A reader asked for tips on how to secure his WordPress blog against hackers. After thinking about and listing all the things I do to keep my blogs secure, I did some online research to see where my actions fell short.
Turned out that my blogs were well-protected, but I did adopt some additional security measures that I learned from other Wordpress bloggers.
Now I pass all those tips on to you…
-
Do NOT use ‘admin’ as your username
In April 2013, thousands of WordPress sites with ‘admin’ as the administrator username were compromised via large-scale brute-force attacks. The hosting service HostGator reported that it had “seen over 90,000 IP addresses involved in this attack”. In response, WordPress founder Matt Mullenweg urged everyone still using ‘admin’ as a username to change it immediately.
Since then, WordPress no longer pre-populates the username field with ‘admin’ as the default administrator username.
However, if you started your blog prior to WordPress 3.0 and still have ‘admin’ as your username… it is time to change it!
How to change your username
- Log in to your administrative user account.
- Navigate to Users > Add New and fill in all the details for a new user account. Choose a username and set the role to Administrator.
- Now log out of your ‘admin’ user account and log back in using your new user account.
- Go to Users and delete the old ‘admin’ account. WordPress will prompt you to reassign all the posts associated with ‘admin’ to another account. Choose your new account from the drop-down list… and you're set!
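The same four steps can be scripted when you manage a site from the command line. This is an added example, not code from the original post: it is meant to be run with WP-CLI (`wp eval-file rename-admin.php`), which loads WordPress before executing it, and the new username and e-mail address are constructed placeholders.

```php
<?php
// rename-admin.php: replace the 'admin' account with a fresh administrator and
// reassign its posts, mirroring the manual steps above. Run via WP-CLI:
//   wp eval-file rename-admin.php
$old_login = 'admin';
$new_login = 'site-owner-7k2q';      // constructed; pick something not guessable
$new_email = 'owner@example.com';    // constructed

$old = get_user_by('login', $old_login);
if (!$old) {
    exit("No user named '$old_login' exists; nothing to do.\n");
}

// Step 2: create the replacement administrator if it is not there already.
$new = get_user_by('login', $new_login);
if (!$new) {
    $new_id = wp_insert_user([
        'user_login' => $new_login,
        'user_email' => $new_email,
        // Random password that is never printed; the owner sets their own via the e-mailed link.
        'user_pass'  => wp_generate_password(24, true, true),
        'role'       => 'administrator',
    ]);
    if (is_wp_error($new_id)) {
        exit('Could not create user: ' . $new_id->get_error_message() . "\n");
    }
    wp_new_user_notification($new_id, null, 'user'); // sends the "set your password" e-mail
    $new = get_user_by('id', $new_id);
}

// Safety check before deleting anything: the new account must really be an administrator.
if (!in_array('administrator', (array) $new->roles, true)) {
    exit("'$new_login' is not an administrator; refusing to delete '$old_login'.\n");
}

// Step 4: delete the old account and reassign its posts to the new one.
require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() is defined here
wp_delete_user($old->ID, $new->ID);
echo "Deleted '$old_login'; its posts now belong to '$new_login'.\n";
```

Log in with the new account (after setting its password from the e-mail) before running this on a production site, so you are never left without a working administrator.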
-
Hide your username
WordPress displays your username in the URL of your author archive page. So, once you've changed your username, make sure it can't be found by changing your nickname in your user profile.
-
Use a strong password
Did you know that the second most common password is ‘password’?
UGH!
WordPress comes with a built-in password strength indicator. Make sure your password indicates ‘STRONG’ and that you follow the hint included alongside the password change area:
“Hint: The password should be at least seven characters long. To make it stronger, use upper and lower case letters, numbers, and symbols like ! " ? $ % ^ & ).”
-
Use the latest version of WordPress
WordPress is frequently updated to fix security issues such as unintentional information disclosure and weaknesses exploited by brute-force attacks.
Many hosting service providers will update blogs on their servers to the latest version of WordPress automatically.
If yours does not, or you happen to notice that a new version is available, simply update to the latest version yourself.
-
Keep plugins up-to-date
In mid-July 2014, Sucuri, reporting on a security hole in the WPTouch plugin, stated: “During a routine audit for our WAF, we discovered a very dangerous vulnerability that could potentially allow a user with no administrative privileges, who was logged in (like a subscriber or an author), to upload PHP files to the target server. Someone with bad intentions could upload PHP backdoors or other malicious malware and basically take over the site.”
Just like the WordPress platform itself, plugins are regularly updated by their developers to improve functionality and to plug security holes. Take action whenever you see that a plugin update is available.
-
Delete unused themes and plugins
Security (see above) is the primary reason to delete unused plugins and themes.
In addition, removing unused plugins and themes reduces the size of your backups and may even slightly enhance your blog's performance.
-
Limit login attempts
Hackers frequently use a malicious script to repeatedly guess passwords in an attempt to discover the correct one.
Apple has reported that this was how many celebrities' nude photos were stolen from their iCloud accounts and then leaked publicly: “After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.”
Nude photos or not, you don't want anyone to guess your password and hack into your administrative account on WordPress.
One way to thwart hackers is to limit the number of times users can try to log in. After the limit is reached, the user is locked out for a specified period of time.
Moreover, you can block IP addresses of those who repeatedly try to login without success.
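Plugins such as the one mentioned in the next section do this for you, but the mechanism is small enough to show in full. The following is an added example, not code from the original post or from any plugin: a must-use plugin (drop it in wp-content/mu-plugins/) that counts failed logins per client address with WordPress transients and refuses authentication once the limit is hit. The limit of 5 attempts and the 15-minute lockout are constructed sample values.

```php
<?php
/*
 * Plugin Name: Simple Login Limiter (example)
 * Description: Lock out a client address after too many failed logins.
 */
const SLL_MAX_ATTEMPTS    = 5;    // constructed sample value
const SLL_LOCKOUT_SECONDS = 900;  // 15 minutes; constructed sample value

// Failures are keyed on the client address. Caveat: behind a reverse proxy or CDN,
// REMOTE_ADDR is the proxy, so configure WordPress to see the real client address first.
function sll_client_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'sll_fail_' . md5($ip);
}

// Count every failed login. The transient expires by itself, which is what ends the lockout;
// each further failure during a lockout refreshes the timer, extending it.
add_action('wp_login_failed', function ($username) {
    $key   = sll_client_key();
    $fails = (int) get_transient($key) + 1;
    set_transient($key, $fails, SLL_LOCKOUT_SECONDS);
    if ($fails >= SLL_MAX_ATTEMPTS) {
        // Log the event so repeated offenders show up in the server log for blocking.
        error_log(sprintf('[login-limiter] lockout for %s after %d failures (last username tried: %s)',
            isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown', $fails, $username));
    }
});

// Priority 30 runs after WordPress's own username/password check (priority 20),
// so a locked-out client gets an error even if it finally guesses the right password.
add_filter('authenticate', function ($user, $username, $password) {
    $fails = (int) get_transient(sll_client_key());
    if ($fails >= SLL_MAX_ATTEMPTS) {
        return new WP_Error('too_many_attempts',
            sprintf('Too many failed login attempts. Try again in %d minutes.', SLL_LOCKOUT_SECONDS / 60));
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that client.
add_action('wp_login', function () {
    delete_transient(sll_client_key());
});
```

Because the counter lives in transients, it is shared by all logins on the site (including XML-RPC, which also fires these hooks), and it disappears automatically when the lockout window ends.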
-
Limit registration of members
Remember the dangers associated with subscribers mentioned in #5 above, i.e. “allow a user with no administrative privileges, who was logged in (like a subscriber or an author)”?
Unless you are running a membership site or a forum, you really don't need to allow member registration of any sort on your WordPress site.
I personally add users who are guest bloggers and give them the role of Contributor.
Otherwise, no one is allowed to register as a member on this blog.
-
Use a security plugin
I use Wordfence, which is free.
Wordfence starts by checking if your site is already infected.
Here is a graphic of problems it found with my blog when I originally installed the plugin…
- Post contains a suspected malware URL: [title removed]
- Comment with author [name removed] contains a suspected malware URL.
- Comment with author [name removed] contains a suspected malware URL.
- User “[name removed]” with “contributor” access has an easy password.
- User “[name removed]” with “contributor” access has an easy password.
What problems might it find with yours?
-
Use a professional theme for WordPress
The folks who develop blog themes and templates for a living do NOT want to kill their businesses by leaving holes for hackers.
The same cannot be said of those who create free themes… they're hobbyists who either don't know or don't care if what they create leaves security holes in your blog.
That's why I always recommend using professional themes for WordPress. My preference is Studiopress.
-
Use a high-end secure hosting provider
Do NOT cheap out on your hosting provider. Bad web hosting services don't care whether or not your blog is protected from hackers. Do your homework to find a secure service.
The majority of my sites are now hosted with WebSiteManagers.net and I've never had better service.
Here is a list of my recommended hosting providers.
-
Use a blog backup utility
Last but not least, make sure you keep your blog backed up at all times, just in case you run into problems with hacker idiots.
For more information check out the Hardening WordPress article.
Stay safe, folks!!
Comments, questions or suggestions? Please leave a comment below!
Cheers,
Quality content is the crucial element attracting people to visit any website — that’s what THIS web site provides.
WordPress is by far the best semantic publishing platform. But, it can also be hacked. Thanks to good people like you giving us a heads up on helpful WordPress security tips to keep our blogs safe and theft-proof from our unique content being stolen.
It is true! I requested a tip in WordPress Security and Ros has given me 12 of them.
Thank you Ros; much appreciated. I am happy that my comment inspired you to develop such work.
It is extremely valuable to all of us to share your tips.
High 5!
Hey Kazooli,
And I’m glad that you asked your question. Keep ’em coming!
Cheers,
Ros
As usual, a post worth reading.
Loved to read it till the end and came to learn a lot from this.
Thanks for sharing such a great info.
I never thought it could happen to me… (That’s everyone’s first mistake.) Thinking you’re invincible… I wuz hacked into next week… I like to think my sites are pretty tight now… Your suggestions are right on the money… Some are just plain old common sense… I wasn’t thinking that way 2 yrs ago and it cost me… Take The Time And Secure Your Sites
Thanks for sharing, J.S. and glad to hear your sites are secure now! 🙂
Cheers,
Ros
Great post indeed Rosalind.
I would also recommend the use of Google Authenticator plugin.
This adds another layer of security on your logins.
Regards
Hi Hadee,
Thanks so kindly for that tip and the link to your how-to article. I’ll be implementing the Desktop version of that considering I rarely even know where my phone is – let alone use it. 🙂
Cheers,
Ros
I love security tips for my blogs and use Wordfence myself. I’d like to ask you about this advice you gave above “Otherwise, no one is allowed to register as a member on this blog.”
How do we stop people using the built-in ability in WordPress to register as a member?
Thanks
Hi Alex,
Just make sure that the box next to ‘Anyone can register’ under Settings > General > Membership is left unticked. 🙂
Cheers,
Ros
Thanks for this great post Rosalind.
I’ve been ‘hoping for the best’ with the username on one of my sites. I have been aware recently that it should not be admin, but no information was forthcoming about how to change it. I should have been able to come up with the solution myself, but obviously I needed you to give me that tip.
Thanks again.
Valerie
Hi Valerie,
You’re most welcome! 🙂
Cheers,
Ros
Thanks for the wake up call Rosalind. It makes no sense that they would try to hack into my site, there are no secrets and nothing to be gained there.
One of my sites has had over 3000 unauthorised login attempts in the past 6 months. Proof that they are out there and doing their evil work. I have many of these security plugins installed on my site, and the advantage is that you not only get to stop them, but you get to monitor what they are up to so you can stay ahead of them.
Graham Apolony
Big Note Marketing
Hi Graham,
Glad I could help! 🙂
Cheers,
Ros