When it comes to managing your website, nothing is more important than security. If you are running a business on the internet, then securing your WordPress installation should be at the very top of your priority list! There is so much to say on this topic, but I have picked some of the most broad and easily-executable tips and outlined them here. If you are looking to improve security, this this is a great place to start.
Prepare For A Rainy Day With Backups
Your first lesson in security should be knowing that the security landscape is constantly changing, and that you should never consider yourself 100% secure. Even if you are doing everything right, you should always have a backup plan. If your website is important to you, then you need to be performing regular backups.
1. Remote Server Backups – Always store backups remotely. It’s foolish to store backups on your production server! There are some really simple ways to perform regular backups using standard server software, such as WHM. I would also recommend R1Soft for incremental backups.
2. Remote WordPress Backups – If a daily full-server backup is not an option, the very least you should be doing is backing up your WordPress database. There are many free and commercial plugins out there that can handle this for you. I would highly suggest using one that allows for remote storage. If you have to use FTP for file transfer, use FTPS or SFTP. Unencrypted FTP should probably be disabled on your server anyway.
3. Use a Redundant RAID Array – You should be using a host that stores your information on a redundant RAID array, such as RAID 1 or RAID 10. Hard drives fail all the time, it’s simply a reality of the hardware. Using a RAID that mirrors your data across multiple drives will greatly reduce the risk of data loss.
Securing Your Internet Activity
Good WordPress security starts in your own home. Not only does your website need to be secure, but so do the methods in which you connect to it. Connecting to your server or WordPress Dashboard in an insecure manner will put everything at risk.
1. Use A Secure Network At Home – If you are using Wifi at your home or office, then I would suggest setting up a private WPA2 network with a strong, randomly-generated name and network passphrase. For additional protection, you can employ “security through obscurity” methods such as enabling MAC Address Filtering.
2. Use An Encrypted VPN Connection Over Public Wifi – Generally speaking, it’s best to never log in to a sensitive area such as your WordPress Dashboard when connected to the internet over public Wifi. If you are using your laptop or phone over a public network, always run your connection through an encrypted VPN and make sure that you are signing in to your website over SSL. You can purchase a VPN from StrongVPN.com.
Securing Your Personal Computer
Your network is secure, but what about your physical computer? It’s incredibly important to keep your computer clean of spyware, malware and viruses.
1. Virus Protection and Firewall – There is no sense in having secure passwords if your computer can be easily infected with malware that can access your sensitive information and spy on your internet activity. Be sure that your computer is running trusted Anti-Virus, Firewall and Malware software. I have had good success with Kaspersky and Malware Bytes. Both should be configured to automatically update and scan your computer daily.
Securing Your Online Accounts
You can be doing everything right, but still get hacked from a brute force attack because your password is weak. You can also have a strong password, but still get hacked because you stored it insecurely.
1. Password Generation – Every login you use should have a unique, randomized password with at least 8 characters. Your password should include capital letters, numbers and special characters.
2. Store Your Passwords Securely – If you have 20 randomized secure passwords, how do you remember them? If you plan on storing your passwords somewhere that you can reference, do so in a secure manner. If you are using OSX, try creating a new Authentication keychain and make a new secure note set to automatically log out after 5 minutes. If you are using Windows, try creating a secure OneNote file set to automatically log off after 5 minutes as well. You might also try using online services such as LastPass, or you could also encrypt your own files using an encryption software such as Truecrypt.
3. Reset Your Passwords Regularly – Your passwords should be changed on a regular basis. It’s best to set up a reminder on your calendar to reset all of your passwords every month or two.
Avoid Phishing & Social Engineering Schemes
Sometimes getting hacked has nothing to do with your website or your computer, but with your insecure communications. These types of attacks are often called phishing or social engineering scams. The “Nigerian Prince Scam” is the classic example of a phishing scheme.
Be Wary Of Phishing Attempts – Commonly, phishing attacks come in through email. They often target large companies blindly, such as WordPress or Hosting companies. A simple Whois lookup could provide insight into your hosting company, and a look at your website will reveal that you are running WordPress. An easy attack on such a website would be to pose as an employee from your hosting company, warning you about an issue with their WordPress installations and requesting your Login details so that they can fix it. Don’t fall for it! No respectable company will randomly request your login credentials. Phishing attacks will often send out mass emails like this to potential targets, hoping that a few people fall for their trickery.
Securing Your WordPress Installation
I bet you were wondering when we were finally going to talk about WordPress! There are many good practices that you can subscribe to that will help keep your installation more secure. The WordPress codex has a great entry about Hardening WordPress.
1. Update WordPress, Themes & Plugins – One of the most important things you can do is keep your software up to date. Whenever there is a new version of WordPress, or a new version of one of your themes or plugins, update them as soon as possible. This goes for your inactive themes and plugins too. Keep them updated, or if you don’t plan on using them any time soon, delete them so you don’t forget to update them.
2. Update WordPress, Themes & Plugins – Seriously, do it!
3. Force SSL On Login – If your server has an SSL certificate, then you can use https when logging in to your WordPress Dashboard. I would recommend forcing login over SSL by editing your wp-config file using define(‘FORCE_SSL_ADMIN’, true);
4. Change Admin Username – This shouldn’t be a big issue if you are using a truly strong password, but none-the-less changing your username to something unusual makes brute force attacks much less likely to succeed. You can change your Administrator login by created a new Administrator via the Users > Add New tab in wp-admin. Once created, you can delete the default user.
5. Perform Daily Malware Scans – Ideally you wont get hacked if you are running your website securely, but as mentioned in the beginning of this article, it’s impossible to be 100% sure. Running daily malware scans can help notify you if a hacker has successfully exploited your website to do something malicious by detecting suspicious code on the frontend. Sucuri is a great choice, especially considering they have aligned themselves with the WordPress community a bit more than the average security company.
6. Limit Login Attempts – If you have a secure password and admin username, then you should be fairly safe against brute force login attacks. Just in case, however, you can also limit login attempts. There is a great plugin that will do the job for you.
7. Disable Administrative File Editing – In the unfortunate event that someone gains access to your WordPress Dashboard, you should try and limit the resources they have to do damage. Using the WordPress Editor to modify your theme’s PHP files is an easy way to execute malicious code on your site and effectively let the hacker do whatever they want with your website. These editing capabilities can be disable in your wp-config file using define( ‘DISALLOW_FILE_EDIT’, true );
8. Use Security Plugins – There are a few great security plugins out there that will do a lot of the work for you when it comes to hardening your WordPress installation. I would give WP Better Security a try – it helps handle most of the things mentioned here, and more.
Thanks Nick for this informative article. I’ve been learning more and more about security since the “brute force attack outbreak” several months back. I’ve implemented a lot of the things here when it comes to WordPress, but I could definitely improve some things when it comes to securing my network and resetting my passwords on a regular basis. So thanks for the tips!
My recommendation for a backup solution is BackupBuddy by iThemes. It regularly backups your site and sends to an offsite server, and then it also does malware scans. It’s also useful for moving a WordPress site to quickly set up a test site to test new plugins, etc.
The last thing I’d like to say is I also highly recommend the “Limit Login Attempts” plugin that you mentioned. Not only does it help prevent the brute force attacks from successfully logging in to your site, but it also limits the amount of times they can attempt (hence the name). Correct me if I’m wrong, but I’ve been told that brute force login attempts put a big strain on your server, and locking the bots out after a few attempts will prevent that from happening.
Thanks for the recommendation – I linked to Backup Buddy in the post and have heard good thing. Brute force attacks have certainly strain a server, just like any other burst in traffic can. Using a Firewall can help ban the IP addresses that the attacker is using before they put too much load on the CPU. A simple software Firewall like CSF is easy to implement.
You could always use something like fail2ban and iptables to do a similar job.
Very Good article Nick!!! Very useful tips for website security. Thanks for share
Regarding #4 and removing the default “admin” account. I did that to all my blogs, and I also installed this plugin.
“Limit Login Attempts”
This is cool, because it will block too many failed attempts. So far all it’s finding is folks trying “admin”, but it will pick up the odd attempt at something else. Probably not foolproof, because it works by cookies, but I figure it can’t hurt to use it.
Better than nothing 🙂 Maybe there is a solution that bans by IP instead of cookies out there. I surprised that Limit Login Attempts doesn’t do this, but I haven’t looked into it.
Fail2ban works well
Very useful information. Thanks a lot.
“Folllwing”? Where did attention to detail go?
Sorry…
great article, but major typo in the heading.. “Folllwing These Simple WordPress Security Tips Could Help Save Your Website”
Thanks Jamie, looks like I hit that publish button a little too quickly 😉
One more typo: Be Weary of Phishing Attempts. Yes, I am weary of phishing attempts, but I think you meant to say Be Wary.
Great article with good, solid recommendations. Thanks for taking the time to put it together.
Thanks Glen.
Right-on Nick! Thanks for the helpful tips. This is a post worth bookmarking 🙂
Not a surprise that WP Better Security is on your list.
I’m using it .. and .. it simply works !
(It is amazing to see the Logs .. and how many times people are trying to login .. with the “admin” role .. amazing ..)
Cheers
Eric
There are tons of bots out there scouring the internet for a lucky break 🙂 (in other words, a weak password).
Update, backup, ensure redundancy, make it harder for the bad guys. You make very good points. I’m often amazed at how often people take none of these steps.
Here are some password tips, too: http://goatcloud.com/2013/03/01/password-protection/
and some tips in case your email is hacked: http://goatcloud.com/2013/06/17/what-to-do-if-your-email-account-is-hacked/
in case they’re of use to fellow ETers.
Thanks for the resources Cliff, I am sure they are appreciated by the community 🙂
Great Article.
Has anyone tried 2 part authentication by using something like Google authenticator on your WordPress site.
http://wordpress.org/plugins/google-authenticator/
Yep, I use Google Authenticator on several sites. I’ve noticed Dreamhost offers it too for logins to your account dashboard.
I just learned about Clef and am trying that on a few sites too. It seems easier for an end user to use, but its Single Sign On (SSO) nature, for me, makes it a little “too convenient” for me to use with admin accounts on multiple sites. I just might be overly cautious.
I also played with LaunchKey (sorry, too lazy to find the URL) and it holds promise but I found their 1.0 version too buggy. I haven’t tried the latest release yet.
Hey Glen
Unfortunately GoDaddy doesn’t offer two part authentication in the UK yet (however available for USA).
http://support.godaddy.com/help/article/7502/enabling-twostep-authentication
Dream host does offer it via the Google App: http://wiki.dreamhost.com/Enabling_Multifactor_Authentication
Thanks Nick … I appreciate the informative blog articles you have been delivering lately. All these small efforts create such a better ET community. 😛
Thanks Chris, we always try hard to provide value to our customers, even if that value isn’t in the form of a new theme!
Very Good article Nick. thanks for share
Wow!!! Just wow, this is really helpful. Thanks so much.
Excellent article, Nick.
I’d like to add a suggestion for stopping most brute force login attempts and also keeps your server from being overloaded by those attempts:
Password protect wp-login.php.
There are good instructions here: http://codex.wordpress.org/Brute_Force_Attacks
That technique will make for two step login process but, assuming you use different usernames and passwords, it makes it a lot harder to hack your site and also prevents the php and mysql queries that are a burden on the server from taking place until you’ve authenticated using http basic auth first (which is a light load).
Handy set of tips. Thanks for sharing it.
Thanks ver much
thank to your tips. i was ddos. and i use IOSEC HTTP Anti Flood Security …. Share to all your friend
Thanks for the great article Nick! We also use Wordfence on virtually all of our sites to help ensure we are covered. We like the notification feature when something is happening on one of our sites that we have set up alerts for. It also helps keep us current on plugin updates, etc.
Good security tips It will help us to secure our Word press installations
A great addition to limit login attempts is Stealth Login Page. This will mask the wp-login/admin url to only you know. This way bots/software will be redirected when they visit site/wp-admin. It’s not foolproof, but will save you from a lot of login attempts (before they occur)
Thanks for the tip Mark.
Thanks for this amazing article on wordpress security, you have been shared some wordpress plugins too for security, but I am afraid if they will make heavy load on CPU or website gets slow? Also write about how to speedup your wordpress site or blog.
I wouldn’t expect the recommended plugins to put excessive load on the CPU.
Thanks for this, Nick. I’m running a series of church websites built on WordPress and we had a 10,000 login attempts per site attack. In discussion with the server provider, I’ve installed the Rename wp-login.php plugin, which allows me to rename the wp-admin file. Job done!
Thanks for the suggestion Lawrence.
Hey Nick,
first of all thanks for sharing the article. Creating backup time to time is the most important and plugins like Captcha can also helps to secure our wordpress login.
Thanks for sharing that. Really informative and helpful article. 🙂
I wish i saw this when it was published! I just got hacked! Had to pay bluehost to remove all the malware and now i have to reinstall ET on my sites!
Thank you for this article and the helpful comments. I am having some serious issues with 2 of my wordpress sites with elegant themes being hacked recently. Both have inserted viagra and cialis ad text and I am having a hard time cleaning and keeping clean.
Creating backup time to time is the most important and plugins like Captcha can also helps to secure our wordpress login.
Thank you for sharing these helpful tips on WordPress security. Those WordPress site owners are surely delighted that information such as this is available for them. Cheers!
Thanks for posting. This is one of the best articles I have found on this topic. I love that you come at it from all the different angles. Definitely sharing a link on my blog!
I really like your blog.. very nice colors & theme.
Did you make this website yourself or did you hire someone to do it for you?
Plz respond as I’m looking to construct my own blog and would like to
find out where u got this from. appreciate it
I found a better VPN solution https://www.waselpro.com/en/. It’s much simple.
Great stuff Nick 🙂
Regarding Security has anybody else any experience of Bullet proof Security? It seems to have been pretty robust for us. Using that in combination with linmit login attempts has cetainly kept the wide boys out so far.
Has anybody else in this stream used Ryan Shaw’s WP Backup Plus? It was a really promising plugin at first but I’ve had a hideous time with it and his support team over last 6 months or more!
Cheers again,
Ray
What a great list of tips – there was several I was not aware of, and will implement right away – thanks again for a great summary!
Great tips. Thanks
Very nice really.
Thanks sir.
Regards
Hi, Love the article. I used Better WP Security. But after the update to ithemes security it broke all of my websites. All themes and plugins (i use Divi) were gone. What do you think of ithemes security?
I don’t know what i did wrong.
Best security with IP and country blocking, limits login attempts and monitors 24/7 … http://www.wordfence.com/ They have free and paid versions. Would’t host WP sites without Wordfence!
Great tips.
Thank you for sharing.
Works like advertised, just had to remove manually the content of folders with “Identities” and “Address Book”. Nothing major, most important is that the DLLs and EXEs are out.
One step closer to a more secure environment. I also blocked all sites for IE and am using exclusively Firefox and Thunderbird now.
Thanks a lot !
Nice tips. It is a good idea if you can put your entire website under the https:// protocol. After the new google updates a lot of peoples ware talking, about SSL and HTTPS certificate, if you use them on your website you can get better rankings.
The downside is that if you use the https:// protocol your website may load slower the before.
Addition to this tips, i would recommend “Anti-Malware and Brute-Force Security by ELI” plugin.
It’s free, easily cleand and rescue your site if its infected somehow.
Great article Nick, thanks for the points, I’ll be working through these to make sure I have everything as secure as possible. I currently use Wordfence, and I think it’s a fantastic plugin. It offers a number of options including a limit on login attempts. I’ve already found a number of attempts at accessing my site, but feel pretty secure with Wordfence. Just wanted to share. 🙂
I am new member to Elegant Themes but have been signed up to receive your posts for a quite a while. I am glad I joined because not only do you create excellent themes but you also go the extra mile by creating really useful posts like this!
BTW I use myRepono (http://www.myrepono.com) to back up my clients sites, it is fairly easy to install on each site, cost effective and most importantly if you do ever have an issue with a site you can restore it to a previous version with a single click. Also I think it is good to have a backup with a thirdparty.
I would also second XtraMark’s suggestion of WordFence, we use this and have found it excellent. We also have a reseller subscription with Stop The Hacker that provides us with account monitoring for malware injections etc
I have also found it useful to secure your wordpress installation through your mysql, changing the default table names and such.
Great information, Nick!
For non expert bloggers and coders, I suggest installing a WordPress plugin, to make things easier.
I found “Wordfence Security” plugin a free solution to secure blogs and make them faster.
Tested and happy with it!
Thanks for the share.
I am reading a lot about changing the WP table names prefix to help in security. Is this of value? Does it affect the install of your themes at all?
Thanks!