WordPress is a super flexible, customisable and constantly evolving content management system and for these reasons currently powers around 30% of websites. That’s a lot of websites!
Unfortunately this popularity attracts both good and bad attention. The rise in the use of the WordPress platform has been closely followed by an increase in hacking attempts. Once your website is compromised it will be used to circulate spam and other malicious material. If this happens you will lose the trust of your customers, put them at risk of being exploited and risk being blacklisted by the major search engines.
As well as being widely used, WordPress – despite all of its merits – does have vulnerabilities. Not following best practices can leave you exposed, and despite the risks it is staggering how many website operators do not take any steps to secure their website thoroughly. Luckily it is quite simple to implement some basic defences to protect your website from being infiltrated. Best of all, these methods are free and just require a little time to put in place.
1. Keep WordPress updated
New potential vulnerabilities in the WordPress system are found all of the time. Fortunately there are thousands of developers in the world all contributing to patch these issues. All you have to do is ensure that you keep your website updated.
If you are wary of updating to the latest WordPress version (we’ve had a few sites break upon updating so we get it!), you can check to see what the update includes via the updates page in your administrator dashboard. If you don’t see anything security related then it’s pretty safe to wait until the next update. If you do see anything that is related to a vulnerability then we hope it is obvious that you should update immediately.
2. Keep plugins and themes updated
Similar to the above, plugin and theme development teams are always on the lookout for new vulnerabilities in their code and regularly release updates to patch any new issues that arise. You simply need to keep on top of any updates that are issued to ensure that your site is as protected as possible.
3. Pick plugins wisely
When it comes to plugins you can go one further and choose which plugins you install wisely. There are so many WordPress plugins out there that allow your website to do so much more. Amongst these are a significant number that are no longer actively developed. As time goes by and the WordPress core is updated, there is a growing chance that new vulnerabilities appear that aren’t being addressed, leaving your website exposed. Make sure that any new plugin you install has been updated recently and has a good star rating. If the plugin doesn’t hit both these points, do a bit more research – it’s very likely there is another that provides similar functionality without the risk.
4. Install a backup plugin
If for some reason all of your steps to secure your website fail and somebody gains access, your final safety net is a backup that you can use to restore your website. Having your website back up automatically is really handy for lots of reasons: you are covered if an update breaks your website, if your site is taken offline by a plugin conflict or if you get the dreaded white screen of death. We recommend Updraft Plus for a comprehensive backup solution that you can configure to back up automatically to remote storage like Dropbox or Google Drive.
5. iThemes Security Configuration
Another step in securing your website is to utilise a plugin that specifically addresses common WordPress vulnerabilities. For this post we’ve concentrated on the iThemes Security plugin due to its comprehensive set of features (plus it’s free!). Once you’ve installed the plugin and visited the Security tab in the left hand menu, you’ll see a menu screen something like this:
We recommend configuring these aspects of the plugin:
– General settings: Enable the Blacklist Repeat Offender option. This automatically blocks bots and users by IP if they reach a certain number of failed login attempts. This is good for catching anyone trying to access your account. Within this options page you can also see the list of banned IPs and whitelist any users that accidentally got their login details wrong.
– 404 Detection: You just have to enable the overall page for this one. This will block any user who repeatedly requests pages that don’t exist, which is typically someone probing for a known vulnerability at a particular URL – normally an outdated plugin or theme.
– Banned users: We recommend you enable the HackRepair.com blacklist feature. This compares the IP address of the user trying to access the website to a comprehensive database of known bots, blocking them if they are listed.
– Database backups: We only recommend you use this option if you do not have a backup plugin already handling it. We’d also say that using a plugin like Updraft Plus provides a more comprehensive solution.
– File Change Detection: This option allows you to be notified by email every time an unexpected file change occurs on your website. This is a really useful feature, as otherwise file changes would go unnoticed and it can be an absolute pain to find out which files have been edited when a hack occurs. We recommend that when you enable this setting you exclude the cache folder from the detection, otherwise the notification emails can be a little annoying.
– Local Brute Force Protection: Enable this option and select the setting to immediately ban a host that attempts to log in using the “admin” username. WordPress by default creates a main administrator profile called “admin” and this is a perfect opportunity for hackers to use a technique called “brute forcing”. With the username known, a computer program can rapidly try endless password combinations in an attempt to compromise your website.
– System tweaks: Enable the Protect System Files and Disable PHP in Uploads options. There’s no reason to expose the WordPress system files, and preventing PHP code from running out of the uploads folder is just good practice.
– WordPress tweaks: Select Remove Windows Live Writer Header, Remove RSD Header, Reduce Comment Spam, Disable File Editor and Disable Login Error Messages. Again, this is all information that WordPress exposes to anyone who knows where to look, and it has no reason to be there.
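The Blacklist Repeat Offender and Local Brute Force Protection settings above amount to a small state machine; this added Python example (not iThemes’ code) replays a constructed log of login attempts through it, with the failure and lockout thresholds being assumptions rather than the plugin’s defaults.

```python
# Login lockout logic in the spirit of iThemes' Blacklist Repeat Offender and
# Local Brute Force Protection settings (added example, not the plugin's code).
# Thresholds, names and SAMPLE_LOG (documentation IP ranges) are constructed.
from collections import defaultdict
class LoginGuard:
    def __init__(self, max_failures=3, ban_after_lockouts=3):
        self.max_failures = max_failures              # failures before a lockout
        self.ban_after_lockouts = ban_after_lockouts  # lockouts before blacklisting
        self.banned_usernames = {"admin"}             # trying these bans the host at once
        self.failures = defaultdict(int)              # consecutive failures per host
        self.lockouts = defaultdict(int)              # lockouts per host ("repeat offender")
        self.blacklist = set()

    def record_attempt(self, ip, username, success):
        """Return the action taken for one attempt: allow, fail, lockout or ban."""
        if ip in self.blacklist:
            return "ban"
        if username in self.banned_usernames:
            self.blacklist.add(ip)  # no legitimate user logs in as "admin"
            return "ban"
        if success:
            self.failures[ip] = 0
            return "allow"
        self.failures[ip] += 1
        if self.failures[ip] < self.max_failures:
            return "fail"
        # Threshold hit: count a lockout. A live site would also time-block the host;
        # here the failure counter just resets so a replay can continue.
        self.failures[ip] = 0
        self.lockouts[ip] += 1
        if self.lockouts[ip] >= self.ban_after_lockouts:
            self.blacklist.add(ip)
            return "ban"
        return "lockout"

    def replay(self, log):
        """Feed 'ip username ok|fail' lines (constructed format); return actions per host."""
        actions = defaultdict(list)
        for line in log.strip().splitlines():
            ip, username, result = line.split()
            actions[ip].append(self.record_attempt(ip, username, result == "ok"))
        return dict(actions)
SAMPLE_LOG = """
198.51.100.7 admin fail
203.0.113.9 editor fail
203.0.113.9 editor ok
192.0.2.44 jsmith fail
192.0.2.44 jsmith fail
192.0.2.44 jsmith fail
"""
```

Running `LoginGuard().replay(SAMPLE_LOG)` bans the host that tried “admin” outright, lets the editor in after one slip, and locks out the third host on its third failure.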
Once you’ve configured all of the Recommended options, click Advanced in the top right of the plugin settings page. The final step is to go into the Hide Backend options page and change your login URL. This adds an extra layer of protection by hiding the usual WordPress login page and also makes it harder for visitors to work out which platform your website is built on.
And that’s it! Following the above steps will go a long way towards protecting your website from malicious hackers. You can always go one further though – we recommend looking at the Sucuri and Wordfence plugins. These do similar things to iThemes but can be used together to strengthen your website security.
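The File Change Detection option described above, as an added Python example that is not the plugin’s code: it hashes a constructed site tree, skips the cache folder as recommended, and reports which files were added, removed or modified; the directory layout and file contents are assumptions.

```python
# File change detection in the spirit of the iThemes File Change Detection option,
# with the cache folder excluded as recommended above. Added example, not the
# plugin's code; the site layout, file contents and EXCLUDED_DIRS are assumptions.
import hashlib
import os
import tempfile

EXCLUDED_DIRS = {"cache"}  # directory names os.walk must not descend into

def build_manifest(root):
    """Map each file's path (relative to root, '/' separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded directories in place so os.walk never enters them.
        dirnames[:] = [d for d in dirnames if d not in EXCLUDED_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return manifest

def diff_manifests(baseline, current):
    """Return the added, removed and modified paths between two manifests."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }

def demo():
    """Constructed site tree in a temp dir: take a baseline, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(data)
        write("wp-config.php", "<?php define('DB_NAME', 'example');\n")
        write("wp-content/themes/demo/functions.php", "<?php // theme code\n")
        write("wp-content/cache/page.html", "cached page v1\n")
        baseline = build_manifest(root)
        # An edited theme file and a new file in uploads are what an intrusion
        # typically leaves behind; the cache refresh is routine and must not alert.
        write("wp-content/themes/demo/functions.php", "<?php // theme code\n// edited\n")
        write("wp-content/uploads/unexpected.php", "<?php // new, unexpected file\n")
        write("wp-content/cache/page.html", "cached page v2\n")
        return diff_manifests(baseline, build_manifest(root))
```

On a real site you would store the baseline manifest somewhere the web server cannot write to and run the comparison from cron, emailing the result only when the three lists are not all empty.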
We take website security very seriously and include this configuration by default in all of our web design projects. We also take care of the ongoing management of your website security through our reliable website care packages. As always, if you have any questions please get in touch.