One of the most pernicious myths about WordPress is that it is vulnerable to hackers. As the most popular Content Management System, running almost 60% of all websites that use a CMS, there will always be some WordPress sites that are no longer actively maintained or whose owners are simply unaware of what they need to do, so, yes, we will keep hearing about hacked WordPress sites.
NOTE: If you stumbled across this post looking for a security service that will clean your hacked site, then utilize this excellent WordPress Malware Removal Service by MalCare, one of the best security services out there. It will clean your website in a jiffy.
The truth is, however, that the vast and extremely active WordPress community, who follow the latest security trends and spring into action whenever they discover a vulnerability, make WordPress the most secure CMS if you follow a few simple steps.
In this short article, part one of a 3-part guide, we outline the first six essential security measures you should consider implementing right away. Each of the two following installments will lay out six more steps towards making your WordPress site as safe as Fort Knox.
1. Use a Custom Login Username
Older versions of WordPress insisted that the admin username always be “admin” but now you can choose any username you want, meaning that the hackers have to guess not only your password but, also, your username.
Out of habit, some people still use admin, but we recommend choosing something different when you are setting up a new installation of WordPress.
The easiest way to change the admin username in an existing installation is to create a new admin user and delete the old one.
If you are a more advanced user, you can use phpMyAdmin to change the admin username in the database.
You can also find plugins that will do the same thing, such as Username Changer.
2. Change your Login URL
Whenever you examine the server logs for an active WordPress site, you will see that the usual WordPress login page, wp-login.php, is continuously bombarded with hits. These come, almost entirely, from automated bots hoping to find a WordPress installation with a weak password, allowing them to take control of it.
These bots are pretty dumb; they keep looking for a wp-login.php and, when they find one, they keep hammering it with tens of thousands of login attempts per hour. The beautifully simple solution: change your login URL.
Again, as with almost anything else you can think of, there’s a WordPress plugin for that: Rename WP Login plugin.
3. Limit Login Attempts
Another way to stop hackers hammering your login page with different passwords is to limit the allowed login attempts to a number that would be enough for a human with sloppy typing to eventually get it right, perhaps five attempts, but would then block any further login attempts for, say, 20 minutes.
Sure, having to wait 20 minutes would be an inconvenience if the attempts were being made by a human but, honestly, if you get your password wrong five times you should probably spend that 20 minutes calling a doctor and making sure you haven’t had a stroke.
For an automated script attempting to brute force your password, however, 5 attempts are nothing. If they have to wait 20 minutes for every 5 attempts, by the time they access your site mankind will have evolved into musical notes.
4. 2FA – Two-Factor Authentication
Adding two-factor authentication to your WordPress login, in addition to your username and password, means that anyone attempting to gain access to your site’s backend must have access to your phone or some other computing device on which you have installed your 2FA app.
Many people use an app such as Google Authenticator on their phone to supply a TOTP: a Time-based One-time Password. Every minute, the app provides a new six-digit code, based on a secret algorithm, that will expire by the end of that minute. No-one can log into your site without the current code, so, unless they can somehow get hold of your phone and one of your fingers to unlock it, that route is closed to them.
You can also use a TOTP-enabled password manager on your tablets and desktop or laptop computers, providing the same constantly changing codes right next to your passwords.
5. Reliable Hosting
According to WP WhiteSecurity, 41% of hacked WordPress sites are hacked via their hosting.
Almost all Web hosting is terrible, a triumph of marketing over technical realities. Even if you diligently follow all the steps to ensure that your installation of WordPress is as secure as you can possibly make it, hackers can still gain control of your site via vulnerabilities in the hosting.
It does not matter how much you pay, it does not matter how much the company advertises, it does not matter how big the brand seems to be, it does not matter who vehemently they claim to be “WordPress experts”. The reality that we see, time and time again, is that the vast majority of hosts have no idea what they are doing.
Their primary skill is to tell you, when your site does get hacked or deleted, that it must be your fault because you used installed a plugin or theme they are not familiar with. That is an excuse you can build an entire industry on because, of course, what WordPress user doesn’t install a plugin or theme?
After 8 years running this site and dealing directly with users on almost every type and brand of hosting out there, the editorial staff of WP Mayor have seen only four companies who configure their servers securely and who have the expertise to actually handle problems when they do crop up:
If you are on a tight budget, SiteGround has a good reputation for well-managed and well-supported shared hosting at a good price. They are by far the best at that price level. Consider, in particular, their GoGeek level.
If, on the other hand, absolute reliability and performance are more important to you than price, WP Engine provides managed WordPress hosting at a reasonable price. We use them for all of our most important sites, the ones that generate money.
For truly cutting-edge hosting, built on Google’s infrastructure, consider Kinsta. They are not cheap but they are the best if you want to be able to scale quickly.
For WooCommerce hosting, Liquid Web is innovating and focusing on the specific needs of e-commerce more than any other host.
6. Prevent Directory Indexing
If a folder on a Web server does not contain an index.html or index.php file, visitors to that part of your website can sometimes see the folder contents. This means that the server has been configured to allow directory browsing, which can be helpful in some situations but, if your site is public-facing, is also a gaping hole that allows hackers to search around for files with known vulnerabilities.
Experienced WordPress, such as the ones we recommended above, will not host users on servers that have not be configured properly, but if you are using any other host you should check to make sure that directory indexing has been disabled.
You can test for this by creating a folder in your root directory and uploading an image file to it. Then enter the URL for that folder into your browser. If you see a message telling you that you don’t have permission to view that directory, success, everything is fine.
If, however, you see a simple white page with your image file helpfully listed, well, that means that the server has been configured to allow directory indexing. You should contact your host’s support and ask them to prevent directory indexing for your site.
If your host’s support is unable to do this (don’t be surprised, many of the “technicians” you chat with are just call center workers following a script in low-wage countries), you can do it yourself by simply uploading blank index.html files to each directory that can be viewed. Now hackers will see your blank index file instead of the folder contents. You can even place a cheerful message for them on your index file!
A more technical but neater fix would be to find the .htaccess access file in the root directory and edit it to include this line:
That will prevent directory indexing, but be aware that later changes to your .htaccess file, by WordPress or other scripts, might remove that line and leave you wide open again. For that reason, it is better to get the host to configure the server properly.
That is it for part one, we hope you find those six steps useful, stay tuned for the next two parts, each containing another six steps to bring you closer to security nirvana.