Although generally considered as a CMS only for managing blogs, WordPress, in fact is a very powerful platform that can be used to create your entire site without the need of any additional applications. Its ease of use, large community always ready to help, and an impressing variety of plugins has made WP a preferable choice for many webmasters. At the moment WP holds around 15-20% of the ‘market’. However, regardless of its ease of use – it is also one of the weakest platforms when it comes down to security.
NOTE: We have just updated this article with a new link which shows you how to password protect your “wp-login” page in order to get better protection against brute force attacks:
This article covers some of the most important changes you should consider in order to secure your WordPress site:
- Update your WP regularly– I know you have heard a lot about updating regularly your WP, including all installed plugins. Updating your version and installed plugins is of vital importance to the overtall WP security. When a new version of WordPress is available, users are informed via an automatic message; there will be also a warning in your WP admin area. When a new WP press version or new version of any installed plugins is available – you should proceed with any recommended updates IMMEDIATELY. You can do this with a few click from the top note in your admin panel informing you that there is a newer version available -> Please Update Now -> Update Now. All of our customers, using cPanel control panel, will also receive an additional reminder from our application installer tool Softaculous if there is an outdated version of WordPress installed under your hosting account.
- Select your plugins very carefully – the advantages of an open community are endless but what you need to know is that adding random plugins can be a security threat to your site. The problem comes not necessarily due to malicious intentions of the plugin creator, but mostly due developer’s lack of experience or secure web site development knowledge. We find this point so important that we will dedicate our next article on how to choose your WordPress plugins.
- Remove disabled and NOT needed plugins – Now, another step is to make sure that you remove all the plugins that you do not need anymore and you have disabled. Disabling the plugins does not mean that they are removed from the server, thus if you simply disable them, you leave a door open for potential attacks. Depending on your WP version you can either remove the plugin from using the DELETE link next to the plugin (you first need to disable it) ; or for older versions you can remove the plugins by logging to your site via FTP, going to the directory where the plugin is installed and then delete the folder with all the files from the server. This applies to the themes as well, in case you don’t need a certain theme, delete it from your admin panel (Appearance -> Themes). It is recommended to perform this on a regular basis because it is almost automatic to install and later disable a plugin, and you could easily forget about this which could cost you your site being compromised.
- Select strong account & admin passwords – This so essential that we have created a whole separate article focusing on strong passwords. You can check some tips on how to create your unbreakable password here .
- Login Limiter – it is very common to break a user account via brute force password attack. It means that in a very short period your login page will be bombarded with different combinations of usernames and passwords. You can prevent this from happening by setting a login limiter. There are certain plugins that you can use for this such as Limit Login Attempts.
- Disable user registration – If you do not need users to register on your site, make sure that you disable this option. You can do so from your admin panel and then from the Settings menu disable the ‘Anyone can register‘
- Limit the IPs that can log into your admin account – this is another measure you can take in order to secure your site. The easiest way to do this is by using a plugin that will limit the IPs allowed to access your admin account.
- Remove the WP version info from your site– When you install WordPress it automatically adds the version to the header of all your blog pages. Removing it is important, because if you leave it freely published on your site, you make the life of a potential hacker much easier. You should remove it from the page header meta, and since it is also contained in the readme.html file, renaming (removing) this file as well could do the trick. If the version is still shown add this line in your theme’s functions.php file<?php remove_action(‘wp_head’, ‘wp_generator’); ?>
- WP security keys – If you do not have such keys, make sure you add them. These WordPress security keys, also known as Secret keys, will further protect your password by adding ‘salt’ to it thus making it very difficult to be broken. You can create your own, but it is recommended to use the WordPress random generator. Once you have these keys, you should go to your wp_config file and place them accordingly
define(‘AUTH_KEY’, ‘put your key here’);
define(‘SECURE_AUTH_KEY’, ‘put your key here”);
define(‘LOGGED_IN_KEY’, ‘put your key here”);
define(‘NONCE_KEY’, ‘put your key here”);
define(‘AUTH_SALT‘, ‘put your key here’);
define(‘SECURE_AUTH_SALT, ‘put your key here”);
define(‘LOGGED_IN_SALT, ‘put your key here”);
define(‘NONCE_SALT’, ‘put your key here”);
When you change these keys, all of your users will be asked to re-login. With the new versions of WordPress, these keys are added automatically, but it is better if remove the default keys created during the WP installation, and replace them with new ones.
- Disable html in the comments – certain html code is allowed such as <b> to make your comment bold, <a> for referring to link, etc. If you do not need this as an option, it is better to remove it. You can do so by adding this line:
add_filter( ‘pre_comment_content’, ‘wp_specialchars’ )
to your theme’s functions.php file
- Stop search engines from crawling your WP admin area – make sure that the search engines do not crawl and index your admin directories. This is done by simply adding the ‘disallow’ statement in your robots.txt file. In case you do not have such file on your site, you should create one, and place it in your hosting account public_html folder. The file should look like:
In the addition to the above tips, we highly recommend that you explore the following 3rd party security tools which might be helpful when dealing with WP issues such as infections, and/or spam originating from a WP site.
1) WordFence – available through: https://www.wordfence.com/ (Offering Free + Premium version)
2) Sucuri – available through: https://sucuri.net/wordpress-security/wordpress-security-monitoring
We hope you found the above summary on overall WP security useful. Some of the steps above could be implemented within minutes, some will take longer and require more technical knowledge. Even if you manage to apply only the basics and easy recommendations at the end you will have a more secure WP site, and piece of mind.