Part 1 of 3: Securing WordPress from the dashboard
If you run a WordPress-based website, I have an unnerving statistic for you: in 2013, 117,000 WordPress sites were hacked. Further, the same study found 70% of all WordPress sites were vulnerable to malicious attack, most of which are easily preventable.
Does this mean you should dump WordPress as a web authoring environment? No, not really. The same threats, in similar percentages, appear across other CMS and blogging platforms, as well as static html sites. Unfortunately, it's just part of doing business on the web.
The good news is that there's a good deal you can do to secure your WordPress site. And there's a lot of it that you can do yourself.
And because WordPress is such a popular platform (by a huge margin) there's a large, active community of volunteers and commercial interests constantly working to keep malicious threats against your site at bay. Essentially, you've got your own private army ready to help you out: you just have to ask.
This article started as a simple how-to. But, as you can imagine, security is a serious and complex matter, and soon I was diving down rabbit holes full of code, jargon, hacking how-tos (!) and other geeky stuff.
Simplify, said the boss.
We decided to split it up into three approaches. Part 1 deals with things you can do, on your own, from the WordPress dashboard. These are easy, commonsense and frequently mis-used and abused. If you don't read anything else, read this first part — and implement the suggestions.
Part 2 is kinda geeky, but if you really want to secure your site, you need to speak geek. It deals primarily with editing some of WordPress's files to limit access and permissions that could otherwise let hackers in. Strap on your propellor hat, grab a cup of tea, and jump down the rabbit hole: you're not in Kansas anymore. (Yeah, yeah, I know: it's a mixed metaphor, but an apt one.)
Part 3 deals with plugins and other third-party services. Plugins are one of the easier ways to implement a whole raft of security measures in one swoop, but they're not without the occasional problem of their own making.
First things first
Seriously. The following steps will take you, maybe, an hour and a half — and that's if you're an absolute novice. Fixing a site following an infection will take days. Can you afford for your site to be down for days? Can you afford the cost of someone disinfecting your site? Securing your site now will save you a lot of time, money and headaches.
(Not motivated enough yet? Okay. Here's a story. A friend of mine runs a small e-commerce site. His site got infected with a new virus the day before Christmas Eve. Their site was down for potentially their busiest day of the year. How did the virus get in? Brute force. At one point their logs showed they were getting 180,000 login attempts per second. If your site has any of the symptoms below — weak passwords, admin usernames, outdated themes and plugins — your site will get hacked. It's really just a matter of time.)
Like burglars, if a hacker wants to get into your site, they will get in. That's life on the internet.
But, again like burglars in the 'real' world, most hackers are opportunistic and if you put up a decent fight, 99% of them will move on to a site that's less of a challenge. For the most part these guys aren't into crossword puzzles: they're into the cyber equivalent of Hungry Hungry Hippo. Fast, frantic, slapdash, and without a lot of thinking.
Your aim, then, is to deter these would-be hackers and make life difficult for them in the hope that they'll give up and move on.
Most attacks on WordPress sites are done by what hardcore geeks dismissively refer to as scriptkiddies. They grab code wholesale from a hackers' community site, add nothing themselves, don't really know what they're doing, and have no idea of the consequences for the business they target. They really are the equivalent of a 14-year old boy who's just discovered ... well, you get the idea.
Thankfully, they're easily bored and bit of resistance will see them move along.
A balanced act
It may be possible to lock out every security threat that comes rumbling through the WordPress tollgates, but it would more-than-likely mean that your site would cease to function. Or at least cease to be usable.
Securing your WordPress site is a balancing act, weighing usability against security. You can get good security and good usability: just don't expect to get 100% of both. It's not realistic.
And nothing beats ...
If your site does get infected with something malicious, the best comeback is to identify when the infection started and roll back your site to the day or week before it started.
Your web host should be backing up your hosting environment as a matter of course, though they may charge to recover it. (If you host is not doing backups, get a new host.)
But you should also have a backup schedule in place. If you site is not especially large or media-heavy, there's really no reason why you can't do a backup every day and keep those backups for a month or more using a free storage account like Dropbox, Amazon S3 or Google Drive.
We'll be doing a post on backups for WordPress in the coming weeks, so if you're in the dark about backups, stay tuned.
Let's get started
There's a lot you can do yourself to secure your WordPress site. The simplest methods for the novice are those things you can do from the WordPress dashboard itself: keeping things up-to-date, tidy, secure.
There are also several things you can do to various files within your WordPress folder on your hosting environment. At first glance, this might seem stuff for the propellorheads, but it's really not that hard.
And then there are methods offered by third parties, such as plugins or software-as-a-service (SaaS).
A good WordPress security system will use all of the above. So let's get stuck in.
Via the WordPress dashboard
Use strong passwords
Most of what follows is in no particular order, but I have deliberately put this item first because it's the most easily implemented and the most often breached by hackers.
If you don't do anything else, do this.
According to research, there is an extraordinary number of WordPress users who use passwords such as 'abcd1234' or 'admin' or 'qwerty' or 'root' or, simply 'password'. You may laugh or roll your eyes, but there's a known stock of about three dozen common passwords and variations that hackers can try to gain access to your site. And they work frequently enough to make it worthwhile.
The answer is for you (and all users of your site) to use strong passwords. A strong password has at least 13 characters and features a random mix of upper and lower case letters, numerals and extended characters (extended characters are the characters, or glyphs, you get when you press the Shift or Option key in combination with a letter or number on you keyboard e.g. !, @, #, $,% and so on).
Better yet, use a password generator or a password recipe. If you're concerned about losing your password, record it in a notebook, on your phone, or even stick it to your computer. Obviously sticking passwords to your computer is not the usual advice, but in this instance it's a calculated risk: better to have a strong password that you can use, than to implement a simplistic password because it's easier to remember. Remember, the goal here is to lock out hackers, not prevent burglars: the two are rarely the same.
Ideally, use a password manager such as 1Password, KeePass or LastPass.
Don't procrastinate. Change your password now.
Update themes and plugins
Vulnerabilities in themes and plugins account for a whopping 68% of all malicious attacks. Most conscientious theme and plugin developers keep their products up-to-date and fix any security holes as soon as they can. But you still have to do your part by updating the themes and plugins to the latest versions.
If the theme or plugin in question is available from the WordPress public repository, then it can probably be updated simply by pressing the Update link in Plugins > Installed Plugins > [Plugin name] Update. Themes available from the WordPress public repository can similarly be updated from Appearance > Themes > [Theme name] Update.
If you have premium plugins from a merchant service like Code Canyon or if you've purchased or downloaded it direct from the developer, then you may need to download it from the source and reinstall it manually.
You may find that a plugin or theme has been discontinued and is no longer being updated by its developer. If that's the case, you really need to start thinking about a Plan B. In most cases, you'll be able to find a plugin that does much the same thing as the one that is being discontinued and it's just a matter of swapping the new plugin for the old one. A discontinued theme might be more of a challenge and may signal a time to think about a website revamp.
Keep the WordPress core up to date
The core of WordPress is also vulnerable to attack; thankfully, with such an active community of programmers, most threats are locked out and patched as soon as they appear. However, for those patches to have any effect, you must keep WordPress up to date.
You'll be notified of available updates in the menu bar of the WordPress dashboard; simply choose Update and the core will automatically update itself.
You can also enable automatic updates via a small line of code in the wp-config file (see Part 2 in this security series). Be aware that themes and plugins can cease to function if they're not kept in step with WordPress updates by their respective developers.
Ditch the 'admin' administrator
In older versions of WordPress, all installs required a root user or administrator called 'admin'. Consequently, the admin username became a target of hackers. Since version 3.9, the admin username is no longer a default, but it is still widely used nonetheless.
Predictable user names are a gift to hackers: the default login requires a username and a password, and if you use something well known such as 'admin' then you've gifted the hacker half of the puzzle. Further, hacker bots are out and about looking specifically for 'admin' usernames for precisely this reason; use a different username and most of these bots will pass on by.
Keep things tidy
If you're a bit of an experimenter, chances are you've got more than a few plugins installed that are not being used, may not even be activated. Same could be said of themes, images and other media such as audio or video clips. If they're not being used, delete them. A lot of infections can sneak aboard with older plugins and themes — if you have themes or plugins lying around that are not be actively used, then chances are they're not up-to-date and are thus more prone to security holes.
In this series ...
If you’re already a customer of saso.creative (and even if you’re not), we’ve got a Special Offer for security audits and security planning. We review many of the potential security breaches detailed in these three articles on WordPress security, provide you a report of suggested improvements, and implement any or all of those suggestions as appropriate.