According to WordPress.org there are over 60 million WordPress users and over 30% of all websites are running on WordPress. That’s an incredibly large footprint. I’ve been a WordPress user since 2012 and host multiple WordPress sites for different purposes. As much as I enjoy using WordPress, out-of-the-box it is not the most secure system.
In this post I’m going to share five tips that can dramatically improve the security of your WordPress site.
1. Configure your site with https
If you’re not familiar with web protocols you might wonder about the difference between http and https. I’ll keep this high-level so I don’t lose readers who might already be wondering if this post is for them.
HTTP vs. HTTPS
Browsers request pages from web servers using one of two protocols: HTTP or HTTPS. HTTP stands for Hyper Text Transfer Protocol. In non-technical terms HTTP is simply the way web servers and web browsers exchange information about web pages. HTTP has been around since the early days of the internet and has improved a lot over the years, but one problem remains: all data exchanged using HTTP is unencrypted.
If you think of the internet like a postal system, using HTTP is sort of like sending a post card. Everyone involved in delivering that post card can read what it says. Most people handling the post card probably don’t care what it says or are too busy to stop and read it, but they could if they wanted to.
HTTPS, short for Hyper Text Transfer Protocol Secure, is also used to exchange information about web pages. With HTTPS all the data exchanged is encrypted. Now, instead of sending a post card it’s more like you’re communicating with sealed security envelopes that can only be opened by the intended recipient. This makes it nearly impossible for anyone delivering the message to read its contents.
Why should you care about HTTPS?
“So what?” you’re thinking. “My blog is only exchanging information I want the general public to consume anyway. I don’t really care if it’s encrypted.” That may be true at first glance. However, all of the information exchanged using HTTP is unencrypted, and that includes your administrator login and password every time you log in!
If you think back to our analogy of the postal system, would you rather send your login credentials on a post card or in a sealed envelope?
One more advantage of HTTPS is search engine ranking. Quite some time ago Google announced their search results would favor sites using HTTPS over sites using HTTP. They did that to encourage the use of HTTPS with the goal of making the internet more secure.
2. Do NOT use “admin” as your administrator login
Brute force attacks are one of the most common attacks on WordPress sites and they usually target logins like “admin” or “administrator”. Simply put, brute force attacks are repeated attempts to log in to your account using common or known usernames and passwords. One of the first usernames they will try is “admin” or “administrator”.
Bloggers who are unaware of this fact often set up their administrator account using a username like “admin” with a password that is easy to remember and unfortunately also easy to guess.
Taking the precaution of using an administrator username that is not obvious immediately reduces the likelihood of becoming a victim of a brute force attack.
3. Use strong passwords
A great way to reduce the likelihood of brute force attacks succeeding is to use strong passwords for all your accounts. A strong password is one that is easy to remember, hard to guess, not a word in the dictionary, and not used anywhere else. Unfortunately we all have so many online accounts it’s nearly impossible to meet all those criteria.
Here are a few methods to help you maintain strong passwords.
Use a password management system
Password management systems are one of the best ways to maintain strong passwords. Essentially they are just databases of your login credentials. Most can generate new passwords and keep track of them for you so you don’t even have to remember them. That allows you to use passwords that are nearly impossible to guess, are not reused, and can quickly be accessed by you. An example of a machine generated password is “Nd0a7%cC6&Td”. That’s quite a bit harder to guess than your mother’s maiden name or some combination of your birthday.
Password management systems generally come in two forms: local systems and online.
Local password management systems
Local password management systems only store your credentials on your computer. Their advantage is they are only accessible to people with access to your computer. On the other hand, that means if your computer is stolen, destroyed, dies, or you just don’t have immediate access to it, you may not be able to log in to your accounts.
Online password management systems
The advantage of an online system is the ability to access your passwords from multiple devices and locations. Some of them even allow you to share passwords with people you trust. For example, you and your spouse could share your bank account credentials using such a system. The biggest drawback to online password management systems is that your credentials are stored in the cloud and therefore could be compromised if the management system’s database gets exploited. To mitigate that risk, look for an online password management tool that encrypts your passwords before storing them.
There are lots of password management tools available. If you’re not already using one I encourage you to do a little online research and find a tool that works well for you.
Use machine generated passwords
If you’re still not convinced you should be using a password management tool at least consider using machine generated passwords. These are random character strings generated by websites or other tools. In fact WordPress will generate passwords for you so you don’t have to go far to get a machine generated password.
Use variations of passphrases
If you’re really not into machine generated passwords, at least do something to make your password difficult to guess. Before I moved to a password management system I would think of a sentence I could easily remember and then convert it to a password by using the first letter of each word and a few special characters.
Here’s an example. If my passphrase was “Blogging is fun and easy in 2018.” My password would be something like “Bif&ei2018.” You could also “salt” your password by adding something to the beginning or end of it, like this “Bif&ei2018.WORDPRESS”.
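As an added example (not code from the original post), here is the passphrase-to-password method above in Python, together with a simple check against the strong-password criteria from section 3 (length, variety, not a dictionary or common word). The minimum length of 12 and the short common-password list are assumptions; the scheme itself is the one the post describes.

```python
import re
import string

def passphrase_to_password(phrase, salt=""):
    """Convert a memorable sentence into a password the way the post describes:
    first letter of each word, "and" becomes "&", a word starting with a digit
    (such as a year, with its trailing punctuation) is kept whole, and an
    optional "salt" string is appended at the end."""
    parts = []
    for word in phrase.split():
        if word.lower() == "and":
            parts.append("&")
        elif word[0].isdigit():
            parts.append(word)        # keep "2018." rather than just "2"
        else:
            parts.append(word[0])
    return "".join(parts) + salt

# Constructed short list standing in for a real common-password dictionary.
COMMON = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

def check_strength(pw, min_length=12, common=COMMON):
    """Return a list of problems; an empty list means the password passes these checks."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    # Strip digits and punctuation so "password123" is still caught as "password".
    if pw.lower() in common or re.sub(r"[^a-z]", "", pw.lower()) in common:
        problems.append("is a common password")
    return problems

if __name__ == "__main__":
    for pw in (passphrase_to_password("Blogging is fun and easy in 2018."),
               passphrase_to_password("Blogging is fun and easy in 2018.", "WORDPRESS"),
               "Nd0a7%cC6&Td", "password123"):
        print(f"{pw!r}: {check_strength(pw) or 'ok'}")
```

Note that the unsalted passphrase password passes every check except length, which is exactly what the salt fixes.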
4. Install security plugins
There are two really good, free security plugins I recommend: Jetpack and Wordfence.
Jetpack is not strictly a security plugin but it’s already in use by a lot of bloggers and it offers a few nice security features. Specifically, it allows you to block suspicious login attempts and whitelist IP addresses that are allowed to log in to your site. Just be careful whitelisting because most home IP addresses are subject to change. I know mine changes several times a year.
If you’re already using Jetpack make sure you review the security tab on the settings page.
Wordfence is a free plugin designed to address lots of different security issues. Notably, it will block brute force attacks by temporarily disabling invalid login attempts after a specified number of tries. You can also configure it to immediately block attempts to log in with invalid usernames. So, if you followed my advice and didn’t use admin as your administrator login, you’ll quickly start to see Wordfence blocking attempts to access your site with the username “admin” and variations of it.
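To make the two Wordfence behaviours above concrete (and the reason section 2 tells you not to use “admin”), here is an added detection example that is not the plugin’s own code: it replays a constructed, simplified login-audit log and reports which sources would be blocked, either for trying a username that does not exist or for too many failed logins in a short window. The log format, the threshold of 5 attempts in 5 minutes, and the account name “siteowner” are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified login-audit line format (not Wordfence's own log format):
#   <ISO-8601 UTC time> ip=<address> user=<login name> result=<ok|fail>
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")
MAX_FAILS = 5                  # lock out after this many failed logins ...
WINDOW = timedelta(minutes=5)  # ... within this window (assumed values)

def parse_line(line):
    """Return (timestamp, ip, user, result), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["ip"], m["user"], m["result"]

def evaluate(lines, valid_users=("siteowner",)):
    """Apply both rules and return {ip: reason} for every source that would be blocked."""
    blocked, recent_fails = {}, defaultdict(list)   # recent_fails: ip -> failure times
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                                 # ignore malformed lines
        ts, ip, user, result = parsed
        # Rule 1: any attempt with a username that does not exist is blocked at once.
        if user not in valid_users:
            blocked[ip] = f"login attempt with invalid username '{user}'"
        # Rule 2: too many failed logins for a real account inside WINDOW.
        elif result == "fail":
            recent_fails[ip] = [t for t in recent_fails[ip] if ts - t <= WINDOW] + [ts]
            if len(recent_fails[ip]) >= MAX_FAILS:
                blocked[ip] = f"{MAX_FAILS} failed logins within {WINDOW}"
        else:
            recent_fails[ip].clear()                 # a successful login resets the count
    return blocked

# Constructed sample: one "admin" probe, five failures on the real account, and
# one legitimate user who mistypes once and then logs in.
SAMPLE_LOG = (
    ["2018-03-10T10:00:01Z ip=203.0.113.7 user=admin result=fail"]
    + [f"2018-03-10T10:01:{s:02d}Z ip=198.51.100.9 user=siteowner result=fail" for s in range(0, 50, 10)]
    + ["2018-03-10T10:02:00Z ip=192.0.2.5 user=siteowner result=fail",
       "2018-03-10T10:02:30Z ip=192.0.2.5 user=siteowner result=ok"]
)

if __name__ == "__main__":
    for ip, reason in evaluate(SAMPLE_LOG).items():
        print(f"block {ip}: {reason}")
```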
5. Keep your site up-to-date
Because there are so many themes, plugins, and custom sites running on WordPress, security vulnerabilities are being discovered and remediated all the time. This applies not only to the themes and plugins but also to the WordPress core software itself.
To keep the WordPress core up to date, you can turn on auto-updating. Doing so will automatically install the latest updates to the WordPress core when they become generally available.
Wordfence will also notify you when themes and plugins have updates available. You can also visit the plugins and themes pages in the WordPress admin to see what needs updating. Updating themes and plugins takes only a minute or two, so there’s really no excuse not to do it on a regular basis.
The standard installation of WordPress isn’t terribly insecure, but the way many people configure it leaves them open to a variety of attacks. Thankfully there are lots of easy ways to improve the security of your WordPress site.
If you’ve got other security tips feel free to leave a comment. I’d love to hear about them. If you’d like more information on anything you’ve read here, get in touch and I’d be happy to provide whatever help I can.