Disclosure: This post contains affiliate links.
I still remember the helplessness and shock I felt looking at my travel blog.
I could tell immediately it had been hacked. Badly.
It got worse when I realized I couldn’t even find a good backup of the site. I was convinced for at least two hours that I’d lost everything from the last two years.
Fortunately, I got a lot of assistance from the excellent customer support staff at SiteGround, the company that hosts my site. With that help and some technical wizardry, I was able to recover everything except for one post. It’s a relatively small price to pay for such an important lesson. It taught me that I had to take more seriously the whole idea of securing WordPress sites I’ve created and maintained for myself and my customers. WordPress is the world’s most popular blogging platform, but it’s also the one most likely to be hacked.
In this post we’ll cover four major areas you’ll need to consider when thinking about securing WordPress sites: access, monitoring, protection and backups.
Securing WordPress Sites: Access
Access security deals with issues around the entry points to your site: user IDs, permissions and login pages. Think of it like your house: why would you lock your front door but leave the back door and all the windows open? You’re only really securing WordPress sites when access is locked down and controlled.
User ID Security Considerations
For the love of all that is holy, change the default administrator ID and password for your site! It’s amazing how many sites use “admin” as the ID and “password” as the password for their site. It may be easy for you to remember, but it also makes it easier for hackers to get into your site and cause havoc. Consider creating a less intuitive user ID and password combination. Once you do this, also consider using a password manager like LastPass or Dashlane to store login information and create hard-to-crack passwords. Both Chrome and Firefox also provide an in-browser password manager which can be used to store your login information.
Don’t create user IDs unless you absolutely need them, and delete temporary IDs when you’re done with them. You may need to let your theme developer or a plugin creator log into your site with admin privileges to debug problems for you. Rather than giving them your main administrative ID, create a temporary ID for them and get rid of it as quickly as possible. Do the same thing for content authors or website designers who are doing work on your behalf.
WordPress also supports the ability to limit login attempts. When this option is enabled, a user ID is suspended after three unsuccessful login attempts. An administrator must log in and unlock the ID before it can be used again. This is helpful in preventing brute-force attacks, in which a hacker guesses at both the user ID and password through repeated attempts. It’s easy for hackers to write a brute-force attack program and subject your site to thousands of unsuccessful login attempts. Limiting login attempts can significantly reduce the risk of these types of attacks.
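As an added example (it is not part of the original post), the following POSIX shell script shows what a login-attempt limit is defending against, seen from the web server log: it counts POST requests to wp-login.php per client address in an access log written in the common "combined" format. WordPress answers a failed login by redrawing the form with HTTP 200 and a successful one with a 302 redirect to the dashboard, so a run of 200 responses from a single address is the brute-force signal. The log lines and addresses are constructed for the example; the log path is whatever your host uses.

```shell
#!/bin/sh
# Added example (not from the original post): spot brute-force login attempts
# in an Apache/Nginx access log written in the "combined" format.
# Fields by whitespace: $1 client IP, $6 "METHOD, $7 path, $9 HTTP status.

# failed_login_ips LOGFILE [THRESHOLD]
# Prints "<count> <ip>" for each client with at least THRESHOLD failed logins.
# A failed login is a POST to wp-login.php answered with 200 (WordPress redraws
# the form); a successful one is answered with a 302 redirect to wp-admin.
failed_login_ips() {
    log=$1
    threshold=${2:-10}
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' "$log" | sort -rn
}

# sample_log: constructed log lines using RFC 5737 documentation addresses.
# 203.0.113.7 fails five times, 198.51.100.4 logs in once, 192.0.2.9 mistypes once.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 41200 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
EOF
}

# Demo: run the check over the constructed log with a threshold of 3.
demo_log=$(mktemp)
sample_log > "$demo_log"
failed_login_ips "$demo_log" 3
rm -f "$demo_log"
```

On a real server you would point it at the live log (for example the file your host lists under "raw access logs") and feed the addresses it reports to whatever blocking your host or security plugin offers. The single attempt from 192.0.2.9 stays below the threshold, which is the point: one mistyped password is normal, dozens in a minute are not.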
One other simple way to secure WordPress sites is to change the login and administrative page names. The default login page is www.yourwebsitename.com/wp-login.php. The default administrator dashboard is www.yourwebsitename.com/wp-admin. Changing both of these page names to something that’s hard to recognize makes it harder for hackers to find the “front door” of your website.
The permission scheme for WordPress is graduated. Users can be granted any level of security from “Subscriber” to “Administrator”. These permission levels are all or nothing, meaning that you can’t selectively turn off access to certain objects or content for an individual user ID. From least to most powerful, the permission levels are:
- Subscriber: read posts only
- Contributor: read posts, edit or delete draft posts
- Author: read posts, edit or delete draft posts, publish posts, delete or edit published posts, and upload files
- Editor: same permissions as Author, plus the ability to publish/delete pages as well as edit other posts and pages, read/edit/delete authority for private pages, and manage/moderate comments
- Administrator: same permissions as Editor, plus the ability to add/activate/delete plugins, create/edit/delete users, edit themes and theme options, import/export content, and update the WordPress core
The official WordPress Codex encourages the use of the “principle of least privilege.” The idea is that user IDs should be granted the lowest level of privilege or permission needed in order to accomplish their assigned tasks. As an example: if you are collaborating with another blogger to create a new post, consider giving that user the Contributor level of permission. Granting them higher levels could enable them to delete your existing posts. Clearly, that’s a risk you don’t want to take.
Securing WordPress Sites: Monitoring
Proper security for your WordPress site is more than just controlling logins. There are other ways that hackers can access your site. Security monitoring will help keep you safe from many types of attacks.
Most security monitoring packages provide protection against content theft, verify the integrity of your core site files, and provide a firewall to deter software-based attacks.
We highly recommend the Wordfence plugin for all these functions and more. The free version provides an application firewall, deep scanning, live traffic monitoring, and tools to recover your site quickly and easily if the worst does occur.
Wordfence and other security monitoring plugins can automatically email you if a security-related issue occurs. This can include anything from unauthorized logins to attempts to manipulate your content or WordPress itself.
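To show what the “verify the integrity of your core site files” part of a monitoring plugin actually does, here is an added example in POSIX shell; it is not code from the original post or from Wordfence. It records a baseline of SHA-256 digests for the PHP files and .htaccess under a WordPress directory (take it right after a clean install or update) and later reports files that changed, disappeared, or appeared from nowhere. The /var/www/html and /root paths in the usage comment are assumptions; it also assumes file paths without spaces, which is true of WordPress core.

```shell
#!/bin/sh
# Added example (not from the original post): a file-integrity check of the
# kind a monitoring plugin runs over the WordPress core. Record a baseline of
# SHA-256 digests right after a clean install or update, then compare later.
# Assumes paths without whitespace (true of WordPress core files).

# Pick the digest tool: GNU coreutils, or the Perl shasum shipped with BSD/macOS.
if command -v sha256sum >/dev/null 2>&1; then HASH=sha256sum; else HASH="shasum -a 256"; fi

# abs_path FILE: absolute path, so the baseline can still be found after a cd
abs_path() {
    printf '%s/%s\n' "$(cd "$(dirname "$1")" && pwd)" "$(basename "$1")"
}

# integrity_baseline WP_DIR BASELINE
# Digests every .php file and .htaccess under WP_DIR, paths relative to WP_DIR.
integrity_baseline() {
    base=$(abs_path "$2")
    ( cd "$1" && find . -type f \( -name '*.php' -o -name '.htaccess' \) -exec $HASH {} + ) \
        | LC_ALL=C sort -k2 > "$base"
}

# integrity_check WP_DIR BASELINE
# Prints one line per changed or missing file ("<path>: FAILED ...") and per
# file that is not in the baseline ("NEW: <path>"), then returns 1 if anything
# was found. A PHP file that appears unannounced inside wp-includes is a
# classic sign that the site has been tampered with.
integrity_check() {
    dir=$1
    base=$(abs_path "$2")
    work=$(mktemp -d)
    # the digest tool's -c mode prints "<path>: OK" or "<path>: FAILED ..."
    ( cd "$dir" && $HASH -c "$base" 2>/dev/null ) | grep -v ': OK$' > "$work/changed" || true
    # paths known to the baseline versus paths on disk now
    awk '{ print $2 }' "$base" | LC_ALL=C sort > "$work/known"
    ( cd "$dir" && find . -type f \( -name '*.php' -o -name '.htaccess' \) ) \
        | LC_ALL=C sort > "$work/now"
    comm -13 "$work/known" "$work/now" | sed 's/^/NEW: /' > "$work/new"
    cat "$work/changed" "$work/new"
    findings=$(cat "$work/changed" "$work/new" | wc -l | tr -d ' ')
    rm -rf "$work"
    [ "$findings" -eq 0 ]
}

# Usage (paths assumed):
#   integrity_baseline /var/www/html /root/wp-baseline.sha256
#   integrity_check    /var/www/html /root/wp-baseline.sha256 || echo "investigate"
```

Keep the baseline file outside the web root and out of reach of the web server user, otherwise an intruder who can edit core files can edit the baseline to match. Run the check from cron and mail yourself the output, which is the do-it-yourself version of the alert emails described above; expect a legitimate round of FAILED lines after every WordPress update, at which point you take a fresh baseline.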
Securing WordPress Sites: Protection
Up to this point we’ve covered issues that happen inside or around a WordPress site. There’s an important component that can’t be forgotten, though – the WordPress core files. The core files are those pieces of code that deliver the essential functions of WordPress. These files store your content and present it to users when it’s needed. Your theme, plugins, images and uploaded files all sit on top of the WordPress core. Think of it as the foundation of your house – if the foundation is compromised, your house is at risk.
One of the most effective methods of securing WordPress sites’ core files is to lock down editing authority. Check with your web hosting provider to determine if they support use of an .htaccess file. This file allows a site administrator to modify or override certain settings of the Apache web server for a directory without touching the server’s main configuration. Two very easy additions to the .htaccess file can save you a lot of headaches.
- Adding the directive below to your .htaccess file will prevent users from seeing a full listing of all the pages and directories in your site. Ordinary users have no need to see such a listing – it is only of benefit to hackers, giving them something to target for their attacks. So, it’s best to remove the capability with this directive:
Options All -Indexes
- You can also use .htaccess to prevent outside users from viewing core files. Adding these directives removes web access to the files, so outside users can neither read nor alter them through the web server. They apply to the directory holding the .htaccess file and everything beneath it, so place that file in the directory you want to protect rather than at the top of the site, where it would block visitors from the whole site:
order deny,allow
deny from all
allow from 127.0.0.1
To further protect your WordPress core files, you must also ensure that all the files and folders in your WordPress file structure have the right permissions. Use “755” as the permission level for folders, and “644” for files. Most web hosts have a control panel (cPanel) that allows you to change permissions. Many also provide the ability for you to access your server via a secure shell connection (SSH).
If these terms are all Greek to you, never fear – you can always reach out to your web hosting provider to get their assistance in securing your files and directories. Not only does it make your site more secure, but it also helps them avoid problems caused by a hosted site being hacked.
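For readers who do have that SSH access, here is an added example (not from the original post) of applying and auditing the 755/644 scheme from the command line. It uses the standard find and chmod tools; WP_DIR stands for whatever directory holds your wp-config.php and is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the original post): apply the 755/644 scheme to a
# WordPress tree and audit it afterwards. WP_DIR is the directory that holds
# wp-config.php (an assumption; substitute your own path).

# wp_fix_perms WP_DIR
# Folders 755 (owner can write, everyone can list and enter), files 644
# (owner can write, everyone can read). Nothing is left writable by "others",
# which is what a hijacked neighbouring process or plugin would need.
wp_fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# wp_audit_perms WP_DIR
# Prints every path that deviates from the scheme and returns 1 if any exist,
# so it can run from cron and only make noise when something drifted
# (a plugin that chmods its cache directory to 777 is the usual culprit).
wp_audit_perms() {
    bad=$( find "$1" -type d ! -perm 755; find "$1" -type f ! -perm 644 )
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

# Usage (path assumed):
#   wp_audit_perms /var/www/html || wp_fix_perms /var/www/html
```

Run the audit first and read its output before fixing anything: a few paths legitimately deviate, most notably wp-config.php, which many hosts and the WordPress hardening guide deliberately set tighter than 644 because it contains the database password. Everything else in the tree, including the uploads folder, should match the scheme.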
Securing WordPress Sites: Backups
If the absolute worst case happens and your WordPress site is hacked, it’s good to have a clean version to go back to. This was the fatal mistake I made with my travel blog, and what led me to think I’d lost everything. Fortunately, my web hosting company keeps automatic backups of the WordPress database and files for 14 days. I was eventually able to determine when the hack occurred, and restore a backup from the day before.
Some website hosting companies don’t provide automatic backups – it’s something you should check into before selecting a host. But even if they don’t, you still have options. One of the first things I did when I recovered my site was to install an automatic backup program. UpdraftPlus was my plugin of choice, although there are many good options on the market today.
UpdraftPlus creates a backup on a daily basis and sends it securely to my Google Drive account. The paid version of this plugin also allows you to send backups to Amazon Web Services, an FTP site, or other cloud-based options.
It’s nice to “set it and forget it” with UpdraftPlus – once it’s configured, backups happen automatically at the frequency you specify. You can also specify the number of “generations” of backups kept in order to save on space with your cloud storage provider. Finally, it offers you the ability to take a manual backup and keep it around for as long as you want, independent of your retention policy. I now do a manual backup right after making major changes to my site, as an added level of security.
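To make the “generations” idea concrete, here is an added example in POSIX shell (not from the original post and not UpdraftPlus code) that archives the WordPress file tree and keeps only the newest N archives. It covers the files only; the database needs its own dump, which is not shown. The WP_DIR and destination paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): file-level backup of a WordPress
# directory with a retention count, mirroring the "generations" setting of a
# backup plugin. Files only: dump the database separately. Paths are assumed.

# wp_backup WP_DIR DEST [KEEP]
# Writes DEST/wp-files-<date>-<seq>.tar.gz, verifies the archive is readable,
# then deletes all but the newest KEEP archives. DEST must be outside WP_DIR,
# otherwise each archive would swallow the previous ones.
wp_backup() {
    src=$1; dest=$2; keep=${3:-7}
    mkdir -p "$dest"
    # a sequence number keeps names unique and sortable even for several runs a day
    seq=$(( $(cat "$dest/.seq" 2>/dev/null || echo 0) + 1 ))
    echo "$seq" > "$dest/.seq"
    name=$(printf 'wp-files-%s-%06d.tar.gz' "$(date +%Y%m%d)" "$seq")
    # -C so the archive holds paths relative to the parent and restores anywhere
    tar -czf "$dest/$name" -C "$(dirname "$src")" "$(basename "$src")"
    # a backup that cannot be listed is not a backup
    tar -tzf "$dest/$name" >/dev/null || return 1
    # prune: newest first by name (date, then sequence), drop everything past KEEP
    ls "$dest"/wp-files-*.tar.gz | sort -r | tail -n +$((keep + 1)) | while IFS= read -r old; do
        rm -f "$old"
    done
    echo "$dest/$name"
}

# wp_backup_count DEST: number of archives currently retained
wp_backup_count() {
    ls "$1"/wp-files-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# Usage (paths assumed), e.g. from a daily cron entry:
#   wp_backup /var/www/html /backups/wordpress 14
```

The manual “keep it forever” backup described above is simply an archive copied out of this rotation to a location the pruning step never looks at; whichever tool you use, restore a backup onto a scratch copy now and then to prove that it actually restores.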
Final Thoughts on Securing WordPress Sites
As a site creator and administrator, you need to realize that it’s next to impossible to prevent every form of hacking that’s out there today. But by taking a few simple steps to make your site harder to attack, your chances of remaining safe and stable go up dramatically. Even if the worst happens, having a good backup copy makes it quick and easy to get your site functioning again.
Take these steps today, and save yourself hours or maybe days of grief and stress in the future!