One thing that I often come across when working with a new client on their WordPress website is just how few security measures are implemented. It is puzzling and scary at the same time.
Why? Because around 25% of all websites run on WordPress and there are now over 51,000 plugins in the WordPress database. This makes it one of the most targeted platforms on the internet. A pretty good incentive to add additional layers of security to your WordPress site, don’t you think?
The more plugins, themes, and custom code you add to your site, the more vulnerabilities you expose your site to.
There are many ways of securing your WordPress website, beyond having strong passwords (and you do have strong passwords, don’t you?). In today’s post, I’m going to highlight the top 10 tips that are easy for WordPress newbies to implement. If you’re struggling with one of them, feel free to reach out.
1. Keep WordPress and your plugins up-to-date
This one seems pretty straightforward, but I’m surprised how often it is not followed. Sometimes WordPress developers even seem to tell their clients not to update their WordPress version so as not to “break” anything.
This couldn’t be further from the truth. WordPress keeps evolving, shipping security updates whenever fixes have been found for discovered vulnerabilities. Not updating WordPress and your plugins is like never going to the dentist: you might not experience any issues for a long time, but once the first problems arise, the fixes are painful and costly.
2. Limit plugins and delete those not in use
The more plugins you use, the more vulnerabilities you may add to your site. Besides, plugins can slow down your site, and hence hurt your website’s usability and SEO. If you see any plugins in your plugin list (e.g. Hello Dolly) that you know you’re not using on your site, delete them. Choose plugins that cover several of your requirements at once, rather than installing five plugins to do the same job.
3. Don't use "admin" as your username
Seems pretty obvious, but it bears repeating. If you keep the defaults for your login page (e.g. wp-login) and “admin” for your username, hackers already have two of the three pieces of information they need to gain access to your site. It’s like handing a complete stranger your credit card with only the CVV code blacked out. You wouldn’t do that with your credit card, so why are you doing it with your website?
If you’ve already chosen “admin” as your username, you can change it by entering an SQL query in phpMyAdmin, as described in this WordPress article under “Through phpMyAdmin”. If you’re not comfortable with this option, get a developer friend to help you.
4. Change your login page
The default login page for a WordPress site is one of these three:
- yoursite.com/wp-login
- yoursite.com/wp-login.php
- yoursite.com/admin
Changing your login page is a quick and easy way to shield your site from brute-force attacks, because these are usually automated and aimed at the default URLs. There are some plugins that can help you accomplish this. Yes, I know I said to limit your plugin use, but this one is worth mentioning. One of these plugins is called Lockdown WP Admin.
5. Limit login attempts
When you install WordPress, it usually gives you an option to “limit login attempts.” This does exactly what it says: it limits the number of login attempts, so automated software and individual hackers have a harder time brute-forcing their way into your website. If you missed the chance to limit these logins during installation, any serious WordPress security plugin or firewall should include this option.
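If you would rather not add a plugin for this, a small must-use plugin can do the same job. The following is an added example written for this post (not code from the original article or from any plugin it mentions); it counts failed logins per client IP and username in a WordPress transient and refuses further attempts for a lockout window once the limit is reached. The plugin name, constants and function names are my own, and it assumes REMOTE_ADDR is the real client address (behind a reverse proxy you would need to use the forwarded address instead).

```php
<?php
/**
 * Plugin Name: Simple Login Attempt Limiter (added example, not from the original post)
 * Drop this file into wp-content/mu-plugins/ so it loads without activation.
 * Failed logins are counted per client IP + username in a transient; once the
 * count reaches the limit, authentication is refused until the transient expires.
 * Assumes REMOTE_ADDR is the real client address (no reverse proxy in front).
 */

const SLAL_MAX_ATTEMPTS    = 5;       // failures allowed before lockout
const SLAL_LOCKOUT_SECONDS = 15 * 60; // how long the lockout lasts

function slal_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    // Transient names have a length limit, so hash the IP + username pair.
    return 'slal_' . md5( $ip . '|' . strtolower( $username ) );
}

// Record every failure; the transient expires on its own after the lockout window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = slal_key( $username );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, SLAL_LOCKOUT_SECONDS );
} );

// Priority 30 runs after WordPress's own username/password check (priority 20),
// so a locked-out pair is refused even when the password is correct.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( '' === $username ) {
        return $user;
    }
    if ( (int) get_transient( slal_key( $username ) ) >= SLAL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.', SLAL_LOCKOUT_SECONDS / 60 )
        );
    }
    return $user;
}, 30, 2 );

// A successful login clears the counter for that IP + username pair.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( slal_key( $user_login ) );
} );
```

Because the counter lives in a transient, it is per-site and survives across requests without any extra database table; failed attempts also appear in your web server logs as POSTs to the login URL, which is worth watching for spikes.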
6. Hide your author username
By default, WordPress displays the author’s login username as the author name. This means that authors displayed as “admin” probably have “admin” as their username. This can be changed in the “Users” panel, and I highly recommend heading there now to check whether you’re giving away your login usernames to hackers. If you are, change them.
7. Secure your content forms
Content forms are a vulnerability that many overlook, yet a quick Google search reveals just how often they are targeted. An attacker can upload a file (if you give that option) or inject code into your contact and feedback forms, registration forms, and password reset forms to gain access. Upon form submission, this information is usually stored in your database before it is passed on to your email address, which can pose a significant security risk.
It is therefore important to keep an eye open for security vulnerabilities in the contact forms you are using, and to update your plugins as soon as new versions are released. If you can afford it, getting an SSL certificate is recommended, as it encrypts the data passed from the user’s browser to the plugin on the server.
Additionally, requiring data validation for inputs (e.g. error messages such as “this is not a valid email address” when the @ sign is missing) and adding CAPTCHA challenges will both help improve your WordPress forms’ security.
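To show what “validate and sanitize before storing or emailing” looks like in practice, here is an added example of a minimal contact-form handler (written for this post, not code from the original article or any form plugin). It assumes a form that posts to admin-post.php with action=example_contact and a nonce field named example_contact_nonce; those names, and the length limits, are hypothetical choices.

```php
<?php
/**
 * Added example (not from the original post): a minimal contact-form handler
 * that validates and sanitizes every input before anything is emailed.
 * Assumes a form posting to admin-post.php with action=example_contact and a
 * nonce field named example_contact_nonce (both names are hypothetical).
 */

function example_handle_contact_form() {
    // 1. The nonce ties the submission to a form this site rendered; reject anything else.
    if ( ! isset( $_POST['example_contact_nonce'] )
        || ! wp_verify_nonce( $_POST['example_contact_nonce'], 'example_contact' ) ) {
        wp_die( 'Invalid form submission.', '', array( 'response' => 403 ) );
    }

    // 2. Sanitize each field: WordPress adds slashes to $_POST, so unslash first.
    $name    = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );

    // 3. Validate: is_email() is the check behind "this is not a valid email address".
    $errors = array();
    if ( '' === $name || strlen( $name ) > 100 ) {
        $errors[] = 'Please enter a name (max 100 characters).';
    }
    if ( ! is_email( $email ) ) {
        $errors[] = 'This is not a valid email address.';
    }
    if ( '' === $message || strlen( $message ) > 5000 ) {
        $errors[] = 'Please enter a message (max 5000 characters).';
    }
    if ( $errors ) {
        wp_die( esc_html( implode( ' ', $errors ) ), '', array( 'response' => 400 ) );
    }

    // 4. Build the mail from sanitized values only; no user input goes into mail headers.
    $body = "From: {$name} <{$email}>\n\n{$message}";
    wp_mail( get_option( 'admin_email' ), 'Website contact form', $body );

    wp_safe_redirect( add_query_arg( 'contact', 'sent', home_url( '/' ) ) );
    exit;
}
add_action( 'admin_post_nopriv_example_contact', 'example_handle_contact_form' );
add_action( 'admin_post_example_contact', 'example_handle_contact_form' );
```

Keeping the sender’s address in the body rather than in a Reply-To or From header is what rules out mail header injection through the form; if you need Reply-To, pass only the value that already passed is_email().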
8. Never share login details
This is not necessarily a tip related to WordPress security but rather common sense. Yet, it always puzzles me just how readily clients and sometimes even hosting providers (and no, unfortunately I’m not kidding) share login details via email, even after they’ve been burned. Sure, it’s simpler than creating new access details for everyone you wish to give access, but the outcome can be disastrous.
Sharing admin login details with others, no matter how trustworthy they seem, can pose an enormous security risk to your accounts. Sharing them via email increases this risk even further. All it takes is someone hacking your email account or a pickpocket getting his/her hands on your phone (if your phone can access your emails, and that’s true for most of us these days). Even if your emails and phone are safe, how sure are you that this is true for the recipient’s email account and cellphone?
There are a few ways to mitigate the risk, such as never sending username and password via the same channel (e.g. username via email and phone call to hand over the password) or deleting emails and text messages after the transfer of the login information.
There are additional alternatives, such as a team account with 1Password (nonprofits qualify for a 20% discount), that can help navigate these challenges even further. Every team member has his/her own login details to 1Password, and hence no sharing of login details is ever required.
9. Don't log in to your website from an unsecured wifi hotspot
Do you love editing your website while enjoying a hot cup of Java or Earl Grey at your local coffee shop? Good for you. But not for your website. Many coffee shops and public spaces these days offer free wifi to their valued customers. Unless that wifi access is protected, however, it can give eavesdroppers easy access to your sensitive data. Want to see it in action? Eric Geier did a fantastic job in the article he wrote for PC World to illustrate this visually. How do you feel about your coffee shop’s wifi now?
10. Disable Pingbacks
Pingbacks seem pretty awesome at first: they automatically alert other blogs that you’ve linked to them when you reference them in your article. WordPress switches them on by default. Yet pingbacks are often abused for Distributed Denial of Service (DDoS) attacks. Even if your site isn’t the target, these attacks can still affect it indirectly. If, for example, PayPal is under attack (as it was in 2016), it can impact your website’s shopping cart checkout if you use PayPal there.
To turn off pingbacks, go to Settings >> Discussion.
Uncheck the “Attempt to notify any blogs linked to from the article” box.
I’d also recommend unchecking the “Allow link notifications from other blogs (pingbacks and trackbacks) on new articles” checkbox.
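The two checkboxes above only change stored options, which a theme or plugin can switch back on. If you are comfortable editing your theme’s functions.php (or adding a must-use plugin), the following added example, written for this post rather than taken from the original article, pins both settings in code and also removes the pingback method from the XML-RPC interface, so the endpoint can no longer be used for pingback traffic at all.

```php
<?php
// Added example (not from the original post): disable pingbacks in code as well
// as in Settings >> Discussion. Put this in functions.php or a mu-plugin.

// Remove the pingback methods from the XML-RPC interface entirely, so requests
// to xmlrpc.php asking for pingback.ping get "method not found" instead of a ping.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the XML-RPC endpoint through the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Force both Discussion-settings checkboxes off, whatever the stored option says.
// "Attempt to notify any blogs linked to from the article" -> default_pingback_flag = 0
add_filter( 'pre_option_default_pingback_flag', '__return_zero' );
// "Allow link notifications from other blogs ... on new articles" -> default_ping_status = closed
add_filter( 'pre_option_default_ping_status', function () {
    return 'closed';
} );
```

Existing posts keep their own per-post ping status, so after adding this you may still want to bulk-edit older posts and close pings there too.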
I hope that this post has opened your eyes to a few WordPress security vulnerabilities your website might be suffering from. Hopefully you will sleep more soundly tonight after implementing these steps. If you have any questions, don’t hesitate to reach out.