Here it is people – the complete guide to WordPress security. In this guide I’m going to cover everything you need to know to keep your WordPress site secure. Security requirements will vary – if you’re running a large store, the last thing you need is someone gaining access to your site, gaining access to your customer details, hacking your site and spamming people or even downtime for any length of time.
Whatever size of WordPress site you’ve got or whatever your security requirements are, I’ve got you covered in this guide. Before we get started, I need to go over some security basics.
Your security is ultimately only as good as your weakest link. Many people reading this will be worried about bot attacks – I cover that later – but if someone wants to hack into your site, the biggest weakness is YOU.
Do you do any of the following?
- Use the same password for your WordPress site and other sites?
- Stay logged in to your WordPress site? (clicking that little ‘remember me’ button?)
- Leave your computer unlocked?
- Write your passwords down anywhere?
- Record your passwords on your computer or online?
- Use an account called ‘admin’ on your WordPress site?
- Log into your site using plain HTTP rather than secure HTTPS?
- Fail to update plugins or themes?
- Buy themes which have bundled plugins?
- Give admin access to temporary developers?
- Install plugins or themes you downloaded illegally, e.g. through torrents?
- Use FTP rather than SFTP?
These are the most common weaknesses hackers are exploiting to gain entry to sites, servers and data. How likely you are to be attacked with these various weaknesses depends on how valuable gaining access to your site, servers or data is to would-be hackers. I’m not saying you should stop doing all of these – security is often a balance between being secure and getting on with your work. You often, for example, will need to give admin access to developers but follow this guide and you’ll rest assured that they haven’t left any backdoors on your website.
Firstly, you should ensure you don’t use the password you are using for your WordPress sites for any other websites. Unfortunately, many websites store passwords in plain text meaning an unscrupulous employee could access your password or even sell it on the black market. If you think this is far-fetched, think again. The advent of Bitcoin means hackers are able to sell password lists without giving away their personal identity making password theft far more likely to happen.
Secondly, never leave your computer unlocked – it’s simply really bad practice. Get in the habit of hitting Windows+L or CTRL+ALT+DELETE and then hitting ENTER. Both these methods lock your computer quickly. If you’ve got a mac hit CONTROL+SHIFT+POWER to lock your mac immediately. This only works if you’ve got a password set up for your computer account so make sure you do. If you’re storing passwords on your computer or you’re staying logged into your WordPress website, this adds significant security. You can also set up a screen-saver which locks your computer after a few minutes of activity, so you should do this too in case you forget to lock your computer for some reason. Here’s a guide for locking your PC using a screen saver and here’s a guide for locking your Mac using a screen saver.
Thirdly, if you’re going to record your passwords somewhere – on paper or on your computer or online, keep the paper safe (under your keyboard is not safe) and password protect and encrypt the file that holds your password. If you store your password file online with cloud storage, listen out for hacks made against that company and if one succeeds, change your passwords.
Finally, ensure you have decent virus protection installed on your computer, be diligent about what you download or click on in emails, learn how to prevent phishing attacks made against you and install some anti-malware software like Malware Bytes for the PC or Mac.
I go into more detail about securing everything else below, but get these basics right or you could get hacked at any time, regardless of the other steps you make.
Choosing, remembering and storing passwords
When choosing passwords, there are two major mistakes people make. The first is to re-use a password they use on another website – remember, other sites may be storing your passwords in cleartext (ever been emailed your password?) and the second is that they use a really simple password – e.g. dave123. If you do either of these things, your passwords are at risk of being hacked.
The best technique for passwords is to use a completely random string – bash on your keyboard for a bit and include some numbers and special characters. e.g. asd8u0io9478adupioAUI8034 is a great password (don’t use it now though!)
BUT how are you ever going to remember that password? Well, you don’t have to. You can remember ONE really strong password and store an encrypted, password protected file containing your passwords on your computer or on Dropbox.
You can use BoxCryptor (free for personal use) to encrypt and password protect one of your folders on Dropbox. That way, you always have access to your password file but it’s always protected.
To create strong passwords you CAN remember, use a combination of these techniques:
- Use a three or four word phrase that is memorable to you but NEVER guessable from reading your social media profile, reading your snail mail or knowing you in person
- Use a mis-spelling of one or more of the words
- Replace characters of your choice in this password with another non-alpha-numeric character – e.g. you may choose to always replace ‘x’ with * or ‘i’ with ! or 1 or |. By choosing a couple of character replacements personal to you, you make it far harder for password crackers to guess your password
- Capitalise certain characters – e.g. you may choose to capitalise the 2nd letter of the first word, the 4th letter of the 2nd word and the 1st letter of the 3rd word. You then need to remember the password and 241 for 2nd, 4th, 1st characters to be capitalised.
- Intersperse non-alpha-numeric characters into your password – e.g. if you have a four word password (with certain characters replaced and some capitalised) then you could separate those words with different characters.
Preparing for the worst and backing up your WordPress site off-site
Hacking isn’t the only way your WordPress site can be destroyed – it could be destroyed by a storm, a fire, bankruptcy of your hosting company or user-error – e.g. you might run the wrong command on your server and delete everything by mistake, so backing up is not only to protect you from hacking. If you’re not backing up your WordPress site, DO NOT rely on your host doing it for you. It’s easy to set up.
- Install Updraft Plus (it’s free)
- Set up off-site backups inside Updraft plus – they have a myriad of options included in the free version. I prefer backing up to Dropbox. NOTE: The free version of Updraft plus backs up your files in clear-text meaning if someone gets access to your dropbox, they will get access to your database password (stored in wp-config.php). If you have everything else set up properly (specifically don’t allow remote MySQL log ins), your server will still be secure even if this happens. For ultimate security, back up to an encrypted storage drive. You can also backup using SFTP to another server you own/rent.
Preventing WordPress bot attacks
This is probably the most common complaint from new WordPress users. This problem really came to light back in 2013 when a massive Botnet was discovered which was growing by the day – basically, it’s hacking into poorly protected WordPress sites using the ‘admin’ username and commonly used passwords. Every hacked WordPress site was then added to the botnet and used to hack other sites.
- Never, ever have an account called ‘admin’. If you have an admin account, you can safely remove it by creating a new user called something else, give that user admin privileges, log out then back in as that other user then delete the ‘admin’ account and assign all posts and pages to your new admin user.
- Install Wordfence (it’s free) and configure it properly to lock out failed attempts, email you every time a user with admin privileges logs in and some other nice things
- If you go for the paid version of Wordfence, there are some more features (e.g. block Russia, China and the Ukraine as that’s where a lot of hackers originate) but the free version is fine
Stop hackers snooping on your WordPress login traffic and passwords
If you don’t have an SSL certificate on your website, this means every time you log in to your website your username and password is being sent in plain text. That sounds scary right? Anyone could read it? Well, not quite anyone. People who could access your passwords include anyone with access to any router between your computer and your server. e.g. If you’re at home, that’s your own router (sneaky child? borrowing the neighbours ‘free’ wifi? accesing your WordPress site from Starbucks or an internet cafe?), your ISP (probably safe-ish, but depending on security there, any employee could sniff your password) and then routers on the way to your server as well as your hosting company.
To prevent this, you need an SSL certificate and you need to ensure all logins use SSL. SSL used to be expensive, but not any more. Get yourself a free Cloudflare account and within 24 hours you’ll have an SSL certificate you can use to prevent traffic and password sniffing. Cloudflare is also useful for preventing bot-attacks since it remembers offending IP addresses and protects you from future attacks from that IP address.
- Get a Cloudflare account
- Modify your wp-config.php file to force SSL login and SSL for all dashboard access. There’s a guide here, but basically – add the following two lines to your wp-config.php file:
Now all logins will switch to using your cloudflare SSL certificate and no-one will be able to snoop your passwords as they will no longer be in plain-text.
Mitigating Wordpress back-door attacks
This is a tricky one to prevent completely. This is why you should always have daily backups running to an off-site location. A back-door attack is where some code on your site (e.g. in a plugin you installed) contains a security vulnerability. There have been quite a few problems like this recently including the Rev Slider vulnerability and just today the Fancybox vulnerability, both providing complete access to your server.
To avoid this, you need to update your plugins before you get hacked. You can also make sure you use trusted plugins, but it’s very difficult without reading every line of code to be 100% sure that a plugin is secure.
Another technique to implement back-door attacks is developers you hire, inserting their own back-doors directly into your code. They may modify the core WordPress files to do this. If so, Wordfence will alert you if it’s properly configured.
- Update plugins as updates appear
- Choose auto-update for WordPress (you’ve got daily backups in case something goes wrong, right?)
- Set up Wordfence to scan for any code changes made by developers or plugins
- Consider using a ‘sandboxed’ developer version of your website with different admin users and passwords when you’re hiring an external developer. This way you can test and scan on your dev.yourdomain.com site for any security vulnerabilities before they have the chance of hitting your live server.
- Only give admin access to people you trust – you should know their address at minimum
A note about themes with bundled plugins – e.g. themes from Themeforest:
If you’re buying themes on Themeforest or any other themes which come with bundled plugins, the plugin will not inform you about updates and it will not be updateable using the normal WordPress update method. This is because the theme author has bundled the plugins files which were up-to-date at the time of writing the theme, directly into the themes folders.
If you have a theme like this, stick an alert on the emails from Themeforest. It’s possible to configure Gmail, for example, to watch for emails from the Themeforest email address which contain the word ‘upgrade’ or ‘update’. You can even combine this alert with a service like IFTTT to send you an SMS but a Gmail alert is probably enough. Update your themes religiously – if something goes wrong, rollback using Updraft or restore using Updraft.
Keep your server and your database secure
Many hosts have terrible security – they allow remote login for MySQL (where are the WordPress users using remote MySQL login rather than SSH login??), they email you root passwords, they allow FTP rather than SFTP. If you’ve got a host like this, consider changing.
- Configure your server to disallow MySQL login. Get your developer/host to do it or if you have SSH access to your server, this is simple – log in and run:
- Use key authentication to access your server using putty/SSH. There’s a guide here.
- Use SFTP to access your server files. Ideally, use key authentication for this too as described here.
- Use different passwords for your FTP account, your root server account and your WordPress admin account.
Mitigating against Wordpress denial of service attacks
A denial of service attack is where a botnet hits your server with thousands of simultaneous requests, ideally for large files or complex pages. If your server is poorly configured, it won’t keep up and it’ll fall over preventing your legitimate users from accessing your site. I would say this is on the softer side of hacking, since any damage is temporary – they don’t actually gain access to your site, they just prevent others accessing it – still, it’s a security concern so here’s what to do:
- Set up W3 Total Cache and page caching. This will mitigate the problem should a botnet attack you for some reason. Ideally set up Nginx and Varnish too.
- Configure Wordfence to block repeat offenders. There are options to lock out IP addresses if they access more than X pages in less than Y seconds.
- Install and configure Cloudflare – it does some work to block denial of service IP addresses.
- Consider installing fail2ban – it operates at a level above WordPress, so it’s even more lightweight on your server and has been mitigating against denial of service attacks for ages.
A note about installing Cloudflare:
To set up and configure Cloudflare, I recommend using 2 plugins – W3 Total Cache with the (free) Cloudflare add-on – you just click addons in W3 Total cache, choose Cloudflare then from the General tab you can scroll down and enter your Cloudflare details. The other plugin I recommend you use in conjunction with W3 Total Cache is the Cloudflare plugin created by Cloudflare. This second plugin doesn’t increase your security, but it does fix problems you’ll experience with identifying where users originate from in Google Analytics or Wordfence.
Consider using two-factor authentication for ultimate log-in security
If you’ve set up SSL, used strong passwords, and all the rest of the guide above you’re going to have a really secure site, but for the ultimate in log-in security you should consider using two-factor authentication.
What happens is you log-in to your WordPress site using your username and password, then the site sends you an SMS to your phone. You enter the code received on your phone into the login page and only then are you allowed to log-in. It’s more secure because you have to have the phone with you. Wordfence offers this option if you do decide you want this additional layer of security.
I think I’ve covered everything you need to know about WordPress security. If there’s anything you think I’ve missed, or anything you’d like me to elaborate on, let me know in the comments below.
- More speed, more updates, and a bit of a roadmap for our plugins - July 2, 2020
- More beta updates available - May 20, 2020
- Figuring out slow PHP performance caused by loops using Xdebug - April 29, 2020