WordPress is easily the most widely used website platform to date. Estimates vary, but it is safe to say that at least 25% of websites run WordPress. Unfortunately, hackers and spammers know this too and have made a habit of trying to “break in” to WordPress websites.
Keep in mind that any website, regardless of the platform it runs on, is susceptible to hackers, not just WordPress. Although there is no single way to make any website 100% safe, you can get pretty dang close.
The good news is that it is rather easy to make your WordPress website hacker-proof. Following this security checklist for your WordPress site will make it virtually impossible to be hacked. I will break down this checklist into two parts: DIY and Settings, and Security Plugins.
Let’s get started.
DIY and Settings
Make sure that you have the latest version of WordPress
Every new WordPress release comes with security improvements and often fixes security-related bugs found in previous versions. Keeping up with and installing the latest release is very important for security.
How to: Go to your WordPress dashboard, hover over ‘Dashboard’ in the left navigation, and click ‘Updates’ — if the page is showing a new version of WordPress then it is time to update.
Note: Before you update WordPress, add/update a theme or plugin, please backup your site! Read how to backup WordPress
Make sure your plugins are updated
Just as having the most up-to-date version of WordPress installed is important, it is equally important that the latest versions of your plugins are installed as well. Running outdated versions of plugins can create a “weak spot” for hackers to exploit.
How to: Hover over ‘Plugins’ in the left navigation, click on ‘Installed Plugins’ and see if there is a new version available for each plugin (you will see a message underneath each plugin name).
Uninstall plugins you don’t use
If you aren’t using them then you aren’t updating them. Just get rid of them.
Remove the ‘admin’ username... now!
By default, when you first install WordPress, the administrator username will be ‘admin’. Many WordPress users are aware of this, and so are hackers. By removing this user from your site, you eliminate a potential area of vulnerability.
How to: follow the instructions at how to change admin username
Make your display name different from your username
Your display name is the author name people see when they read your blog posts. Having it be exactly the same as your username hands hackers half of the credential pair (the username) when they try the brute force method.
How to: Hover over ‘Users’ in the left navigation of your dashboard, and click on ‘Your profile’. You will be taken to a page that has your profile information. To add a new public display name, just type in a name in the ‘Nickname (required)’ field and it will populate in the ‘Display name publicly as’ drop down menu. Just select the name and click the ‘Update Profile’ button at the bottom of the page.
Use a strong password
Oftentimes the easiest way for a hacker to get into online accounts and websites is through brute force. This means they try password after password, over and over again, until they get in. Using a simple password is the easiest way to fall victim to this common method. Since the release of WordPress 3.7, there has been a password strength meter you can use to see just how ‘weak’ or ‘strong’ your password is. Don’t get lazy here. Create a password that earns the ‘strong’ status.
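The strength meter only advises; it does not stop a user from saving a weak password. The following is an added example (not code from this article or from WordPress core) of enforcing a minimum password policy server-side on both the profile screen and the password-reset screen. It assumes the file is dropped into wp-content/mu-plugins/, and the policy thresholds (12 characters, mixed case, a digit and a symbol, no username inside the password) are assumptions you can tune.

```php
<?php
/**
 * Plugin Name: Example password policy (added example, not part of the article)
 * Rejects weak passwords when a user sets one from the profile screen or the
 * password-reset screen. Place this file in wp-content/mu-plugins/.
 */

// Return a list of policy rules the candidate password fails (empty = acceptable).
function example_password_problems( $password, $username = '' ) {
    $problems = array();
    if ( strlen( $password ) < 12 ) {                       // assumed minimum length
        $problems[] = 'be at least 12 characters long';
    }
    if ( ! preg_match( '/[A-Z]/', $password ) || ! preg_match( '/[a-z]/', $password ) ) {
        $problems[] = 'mix upper- and lower-case letters';
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) {
        $problems[] = 'contain at least one digit';
    }
    if ( ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
        $problems[] = 'contain at least one symbol';
    }
    if ( $username !== '' && stripos( $password, $username ) !== false ) {
        $problems[] = 'not contain your username';
    }
    return $problems;
}

// Shared validator: $errors is a WP_Error, $user is the account being edited
// (a WP_User on password reset, a stdClass with user_login on profile update).
function example_validate_password( $errors, $user = null ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // no password change was submitted
    }
    $password = (string) wp_unslash( $_POST['pass1'] );
    $username = isset( $user->user_login ) ? (string) $user->user_login : '';
    $problems = example_password_problems( $password, $username );
    if ( $problems ) {
        $errors->add(
            'example_weak_password',
            'Password must ' . implode( ', ', $problems ) . '.'
        );
    }
}

// Profile screen (Users > Your Profile) passes ($errors, $update, $user).
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    example_validate_password( $errors, $user );
}, 10, 3 );

// Password-reset screen passes ($errors, $user).
add_action( 'validate_password_reset', 'example_validate_password', 10, 2 );
```

When a rule fails, WordPress refuses the save and shows the combined message on the form, so the user has to pick a password that passes every rule rather than just being warned by the meter.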
Security Plugins
Using the right plugins in your WordPress security checklist will help to create a virtually impenetrable wall around your site that nobody can get past. In years past, many WordPress users had to use half a dozen or more security-related plugins to achieve the results that can now be realized with a single all-in-one security plugin. Instead of listing dozens of potential security plugins that each perform a single security task, I’ve listed what I believe is the best all-in-one solution below – iThemes Security. But before we get into that one, let’s cover two very important plugins.
Akismet Spam Plugin
This plugin already comes pre-installed with WordPress, so you don’t need to install it. It blocks spam comments using an extremely large anti-spam network built from WordPress sites. Akismet works by sharing a list of all the spammers it identifies on every site it’s installed on, and uses this list to block new comments. Spam comments are sometimes used to try to inject malicious code into websites.
The only thing you will have to do to fully setup Akismet is get an API key and register it. This is all free to do. To get started, hover over ‘Settings’ in the left navigation and click on Akismet. Simply follow the setup instructions at that point.
Backup Buddy Plugin
Backing up your site is an absolute must. This is not a security plugin, but it will play a very important role if your site ever “breaks” for any of a myriad of reasons – including a security breach. With Backup Buddy, you can create automatic backups of your site every day and have the backup files emailed to you and exported to cloud storage like Dropbox. If your site gets wiped out and you have a fresh backup, you can quickly restore it using this plugin.
There are other backup plugins available – some free and some paid. Depending upon your hosting provider, you may also be able to create backups of your site automatically. For example, we use WP Engine to host our site and they automatically create a full backup of our site every day. We also have the option to create a manual backup anytime with a simple click of a button. If we need to restore an old version of our site, we simply select the version and... click a restore button. It really is that easy. Read our WP Engine review for more details on them.
iThemes Security Plugin
This security plugin is truly awesome. It provides a multitude of ways you can further secure your site and really is the only security plugin you need to install on your site. It comes in both a free and pro version, but the free version is good enough for most sites. Below is a quick breakdown of some of the security features that come with the plugin:
Limit login attempts – With brute force, hackers rapidly try many username/password combinations to break into sites. With this feature, you can limit the number of attempts – 3 attempts, for example – and lock out further login attempts from anyone who exceeds the limit you set.
Hide WordPress Login Errors – When you log in to your site incorrectly, you will see a message stating whether you used the wrong username or the wrong password. This is information you simply do not need to display publicly, and it is important to hide it from the bots and scripts hackers use when trying to break into a site using brute force. Once again, the less information hackers have, the better.
IP address whitelist/blacklist – With this feature you can put specific IP addresses on a whitelist (only users at those IP addresses can log in). You can also put certain IP addresses on a blacklist and use iThemes’ list of already known bad IP addresses.
Move /wp-admin, /wp-login – All default WordPress installs use these paths for logging into your WordPress admin panel. It looks something like this – www.yourblog.com/wp-admin. Most hackers know this and will use it as a potential opportunity to try to hack your site. By changing this location, you are essentially hiding your login page from other people. This is important to do and can easily be done with the iThemes plugin.
Stop displaying the version of WordPress you are running – Did you know that WordPress displays the current version of WordPress that you are running? It can be found in the page source, and hackers know this. They are aware of the potential vulnerabilities in previous versions of WordPress and will try to take advantage of this. By removing this information, you are taking yet another step in securing your site. There is absolutely no reason to display this information. Just remove it.
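To show what three of the features above actually do under the hood (limit login attempts, hide login errors, and stop displaying the WordPress version), here is an added example of a must-use plugin that implements them with core WordPress hooks. It is not code from this article or from the iThemes plugin. It assumes the file is placed in wp-content/mu-plugins/, uses the article’s 3-attempt limit with an assumed 15-minute lockout, and keys the counter on the client IP (which is only reliable when no reverse proxy sits in front of PHP).

```php
<?php
/**
 * Plugin Name: Example login hardening (added example, not the iThemes plugin)
 * Place this file in wp-content/mu-plugins/ and WordPress loads it automatically.
 */

// 1. Stop advertising the WordPress version in the page <head> and in feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 2. Replace the detailed login error ("unknown username" vs "wrong password")
//    with one generic message, so a failed attempt confirms nothing.
add_filter( 'login_errors', function ( $error ) {
    return 'Login failed. Please check your credentials and try again.';
} );

// 3. Limit login attempts per client, with a lockout once the limit is hit.
//    Counters are kept in transients, so no extra database table is needed.
const EXAMPLE_MAX_ATTEMPTS    = 3;       // assumed limit (the article's example)
const EXAMPLE_LOCKOUT_SECONDS = 15 * 60; // assumed lockout length

// Transient name for the requesting client. REMOTE_ADDR is correct only when
// PHP sees the real client; behind a reverse proxy use the forwarded address.
function example_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $ip );
}

// Count each failure; the transient expiry doubles as the lockout window and
// is refreshed on every failure, so hammering the form extends the lockout.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = example_client_key();
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, EXAMPLE_LOCKOUT_SECONDS );
} );

// Refuse authentication outright while the client is locked out. Priority 30
// runs after core's username/password check, so a correct password still fails.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user; // plain page load of wp-login.php, not a login attempt
    }
    $attempts = (int) get_transient( example_client_key() );
    if ( $attempts >= EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the failure counter for that client.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( example_client_key() );
}, 10, 2 );
```

Keying on the client address is the simplest choice, but it also means many users behind one NAT share a counter; a production plugin usually tracks both the client and the targeted username, and logs lockouts so repeated brute-force attempts show up in monitoring.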