7 WordPress Security Best Practices
As hacks and security breaches become more of a concern for anyone running a WordPress website, it's important to know you can drastically improve your security by using a few WordPress security best practices. If you don't already have a WordPress security strategy in place, this post will help you understand seven ways you can secure and protect your WordPress website.
As hacks and security breaches become more of a concern for anyone running a WordPress website, it’s important to know you can drastically improve your security by using a few WordPress security best practices.
If you don’t already have a WordPress security strategy in place, this post will help you understand seven ways you can secure and protect your WordPress website.
WordPress Security Best Practices
- 1. Use a strong password with the help of a password manager.
- 2. Two-Factor ALL THE THINGS.
- 3. Regularly change your WordPress salts.
- 4. Use secure file permissions.
- 5. Use sFTP whenever possible.
- 6. Use SSL on all of your WordPress sites.
- 7. Keep your WordPress site and everything on it up to date.
Understanding the Threat: What is a Hacker?
Unfortunately, there are people and systems actively working to hack websites. The word “hacker” may bring a few ideas to mind, including:- The ever-elusive hooded teenager working in a dark basement
- Government agents infiltrating criminals or foreign governments
- Underground networks fighting for freedom, equality or to expose corruption
Why Would Someone Want to Hack My Website?
There are currently tens of millions of websites on the web. WordPress powers about 26% of them. Unfortunately, the sheer number of WordPress sites makes it a target. Recently, Sucuri released a Hacked WordPress Report, with roughly 94% of the sites they worked on in the third quarter of 2019 were WordPress sites. Charts like this can make users will worry that WordPress isn’t secure — it is. In the chart above, Sucuri found that in most instances, compromises had little or nothing to do with WordPress core. Instead, [pullquote]WordPress compromises had to do with improper deployment, configuration and overall maintenance by the webmaster and hosts.[/pullquote] Even with these known WordPress security issues, WordPress is SECURE if you keep it up to date and use these WordPress security best practices.How Can I Keep My WordPress Site Secure?
When it comes to WordPress security, it’s not about if you get attacked, but rather how to prevent WordPress hacks from being successful. So what can we do? You can drastically improve your WordPress security by reviewing a few WordPress security 101 tips and by implementing these WordPress security best practices.1. Use Strong Passwords With the Help Of A Password Manager
Here’s a quick quiz. Do you know at least one of your passwords? Have you used that password for another login somewhere else? If you answered yes to both of these questions, your password strategy could use a serious audit. What makes a good password?- Long
- Random
- Unique
2. Two-Factor for ALL THE THINGS.
[pullquote]Two-Factor Authentication is not a mere nuisance, it’s Real Security. [/pullquote] Have you used two-factor authentication and do you know how it works?Two-factor authentication is a process of verifying a person’s identity by requiring two methods of verification: either something you know, something you have, or something you are.While it’s easy to think two-factor authentication is annoying, it’s time to get past the inconvenience and educate everyone we know about the value of using this method to secure your logins. If someone is able to snag your credentials, it won’t do them any good if you have two-factor authentication enabled. Not only would a hacker need to have your username and password, but also your mobile device to successfully login. Add two-factor authentication to your WordPress login, and then two-factor all the things, everywhere you can (including your email, financial accounts, even your social networking if it’s available). With iThemes Security Pro, you can easily add WordPress two-factor authentication to your WordPress login.
3. Regularly Change Your WordPress Salts & Keys.
WordPress uses cookies (or information stored in your browser) to verify the identity of logged in users and commenters. To better protect and ensure encryption of the login information stored in your WordPress cookies, WordPress includes secret authentication keys and salts in your wp-config.php file. Essentially, WordPress salts and keys are additional passwords for your site that are long, random and complicated—so they’re nearly impossible to break. There are several plugins out there including iThemes Security Pro that can change your WordPress salts and keys for you.4. Use Secure File Permissions.
How secure is your site if anyone can view or write to your server files? It’s not. Secure WordPress file permissions are a must. For example, these file and directory permissions are a no-no.- Directory – 777
- File – 666
5. Use sFTP Whenever Possible.
If you edit files on your website, it’s a good idea to start using sFTP rather than FTP. If you don’t directly edit the code, make sure your web developer is using the highest security protocols for accessing server files. While SFTP and FTP protocols both transfer data, that’s where their similarities end. Just as a primer, FTP stands for File Transfer Protocol. FTP transfers data between two remote connections, in plain text. Whenever a user opens up a regular FTP session, the entire transmission made between the host and the user is sent in plain text. Anyone who has the ability to snoop around on the network can read the data, including your password information. sFTP is a secure form of the FTP command. sFTP ensures that data is securely transferred privately with the use of the SSH2 protocol. When using sFTP instead of the FTP, the entire login session, including the transmission of passwords, is encrypted. So it’s much more difficult for someone snooping around on the network to observe and collect passwords.6. Use SSL on all of your WordPress sites.
What is SSL? Why should you use it? We’ve all seen the green padlock in our browser next to the URL we are accessing, but why is it so important? [pullquote]SSL stands for Secure Sockets Layer, and creates an encrypted connection between your web server and your visitors’ web browser.[/pullquote] Here’s a quick primer on SSL/HTTPS terminology:- HTTP stands for Hyper Text Protocol. When using HTTP to transfer information, it’s relatively easy for a knowledgeable person to intercept, and view it.
- HTTPS stands for Hyper Text Protocol Secure. When using HTTPS if anyone is able to intercept it, they still won’t be able to decipher it because it’s encrypted.
- SSL – Secure Socket Layers is the security during the transfer while using HTTPS.
7. Keep Your WordPress Site and Everything On It Up To Date.
Keeping up with WordPress maintenance is the final part of having a solid WordPress security strategy. Just like your lawn needs to be mowed or your car needs oil changes, you have to do regular maintenance on your WordPress website, which means actively keeping up with updates to WordPress core, themes and plugins. [pullquote]Version updates often have important security patches and bug fixes, so it’s important to always run the latest version of WordPress and any themes or plugins you’re using. [/pullquote]- Keep WordPress core up to date.
- Keep plugins and themes up to date.
- Regularly update your passwords.
- Routinely audit your sites for plugins, themes and users that aren’t being used, and remove them.
- ALWAYS have a recent WordPress backup. Having a backup of your site can not only save you time if something does go wrong, it can also save you a costly experience. Use a WordPress backup plugin like BackupBuddy to create automatic WordPress backups and store backup files off-site in a secure destination.
Sign up now — Get SolidWP updates and valuable content straight to your inbox
Sign up
Placeholder text
Placeholder text
Get started with confidence — risk free, guaranteed