There is no disputing the fact that WordPress (WP) is the leading content management system in the world. It was released May 27, 2003 and is currently installed on more than 75 million websites. Over 5% of all US registered domains run on it and WordPress.com receives more unique monthly visitors than amazon.com.
The open source nature of the software means that any weakness is open to abuse and exploitation. Add the opportunity to exploit one of the 35,537 plugins totaling over 800 million downloads and you could keep an army of hackers very busy for many years.
The current frequency of attacks across all WP sites running the security plugin Wordfence is over 20,000 attacks per minute! Every day, servers hosting WP sites and the sites themselves are attacked hundreds or possibly even thousands of times.
With such a big opportunity for abuse, every WP site owner has to put some security in place to keep their installation from being left open to attack. The good news is there are plenty of ways to secure a WP site. And, as with the software itself, the user doesn’t need extensive technical knowledge in order to protect their site.
This article outlines security measures for anyone wanting to protect a WP site. It gives easy, non-technical ways anyone can own a secure site in 80 minutes or less, and the work doesn’t need to be done all at once. If you have as little as 5 minutes available, you can complete one of the steps. The time allotted for each step is generous. If you find you are using more than the stated time, you may be overthinking the process.
The Security Plugin. This is the workhorse around which all my other suggestions revolve. There are a number of plugins that provide at least the basic protection necessary to a secure site. My personal choice is Wordfence by wordfence.com. The free version includes more useful features than some premium products. Installing it is as simple as installing any other plugin.
The only thing that must be added is a working email address for the alert messages the software sends; there are a number of other useful settings, but this is the one an administrator has to set. If you are the only user who logs in, you can make the Login Security Options quite strict. Each option is well documented, so read the information for any setting you do not understand. Even if you take the time to read all or most of the documentation for each setting in the plugin, your time to complete this step is 20 minutes or less.
Update the core software and all plugins. WP core updates are done automatically now. If your installation is too old to update itself, your site is in serious jeopardy (but still updateable in 5 minutes or less). Happily, a few plugins like Wordfence and some themes are also self-updating. Out-of-date core software, themes and plugins are a major source of compromised sites.
Updates almost always include security fixes. The changelog contains specific details about what changed, and the rest of the internet fills in any unknowns about how to attack sites that have not yet applied the fix. It is no surprise that as soon as an update is released, hackers make a big push to exploit these newly disclosed weaknesses.
It’s very important to keep your WP installation up to date and Wordfence is very helpful with this task. Wordfence will contact you when updates are available. Be sure to mark these emails as a priority and make the needed changes as soon as you can. The time required to make these changes in your site is 5 minutes or less.
Remove the admin login. A default WP install uses admin as the username for logging in. Choose a different user name for any new installations you make. Keep in mind that the system will display the Editor’s name publicly, so choose a user name that is different from your first name, last name or nickname.
If you are already using admin as the login user in an existing installation, there is an easy fix. Add a new user (log in and choose Users > Add New) with the role of Administrator and, please, use a nice strong password (there is more about passwords later in this post, but for now, choose a STRONG password; if you tick the box, Wordfence will programmatically check the strength of your passwords for you).
Log in as the new user and delete the old admin user. You will be given the option to attribute all existing posts written by admin to another user. Choose this carefully so as not to delete any posts. The time required to remove admin from your site is 5 minutes or less.
Add Multifactor Authentication. Multifactor is a big word for a simple concept. You have removed the admin user, so now a hacker has to determine two different, unknown items (username and password) before gaining access to your WP Dashboard. If you are the only user to log into WP, another password item and a third level of security can easily be added. The Stealth Login Page plugin very easily adds this additional level of protection to your site. This may be more effort than your users are willing to make; if you have a membership site, or lots of users, this may not be an addition you want to make.
But if you are the only one, or one of a few, who log in, the plugin is a good addition. After installing the plugin, go to Dashboard > Settings > Stealth Login Page. Choose a word. Think of it like a PIN, only it’s the same word for everyone. You can make the word as long and as complicated as you want. Now three separate items are required before logging into your Dashboard. There is also an option to redirect incorrect login attempts to another URL. I’d never miss an opportunity to make life harder for a hacker. You could set it for google.com or have some fun and enter www.spamcop.net. Other than a check box for sending an email with the new word to the administrator, that’s it. Total time to add and configure the plugin is well under 5 minutes.
Back up your installation. You may never need a backup of your site, but IF you do sometime need to restore a file, your database or, heaven forbid, your whole site, restoring it will be a manageable task, assuming you have something to restore the site from. Unless it’s carefully detailed in your Terms of Service (and you pay a fee for it), you cannot expect your host to do your backups for you. Many hosts back up at the account level, meaning they may not be able to restore anything short of your whole account. And they may charge you for doing any kind of work to restore your site.
The backup process is a server-related issue and I believe that when it’s possible, the server should do the tasks it does best. So, I do my backup processes using cPanel. But I also know that many site administrators are not technical. It’s very important that your site be backed up. If you can find understandable documentation for using your server to provide your backup, great! If not, my search for “back up” in New Plugins returned 1,600 items. You will want to pick a method or plugin that will send you copies of the backups. If you can provide it, backups should be stored on the server, on your PC hard drive at home and possibly using some form of offsite (meaning not on your server or your home PC) storage.
The frequency of the backups will be determined by how often you update your WP site. If you make a few posts a month to a blog and you have a hard copy of each post in MS Word, then you may only need to back up that site monthly. But if you have a busy eCommerce site, you may want to make several backups per day.
Backups are very important to the long-term success of your site. The Small Business Administration rates the loss of data with no means of backup as a common cause of business failure. You may not be using your site for business, but the same logic applies. Attempting to manually replace lost data may not be practical for your site. The time required to choose and configure a backup solution is 20 minutes or less.
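For readers who do want the server to do the work, here is what a server-side backup job for the files, the database and the retention schedule described above looks like. This is an added example written for this page; it is not code from the article, nor a Wordfence or cPanel feature. It assumes tar, gzip and the mysqldump client are present on the host, that the site lives at WP_ROOT (defaulting to /var/www/html) and that backups are written to BACKUP_DIR (defaulting to /backups/wp); all of those are assumptions to adjust for your own host.

```shell
#!/bin/sh
# Added example, not code from the article: a small server-side backup routine for
# a WordPress site. It archives the document root, dumps the database and prunes
# old copies. WP_ROOT and BACKUP_DIR are assumed defaults; set them for your host.

# Read a define('KEY', 'value') constant out of wp-config.php so the database
# credentials are kept in one place and not copied into this script.
# usage: wp_config_value /var/www/html/wp-config.php DB_NAME
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Archive the whole WordPress directory: wp-content holds uploads, themes and
# plugins, wp-config.php holds credentials and salts. The archive stores paths
# relative to the parent directory, so it can be restored to any location.
# usage: backup_wp_files /var/www/html /backups/wp   (prints the archive path)
backup_wp_files() {
    wp_root=$1
    dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"
    archive="$dest/files-$stamp.tar.gz"
    tar -czf "$archive" -C "$(dirname "$wp_root")" "$(basename "$wp_root")" || return 1
    echo "$archive"
}

# Dump the database with the credentials from wp-config.php. --single-transaction
# gives a consistent snapshot of InnoDB tables without locking the live site.
# Needs the mysqldump client on the server; DB_HOST is assumed to be a plain
# host name (WordPress also allows "host:port", which would need splitting).
# usage: backup_wp_db /var/www/html /backups/wp   (prints the dump path)
backup_wp_db() {
    cfg="$1/wp-config.php"
    dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"
    dump="$dest/db-$stamp.sql.gz"
    tmp="$dump.partial"
    # The password is passed through MYSQL_PWD rather than on the command line,
    # so other users on the host cannot read it from the process list.
    MYSQL_PWD=$(wp_config_value "$cfg" DB_PASSWORD) \
    mysqldump --single-transaction \
        -h "$(wp_config_value "$cfg" DB_HOST)" \
        -u "$(wp_config_value "$cfg" DB_USER)" \
        "$(wp_config_value "$cfg" DB_NAME)" > "$tmp" || { rm -f "$tmp"; return 1; }
    gzip -c "$tmp" > "$dump" || return 1
    rm -f "$tmp"
    echo "$dump"
}

# Keep only the newest $3 files named "$2-<stamp>..." in $1. The stamp sorts
# lexicographically, so "sort -r" lists newest first and tail skips the survivors.
# usage: prune_backups /backups/wp files 7
prune_backups() {
    dest=$1
    prefix=$2
    keep=$3
    ls -1 "$dest"/"$prefix"-* 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
        while read -r old; do
            rm -f "$old"
        done
}

# One full run, keeping a week of each kind. Copy BACKUP_DIR off the server
# afterwards (rsync, scp or the host's own tools): a backup that only lives on the
# machine that was compromised or lost its disk is no backup at all.
run_backup() {
    root=${WP_ROOT:-/var/www/html}
    out=${BACKUP_DIR:-/backups/wp}
    backup_wp_files "$root" "$out" || return 1
    backup_wp_db "$root" "$out" || return 1
    prune_backups "$out" files 7
    prune_backups "$out" db 7
}

# Only run when invoked as "sh wp-backup.sh run" (for example from cron);
# sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then
    run_backup
fi
```

Run it from cron as `sh wp-backup.sh run` as often as the site changes (the post's monthly-versus-several-per-day choice is then just the cron schedule plus the retention count passed to prune_backups). The archive restores with a plain `tar -xzf` and the dump with the mysql client, so recovery does not depend on any plugin still working; and the offsite copy the post recommends is the step that turns this from a convenience into real protection.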
Password policies. I saved this for last because I believe it’s the item most likely to cause you to stop reading. Regularly changed, strong passwords are the easiest and fastest way to add security to your WP installation. It’s also natural for each of us to resent the loss of personal freedom that password security imposes. The aggravation triggered by the burden of using proper password procedures causes many of us to do some very careless things.
Last year’s top three most used passwords – “123456,” “password” and “12345678” just won’t do anymore. We all know at least some of the rules for good passwords but most of us just won’t go to the extra trouble. However, speaking from experience, you may change your mind if you become a hacking victim. There are a number of password solutions; most are free or nearly free. I strongly suggest you Google for “password manager” and pick one.
Sure, there are different features provided by each vendor, but I urge you to pick one. I use LastPass (https://lastpass.com/) but your needs may vary. It’s a little added work at first, but like going to the dentist, you will feel a lot better when it’s over. And it wasn’t nearly as much work as I expected it would be. I have about 250 sites in my LastPass Vault, not that I think that is a lot.
A password manager is more than just a way to generate secure, unique passwords for all the sites you visit using a password. It also offers you protection against password harvesting should your desktop or laptop computer become infected by malware. I believe that servers are hacked using information stolen from your pc more than any other method of attack.
All you have to do is start the password manager process. At a minimum you should add all your server information to your chosen password solution. That includes server and account passwords, FTP, email, SSH, hosting logins, MySQL user and database names and passwords. Then remove all this information from your PC. Let your new password manager create new passwords for these server services as you use them (and gain trust in the software). The time required to choose a password solution and to begin entering your site information is 30 minutes or less.
In less than an hour and a half, you should have a very secure WP website. Congratulate yourself and give yourself a treat.