Using WordPress security best practices

Somewhere out there on the internet, a website is hacked every 5 seconds. Make sure you follow WordPress security best practices to make sure your site isn’t one of them!


It is estimated that around 30,000 websites get hacked every day.

So what are the WordPress security best practices you need to follow to make sure your site doesn’t become another statistic?

Let’s look at the main types of vulnerability associated with WordPress.

Hosting comes top of the list, with about 40% of sites hacked in this way. After that it’s themes, at around 30% of all sites compromised. Plugins follow at around 22%, while weak passwords account for around 8% of WordPress security breaches.

It’s worth pointing out that over 80% of sites that are hacked have not been updated to the latest version of WordPress.

So what are the recommended WordPress Security best practices?

Keep WordPress up-to-date

This is the number one task in the list of WordPress security best practices. If your WordPress install is not up-to-date, there really is no excuse.

Any vulnerability flagged to the WordPress team and subsequently patched means the exploit is almost certainly in the public domain. This makes old versions far more vulnerable to attack and is one of the many reasons you should always keep your WordPress install up-to-date – see WordPress.org.

Change the default admin account

Don’t make it easy for hackers. “Admin” is the default username offered at installation time, so naturally WordPress hackers try it first when trying to gain access to your site. Create a unique, hard-to-guess username and assign admin rights to this account, then delete the old admin user account.

Report any WordPress bugs and security holes

Every day new vulnerabilities are reported and patched by the WordPress team. If you do find a bug or security hole, do report it so everyone can benefit. Report issues here.

Use Akismet and close off comments after a set period

Activate the Akismet spam-comment filtering plugin. It’s bundled with the WordPress install, free, and does a good job of trapping spam for you. By all means choose an alternative spam-filter plugin, but don’t leave the door open.

Beyond this, on very active blogs, close off comments after a given period: the longer comments are left open, the more opportunity spammers have to target your site.

Hide the login link from your site

The login page is of course the first place hackers head for to break into your site. Removing the login link from your website is not foolproof, but it makes it that bit harder for hackers.

Limit failed login attempts

Brute-force password discovery requires thousands of repeated login attempts. Use a plugin that prevents these brute-force attacks by limiting the number of failed login attempts allowed from a single source.
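The pattern such a plugin reacts to is visible in the web server’s access log: many POSTs to wp-login.php from one address in a short time, each answered with the login form again (HTTP 200) rather than the redirect (302) that follows a successful login. The following detector is an added example written for this post, not a plugin’s code; the log lines are constructed, and the “200 means failure” rule is a heuristic assumed here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in combined log format (not real traffic). 203.0.113.7 hammers
# the login form six times in 30 seconds, then once more ten minutes later;
# 198.51.100.23 views the form once and logs in successfully (302).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2456 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2390 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 2456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 2456 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:19 +0000] "POST /wp-login.php HTTP/1.1" 200 2456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:25 +0000] "POST /wp-login.php HTTP/1.1" 200 2456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:31 +0000] "POST /wp-login.php HTTP/1.1" 200 2456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:10:31 +0000] "POST /wp-login.php HTTP/1.1" 200 2456 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: peak_failures} for addresses that made at least `threshold`
    failed wp-login.php POSTs inside any `window_seconds` sliding window."""
    attempts = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/wp-login.php":
            continue
        # Heuristic assumed here: a failed login re-renders the form (200);
        # a successful one redirects to the dashboard (302), so it is not counted.
        if rec["status"] != 200:
            continue
        window = attempts[rec["ip"]]
        window.append(rec["ts"])
        while window and (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()          # drop attempts that fell out of the window
        if len(window) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(window))
    return flagged


if __name__ == "__main__":
    for ip, peak in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {peak} failed logins within 60 s")
```

Running it over the constructed sample flags only 203.0.113.7; the lone attempt ten minutes later falls outside the window and does not raise the count. A rate-limiting plugin applies the same counting at request time and refuses further attempts once the threshold is hit, which is why the plugin stops the attack rather than merely reporting it.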

Implement two-stage authentication

If a breach of your site’s security has particularly severe implications, for example you have an online store or you hold sensitive customer information, you can consider two-stage authentication. This is an additional layer of security that often relies upon the user providing additional information from a different channel, such as SMS. This real-time interaction between your site and the customer during login adds an extra level of difficulty for the would-be hacker.
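To make the second stage concrete, here is an added example (not code from this post or from any WordPress plugin) of the authenticator-app variant of the same idea: a time-based one-time code (TOTP, RFC 6238) that the user reads from their phone and types in after their password. SMS delivery, as described above, differs only in how the code reaches the user; the server-side check is the same. The class name, the one-step clock-drift window and the replay guard are this example’s own choices.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, at // step, digits)


class SecondFactor:
    """Server-side state for one user's authenticator-app factor (constructed example)."""

    def __init__(self, key=None, step=30, digits=6, window=1):
        self.key = key or secrets.token_bytes(20)   # 160-bit shared secret
        self.step, self.digits, self.window = step, digits, window
        self.last_counter = -1   # replay guard: each time-step is accepted at most once

    def provisioning_secret(self) -> str:
        """Base32 form of the secret, the encoding authenticator apps expect."""
        return base64.b32encode(self.key).decode().rstrip("=")

    def verify(self, submitted: str, at=None) -> bool:
        """True if `submitted` matches the current step or a neighbouring one
        (within `window` steps) that has not already been used."""
        submitted = submitted.strip()
        if len(submitted) != self.digits or not (submitted.isascii() and submitted.isdigit()):
            return False
        now = int(time.time()) if at is None else at
        counter = now // self.step
        for drift in range(-self.window, self.window + 1):
            c = counter + drift
            if c <= self.last_counter:
                continue   # already consumed, or older than a consumed code
            # constant-time comparison so timing does not leak which digits matched
            if hmac.compare_digest(hotp(self.key, c, self.digits), submitted):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    sf = SecondFactor()
    print("enrol this secret in the app:", sf.provisioning_secret())
    code = totp(sf.key, int(time.time()))
    print("current code:", code, "accepted:", sf.verify(code))
    print("same code again accepted:", sf.verify(code))   # False: replay rejected
```

The password check happens first; only after it passes does the site ask for this code, so a stolen password alone is not enough. Rejecting a code that has already been accepted matters because an attacker who observes the code (shoulder-surfing, a phishing page) otherwise has up to 30 seconds to reuse it.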

What about your network, host, themes & plugins?

Check your website theme and plugins

Around 50% of security vulnerabilities come through WordPress themes and plugins. So it’s worth having a review of all your plugins and themes. Using one of the very good security plugins (we use Wordfence) can help identify any problem themes or plugins.

Where are you working from and is it safe?

Accessing your site from an Internet café or via free Wi-Fi can be a risk for obvious reasons. Make sure you are on a trusted network and that your computer is not infected with a virus or malware.

Restrict file permissions and write access

It is important to restrict who has access to files and who has write access, as this can be a major vulnerability. These restrictions are made directly on the server, or via an FTP client. Your hosting company can help you do this if necessary.
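The baseline most hosts will apply is directories 755, files 644 and wp-config.php 600 (readable by the owner only), and the things to look for are world-writable entries, a readable wp-config.php and PHP files sitting in the uploads directory. The script below is an added example for this post, not a WordPress or hosting tool; it audits a tree against those rules and can reset the modes, and it builds its own small, constructed WordPress-like layout in a temporary directory so it can be tried safely before pointing it at a real install.

```python
import os
import stat
import tempfile

# Baseline assumed here: directories 755, files 644, wp-config.php 600.
DIR_MODE = 0o755
FILE_MODE = 0o644
CONFIG_MODE = 0o600
UPLOADS = os.path.join("wp-content", "uploads")


def _mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_wordpress_tree(root):
    """Return a sorted list of (relative path, issue) for a WordPress install."""
    findings = []

    def check(path, is_dir):
        if os.path.islink(path):
            return                       # symlinks are reported by their target, not here
        rel = os.path.relpath(path, root)
        mode = _mode(path)
        if mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
        if not is_dir and os.path.basename(path) == "wp-config.php" and mode & 0o077:
            findings.append((rel, "wp-config.php readable or writable by group/other"))
        if not is_dir and rel.startswith(UPLOADS + os.sep) and rel.lower().endswith(".php"):
            findings.append((rel, "PHP file inside uploads directory"))

    check(root, True)
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            check(os.path.join(dirpath, d), True)
        for f in filenames:
            check(os.path.join(dirpath, f), False)
    return sorted(findings)


def apply_baseline(root):
    """Reset every directory and file under `root` to the baseline modes.
    Returns the number of entries that had to be changed."""
    changed = 0

    def fix(path, mode):
        nonlocal changed
        if os.path.islink(path):
            return
        if _mode(path) != mode:
            os.chmod(path, mode)
            changed += 1

    fix(root, DIR_MODE)
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            fix(os.path.join(dirpath, d), DIR_MODE)
        for f in filenames:
            fix(os.path.join(dirpath, f), CONFIG_MODE if f == "wp-config.php" else FILE_MODE)
    return changed


def build_sample_tree():
    """Create a constructed mini WordPress layout with deliberately bad modes."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    for d in ("wp-content", UPLOADS, "wp-includes"):
        os.makedirs(os.path.join(root, d), exist_ok=True)
        os.chmod(os.path.join(root, d), DIR_MODE)
    os.chmod(os.path.join(root, UPLOADS), 0o777)                 # world-writable directory
    files = {
        "wp-config.php": 0o644,                                   # database password readable by all
        "index.php": 0o644,
        os.path.join("wp-includes", "version.php"): 0o666,        # world-writable core file
        os.path.join(UPLOADS, "stray.php"): 0o644,                # code where only media belongs
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, issue in audit_wordpress_tree(root):
        print(f"{rel}: {issue}")
    print("entries changed:", apply_baseline(root))
    print("remaining:", audit_wordpress_tree(root))
```

Note that resetting modes cannot fix the PHP file in uploads; that finding needs a person to decide whether the file belongs there, which is the kind of thing the malware scanners mentioned later in this post look for. On a live site the owner of the files must also match the account the web server or FTP user runs as, which this script deliberately does not touch.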

Schedule website backups for recovery

Make sure you take regular backups of your site. Backups should not be stored on the same server as your website. There are several really good WordPress backup plugins (we use BackUpWordPress), and many others do a good job as well.

Ask your host about their security measures

Having a good host is a crucial aspect. Most good hosts take security very seriously and will implement their own defences for WordPress.

WordPress security plugins

There are many free and premium plugins designed to help you secure WordPress. Check the reviews on the WordPress plugin repository to see which is a good fit for your site. Here are a few to look at, but there are many more:

  • Wordfence – full-featured security plugin.
  • All in One WP Security and Firewall – adds a firewall to your site.
  • Bulletproof Security – protects your site via .htaccess.
  • Sucuri Scanner – scans your site for malware etc.

And finally…

Please refer to this site to keep up-to-date with WordPress Security best practices. We will update this post with any new recommendations as they come to light.
