WordPress Security Guide

Back in 2004 when I loved a UK spy program called ‘Spooks’, the Internet was starting, slowly, to become more of an everyday buzz word. Facebook was founded and WordPress had started it’s journey to becoming the dominant platform for running websites! Security was still important but not at the scale it is today!

When I watched ‘Spooks’ for an hour on a Monday night I was in this world of espionage where spy’s ran around London! It was great! But the best bit for me was the computers! The hacking, the surveillance, CCTV, backdoors in to systems! This love of computers has never left! Even today I love watching an old episode of Spooks!

But in todays world it seems more relevant! Everyday we hear stories of sites being hacked, personal data being stolen, money being conned from old people. It is a real threat to us all.

In 2021 WordPress powers in the region of 39% of the Internet. That is huge, and it is growing! This popularity means that the biggest, most attractive, most visited websites, that handle eCommerce, membership sites, clubs, magazines and much more rely on WordPress!

But this popularity means that it has also become the focus of attention for the dark side of the Internet! Every WordPress update, every plugin, and every theme, provides a potential gateway for a hacker to access and take control of a website! It’s scary! If you have a serious website and your business depends on it for sales or contact with clients then you need to take security seriously!

The total security of your website can be broken down into various layers. We can start with the first layer which is very much under your control as the owner of the website. This is the domain of the site ‘admin’, the person who can log into your website via the WordPress login and make changes to settings, themes, plugins, and off course content!

WordPress Login Security

As the site admin you will no doubt know the WordPress Login page very well. In a standard WordPress installation it is where you gain access to the admin dashboard, and it is one of the places of interest to the hacker who wants to access your site!

The Internet has thousands of WordPress websites where the login page is their achilles heel. The default WordPress username is ‘admin’ and many, many sites still use it. This means that half the battle is won! The hacker knows how WordPress works, so their first port of call is to use a username of ‘admin’.

Next, is the password! Anyone who understands how important the password is will never use the same password on more than one site, and will create a strong password using a mixture of letters and numbers, varying the case, and sprinkling in special characters, like $#@, spaces, and make sure it is between 10 and 50 characters long – the longer the better!

I can hear the argument, “but how can I remember a password that is so long”!

The best way is to create a phrase! Something memorable so that it tips of the tongue. So, as an example we could use the phrase “The Sky is very blue” and convert it in to “The5ky1sVeryBlue”. I think you can see what I mean! This is too simple though, but it gives you a taste of what you could use!

A hacker will bombard your site with usernames and passwords in an attempt to discover the correct combination. This is known as a ‘Brute Force Attack’ and I think you can see that the combination of a username ‘admin’ with a password of ‘123’ is not going to keep anyone out! Some of this is common sense, but you would be surprised how the human brain ops for the easy way out!

So. How do we fix these issues? First login as your current admin user, so that you are looking at the WordPress Admin Dashboard.

Change WordPress Admin Username

Let’s start by fixing the ‘admin’ username problem. In the dashboard click on the ‘Users’ menu item and you will see a list of the current users. If this is a new installation then it might just be a single user, the admin. If this user has a username ‘admin’ then you need to change this! If not then your hosting provider has already changed the default for you!

The problem here is that you cannot change the username of a user. Instead you add a new user and delete the old one. Click on the ‘Add User’ button at the top of the page and enter the new admin username. Ideally make this something a bit more complicated by adding an underscore and numbers, then add personal details, email, name, etc. Finally, at the bottom select the ‘administrator’ role from the dropdown, and save the new user.

Now that you have your new admin user go back in to the user list and delete the original account. If you leave it then hackers can still access the old ‘admin’ user account!

WordPress Updates

Before we move on to look at other security improvements, lets address the issue of updates. Periodically, WordPress itself, themes, and plugins will release updates. You may think that updates just bring new features and bug fixes. This isn’t true. Updates can also include security updates. Fixes that close a vulnerability that could allow a hacker to access your website.

Being logged in to the admin dashboard makes it easy to see and perform updates. The ‘Plugins’ menu option will show a red badge with the number of plugins that need updating, and under the ‘Dashboard’ menu option ‘Updates’ will show you all current available updates, including core, plugin, and theme updates. You can then easily select the updates you want to perform and click the updates button.

So. Now that we have a more secure admin user account and your WordPress set-up is updated. We can now look at additional services that can make your WordPress website even more secure.

Limit WordPress Login Attempts

Having a different username and a nice long password is going to slow down a ‘Brute Force’ attack. But why not make the hackers life even more difficult? WordPress has a number of plugins that can limit WordPress login attempts. In other words if the attacker fails to login correctly after a certain number of attempts e.g. 3, then they will be locked out for say five minutes! If after the five minutes they return and fail again then they can be locked out for even longer!

WordPress Two Factor Authentication

This is very powerful because it takes away the reliance on just the username and password because by adding a third check that is much more difficult to guess! This may be a sequence of numbers generated on another device, such as your mobile phone or tablet. I’m sure that you’ve come across this. In fact new laws mean that companies like PayPal now need to prove the id of the person logging in, and send you a code to your phone that you then need to enter!

WordPress by default does not include 2FA, as it’s known. But like everything WordPress related there are many plugins that provide these services.

I personally believe that the best way to implement these services is to use a plugin that provides a suite of security tools, such as Malcare, Sucuri, or WordFence!

WordPress Backups

I know that some of you will be curious why WordPress Backups are mentioned in a security discussion. WordPress Backups are an important tool if your website is hacked. The worst case scenario of a site being hacked is that it is completely destroyed. But if you have daily or hourly backups performed then you can return your site back to being almost identical to how it was before the hack! You may lose the odd post, but this is much less painful then rebuilding the whole site!

Once again the easiest route to creating a WordPress backup is to install a suitable plugin. For example, BlogVault and UpDraftPlus both include FREE versions available from inside the plugin directory, as well as more powerful premium versions.

Hope you have enjoyed this so far. The next post we will look at more advanced security steps that can be taken!

 

Leave a Reply

Your email address will not be published. Required fields are marked *