A reader asked for tips on how to secure his WordPress blog against hackers. After thinking about and listing all the things I do to keep my blogs secure, I did some online research to see where my actions fell short.
Turned out that my blogs were well-protected, but I did adopt some additional security measures that I learned from other Wordpress bloggers.
Now I pass all those tips on to you…
-
Do NOT use ‘admin' as your username
In April 2013, thousands of WordPress sites with ‘admin' as the administrator username were compromised via large-scale brute force attacks. The hosting service HostGator, reported that they had “seen over 90,000 IP addresses involved in this attack”. In response, WordPress founder Matt Mullenweg urged all those with ‘admin' as their usernames to change them immediately.
Since then, WordPress no longer suggests / pre-populates the username form blank with ‘admin' as the default username for administrators.
However, if you started your blog prior to WordPress 3.0, and still have ‘admin' as your username… it is time to change it!
How to change your username
- Login to your administrative user account.
- Navigate to Users > Add New and fill in all the details for a new user account. Choose a username and set the privileges to Administrator.
- Now log out of your ‘admin' user account and log back in using your new user account.
- Go to Users and delete the old “admin†account. WordPress will prompt you to reassign all the posts associated with ‘admin' to another account. Choose your new account from the drop down list… and you're set!
-
Hide your username
WordPress displays your username in the URL of your author archive page. So, once you've changed your username, make sure it can't be found by changing your nickname in your user profile.
-
Use a strong password
Did you know that the second most common password is ‘password'?
UGH!
WordPress comes with a built-in password strength indicator. Make sure your password indicates ‘STRONG' and that you follow the hint included alongside the password change area:
“Hint: The password should be at least seven characters long. To make it stronger, use upper and lower case letters, numbers, and symbols like ! ” ? $ % ^ & ).”
-
Use the latest version of WordPress
WordPress is frequently updated to fix security issues such as unintentional information disclosure and brute attacks.
Many hosting service providers will update blogs on their servers to the latest version of WordPress automatically.
If yours does not, or you happen to notice that a new version is available, simply update to the latest version yourself.
-
Keep plugins up-to-date
In mid-July 2014, Sucuri reporting about a security hole in WPTouch stated “During a routine audit for our WAF, we discovered a very dangerous vulnerability that could potentially allow a user with no administrative privileges, who was logged in (like a subscriber or an author), to upload PHP files to the target server. Someone with bad intentions could upload PHP backdoors or other malicious malware and basically take over the site.”.
Just like the WordPress platform itself, plugins are regularly updated by their developers to improve functionality and to plug security holes. Take action whenever you see that a plugin update is available.
-
Delete unused themes and plugins
Security (see above) is the primary reason to delete unused plugins and themes.
In addition, removing unused plugins and themes reduces the size of your backups and may even slightly enhance your blog's performance.
-
Limit login attempts
Hackers frequently use a malicious script to repeatedly guess passwords in an attempt to discover the correct one.
Apple has reported that this was the reason many celebrities nude photos were stolen from their iCloud accounts and then leaked publicly…”After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.”
Nude photos or not, you don't want anyone to guess your password and hack into your administrative account on WordPress.
One way to thwart hackers is to limit the number of times users can try to login. After the limit is reached, the user is locked out for a specified period of time.
Moreover, you can block IP addresses of those who repeatedly try to login without success.
-
Limit registration of members
Remember the dangers associated with subscribers mentioned in #5 above, i.e. “allow a user with no administrative privileges, who was logged in (like a subscriber or an author)?
Unless you are running a membership site or a forum, you really don't need to allow member registration of any sort on your WordPress site.
I personally add users who are guest bloggers and give them the role of Contributor.
Otherwise, no one is allowed to register as a member on this blog.
-
Use a security plugin
I use Wordfence which is free.
Wordfence starts by checking if your site is already infected.
Here is a graphic of problems it found with my blog when I originally installed the plugin…
- Post contains a suspected malware URL: [title removed]
- Comment with author [name removed] contains a suspected malware URL.
- Comment with author [name removed] contains a suspected malware URL.
- User “[name removed]” with “contributor” access has an easy password.
- User “[name removed]” with “contributor” access has an easy password.
What problems might it find with yours?
-
Use a professional theme for WordPress
The folks who develop blog themes and templates for a living do NOT want to kill their businesses by leaving holes for hackers.
The same cannot be said of those who create free themes… they're hobbyists who either don't know or don't care if what they create leaves security holes in your blog.
That's why I always recommend using professional themes for WordPress. My preference is Studiopress.
-
Use a high-end secure hosting provider
Do NOT cheap out on your hosting provider. Bad web hosting services don't care whether or not your blog is protected from hackers. Do your homework to find a secure service.
The majority of my sites are now hosted with WebSiteManagers.net and I've never had better service.
Here is a list of my recommended hosting providers.
-
Use a blog backup utility
Last but not least, make sure you keep your blog backed up at all times, just in case you run into problems with hacker idiots.
For more information check out the Hardening WordPress article.
Stay safe, folks!!
Comments, questions or suggestions? Please leave a comment below!
Cheers,
