPress security, it’s not about if you get attacked, but rather how to prevent WordPress hacks from being successful. So what can we do? You can drastically improve your WordPress security by reviewing a few WordPress security 101 tips and by implementing these WordPress security best practices.

1. Use Strong Passwords With the Help Of A Password Manager

Here’s a quick quiz. Do you know at least one of your passwords? Have you used that password for another login somewhere else? If you answered yes to both of these questions, your password strategy could use a serious audit. What makes a good password?

• Long
• Random
• Unique

[pullquote]If you know your passwords, they’re likely too weak.[/pullquote] That’s why using a Password Manager to manage your passwords is the best way to keep all your account logins secure. With the help of a Password Manager, you can generate long, random, unique passwords, and securely store them with the help of a browser extension. So the only password you’ll have to remember is your master password to log into your password manager. Password Managers:

• LastPass
• 1Password
• Dashlane

With the help of a Password Manager, you can start using good password security for your login. Check out more WordPress password security tips.

2. Two-Factor for ALL THE THINGS.

[pullquote]Two-Factor Authentication is not a mere nuisance, it’s Real Security. [/pullquote] Have you used two-factor authentication and do you know how it works?

Two-factor authentication is a process of verifying a person’s identity by requiring two methods of verification: either something you know, something you have, or something you are.

While it’s easy to think two-factor authentication is annoying, it’s time to get past the inconvenience and educate everyone we know about the value of using this method to secure your logins. If someone is able to snag your credentials, it won’t do them any good if you have two-factor authentication enabled. Not only would a hacker need to have your username and password, but also your mobile device to successfully login. Add two-factor authentication to your WordPress login, and then two-factor all the things, everywhere you can (including your email, financial accounts, even your social networking if it’s available). With iThemes Security Pro, you can easily add WordPress two-factor authentication to your WordPress login.

3. Regularly Change Your WordPress Salts & Keys.

WordPress uses cookies (or information stored in your browser) to verify the identity of logged in users and commenters. To better protect and ensure encryption of the login information stored in your WordPress cookies, WordPress includes secret authentication keys and salts in your wp-config.php file. Essentially, WordPress salts and keys are additional passwords for your site that are long, random and complicated—so they’re nearly impossible to break. There are several plugins out there including iThemes Security Pro that can change your WordPress salts and keys for you.

• iThemes Security Pro
• WP Config File Editor

4. Use Secure File Permissions.

How secure is your site if anyone can view or write to your server files? It’s not. Secure WordPress file permissions are a must. For example, these file and directory permissions are a no-no.

• Directory – 777
• File – 666

What you’re actually able to set may vary from server to server, but you can usually adjust file and directory permission through your hosts control panel and FTP client. You should have your files somewhere between 400 and 444. And your directories somewhere between 700 and 744. The iThemes Security plugin includes a way to quickly check the status of your file permissions if you’re not sure.

5. Use sFTP Whenever Possible.

If you edit files on your website, it’s a good idea to start using sFTP rather than FTP. If you don’t directly edit the code, make sure your web developer is using the highest security protocols for accessing server files. While SFTP and FTP protocols both transfer data, that’s where their similarities end. Just as a primer, FTP stands for File Transfer Protocol. FTP transfers data between two remote connections, in plain text. Whenever a user opens up a regular FTP session, the entire transmission made between the host and the user is sent in plain text. Anyone who has the ability to snoop around on the network can read the data, including your password information. sFTP is a secure form of the FTP command. sFTP ensures that data is securely transferred privately with the use of the SSH2 protocol. When using sFTP instead of the FTP, the entire login session, including the transmission of passwords, is encrypted. So it’s much more difficult for someone snooping around on the network to observe and collect passwords.

6. Use SSL on all of your WordPress sites.

What is SSL? Why should you use it? We’ve all seen the green padlock in our browser next to the URL we are accessing, but why is it so important? [pullquote]SSL stands for Secure Sockets Layer, and creates an encrypted connection between your web server and your visitors’ web browser.[/pullquote] Here’s a quick primer on SSL/HTTPS terminology:

• HTTP stands for Hyper Text Protocol. When using HTTP to transfer information, it’s relatively easy for a knowledgeable person to intercept, and view it.
• HTTPS stands for Hyper Text Protocol Secure. When using HTTPS if anyone is able to intercept it, they still won’t be able to decipher it because it’s encrypted.
• SSL – Secure Socket Layers is the security during the transfer while using HTTPS.

In the early days of the web, administrators needed a way to share information they put online. They developed the HTTP protocol for this, but quickly learned that is was easy to intercept and view information. They then agreed on a procedure to secure the information they were sharing, and this is the HTTPS protocol. This is where SSL certificates and SSL come into play. The SSL certificates on each computer involved with the transfer have unique keys or locks. The data is transferring through Secure Socket Layers. You can picture the data is traveling through a secure tunnel with padlocks at both ends so nobody else is privileged to your information. SSL certificates range in price but are absolutely necessary to keep information on your website secure. There are also several places to buy SSL certificates, but the easiest route is to buy it from your host, and let them install it. You can also check out our WordPress HTTPS Training.

7. Keep Your WordPress Site and Everything On It Up To Date.

Keeping up with WordPress maintenance is the final part of having a solid WordPress security strategy. Just like your lawn needs to be mowed or your car needs oil changes, you have to do regular maintenance on your WordPress website, which means actively keeping up with updates to WordPress core, themes and plugins. [pullquote]Version updates often have important security patches and bug fixes, so it’s important to always run the latest version of WordPress and any themes or plugins you’re using. [/pullquote]

• Keep WordPress core up to date.
• Keep plugins and themes up to date.
• Regularly update your passwords.
• Routinely audit your sites for plugins, themes and users that aren’t being used, and remove them.
• ALWAYS have a recent WordPress backup. Having a backup of your site can not only save you time if something does go wrong, it can also save you a costly experience. Use a WordPress backup plugin like BackupBuddy to create automatic WordPress backups and store backup files off-site in a secure destination.

If you manage multiple WordPress sites, there are tools to help make WordPress maintenance easier like iThemes Sync. Instead of logging into each individual website to run updates, you have one central dashboard to run multiple websites at once. iThemes Sync also can send notification emails when new updates for your WordPress site are available so you never miss an important security update. However you do it, please make sure you’re keeping your WordPress website, and everything on it, up to date.