Essential WordPress Security – Part One


One of the most pernicious myths about WordPress is that it is vulnerable to hackers. As the most popular Content Management System, running almost 60% of all websites that use a CMS, there will always be some WordPress sites that are no longer actively maintained or whose owners are simply unaware of what they need to do, so, yes, we will keep hearing about hacked WordPress sites.

NOTE: If you stumbled across this post looking for a security service that will clean your hacked site, then utilize this excellent WordPress Malware Removal Service by MalCare, one of the best security services out there. It will clean your website in a jiffy.

The truth is, however, that the vast and extremely active WordPress community, who follow the latest security trends and spring into action whenever they discover a vulnerability, make WordPress the most secure CMS if you follow a few simple steps.

In this short article, part one of a 3-part guide, we outline the first six essential security measures you should consider implementing right away. Each of the two following installments will lay out six more steps towards making your WordPress site as safe as Fort Knox.

1. Use a Custom Login Username

Older versions of WordPress insisted that the admin username always be “admin”, but now you can choose any username you want, meaning that attackers have to guess not only your password but also your username.

Out of habit, some people still use admin, but we recommend choosing something different when you are setting up a new installation of WordPress.

The easiest way to change the admin username in an existing installation is to create a new admin user and delete the old one.

If you are a more advanced user, you can use phpMyAdmin to change the admin username in the database.

You can also find plugins that will do the same thing, such as Username Changer.

2. Change your Login URL

Whenever you examine the server logs for an active WordPress site, you will see that the usual WordPress login page, wp-login.php, is continuously bombarded with hits. These come, almost entirely, from automated bots hoping to find a WordPress installation with a weak password, allowing them to take control of it.

These bots are pretty dumb; they keep looking for a wp-login.php and, when they find one, they keep hammering it with tens of thousands of login attempts per hour. The beautifully simple solution: change your login URL.

Again, as with almost anything else you can think of, there’s a WordPress plugin for that: Rename WP Login plugin.
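As an added example (not code from the original post or from WP Mayor), the following Python script does the kind of server-log examination described above: it parses Apache/nginx “combined” format lines, counts POSTs to wp-login.php per source address, and flags addresses with repeated failures. The log lines are constructed samples, the addresses are documentation ranges, and the “HTTP 200 on a POST means the form was re-rendered, i.e. a failed attempt” rule is a heuristic based on how stock WordPress answers a login POST (200 with the form on failure, 302 redirect on success).

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format; not real traffic.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "GET /about/ HTTP/1.1" 200 8891 "-" "Mozilla/5.0"
"""

# Fields of the combined format we care about: client IP, timestamp,
# request method and path, and the HTTP status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop any query string
    return rec


def login_stats(lines, login_path="/wp-login.php"):
    """Count POSTs to the login page per source IP.

    Heuristic: WordPress re-renders the form with HTTP 200 when the
    credentials are wrong and answers a successful login with a 302
    redirect, so a 200 on a POST is counted as a failed attempt.
    """
    stats = defaultdict(lambda: {"posts": 0, "failed": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        stats[rec["ip"]]["posts"] += 1
        if rec["status"] == 200:
            stats[rec["ip"]]["failed"] += 1
    return dict(stats)


def suspicious_ips(stats, threshold=3):
    """IPs with at least `threshold` failed login POSTs, most failures first."""
    hits = [(ip, s["failed"]) for ip, s in stats.items() if s["failed"] >= threshold]
    return [ip for ip, _ in sorted(hits, key=lambda x: (-x[1], x[0]))]


if __name__ == "__main__":
    stats = login_stats(SAMPLE_LOG.splitlines())
    for ip in suspicious_ips(stats):
        print(f"{ip}: {stats[ip]['failed']} failed of {stats[ip]['posts']} login POSTs")
```

Run it against a real access log by replacing `SAMPLE_LOG.splitlines()` with the lines of the file; if you have renamed the login URL as the section suggests, pass the new path as `login_path` and anything still hammering the old one is, by definition, a bot.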

3. Limit Login Attempts

Another way to stop attackers hammering your login page with different passwords is to limit the allowed login attempts to a number that would be enough for a human with sloppy typing to eventually get it right, perhaps five attempts, and then block any further login attempts for, say, 20 minutes.

Sure, having to wait 20 minutes would be an inconvenience if the attempts were being made by a human but, honestly, if you get your password wrong five times you should probably spend that 20 minutes calling a doctor and making sure you haven’t had a stroke.

For an automated script attempting to brute force your password, however, 5 attempts are nothing. If they have to wait 20 minutes for every 5 attempts, by the time they access your site mankind will have evolved into musical notes.
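The lockout policy just described (five failures, then a 20-minute block) is simple enough to show in full. The Python below is an added example, not code from the original post or from any WordPress plugin; it keeps the counters in memory and takes an injectable clock so the lockout expiry can be exercised without waiting 20 minutes. The key can be the client IP, the username, or both concatenated, which is a choice the reader makes; `max_guesses_per_day` just works out what the numbers in the text mean for an automated guesser.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Lock a key out for `lockout_seconds` after `max_attempts` consecutive failures."""

    def __init__(self, max_attempts=5, lockout_seconds=20 * 60, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout = lockout_seconds
        self.clock = clock                 # injectable for testing
        self.failures = defaultdict(int)   # key -> consecutive failures
        self.locked_until = {}             # key -> clock value when the lock expires

    def is_locked(self, key):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock has expired: forget it and start counting from zero again.
            del self.locked_until[key]
            self.failures[key] = 0
            return False
        return True

    def record_failure(self, key):
        """Register a wrong password; returns True if the key is now locked."""
        if self.is_locked(key):
            return True
        self.failures[key] += 1
        if self.failures[key] >= self.max_attempts:
            self.locked_until[key] = self.clock() + self.lockout
            return True
        return False

    def record_success(self, key):
        """A correct password clears the failure history for the key."""
        self.failures.pop(key, None)
        self.locked_until.pop(key, None)


def attempt_login(throttle, key, password_ok):
    """Wire the throttle around a password check; returns 'locked', 'ok' or 'failed'."""
    if throttle.is_locked(key):
        return "locked"          # do not even evaluate the password while locked
    if password_ok:
        throttle.record_success(key)
        return "ok"
    return "locked" if throttle.record_failure(key) else "failed"


def max_guesses_per_day(max_attempts=5, lockout_seconds=20 * 60):
    """Upper bound on guesses one key can make in 24 hours under this policy."""
    cycles = 86400 // lockout_seconds
    return cycles * max_attempts     # 5 guesses per 20-minute cycle -> 360 per day


class FakeClock:
    """Manually advanced clock used in place of time.monotonic for the demo."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    key = "203.0.113.7:admin"   # constructed sample key: client IP plus username
    print([attempt_login(throttle, key, False) for _ in range(6)])
    clock.t = 20 * 60            # jump forward 20 minutes
    print(attempt_login(throttle, key, True))
    print(max_guesses_per_day(), "guesses per day at most")
```

Keying on the IP alone lets a single user lock themselves out without affecting others, but a distributed bot net sidesteps it; keying on the username alone means a bot can lock the real owner out. Keying on both, as in the demo, is the usual compromise, and the counters belong in shared storage (a database table or transient) rather than process memory on a real multi-process PHP host.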

4. 2FA – Two-Factor Authentication

Adding two-factor authentication to your WordPress login, in addition to your username and password, means that anyone attempting to gain access to your site’s backend must have access to your phone or some other computing device on which you have installed your 2FA app.

Many people use an app such as Google Authenticator on their phone to supply a TOTP: a Time-based One-time Password. Every minute, the app provides a new six-digit code, based on a secret algorithm, that will expire by the end of that minute. No one can log in to your site without the current code, so, unless they can somehow get hold of your phone and one of your fingers to unlock it, that route is closed to them.

You can also use a TOTP-enabled password manager on your tablets and desktop or laptop computers, providing the same constantly changing codes right next to your passwords.

5. Reliable Hosting

According to WP WhiteSecurity, 41% of hacked WordPress sites are hacked via their hosting.

Almost all Web hosting is terrible, a triumph of marketing over technical realities. Even if you diligently follow all the steps to ensure that your installation of WordPress is as secure as you can possibly make it, hackers can still gain control of your site via vulnerabilities in the hosting.

It does not matter how much you pay, it does not matter how much the company advertises, it does not matter how big the brand seems to be, it does not matter how vehemently they claim to be “WordPress experts”. The reality that we see, time and time again, is that the vast majority of hosts have no idea what they are doing.

Their primary skill is to tell you, when your site does get hacked or deleted, that it must be your fault because you installed a plugin or theme they are not familiar with. That is an excuse you can build an entire industry on because, of course, what WordPress user doesn’t install a plugin or theme?

After 8 years running this site and dealing directly with users on almost every type and brand of hosting out there, the editorial staff of WP Mayor have seen only four companies who configure their servers securely and who have the expertise to actually handle problems when they do crop up:

If you are on a tight budget, SiteGround has a good reputation for well-managed and well-supported shared hosting at a good price. They are by far the best at that price level. Consider, in particular, their GoGeek level.

If, on the other hand, absolute reliability and performance are more important to you than price, WP Engine provides managed WordPress hosting at a reasonable price. We use them for all of our most important sites, the ones that generate money.


For truly cutting-edge hosting, built on Google’s infrastructure, consider Kinsta. They are not cheap but they are the best if you want to be able to scale quickly.

For WooCommerce hosting, Liquid Web is innovating and focusing on the specific needs of e-commerce more than any other host.


6. Prevent Directory Indexing

If a folder on a Web server does not contain an index.html or index.php file, visitors to that part of your website can sometimes see the folder contents. This means that the server has been configured to allow directory browsing, which can be helpful in some situations but, if your site is public-facing, is also a gaping hole that allows hackers to search around for files with known vulnerabilities.

Experienced WordPress hosts, such as the ones we recommended above, will not host users on servers that have not been configured properly, but if you are using any other host you should check to make sure that directory indexing has been disabled.

You can test for this by creating a folder in your root directory and uploading an image file to it. Then enter the URL for that folder into your browser. If you see a message telling you that you don’t have permission to view that directory, success, everything is fine.

If, however, you see a simple white page with your image file helpfully listed, well, that means that the server has been configured to allow directory indexing. You should contact your host’s support and ask them to prevent directory indexing for your site.

If your host’s support is unable to do this (don’t be surprised, many of the “technicians” you chat with are just call center workers following a script in low-wage countries), you can do it yourself by simply uploading blank index.html files to each directory that can be viewed. Now hackers will see your blank index file instead of the folder contents. You can even place a cheerful message for them on your index file!

A more technical but neater fix would be to find the .htaccess access file in the root directory and edit it to include this line:

Options -Indexes

That will prevent directory indexing, but be aware that later changes to your .htaccess file, by WordPress or other scripts, might remove that line and leave you wide open again. For that reason, it is better to get the host to configure the server properly.
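Because the warning above is real (an Options line in .htaccess can be overwritten by WordPress or another script), it is worth being able to check both things mechanically: whether the .htaccess text still turns indexes off, and whether a folder response looks like a listing. The Python below is an added example, not code from the original post or from WordPress. `htaccess_disables_indexes` follows Apache’s rules for the Options directive (a `+`/`-` prefixed form adjusts the current set, an unprefixed form replaces it, and the last matching directive wins), and it rejects unknown option names, which is exactly what Apache does with the en-dash that copy-paste often turns the hyphen into. `looks_like_directory_listing` recognises the “Index of /…” page that Apache’s and nginx’s autoindex modules produce; feed it the status and body you get back from the folder URL test described earlier. All inputs in the demo are constructed samples.

```python
import re

# Option names Apache accepts in an Options directive (case-insensitive).
KNOWN_OPTIONS = {
    "all", "none", "execcgi", "followsymlinks", "includes", "includesnoexec",
    "indexes", "multiviews", "symlinksifownermatch",
}


def htaccess_disables_indexes(text: str) -> bool:
    """True only if the .htaccess text explicitly leaves Indexes switched off.

    Returns False when no Options directive is present, because in that
    case the setting is inherited from the server configuration and the
    file itself gives no protection.
    """
    indexes_on = None   # unknown until an Options directive is seen
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments such as "# BEGIN WordPress"
        if not line or line.split()[0].lower() != "options":
            continue
        args = line.split()[1:]
        for arg in args:
            name = arg.lower().lstrip("+-")
            if name not in KNOWN_OPTIONS:
                # Apache refuses to start with e.g. "Options –Indexes" (en-dash),
                # so surface the mistake instead of silently guessing.
                raise ValueError(f"illegal option {arg!r}")
        if all(arg[0] in "+-" for arg in args):
            # Relative form: only the listed options change.
            for arg in args:
                if arg.lower() == "+indexes":
                    indexes_on = True
                elif arg.lower() == "-indexes":
                    indexes_on = False
        else:
            # Absolute form: the listed options replace the whole set.
            names = {arg.lower() for arg in args}
            indexes_on = bool(names & {"indexes", "all"})
    return indexes_on is False


# Markers of an autoindex page as generated by Apache mod_autoindex and nginx autoindex.
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.IGNORECASE),
    re.compile(r"Parent Directory", re.IGNORECASE),
)


def looks_like_directory_listing(status: int, body: str) -> bool:
    """True if an HTTP response to a folder URL appears to be a directory listing."""
    if status != 200:
        return False
    return any(marker.search(body) for marker in LISTING_MARKERS)


if __name__ == "__main__":
    # Constructed sample .htaccess in the shape WordPress writes, plus the fix.
    sample_htaccess = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
</IfModule>
# END WordPress
Options -Indexes
"""
    print("indexes disabled:", htaccess_disables_indexes(sample_htaccess))
    sample_body = "<html><head><title>Index of /wp-content/uploads/test</title></head></html>"
    print("listing exposed:", looks_like_directory_listing(200, sample_body))
```

A small cron job that runs `htaccess_disables_indexes` over the site’s .htaccess and alerts when it returns False catches the “later changes removed that line” failure mode the text warns about, without depending on the host’s support queue.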

That is it for part one. We hope you find those six steps useful; stay tuned for the next two parts, each containing another six steps to bring you closer to security nirvana.

Liakat Hossain
Liakat Hossain is an eCommerce consultant and digital marketing specialist at WebAlive, a web design company in Melbourne. He has been helping Melbourne businesses grow by developing search and content marketing strategies since 2011.

9 Responses

  1. Hello
    Liakat,
    Website security is a crucial part of any website because disaster can happen to everybody, no matter whether she/he is a professional or a newbie. A website owner works a lot to achieve success and she/he can’t afford to lose all their hard work.

    The tips you have provided in this post are very informative for the WordPress website owner. The step-by-step guide from your side to secure a WordPress website is very useful.

    Thanks for sharing with us. Will share this post on my social media accounts.

    Have a great day ahead.
    Praveen Verma

  2. Thanks for demonstrating a fantastic article! That is really interesting. We all love reading and we are always searching for informative information like this!

  3. You are exactly right, Liakat. Even now there are many WordPress sites that exist with their admin URL as http://www.___________.com/wp-admin. Having a customized URL along with limiting login attempts would become an essential security wall for any website. Your data can be almost entirely protected.

    Thanks for sharing your ideas on WordPress security. You have made it very useful, even talking about some common aspects that we might have failed to pay attention to.

  4. Thanks for the informative post. Security should be of paramount concern to any blogger or website owner.

    Agreed, security plugins like Wordfence, login limits, 2-factor authentication etc. help in improving the security of a WordPress blog.

  5. Thanks. Good article. Also, it’s extremely important for security reasons that you keep the plugins updated.

    Developers keep improving their plugins by adding new features, improving code quality, and keeping them secure. These changes are then released as updates.

  6. Of course, being an open-source platform, WordPress is highly vulnerable to security threats. We must tick all the boxes to better safeguard our website data and efforts. Thanks for your detailed guide on WordPress security. With this, at least we shall take a glance at our security measures once.
