WordPress is the open-source CMS of choice. But like any web platform, it isn’t perfect. The biggest problem with WordPress is the people who use it, specifically, those who fail to use it responsibly. Keeping the installation secure and safe is your job, not that of a faraway corporation.
I am occasionally asked to peek “under the bonnet” of other WordPress sites, and I tend to go pale when I see a site that has no security safeguards in place. It’s a bit like keeping your front door locked, but leaving the key under the mat. Without some security precautions, breaking in is that easy.
There are plenty of lists and posts out there with excellent information on how to protect your WordPress site, but not everyone has the time or the technical inclination to see it through. With that in mind, here is a list of a few critical steps you should take to protect your WordPress site. These will take a minimum of five minutes, and no more than 15. When I set up a new WordPress install, I do not do one click worth of work until I have run through these security safeguards. Make it your own habit to do the same.
- Create a new administrator user with a new login name. Delete the default “admin” user. Don’t use obvious generic login names like “test”, “administrator”, or “root” either.
- Use random gibberish passwords of at least 12 characters. Here’s a helpful random gibberish password generator.
- Install and activate the Login Lockdown plugin. This automatically locks out anyone who tries to log in with the wrong password more than three times in a short time span.
- Install, activate, and run the Secure WordPress plugin.
- Install, activate, and run the WP Security Scan plugin. Run its File Permissions check, and change your folder permissions accordingly.
- Install, activate, and run the Lockdown WP Admin plugin. This denies access to the back-end of WordPress to anyone who is not logged in.
- Install, activate, and run the WP Maintenance Mode plugin to create a landing page and “cloak” the work in progress.
This audit will provide your WordPress site with a healthy standard of essential security and protection. The three security scanner plugins do have some overlap, but I doubt you will mind. If you want to explore more advanced options for protecting your WordPress sites, here are some definitive lists:
- 12 Essential Security Tips and Hacks for WordPress (Six Revisions)
- 13 Vital Tips and Hacks to Protect Your WordPress Admin Area (WPBeginner)
- 9 tips to make WordPress hack-proof (guvnr)
It goes without saying that you should keep your WordPress installation, plugins, and themes updated to their most recent version at all times. If you’re not willing to do that, all of the above guidelines are a waste of your time. If you have more than one site, use WP Remote to monitor and update all your installations at a click.
Use a good host
No web host is 100% safe from all forms of hacking and cracking; that simply is not possible. All that said, you will notice a major difference between good web hosts and bad web hosts. I have used bad, cheap web hosts and found myself up cleaning hacking code at 3 AM as a result. On the other hand, I have used good hosts like Krystal and never had to worry about a thing.
If you’ve paid under £20 for a year’s web hosting, or you’ve chosen your web host based on the celebrity faces in their banner ad, or you use a password like “123456″, do you really think you have a right to complain?