This is a guest contribution from John Philips.
10 Vital WordPress Security Tips
Security should be of paramount concern to any blogger or website owner. It may seem like a tedious task, but it could protect your website from becoming a hacker’s playground. If your site has a revenue stream, then some time invested in security could also protect your livelihood. This article gives an overview of a few key security tips for WordPress blogs. There’s an ever-growing collection of useful plugins, but it’s dangerous to think that there is a single solution to website security. It’s important to maintain an ongoing interest in security to provide a reliable defence against hackers.
1. Secure Hosting
If you unknowingly opt for a provider which is infamous for its hosting vulnerabilities, you’ll be cursing your decision at a later date. Research is the key, so allocate some time to find a reputable company with a strong security strategy. Price is likely to be the main comparison point between providers, but sometimes paying slightly more can prove to be a sensible long-term decision.
2. Work on a Secure Network with a Clean PC
One of the joys of web-based software is ease of access. It might be seriously tempting to amend a blog post while you’re enjoying a coffee in your local café, but accessing WordPress over an insecure network could seriously compromise your security. At home, where you probably have a more robust network, you should also be sure that your machine is free of malware, spyware and viruses. A sneaky keylogger could undo all of your other security measures.
3. Keep Updated
Ensure that your themes, plugins and WordPress itself are all updated regularly. There are developers out there working to protect your site, so don’t miss out on crucial updates that patch the latest security vulnerabilities.
4. Strong Passwords
Passwords consisting mainly of names and correctly spelt words are extremely susceptible to brute-force attacks. Use symbols and numbers, randomly mix up your capitalisation and avoid names and words. If ‘petname1’ is memorable for you, why not use ‘P@naMe01!’ – it might seem silly, but having some kind of association in your mind will enable you to remember it. Alternatively, there are password managers that store and encrypt your passwords; Roboform and LastPass are both great options.
5. Enable Secure SSL Login Pages
Logging into WordPress through an encrypted channel adds another layer of protection, because your password is no longer sent in the clear. Check with your hosting provider whether you have an SSL certificate or are using Shared SSL. Then add this line to your wp-config.php file (it forces SSL for both the login page and the admin area):
define( 'FORCE_SSL_ADMIN', true );
If you want an easier option, there is a plugin that allows SSL control of your site: WordPress HTTPS (SSL).
6. Don’t Use ‘Admin’ as a Username
From version 3.0 onwards you have been able to change your WordPress username, so you’re no longer limited to the default of ‘admin’. There have been widespread attacks in the past which exploited the fact that millions of users still have ‘admin’ as their username. The easiest way to change it is to create a new user account in WordPress with administrator access, then log in as the new user and delete the old account (WordPress will offer to attribute the old account’s posts to another user).
7. Hide Your Login from the Author Archive
It’s possible to find out a WordPress user’s login name simply by viewing the author archive page’s permalink, e.g. http://www.example.com/author/username/ – the slug in that URL is the username an attacker would then try passwords against.
However, it’s fairly straightforward to remove this. The simple solution is to use the WP Author Slug plugin.
8. Limit Login Attempts
Limiting the number of login attempts from a single IP address can thwart some hackers, especially if your site has been targeted by a brute-force attack. Thankfully there’s a handy plugin for this – Limit Login Attempts.
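As an added illustration of what a login-limiting plugin does (this is example code written for this page, not the source of the Limit Login Attempts plugin), the following mini-plugin counts failed logins per IP address in a WordPress transient and refuses further attempts once a threshold is reached. The five-failure threshold and fifteen-minute window are assumptions, as is the use of REMOTE_ADDR, which is only reliable when no reverse proxy sits in front of the site.

```php
<?php
/*
 * Plugin Name: Example Login Throttle (illustration for this article)
 */

// Assumed policy: five failures per IP within fifteen minutes, then a
// fifteen-minute lockout. MINUTE_IN_SECONDS is a WordPress constant.
const ELT_MAX_FAILURES = 5;
const ELT_WINDOW       = 15 * MINUTE_IN_SECONDS;

// Transient key for the visitor's address. REMOTE_ADDR is assumed to be the
// real client address; behind a reverse proxy use the forwarded address.
function elt_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'elt_fail_' . md5( $ip );
}

// Runs on every failed login: bump the per-IP counter, expiring with the window.
function elt_record_failure( $username ) {
    $key   = elt_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, ELT_WINDOW );
    // Leave a trace in the server log so repeated failures are visible to the admin.
    error_log( sprintf( 'login failure %d for user "%s"', $count, sanitize_user( $username ) ) );
}
add_action( 'wp_login_failed', 'elt_record_failure' );

// Runs after WordPress's own username/password check (priority 20), so a locked-out
// address is refused even when the credentials are correct.
function elt_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( elt_key() ) >= ELT_MAX_FAILURES ) {
        return new WP_Error( 'too_many_attempts', __( 'Too many failed logins; try again later.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'elt_check_lockout', 30, 3 );

// Clear the counter once a login succeeds.
function elt_clear_on_success( $user_login, $user ) {
    delete_transient( elt_key() );
}
add_action( 'wp_login', 'elt_clear_on_success', 10, 2 );
```

Dropped into wp-content/plugins/ and activated, it applies to wp-login.php; XML-RPC logins also pass through the authenticate filter, so they are covered too.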
9. Disable File Editing
It can be really useful to edit your theme’s files within the dashboard. However, once you’re happy that you no longer need to edit these files, it’s sensible to remove this functionality. This prevents anyone who gets hold of an administrator login from using the built-in editor to change theme and plugin files. All you need to do is open your wp-config.php file and add the following line of code:
define( 'DISALLOW_FILE_EDIT', true );
10. Create Regular Backups
It’s a mundane task, and one that is often neglected, but backing up could save your site from the website graveyard; it’s a vital step even if you’ve taken all the appropriate security measures. Thankfully, there’s a fantastic plugin that automates the task and removes the mundaneness – BackUpWordPress. It’s a very popular plugin that’s famed amongst the WordPress community for its simplicity and ease of use.
Summary & Other Security Plugins
No single plugin will completely protect your site, so the above steps shouldn’t be ignored. It’s also important not to keep plugins installed that you don’t use. Feel free to try out some of the plugins below, but if you’re not using them it’s best to uninstall them. Some of the multi-purpose plugins are fantastic, but they might aim to correct things you have already fixed, so assess their features to decide whether it’s worth installing them.
Login Lockdown – blocks IP addresses for a given time after repeated failed login attempts.
Lockdown WP Admin – hides WordPress Admin (/wp-admin/) when a user isn’t logged in.
Sucuri Security – checks your site for malware, spam, blacklisting and other security issues.
Acunetix WP Security – checks your WordPress website/blog for security vulnerabilities and suggests corrective actions.
iThemes Security – Formerly Better WP Security, this plugin offers over 30 ways to secure and protect your WordPress site.
Still want to know more about WordPress security? If so then check out: http://codex.wordpress.org/Hardening_WordPress
John Philips is from SSLs.com. SSLs.com resells SSL certificates from the likes of Comodo, GeoTrust, and VeriSign.
Good security list. Point #6 is obvious, but I also know of people who set the password as ‘Password’. Not a very smart thing to do.
The recommended plug-in to hide the login name from the author archive has not been updated in two years. It would be great to have a more recent solution recommended!
Thanks
L
Hi Laura,
I understand the uneasiness in trying an outdated plugin, but the good thing is that it works as intended in spite of not being under active development. It’s a very simple plugin and doesn’t need an update every now and then, unless a future update of WP breaks it.
Thanks
I’d be careful with Limit Login Attempts (and I used to recommend it all the time). Several people reported problems with it over the last couple of months, and there hasn’t been any resolution from the developer — none that I’ve seen yet at least.
I was one of the people affected, and problems didn’t happen with all of my sites using it (though I’ve since removed it from all of them). On sites where there were problems, I found that certain “users” were able to get around the limits despite supposedly being blocked. Others have reported the same issue, among others, ever since WP 3.9.1. And with the plugin being severely outdated and little response on the support forum from the plugin author, it’s not worth the risk to me anymore. I’d go with another brute force protection option if at all possible. The one that’s been most recommended to me is Wordfence, and my plan is to start moving most of my sites to that soon.
Thanks for the great post. I use most of the tips given here and also found some new ones like point #9. Thanks again.
Hi excellent tips!
For security, I would also recommend Incapsula.com. It helps a lot!
Enabling secure SSL login pages is the better option and highly secure compared to other plugins.
Hi Darren, thank you for these tips. Can you recommend a plugin that really stops spam comments? Akismet does a reasonable job, but I still need something else.
Check out CleanTalk. Managing comments has never been easier for me.
I think the site is very important for web page design and customisation. It is a very helpful site.
Great tips, always like to be nice and secure.
Always make sure you regularly back up your site, that way if everything goes wrong you have a copy…
Thanks Darren, it’s a great gold mine for newbies like me in WordPress. Although my brother looks after such things, it’s a great post.
Instead of using Limit Login Lockdown, there is a plugin that has multiple security features including limiting the login. I am also thinking of getting SSL since it won’t only give the needed security, but also improve SERPs, as said by the Google Webmasters forum.
If the site has huge traffic then it is recommended to use VaultPress, and it’s good to feel safe even if there is an attack on the WordPress site.
Superb tips,
Google is making a great job by including https as one of its 200 ranking factors. It is great as far as security is concerned.
Another addition to the post would be Wordfence; it helps you keep the known bad guys away from accessing your site. It is fully loaded with features.
Using SSL and a few security plugins like login limits etc. helps in improving the security of a WordPress blog. Also, users need to change the username from the default “Admin” when installing WordPress. You have also mentioned useful tips for increasing WordPress blog security.
Thanks for all the wonderful suggestions John. I just started my blog and was concerned about the security aspects. I’ll check all the plugins out.
The backup plugin is something I was looking into. How do you think the one you suggested compares to BackupBuddy (paid) or UpdraftPlus (free)?
There are so many choices when it comes to WordPress. It’s both good (for the number of choices we have) and bad (for the difficulty in making a choice) at the same time.
Thanks John for this post.
Your post is really, really meaningful for me as I am new to the WordPress atmosphere; now I feel that my blog is safe.
Thanks again.
Best security tips for newbie bloggers.
I have installed the Lockdown WP Admin plugin but it’s giving an error.
Is it compatible with WordPress 3.9.2?
Definitely these are really awesome and useful tips for every blogger. The best thing is BackUpWordPress plugin to create regular backups of your site.
I have learned many new security settings, thanks for sharing.
Thanks for the tips. I would also suggest two factor authentication such as provided with Google Authenticator plugin. My favorite solution for spam is a plugin named CleanTalk which works great.
Is there a trick a blogger can do to the .htaccess file to make their WordPress blogs more secure? I believe I heard something like that before for WordPress, but unsure. Not all of us bloggers and site owners know the backdoor to modifying our .htaccess or other files on the server to protect ourselves.
Thanks for sharing some useful tips to protect our blog from any security threat. I have also used a plugin to protect my blog.
Luckily I never had problems with my WP security, but these are very helpful tips that I will definitely use to protect my site even more. Thank you!
Thanks for the WordPress security tips. I use a plugin to protect my blog. I am following all the tips and my blog is safe.
Thanks for the WordPress security tips. Exporting the posts and backing up every month is important.
My personal blog has been hacked many times and I never get to know how they do it. Meaning the WP interface is perfect. Everything is perfect. But still. Thus I had to buy those expensive security plugins.
I must say I find your tips to be really helpful. As a newbie with WordPress, any insight on it is very helpful to me to better understand it. Thanks again.
This is new for me, let me try this one. Thanks for sharing this great post.
After reading this post I was successfully reminded that in the long run good security measures are very important. I went ahead and installed some of those plugins that were suggested. I had actually been meaning to get some automatic backups going the last couple days so this served as a great reminder. The Limit Login Attempts page says that it hasn’t been updated in over two years so is it still good to use?
Thank you for this useful article.
Like you, we also recommend using an SSL certificate for WordPress – especially if you work a lot in internet cafés etc. You should never send your password over an unencrypted HTTP connection.