Things you can do
WordPress security is not about removing risk. You can’t. If a skilled hacker wants to get into your site, he will do it eventually. No, WordPress security is about reducing risk: making a break-in as hard as you can. The good news is that there are lots of things you can do easily.
WordPress Security Starts with Hosting
A huge number of websites are actually hacked through weaknesses in their hosting security. It makes sense, if you think about it. Why waste time trying to hack a single site when you can look for weaknesses in the hosting system? There’s not a huge amount you can do about your hosting company’s security, but you can ensure you use a professional hosting company with a good reputation. You can also take care to use a strong username and a very strong password on your hosting, email and FTP accounts. If you use cPanel, your login address should always be HTTPS, so your password is encrypted in transit rather than sent in the clear.
Contact your hosting company and ask whether you can log in via SSH, which is an added means of protecting your login. In most cases they will also help you set it up.
Get an SSL Certificate
It’s not a coincidence that one of the basic requirements if you want to have an online store which handles credit card transactions is that you get an SSL Certificate for your website. An SSL Certificate is what you need in order to use HTTPS, which is more secure than the more common HTTP. Read more about HTTPS and SSL here.
Keep it all updated
One of the most basic and easiest things to do is to ensure that you keep WordPress and the plugins and themes you use up to date. Each updated release of WordPress contains an assortment of security fixes, patches and bugfixes. Each update adds an extra safeguard and ensures your site is as secure as possible. And if you’re not actually using a theme or plugin at all, delete it: inactive code can still be exploited. You can always upload it again in the future if you want it.
Admin username and password
Most hackers prefer to enter websites via the front door, by logging in. That means they need to find a username and a password. If your admin username is ‘admin’, ‘adm1n’, ‘administration’, ‘office’, ‘manager’ or something like that, you’ve just made the hacker’s job much easier. If your password is ‘password’ or something similarly silly, well, you just left the door wide open and the key in the lock for good measure. Even so, the solution is simple:
Go into your admin ‘users’ section and create a new user with an unguessable username. Make this new user an administrator and be sure it has a strong password. Then, after you save your new admin username, delete the old user. When WordPress asks you what to do with the pages and posts created by the old user, attribute them to your new username – the option will be on-screen in front of you.
Page and Post Authors
A hacker can look for the admin username by looking to see who created your pages and posts, and there are several ways he can find this information. One solution which we always employ is to create a new user and make it an ‘author’. Give this user a good username and a strong password and save it. When you create a page or post, choose this ‘author’ username as the page/post author. That way, even if a hacker finds the username and cracks the password, he still isn’t entering the site as an administrator.
You’ve almost certainly used two-factor authentication before. We hate it to bits, and it’s a real pain in the butt, but it creates a very effective barrier against hackers. Even if you don’t use it for all your users and subscribers, using it for your admin accounts is a very good idea. Some security plugins such as WordFence (more on this later) offer this facility, or you can look at standalone plugins like ‘Google Authenticator’ which is free and available from the WordPress.org plugin library.
Lock the back door
Making your home secure doesn’t stop at buying a security door with top quality locks. You need to think about other doors and windows too. And so it is with WordPress security – not everybody tries to come in via the login page.
You can start by making wp-config.php and .htaccess inaccessible from the web, and it will take you all of about 10 seconds to do. If you have cPanel or something similar for your hosting, simply open your file manager and find your .htaccess file. Then paste this code into it:
That’s all it takes to stop anybody accessing your wp-config.php and .htaccess files over the web.
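As an added example (not code from the original post), here is an .htaccess block that does this job. It assumes an Apache host with .htaccess overrides enabled; nginx ignores .htaccess entirely, so there you would need an equivalent `location` rule in the server config instead.

```apache
# Added example, not from the original post: deny all web requests for
# wp-config.php and for any .htaccess / .htpasswd file in this directory tree.
# Both Apache versions are covered; only the matching <IfModule> block applies.

<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    <FilesMatch "^(wp-config\.php|\.ht.*)$">
        Require all denied
    </FilesMatch>
</IfModule>

<IfModule !mod_authz_core.c>
    # Apache 2.2 (older syntax)
    <FilesMatch "^(wp-config\.php|\.ht.*)$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>
```

To check it worked, request https://your-site.example/wp-config.php in a browser or with curl: you should get a 403 Forbidden, not a 200 or a blank page. If you still get a 200, the host has most likely disabled .htaccess overrides and you will need to ask them to enable `AllowOverride` or apply the rule for you.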