WordPress security has always been food for thought. Even though most of the latest updates (including WordPress 4.5.2) deal with WordPress security issues, there is still a lot that can be done to improve that security, even by the less tech-savvy of us. In this article, I’d like to enumerate a number of suggestions on how to improve security on your own WordPress website.
Table of contents
- Don’t use
adminas a username
- Use a less common password
- Add Two-Factor Authentication
- Employ Least Privileged principles
- Use WordPress security keys for authentication
- Disable file editing
- Limit login attempts
- Be selective with XML-RPC
- Hosting & WordPress security
- Stay up-to-date
- (Free) plugins & themes
- Contact Sucuri
- Closing thoughts
WordPress itself has a list on WordPress security you might want to read. Of course, some of the things in that list will be repeated in the article below. Personally, I prefer a more hands on list and direction, that’s why we decided to write this article.
admin as a username
Think about this. This is perhaps the easiest baseline step for WordPress security you can take as a WordPress user. It costs you nothing, and the install makes it really easy to do. A majority of today’s attacks target your wp-admin / wp-login access points using a combination of admin and some password in what is known as Brute Force attacks. Common sense would dictate that if you remove admin you’ll also kill the attack outright.
Yes, the argument exists that the attacker can still enumerate the user ID and Name and can in some instances pull the new username. There is no denying this. Remember though, like our friends at Sucuri like to say, Security is not about risk elimination, it’s about risk reduction.
For the everyday, automated Brute Force attack, removing the default admin or administrator username will already help a lot. You’re at least making it a bit harder for the hacker to guess the username. For the sake of clarity, understand that when we say
admin we are speaking specifically to the username only and not the role.
Simply create a new user in WordPress at Users > New User and make that a user with Administrator rights. After that, delete the
admin user. Don’t worry about the post or pages the admin user has already created. WordPress will nicely ask you: “What should be done with content owned by this user?” and give you the option to delete all content or assign it to a new user, like the one you have just created.
Use a less common password
An easy thing to remember is CLU: Complex. Long. Unique.
This is where tools like 1Password and LastPass come into play, as they each have password generators. You type in the length, and it generates the password. You save the link, save the password, and move on with your day. Depending on how secure I want the password to be, I usually set length of the password (20 characters is always right) and decide on things like the inclusion of less usual characters like # or *.
‘123456’ isn’t a password. ‘qwerty’ is like writing your security code on your bank card. ‘letmein’; seriously? Shame on you. Even ‘starwars’ made the 2015 list of 25 most used passwords. Remember, you’re never as unique as you think you are…
Add Two-Factor Authentication
Even if you’re not using ‘admin’ and are using a strong, randomly generated password, Brute Force attacks can still be a problem. To address this, things like Two-Factor Authentication are key to helping to reduce the risk of such attacks.
Oh, I know, the hassle two-factor authentication is. But for now, it’s your Fort Knox. The essence of two-factor authentication for WordPress security is exactly as implied in the name, two forms of authentication. It’s the recognized standard today for enhanced security at your access points. You are already using two-factor authentication for Gmail, Paypal, and the works (at least you should be), why not add it to your WordPress security toolkit as well. Ipstenu (Mika Epstein) did an article on the subject you might want to read: Two Factor Authentication.
Employ Least Privileged principles
The concept of Least Privileged is simple, give permissions to:
- those that need it,
- when they need it and
- only for the time they need it.
If someone requires administrator access momentarily for a configuration change, grant it, but then remove it upon completion of the task. The good news is you don’t have to do much here, other than employ best practices.
Contrary to popular belief, not every user accessing your WordPress instance needs to be categorized under the administrator role. Assign people to the appropriate roles and you’ll greatly reduce your security risk.
No, thou less tech-savvy WordPress website owner, that is not hard to do. It’s actually really simple, especially when you are using Yoast SEO for WordPress > Tools > File Editor to edit your
For better WordPress security, you’d need to add this to your
.htacces file to protect
order allow,deny deny from all
That will prevent the file from being accessed. Similar code can be used for your
.htacces file itself, by the way:
order allow,deny deny from all
You can do it. It’s no rocket science.
Use WordPress security keys for authentication
Authentication Keys and Salts work in conjunction with each other to protect your cookies and passwords in transit between the browser and web server. These authentication keys are basically set of random variables, used to improve security (encryption) of information in cookies. Changing this in wp-config.php can be simply done by getting a new set of keys here and add these. These keys change on a refresh of that page, so you’ll always get a fresh set.
Disable file editing
If a hacker gets in, the easiest way to change your files would be to go to Appearance > Editor in WordPress. To lift your WordPress security, you could disable writing of these files via that editor. Again, open wp-config.php and add this line of code:
You’ll still be able to edit your templates via your favorite FTP application, you just won’t be able to do it via WordPress itself.
Limit login attempts
Attacks like a Brute Force attack, target your login form. Specifically for WordPress security, the All in One WP Security & Firewall plugin has an option to simply change the default URL (/wp-admin/) for that login form.
Next to that, you could also limit the number of attempts to login from a certain IP address. There are several WordPress plugins to help you to protect your login form from IP addresses that fire a multitude of login attempts your way. We haven’t tested all, but feel free to let me know your experiences.
Be selective with XML-RPC
XML-RPC is an application program interface (API) that’s been around for a while. It’s used by a number of plugins and themes, so we caution the less technical to be mindful how they implement this specific hardening tip.
While functional, disabling can come with a cost. Which is why we don’t recommend disabling for everything, but being more selective on how and what you allow to access it. In WordPress, if you use Jetpack you’ll want to be extra careful here.
There are a number of plugins that help you be very selective in the way you implement and disable XML-RPC by default.
Hosting & WordPress security
In the past years of website reviews, we have had our share of website owners stating that their hosting company couldn’t help with this, or knew jack about that. Hosting companies simply see your website differently. There is no simple rule to decide on your WordPress hosting company. But the choice of a hosting company does matter when optimizing your WordPress security.
Every article written on hosting or hosting companies seems to start by telling you that the cheapest one is probably not the best one. Most cheaper hosting plans won’t have support to help you out with a hacked site. These plans include little to secure your website, like for instance set up a Website Firewall (more on the Sucuri Website Firewall later). Shared hosting, for instance, does imply that your hosting server is also populated with other websites. These might have security issues of their own, which in turn might affect your own website’s security as well.
WordPress security seems to be one of the main USPs offered in specialized WordPress hosting products, like the one offered by GoDaddy. They offer backups, redundant firewalls, malware scanning and DDoS protection and automatic WordPress updates for very reasonable pricing (understatement).
Be mindful of host account
One of the biggest challenges with hosts is in their account configuration for website owners. Website owners are allowed to install and configure as many websites as they want, and this fosters “soup kitchen”-like environments.
This is challenging because, in many instances, a website is compromised via a concept known as cross-site contamination in which a neighboring site is used as the attack vector. The attacker penetrates the server, then moves laterally into neighboring sites on the server.
The best way to account for this is to create two accounts, one which you treat as a production environment – only live sites are published – and a staging one, in which you put everything else.
Staying up-to-date is an easy statement to make, but for website owners in the day-to-day, we realize how hard this can be. Our websites are complex beings, we have 150 different things going at any given time, and sometimes it’s difficult to apply the changes quickly. A recent study shows that 56% of WordPress installations were running out of date versions of core.
Updates need to extend beyond WordPress core. The same study shows that a very large percentage of the website hacks came from out-of-date, vulnerable, versions of plugins.
This can be compounded in really complex environments in which dependencies make it so that backups can’t be achieved. This is why we personally employ Sucuri’s Firewall. This firewall virtually patches and hardens our website at the edge. It gives us the time we require to go back and apply updates in a more reasonable time frame, allowing us to test in our staging environments first, and only then push to production.
(Free) plugins & themes
Most WordPress users tend to apply themes and plugins at will to their posts. Unless you’re doing this on a test server for the sole purpose of testing that theme or plugin, that makes no sense, especially not with reference to WordPress security. Most plugins and a lot of themes are free, and unless you have a solid business model to accompany these free giveaways. If a developer is maintaining a plugin just because it’s good fun, chances are he or she did not take the time to do proper security checks.
We have teamed up with Sucuri years ago, to make sure every plugin is checked for security before release, and we have an agreement with them for ongoing checks as well. If you are creating a free theme or free plugin, you might not have the resources to add solid checks like that.
How to pick the right plugin
If you want to be taken by the hand in selecting the right WordPress security plugin for your website, please read this in-depth article Tony Perez did on the subject: Understanding the WordPress Security Plugin Ecosystem.
Let me focus on the basics of plugin selection here. As explained above, free plugins and themes could be a possible vulnerability. When adding a plugin (or theme for that matter), always check the rating of that plugin. WordPress.org shows ratings, but one five star rating won’t tell you anything, so also check the number or ratings. Depending on the niche, a plugin should be able to get multiple reviews. If more people think a plugin is awesome and take the time to rate it, you could decide to use it too.
There is one other thing you want to check. If a plugin hasn’t been updated for two years, WordPress will tell you that. That doesn’t mean it’s a bad plugin, it could also mean there hasn’t been a need to update it, simply because the plugin still works. The ratings will tell you that, and the compatibility with the current WordPress version, which is also listed on the plugin page at wordpress.org. Having said that, Sucuri strongly recommends against using any plugins that haven’t been updated for that long. You should take their word for it.
Based on these ratings and compatibility, you could pick your plugins less random and have a larger chance of some kind of security being added.
I’ve already mentioned our friends at Sucuri. Daniel and Tony have done a tremendous job on our plugins and have helped on several hacked websites in the past. If you’re not familiar with these gentlemen, they are the owners and managers of Sucuri.
Sucuri is a globally recognized website security company known for their ability to clean and protect websites, bringing peace of mind to website owners, including us here at Yoast.
We’ve partnered with Sucuri because we take security very seriously, it’s not and should not be an afterthought. There is a variety of ways to address WordPress security, and we found that security was best addressed remotely at the edge beyond the application. What Daniel and Tony have built is a product / service that lets you get back to running your business. They are our partners, the security team we lean on when we need help the most.
Failing to take the necessary precautions for your WordPress security, and leveraging the experts can lead to malware infections, branding issues, Google blacklists and possibly have huge impacts to your SEO (something dear to our hearts). Because of this, we turn to them for our needs, like they turn to us for website optimization.
Here is a webinar Sucuri put together on how websites get hacked:
A lot of the suggestions in this article can be dealt with by installing and configuring their free Sucuri Scanner plugin for WordPress or hiring them to handle your website’s security. At Yoast, we don’t think this is an ‘extra’, but consider it an absolute necessity. For us, security is not a DIY project, which is why we leave it to the professionals. Visit their website at sucuri.net for more information, and check your site now to see if you have been infected with malware or have been blacklisted.
Yoast recommends Sucuri
If you are serious about your website, you are serious about your security. Get the complete security package of Website Security Stack now:
If you have come this far in this article, you will have no excuse not to improve the WordPress security for your website. Like adding posts and pages, checking your WordPress security should be a regular routine for every WordPress site owner.
This isn’t the full list of all the things you can do to secure your website. I am aware that one should, for instance, create regular backups. And that WordPress has a number of plugins for this as well. But backups are not part of WordPress security per se, I think these are part of having a website in general – they are administrative/maintenance tasks.
I trust this article about WordPress security gives you a practical list of things you can and should do to secure at least the first layer of defense of your website. Remember, WordPress security isn’t an absolute, and it’s on us to make it harder for the hackers!
Tony, thanks again for your input and additions to this article!