How To Secure Your WordPress Site: WordPress Security 101

Most hackers don’t want to steal the information you have on your websites. They want to make a stealthy move into your site in order to access the servers. They use these servers to send out spam emails, which in turn potentially helps them profit from gathering financial information from other people.

If a hacker sends spam emails from your servers it sends a red flag to ISPs and email providers. How does this affect you? You could potentially get blacklisted by the ISPs and email providers. You know that trusty email list you’ve been gathering for two years? If you send out those emails using your website’s domain, you can bet that all the emails are sent to spam folders.

The last thing you want is for your site to get hacked into, and that’s why I’ve always tried to communicate new tips, tricks and hacks for securing your sites. But, now I want to put together the ultimate guide for improving site security, in hopes that you’ll save this page and use it as a reference for all your security needs.

What Happens if Your Site is Hacked and Blacklisted?

Broken Lock

The first, and only time one of my sites was hacked and blacklisted was when I didn’t know any better. I had built a few sites for clients, but for some reason I didn’t take the same security precautions with my own personal site as I did with those (there’s something I have that makes me more prone to neglect my own stuff).

Well, it turns out a hacker gained access to my site’s servers so I eventually got blacklisted. I wasn’t aware of the compromised site for quite some time, making it even worse since the ISPs and email providers probably flagged me numerous times.

I was told by a few people that most of the emails I sent from the site were ending up in their spam, so I decided to check out what was going on. Sure enough, hackers gained access to my website, uploaded a script and were sending automated spam from my server without me knowing.

What caused the hack? It could have been that I didn’t do anything to protect my .htaccess file. It could have been that my username was “admin” and my password wasn’t all that difficult to figure out. It could have been the fact that I failed to update the plugins I used and get rid of the plugins I didn’t use.

Regardless, it cost me way too much time and money to fix the problem. Luckily, one of the only security precautions I took was to run an automatic backup of my website so I could restore lost or damaged files.

How did I fix this hacker problem? How should you go about it if you’re site has already been affected?

MxToolBox

Use the MXToolBox Blacklist tool to see if your website has been hacked in any way. If you see any problems, contact your hosting company immediately. Tell them about the problem and ask if they can help locate and remove the line of code or script that is allowing the hackers to send out spam emails.

This should typically solve the problem, but in my case I noticed that some of my files were corrupted after the script was removed. This meant I had to pay one of my more knowledgeable friends to make some tweaks and get things back to normal.

Back then I had to also pay for my hosting company to go in there and remove the script. I would assume it depends on the company you have and even if the support representative is feeling particularly helpful that day. In short, you may have to shell out some cash to fix the problem, but as long as you have your backups, some knowledge and a few buddies to help you out, you can get back up and running soon.

But even so, that whole situation is a nightmare for anyone.

Our goal is to completely prevent situations like this, so keep reading to understand exactly how to secure your WordPress website. Make sure you bookmark this guide for improving site security, and implement the steps before you get hacked (or afterwards if that’s your situation).

What Steps Can You Take to Fight Hackers?

Start With the Simple Stuff: Admin Username and Password

You know that username and password you use to login to your WordPress site? It probably sucks. No, I mean it.

Did you simply take the default username given to you by WordPress? Does that username happen to be “admin?”

The first step to securing your WordPress website is understanding that many hackers use the brute force tactic by trying to guess your username and password. You’ll want to change the username from “admin” because it’s the first guess that every hacker (or automated hacking system) tries, since the admin username is used so often.

In terms of passwords, take a look at the most common passwords compiled by CBS News and bop yourself on the head if your password is anywhere close to one of these. Even if your password is not on the list you’re not in the clear.

Admin Password

If your username is “admin” change it so that the hackers don’t only have to work on cracking your password. WordPress used to only allow people to use “admin” as the username, but now they allow you to change it. Unfortunately, most people neglect to do so, clearing the field a little more for hackers.

Go to your PHPMyAdmin database manager and enter this SQL query to change your username:

UPDATE wp_users SET user_login = ‘mynewuser’ WHERE user_login = ‘admin’;

Remember to change the mynewuser text to whatever username you want to use.

That’s about all you can do for your username, but what about best practices for passwords?

  • Change your password every month.
  • Use a password generator like Strong Password Generator to create something that even you can’t remember. Something like 6xX292qn*(S&0;y looks about right.
  • Since you’ll have trouble remembering these passwords use a password storage and protection system like LastPass. This way you don’t have to remember the passwords for all your sites, but you know they are secure.
  • Don’t write down your passwords on a piece of paper or punch them into a word processor on your computer.
  • Other users can create vulnerabilities with their own poor passwords. Use a tool like Force Strong Passwords so they don’t make up junky passwords.
  • Refrain from storing passwords in your browsers.
  • Don’t use the same password for multiple accounts.

Find a Quality Host With Hardened Security Standards

Since hosting vulnerabilities account for one of the main reasons websites get hacked it’s essential to find a high-quality host for your website. This is important for two reasons: A secure host actively fights hackers and a good host also helps you resolve the problem if something happens.

Here are a few things to look for when seeking out a hosting company for your website:

  • The host actively makes updates and trains staff to learn about the most recent security problems
  • Uses tools for scanning sites for malware and compromised files
  • The host works well for running WordPress
  • The host offers support for recent versions of MySQL and PHP
  • The host uses a firewall that is designed to work well with WordPress
  • Has a support team that is available 24/7
  • Shared hosting accounts are fine, but seek out a company that makes its own backups and provides account isolation (so one site on their servers doesn’t affect the way your site operates).

Feel free to check out some of the hosting companies we recommend at WPKube.

Always Complete Your Updates

Have you ever noticed this little warning at the top of your WordPress dashboard?:

WordPress Update

It’s calling out to you and begging that you click the Please Update Now button.

Whenever you see this button, click on it and complete the update. The same goes for plugins that you use on the backend of your WordPress site. Every portion of your site needs to be constantly updated or you leave open vulnerabilities for hackers to break in.

Update Plugins

When you update your entire WordPress version, the system automatically asks you if you’d like to update all the plugins that have new versions. If you don’t update, this just opens up more security holes. Major plugin and WordPress updates typically focus on rolling out new features, but the smaller ones focus on filling security holes and fixing bugs.

Both major and minor updates require your attention.

Updating manually is a pain. Is there a way to complete this automatically in the future? Yup!

Paste the following code into your wp-config.php file and you’re all set.

# Enable all core updates, including minor and major:
define( ‘WP_AUTO_UPDATE_CORE’, true );

The main reason some people don’t like to update things automatically is because it might break something on your site if the update conflicts with some code. The choice is up to you. I make my updates manually, but I also don’t manage that many sites. If you manage sites for dozens of clients you might want to automatically run updates.

Handle How Easy It Is For People to Login to Your Site

If you have a membership site or several authors logging in constantly to write articles, you need to make it more difficult to login.

Obviously, you don’t want to make it near impossible, but if your users can login easily, so can hackers.

Hackers attempt brute force attacks by running programs to test thousands of password and username combinations. If they get locked out after three or four attempts it prevents any break-ins. Therefore, limit login attempts by using a plugin. Login Lockdown is my favorite plugin for completing this task.

Login Lockdown

The plugin is lightweight and tells users how many attempts they have to get the username and password correct. If they fail after the last attempt, they are locked out of the system.

The next step is to check if the user is indeed a human with a two-step authentication process. Use the Google Authenticator plugin so that people need to punch in a special code in addition to their username and password. You can change this code whenever you want and designate different codes for all users. It can send this code to the person’s phone so that they have to check the phone in order to login.

Buy Your WordPress Themes from Trusted Sources

It’s unfair to say that developers who make free WordPress themes are untrustworthy, because this is often not the case. But, the WordPress free theme repository is a mixed bag with plenty of developers who don’t know how to code as well, or they don’t update their themes to fill security holes.

I’d highly recommend opting for a premium theme from a reputable source. These companies have built infrastructures based on selling thousands of themes, so they run countless bug and security tests before selling the themes. If they start selling a theme that isn’t secure, the customers will let them know about it and hurt their reputation.

Check out our guide on finding the perfect WordPress theme, and consider staying away from free themes. The WordPress theme database is not the worst thing in the world, but the golden rule is to stay away from random companies you’ve never heard of before.

Disable Your PHP Error Reports

It’s wise to disable any PHP error reports, because when a plugin or theme sends an error report it can also reveal your server path, making it a little easier for hackers to find your server.

You can typically just call up your hosting company to disable these reports.

Put a Cover on Your Login Page

It’s not always the most practical way to secure our website, but it can serve you well to hide your login page so other people can’t find it as easily. Since WordPress uses the /wp-admin and /wp-login slugs for the default login areas it’s easy for intruders to know exactly where to start their attacks.

You can actually change the location of your login page, but you will have to remember the location to prevent future confusion. Lockdown WP Admin is a solid plugin to hide your login pages and prevent people from finding them.

Get Rid of Your WordPress Version Number

WordPress puts some code in your website that displays the WordPress version number. If an intruder knows your version number they can figure out if you are using an old version to locate particular holes in the system.

Version

Use a plugin like Remove Version to clear the meta tag that shows your version number.

Secure Your Local Environment

This article is mainly about ways to digitally secure your website, but what about keeping an eye out for threats in your general vicinity?

Do you work on your website in a coffee shop? Did you know that if you login to your website on public WiFi it’s one of the easiest ways for someone to capture your information and hack into your site?

Coffe Shop Computer

You’ll also want to look around your own home or office. Make sure your own WiFi is secure with a password so that no one can hack into your site using your own signal.

Implement a firewall on your computer and setup a schedule for running tools to check for malware and viruses on your local computer files. Just because your website is being run online, on a server somewhere else, doesn’t mean a local tracking virus can’t pick up your login credentials and break in that way. Use a common tool like Norton to avoid these situations.

Get Some WordPress Security Keys

WordPress security keys work with visitor cookies to ensure that the information stored in these cookies is further encrypted. Keys also help with password protection and overall security.

To get a security key, go to your wp-config.wp file. Look for lines of code that look something like this:

Security Keys

Go to the WordPress Salt Key Generator and click on the refresh button in your browser to generate your own random keys. Copy this code and replace the lines that I showed you in your wp-config.wp file above.

Random Keys

Keep in mind that the keys I generated above are completely random, so you should not try to copy them and punch them in your own file. Generate your own with the Salt Key Generator.

Protect Your WP-Config.php File

The wp-config.php file is extremely important, since it contains essential security information like keys and database connection data. You can prevent people from accessing this file by going to your .htaccess file and placing in the following code:

<files wp-config.php>
order allow,deny
deny from all
</files>

Check All File and Directory Permissions

It may not make much sense, but a directory with a 777 permission could open up your site to some problems with attackers. WordPress has a nice guide for setting up the correct file permissions on your site, but the following rules should help you get started:

  • Set your wp-config.php file to 600
  • Set your files to 640 or 644
  • Set your directories to 755 or 750

Your web host can typically help you with this if it’s over your head. Just ask them for assistance with directory and file permissions.

Formulate Your Backup Plan

Once your site is secure it’s not the end of the road. What happens if a hacker manages to burst past your impenetrable wall of protection? It’s possible. In fact, your site may just go down for some reason other than a hacker.

Backup Buddy

Use a plugin to backup your files automatically. The best backup plugins are nice for scheduling backups to different storage locations, so you can then just grab the files and re-implement them if something goes wrong with your site.

Maybe Only a Portion of Your Site is Affected?

Most of the time only a small portion of your site is affect when a hacker gains control. They typically just want to upload a script to send out spam emails, so the server is their best friend. Since only a section of your site is typically affected this makes it more difficult for you to locate a problem on the surface.

The solution for identifying small problems is to scan your site on a regular basis. The Theme Authenticity Checker plugin scans all the themes you have installed on your site to locate any problems with your files.

TAC

It targets and identifies unwanted code and malicious files so you can then take a look at a list and remove those problems or pass them onto your host to complete the removal for you.

Must-Have WordPress Security Plugins

You’ve got a little catch-22 when it comes to WordPress plugins. So many security options are provided as plugins, but one of the easiest ways to decrease security vulnerabilities is to simply minimize the amount of plugins you have installed on your WordPress dashboard.

So…where do you go from there? The first step is to remove any plugins that aren’t active. Then, go through your site and remove anything that you don’t truly need. For example, your theme may already have a contact form provided so you don’t need a contact form plugin.

I obviously talk about several plugins in this article, but the key is to pick and choose the ones that work best for your situation. You don’t want to clutter your site and open up security holes by filling your site with 30 plugins. That said, here are some suggestions for all-in-one security plugins.

All-in-one means that you typically only have to choose one of the following plugins so you can still keep the plugins to a minimum.

iThemes Security – This plugin is particularly nice for modifying database prefixes, like wp_posts, which are easy for hackers to guess. The plugin includes some powerful features, such as the ability to track when your users edit content and log in and out of your site. You can also manage tasks from a dashboard widget, generate strong passwords and scan for malware.

BulletProof Security – BulletProof Security protects your site with firewalls and logs every time your database is backed up. The HTTP error logging is a nice touch, and I really enjoy the fact that it has a one-click setup wizard in the pro version. The pro version also comes with 16 mini-plugins to further help you secure your site.

Wordfence Security – Wordfence Security is completely free, and they claim that the plugin can make your website up to 50 times faster and more secure. The plugin primarily completes a deep scan of your source code, comparing it to the WordPress repository. If the plugin finds anything wrong, it alerts you.

Sucuri SecuritySucuri Security is another free plugin that includes features such as blacklist monitoring, remote malware scanning and security notifications. The one area that stands out to me is the post-hack security actions to guide you through the process of saving your site after it encounters an intruder.

You also might be interested in reading about why plugins alone are not responsible for WordPress security problems.

Ask for Feedback to Measure Site Security Against User Experience

What burden does security place on the functionality and usability of your website?

Although security is a wonderful thing, what happens if your paranoia leads to disgruntled customers who can’t login to their accounts? After you implement all of these security tactics, send out surveys to try and gather feedback from your customers.

It really depends on the types of sites you’re running, but if the two-step authentication process is ticking your members off, consider other methods for security. Yes, security is paramount, but what’s the point of having a website if you drive all your users away?

This is particularly important if you run a business creating websites for multiple companies. Check with your clients to see if they do or don’t mind your security procedures.

Complacency Could Be Your Downfall

Another tip is to never sit back and relax. Your site is now secure, but nothing is ever completely safe. Technogies change, sites get updated and hackers find inventive ways to get around the system.

Always check to see if your site is blacklisted or not, make sure your backups are running properly and change your passwords on a consistent basis. It’s also not a bad idea to stay nimble and consider new tools that come to your attention.

I may mention a tool in this article that eventually gets overshadowed by a new company that offers better security features. Never hesitate to try new tactics when it comes to your site security.

Conclusion

I hope you liked my guide for improving site security! Please feel free to bookmark this page for when you’re trying to secure your future sites. Let me know in the comments section if you have any other tips for securing a WordPress site.

Do any of you have a go-to security checklist for every site you manage? Let us know!

Image Sources: lyudagreen, scragz, illustr

  1. Mike says

    These are some good tips. There are plenty of users who leave their sites as default who are usually the ones who get hacked.

  2. says

    Great guide, Joe.

    For non expert bloggers and coders, I suggest installing a WordPress plugin, to make things easier.
    Among the ones you mentioned, I found “Wordfence Security” plugin a free solution to secure blogs and make them faster.
    Tested and happy with it!

    Thanks for the share!

Leave a Reply

Disclosure: This post may contain affiliate links, meaning that if you click on one of the links and purchase an item, we may receive a commission (at no additional cost to you). All opinions are our own and we do not accept payments for positive reviews.