Decent WordPress Security without Breaking the Bank

With a platform as ubiquitous as WordPress, there are always going to be security issues. Fortunately, there are some great plugins, in both free and paid versions, that can help you achieve better WordPress security. As with any additional plugin, they will not make you impervious to attack, but they can certainly reduce your attack surface.

It’s not all about the plugins though, and there are some other tips and techniques to add additional layers of protection.

If you are thinking of starting a site powered by WordPress, or just want to secure your site more, you may find some useful tips here.

Summary

  • Ensure the server running your site is secured and maintained
  • Consider using services like CloudFlare to protect your origin IPs
  • Use HTTPS
  • Be careful what plugins you install
  • Keep WordPress and plugins up to date
  • Use good password policy

Self installing? Be secure from the outset

This is a big topic all of its own, and outside of the scope here, but it’s important to be aware of.

If you are installing WordPress yourself, and managing the server it’s running on yourself, then be sure to follow good security practice on your server. Read and digest WordPress’ official Hardening WordPress guide, and use this as your starting point. Ensure you have strong authentication on your server, with appropriate firewall rules, and pay special attention to file permissions. Ensure security updates are being installed in a timely manner, or ideally automatically, if your situation allows that approach. This is very much an area where you need to do your homework before deciding if this route is appropriate for you, as a misconfigured or poorly maintained server can certainly provide an entry point to hackers — there are lots of WordPress hosting packages available where all of the server side of things is taken care of already.

Protect your origins

When planning an attack, the bad guys do their homework. One of their steps will be to see where your site is hosted, and often this can be very easily achieved via DNS and Whois lookups. A DNS lookup will very often yield the true IP of your website. Referring back to the previous point, if this is a server you manage yourself, they now have the IP of your server, and they can add this to their list of places to look for holes. If you run your site behind a service such as CloudFlare, you set your DNS records to point to CloudFlare, rather than your real server IP. This masking can be a very useful barrier. The free CloudFlare plan also offers a range of other useful features, such as HTTP Strict Transport Security (HSTS) and DNSSEC.

Use HTTPS

There was a time when HTTPS certificates were expensive to acquire and difficult to maintain. Fortunately, this is no longer the case. Or at least, it doesn’t have to be. Services such as CloudFlare or Let’s Encrypt provide an easy way to run your website over HTTPS. We recommend serving ALL content over HTTPS; but as a bare minimum from a WordPress stance, you need the admin area running over HTTPS, otherwise login credentials may be easily snooped. Any pages gathering information from site users/readers should also be served over HTTPS. Additionally, from an SEO perspective, HTTPS will become increasingly important for search rankings, as Google mention in this article.
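As an added example (not code from the original post), these are the wp-config.php lines that force the WordPress admin area onto HTTPS, together with the proxy check WordPress’ own documentation recommends when the site sits behind CloudFlare or another TLS-terminating proxy. The header name and constant are WordPress/CloudFlare standard; the placement comment is an assumption about a typical wp-config.php layout.

```php
<?php
// wp-config.php excerpt. Added example, not from the original post.
// Place these lines above the "That's all, stop editing!" comment.

// Behind a proxy that terminates TLS (CloudFlare, a load balancer), the origin
// server receives plain HTTP, so WordPress's is_ssl() returns false. With
// FORCE_SSL_ADMIN on, that produces a redirect loop on wp-login.php. Trust the
// proxy's X-Forwarded-Proto header instead. This is only safe when every
// request reaches the origin through the proxy: a client that can reach the
// origin IP directly can set the header itself, which is one more reason to
// keep the origin address private (see "Protect your origins").
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// Serve wp-login.php and the whole /wp-admin/ area over HTTPS only, so the
// login form and the authentication cookie are never sent in clear text.
define('FORCE_SSL_ADMIN', true);
```

Once this is in place, also set both the WordPress Address and Site Address (Settings → General) to https:// URLs so that the front end and all generated links use HTTPS as well; if the proxy block is omitted on a CloudFlare "Flexible SSL" setup, expect a redirect loop on the login page.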

Passwords & a little security by obscurity

It may seem obvious to some, but there are still an astonishing number of people using very poor passwords across multiple services. You most definitely don’t want to be using a weak, easily guessed password for your administration backend.

Some other tips:

  • When installing, change the default database table prefix from ‘wp_’ to something else. This could fool tools that expect these prefixes.
  • Once you are finished with installation, create a new administrator account, avoiding obvious names, and remove the ‘admin’ account. Many brute force tools will try ‘admin’ and other commonly used usernames.
  • Use aliases (nicknames in WordPress) for your users as the display name, and set ‘Display name publicly as’ (within WordPress user settings) to the nickname — this way the actual username will not appear in posts, so would-be attackers can’t get your username from posts, and username enumeration by tools such as WPScan becomes more difficult
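Nicknames hide the login name in post bylines, but WordPress still exposes it through a few other routes. The must-use plugin below is an added example, not code from the original post; it closes the common enumeration paths for visitors who are not logged in, using only WordPress core hooks. The file name and the generic error message are assumptions.

```php
<?php
/**
 * Plugin Name: Reduce username enumeration
 * Description: Added example, not from the original post. Save as
 *              wp-content/mu-plugins/reduce-user-enumeration.php; files in
 *              mu-plugins load on every request and cannot be deactivated
 *              from the dashboard.
 */

// Each hook below closes one enumeration route for anonymous visitors.
// Logged-in users and the admin screens are left untouched.

// 1. /?author=1 normally 301-redirects to /author/<login>/, which hands the
//    login name to anyone who increments the number. Send such requests home.
//    is_author() also covers the /author/<login>/ archive pages themselves;
//    drop that condition if you want author archives to stay public.
add_action('template_redirect', function () {
    if (is_user_logged_in()) {
        return;
    }
    if (isset($_REQUEST['author']) || is_author()) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
}, 1); // priority 1: runs before redirect_canonical() at priority 10

// 2. The REST API lists users (login name in the "slug" field) at
//    /wp-json/wp/v2/users. Hide both users routes from anonymous requests.
add_filter('rest_endpoints', function ($endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (['/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)'] as $route) {
        unset($endpoints[$route]);
    }
    return $endpoints;
});

// 3. WordPress 5.5+ publishes an author sitemap (wp-sitemap-users-1.xml) that
//    lists author archive URLs. Returning false drops the "users" provider.
add_filter('wp_sitemaps_add_provider', function ($provider, $name) {
    return $name === 'users' ? false : $provider;
}, 10, 2);

// 4. The default login error tells an unknown username apart from a wrong
//    password, which confirms valid account names. Use one generic message.
add_filter('login_errors', function () {
    return 'Login failed. Please check your details and try again.';
});
```

After installing, check the effect yourself on your own site: /?author=1 should land on the home page rather than an author archive, and /wp-json/wp/v2/users should return a "no route" error for a logged-out browser. Tools such as WPScan will still report what other plugins and themes disclose, so treat this as one layer, not a complete fix.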

Keep your WordPress site & plugins updated

One of the easiest ways for your site to be compromised is through an outdated WordPress core or outdated plugins and themes. It is very important to keep all aspects of your installation updated. Good housekeeping goes a long way to keeping things secure in many areas, and this is especially true when it comes to WordPress.

Naturally it can be tricky to always check if updates are available and to keep on top of their installation — but fortunately, there are plugins available for this. Check out ‘Updater’ by BestWebSoft for example — this can really take the headache out of managing updates, and you can change the settings depending on your comfort levels of automatic updates; from emailing you when updates become available, up to and including updating WordPress core, themes and plugins entirely automatically.
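If you would rather not add another plugin for this, WordPress core’s own automatic-update controls cover the same ground. The must-use plugin below is an added example, not code from the original post or from the Updater plugin; the filters are WordPress core’s, while the file name and the "example-plugin/example-plugin.php" exclusion are placeholders.

```php
<?php
/**
 * Plugin Name: Automatic updates policy
 * Description: Added example, not from the original post. Save as
 *              wp-content/mu-plugins/auto-updates-policy.php.
 */

// Core: minor (security and maintenance) releases install automatically by
// default. Allow major releases as well. This is equivalent to
// define('WP_AUTO_UPDATE_CORE', true); in wp-config.php.
add_filter('allow_major_auto_core_updates', '__return_true');

// Plugins and themes: opt everything in. Since WordPress 5.5 the same switch
// is also available per item on the Plugins and Themes screens.
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');

// Exception: keep a plugin you must test before upgrading on manual updates.
// "example-plugin/example-plugin.php" is a placeholder for the real plugin
// file (the path shown in the Plugins screen). Priority 20 runs after the
// blanket opt-in above so the exclusion wins.
add_filter('auto_update_plugin', function ($update, $item) {
    if (isset($item->plugin) && $item->plugin === 'example-plugin/example-plugin.php') {
        return false;
    }
    return $update;
}, 20, 2);

// Email the site admin after plugin and theme updates run (success or failure).
// Core already does this for core updates.
add_filter('auto_plugin_update_send_email', '__return_true');
add_filter('auto_theme_update_send_email', '__return_true');
```

Automatic updates rely on WP-Cron, so a site with little traffic, or one where DISABLE_WP_CRON is set, needs a real system cron job hitting wp-cron.php for these to run on time. Separately, `define('DISALLOW_FILE_EDIT', true);` in wp-config.php removes the in-dashboard theme and plugin code editor, so a stolen admin login cannot be turned into arbitrary PHP on the server quite so easily.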

Plugins, Plugins everywhere

There are thousands of plugins for WordPress available. It’s generally best practice to only install plugins from the Plugins section which you can find in your WordPress administration site, except in cases where you have a trusted third party. Look for plugins with a large install base, good reviews, and also ensure that they are being actively developed. Installing old versions of plugins, or plugins which are no longer maintained by their developers, could punch holes in your site’s security.

Run at least one of the main security plugins

There are lots of plugins in this space, which provide firewall and other features to improve your WordPress security. These plugins provide login brute force protection, file integrity monitoring, email alerting, and a whole host of other features. Wordfence is a good one, and there is a free version. Sucuri Security scanner is also worth a look.

Be sure you have good backups before you start tinkering with these plugins, as you can easily lock yourself out of your site. If this is a new area for you, try playing on a test site first, and be sure to understand what a setting will do before enabling it.

Install what you need, remove what you don’t

Breaches in security can often be as a result of errors in plugins and themes. It’s normal when starting out with WordPress to try out many themes and plugins. If possible, try these on a test site, but always remove plugins & themes that you no longer need. It’s just one less way for someone to get in.

Audit your site

Tools such as WPScan can provide a useful insight into any issues with your WordPress security. The bad guys know about these tools too, so it’s good to know what’s out there.

This has been a pretty high level, whirlwind overview of how you can achieve better WordPress security. As ever, nothing makes you 100% secure — do your research and take appropriate measures to keep your site safe. Hopefully this will help you along the way.

Got a top tip for better WordPress security? Or a favourite plugin perhaps? Let us know via the comments.