WordPress is an incredibly powerful and relatively secure tool, but its widespread use makes it a huge target for hackers. There are a few simple modifications you can make to harden your WordPress security that will stop 99.9% of hackers in their tracks though.
You might be thinking that you don’t need to worry about WordPress security because you don’t store valuable trade secrets or customers’ financial data, but you’re wrong. Hackers target websites for all kinds of reasons, including to redirect visitors to their own websites, to spread viruses and malware, or to inject links to other websites to boost ranking. Sometimes, they target websites just for their own entertainment.
Any of those tactics can cause a short‐term loss of business, but can also have devastating long‐term effects if they cause Google to flag your website as harmful due to viruses or malware, or in violation of their guidelines due to injected links and/or content.
I’m going to share six simple WordPress security modifications that you can implement today without being a technology guru!
Don’t use a default username
By default, WordPress will make the first username “admin” which presents a pretty large security risk. This default username eliminates half of the work required for a brute force attack because hackers don’t have to guess the username—only the password.
Since you don’t want to make it easier for hackers to get into your website, you need to create a non‐standard and more complex username. Ideally, it should be something not directly correlated with your name or your company name—remember, you’re trying to make it difficult for them to guess.
If your website is already up and running, you may think you’re stuck with the username you have now because WordPress doesn’t give you the ability to change it…fortunately, that’s not the case. You have two options:
- Use phpMyAdmin (in Cpanel for most web hosts) to change the username. This requires a bit of technical expertise because a tiny mistake can break your entire website.
- Create a new user with administrative privileges, then delete the previous user and assign all of that users posts to the new user. I recommend this option for most people.
You should also change the display name in your user profile so that you aren’t broadcasting your username to the world with each post.
Limit wp‐admin to your IP
You can do this with a plugin, but I prefer to use a .htaccess file uploaded to the wp‐admin folder because it’s cleaner and damn‐near bulletproof. Simply fire up a text editor, create a new file and paste in the code below. Be sure to replace the x’s with your IP—you can find that by entering “whats my ip” into a Google search.
# ALLOW USER BY IP <Limit GET POST> order deny,allow deny from all # Replace with your IP address allow from xx.xx.xx.xx </Limit>
Save it with a file name .htaccess, and save as type “All Files” like you see in the image below:
Now, upload it to your wp‐admin folder (located where ever WordPress is installed) and then only people from your IP will be able to access your admin area. If you need to access it from multiple locations, such as your office and home, simply add additional IP addresses separated by a space. This will prevent nearly all WordPress security issues because unless someone is physically using your network, they will be unable to even see your admin area.
Another highly‐effective WordPress security measure is two‐factor authentication, which requires another physical device (usually a smartphone or tablet) to complete your login. There are several WordPress plugins available for this, including:
Limit login attempts
WordPress allows users to enter passwords as many times as they want. Hackers will exploit this by using scripts that can enter different combinations until your website cracks. Statistically, it’s only a matter of time—and usually not much time at all, since most people use shockingly weak passwords.
Preventing this is as simple as installing the Login Lockdown plugin, which records the IP address and timestamp of every failed login attempt. If a predetermined number of login attempts occur within a certain time period from the same IP range, then the login function is disabled for all requests from that range. By default, this plugin will disable login functionality for 1 hour after 3 failed login attempts within 5 minutes, but this can be modified in the options panel, and administrators can release locked out IP ranges manually.
Plugins the biggest threat to WordPress security because they operate essentially with administrator privileges.
Unless you are a PHP developer, you don’t have the knowledge to effectively asses any security risks, and no—just because they are in the WordPress repository, it doesn’t mean they have been thoroughly vetted. Plus, a plugin may be secure today, but become a vulnerability under a new version of WordPress. (Or PHP.)
Keep WordPress themes and plugins up to date
This is easy to forget if you don’t log into your admin area often, so if you need to, add a task on your calendar to check for updates to WordPress core, themes, and plugins every week. Updates are released for a reason, and it’s usually to patch newly discovered vulnerabilities. Failing to update leaves you open to those vulnerabilities.