Knowing how to secure WordPress is one of the most important components of keeping your site safe and protected from hacks. In this post, we cover five quick and easy tips you can use today to secure your WordPress site.
How to Secure WordPress: 5 WordPress Security Tips
1. Delete your “admin” user.
The username “admin” is just a generic name created by WordPress. The “admin” username is well-known and makes it simple for someone to potentially hack into your WordPress site.
To remove the admin user, follow these steps:
- Create a new user for yourself.It is important to come up with a username that is unique to make it more difficult for someone to figure out. (When coming up with your new username, you might also consider how you want your name displayed on the frontend of your site. For instance, if your name is John and that’s how it will be displayed on your posts, using John as your username would not be the best idea.)
- Make sure you create a strong password for this user and set the role to admin.
- Once you’ve created your new user, log out of the admin user and log into your site with the new user. Then you will be able to go into your users and delete the original admin user.
2. Keep WordPress core and all your plugins and themes up to date.
Updates to WordPress and your themes and plugins often include security updates. Vulnerabilities are found and corrected as quickly as possible in new version releases. Keeping WordPress and your plugins and themes up to date will help prevent vulnerabilities on your site.
When you log in to your WordPress dashboard, you’ll see a notice in the admin bar at the top of the screen with the number of available updates for your site. In the example screenshot below, there are 9 available updates for plugins and themes on this WordPress site.
If you manage multiple WordPress sites, use a tool like iThemes Sync for your WordPress maintenance tasks. Sync gives you one central dashboard to update WordPress and all your themes and plugins across all your sites.
3. Delete unused plugins and themes.
It’s also important to remove any plugins and themes from your site that you aren’t actively using. You should be doing WordPress housekeeping at regular intervals to remove any unused plugins and themes. Why? Unused plugins and themes on your site are vulnerabilities on your site which can be exploited by hackers.
When you delete an unused WordPress plugin, also make sure that it is completely removed, from both the site and your database. Some plugins leave information behind in your WordPress database.
4. Periodically update your WordPress salts and keys.
WordPress uses cookies (or information stored in your browser) to verify the identity of logged in users and commenters.
WordPress also includes secret authentication security keys and salts in your wp-config.php file. A WordPress salt is a random string of data that hashes the WordPress security keys in the wp-config.php file. Basically, these WordPress security keys are additional passwords for your site that are long, random and complicated, making them nearly impossible to break.
If you open your wp-config.php file, you’ll see the Authentication Unique Keys and Salts section with seven security keys.
A link is provided in the file which will generate unique salts and keys for your site.
Copy those unique keys and replace the samples in your wp-config.php file.
If you want to check out a bit more of the technical explanations of WordPress secret keys and salts, here are a few helpful resources:
- The WordPress Codex – Security Keys
- The WordPress Codex – Cookies
- Wikipedia: HTTP cookie
- PHP: Cookies
- SSL and Cookies in WordPress 2.6
5. Ensure all users are using strong passwords.
Strong passwords are ones that are difficult for someone to guess and make it harder for brute force attacks to be successful.
When you create your password, be sure to keep these things in mind:
- You want the passwords to include both alphabetic and numeric characters, not just one or the other.
- You don’t want the password to be a word that could be found in the dictionary.
- You want the password to be long; the shorter the password, the easier it is to figure out.
- You don’t want to use any variation of your name, company name or website name.
Coming up with a complicated and strong password can be difficult on your own. However, there are many tools available to help you with this.
- Strong Password Generator – Strong Password Generator creates strong passwords for you and allows you to determine the length of the password, whether or not to avoid punctuation used in programming and more.
- LastPass – LastPass can not only generate strong passwords for you but can store them in their vault, saving you from having to save them somewhere where someone else can find them.
- 1Password – 1Password, similar to LastPass, both generates strong passwords and stores them for you.
It is especially important for all admins on the site to have a strong password. If their account is hacked, the hacker gets complete access to your admin dashboard as well. However, it’s also important that all users on the site have a strong password.
Consider Using a WordPress Security Plugin to Secure Your WordPress Site
These steps are a quick and easy way to start securing your WordPress site, but we also recommend you use a WordPress security plugin, such as iThemes Security Pro, to help secure WordPress.
Many of the best ways to secure your WordPress site can be more easily addressed by using a WordPress security plugin than by doing it manually. With a plugin like iThemes Security Pro, you can quickly change your WordPress salts and keys, enforce WordPress password security, activate WordPress two-factor authentication and more.
The iThemes Security plugin also includes a WordPress security check to run an audit of your site’s security status.
Have More Questions on Securing Your WordPress Site?
If you have more questions on how to secure WordPress, leave a comment below or iThemes Community members can open a support ticket from the iThemes Help Desk.
Get iThemes Security Pro Now
Elise likes to say she supports the support team here at iThemes. Her job is to make sure the support team has everything they need and to help them out any way she can. When not working, Elise spends time with her two dogs (Iggy Pup and Bowie) and her cat (Indie), her three nephews or her “little sister.” She has an English Literature degree and still spends a lot of her time reading, especially the classics. She also enjoys baking treats for the iThemes office!
A word of warning about resetting salts. It’s obviously good advice with one _huge_ caveat: some applications use wp_hash() for their own purposes, storing hashed values to check against later or passing them on to third parties over an API.
(Please note that the following information was correct recently but may be incorrect at the time of reading)
One notable example is GravityForms, which seems to use wp_hash() for a PayPal transaction ID. When it gets this transaction ID back from PayPal (e.g. with subscriptions), it rehashes the key data and compares them.
If you change your salt, these values will no longer match, and your notification hooks will stop firing.
So keep this in mind when changing salts. And keep a record of all the prior salts you’ve used, just in case!