This guide features the simple WordPress security measures that any content creator can implement today. Do this to secure your WordPress blog, help prevent hacking attacks and keep your content safe.
Do a WordPress security scan to figure out if you have an issue
WordPress is the most widely used CMS (content management system) for publishing content online. WordPress’ popularity makes sites hosted on it a regular target to brute force login attempts and other hacking attacks despite them taking the security very seriously.
These attacks are automated across all the hosting platforms and aim to discover WordPress security issues. They attempt to find WordPress blogs with security vulnerabilities such as the use of the default username, weak passwords, outdated WordPress version and outdated themes and plugins.
Don’t let this happen to you.
There are several WordPress security scan tools you can use to figure out if your blog has an existing vulnerability. They scan for malware, malicious scripts, blacklist status, out of date software and other known security issues. These are some of the best free options:
WordPress security 101
Let’s start with the WordPress security checklist of tips you should do in order to keep your blog safe and secure.
Create a new user account and limit access
It’s harder for a hacker to break into your WordPress account when both username and password have to be cracked. That is why you should create a new user and delete the WordPress default “admin” user. This is one of those things I do as soon as I setup a new WordPress blog.
This is also why you should reduce the number of people who have admin access to your blog to a minimum. Anyone who doesn’t need admin access right now should not have it. WordPress makes this easy to implement with the different roles and capabilities.
Usernames such as the default “admin” are the most frequent targets of these attacks. They should be deleted and not used.
- You create a user by going into “Users” then “Add New” in the WordPress menu.
- When creating the new user, make sure to give it the role of an “Administrator”. That will ensure that you have the full authority over your site.
- Now just log out from your default “admin” account and log in with the new user details.
- In “Users” delete the default admin username.
- Make sure to choose the option to transfer your old posts to your new username when deleting the “admin” account.
Do this first before going to the next step.
Use a strong password
Do not use simple passwords on your WordPress account. Simple passwords might make it easy for you to remember it, but they are also easier for a hacker to crack.
Use stronger and more secure passwords instead. Your password should be:
- At least twelve characters long
- It should include numbers
- It should include special characters
- It should include uppercase and lowercase letters
This is a tool that helps you create strong passwords.
Change your password now before going to the next step.
Set a new nickname
You do not want your new username to be the author name that is shown on all posts. This way the hackers will have an easy way of finding your actual username. That means they will know 50% of the details they need to know to log in to your admin.
Make it harder for them to figure out your username and password. Set the nickname WordPress uses as author name to something different from your username.
- You do this in “Users” under “Your Profile” in the Nickname field.
- Choose a new nickname and set “Display name publicly as” to your new nickname.
Turn on 2-Step Verification
There’s an easy way to stop these attacks. Turn on the two-step verification. This adds an extra layer of security to your WordPress login.
You sign in with your password and then a code is sent to your phone number that you need to type in too. Without having access to your phone, it is simply impossible to break through the login page.
WordPress has created Jetpack plugin which allows you to turn on the Secure Sign On. This lets you log in to your self-hosted site with your WordPress.com credentials. It also allows you to require a two-step authentication. You also have the ability to disable the default WordPress login form.
Simply install and activate Jetpack plugin in your WordPress admin. Turn on the “Single Sign On” option. Tick the box to “Require Two-Step Authentication”.
Insert this code to your theme’s functions.php file to disable the default login form:
add_filter( 'jetpack_remove_login_form', '__return_true' );
Now you can only log in through your WordPress.com login details. Remember to make sure that you use a strong password there too.
Disable logins from certain IP addresses
Two-step verification is the recommended option. If you don’t want to use it, you have some alternatives.
- Jetpack’s Protect is a plugin that monitors all failed login attempts on the network of sites hosted by WordPress. It then automatically blocks all these unwanted tries from the rest of the network.
- Limit Login Attempts plugin works on a local level. It records the IP address of every failed login attempt on your account. If a certain number of login attempts are detected within a short period of time, the login is disabled for all requests from that IP range.
If you review unsuccessful login attempts, you will recognize why the step number one is essential. Majority of login attempts are made using “admin” username. Please do make sure to remove it and use a different username as described in step 1 above.
Blacklist IP addresses from logging into your admin
There are also several more advanced versions of hardening WordPress. You could also blacklist everyone from logging to your admin except yourself.
- Go into the /wp-admin/ folder of your WordPress installation and open the .htaccess file.
- Add this code anywhere in the file but make sure to add your IP numbers.
- Type “what is my IP” in Google to find your IP address.
order deny,allow deny from all # whitelist home IP address allow from YOURIPNUMBER # whitelist work IP address allow from YOURIPNUMBER # whitelist holiday IP address allow from YOURIPNUMBER
You can put more than one IP address in there. It’s useful if you’re a digital nomad and move quite a lot.
Now when someone tries to access the login page of your WordPress they will get this message:
Forbidden. You don’t have permission to access /wp-admin on this server.
The big downside is that if your IP address changes you would need to update the document with your new IP. This can become a boring thing to do especially if your IP address changes often.
Another negative is if you travel a lot of use internet from different locations. Every time you would need to login to FTP, find your IP address and put it into the .htaccess file.
Block bots from accessing WP-Admin login page
This means that if and when a bot stumbles upon your site and tries to log into your WP-Admin it will be blocked. It won’t be able to do any damage.
To prevent the bots, you need to locate your .htaccess file on your server in your main directory. It’s not the same one in /wp-admin/ folder that we used in the step above. Paste this list at the top of your file.
Do not allow guest user registrations
You don’t have a membership site? Then there is no reason to allow visitors to register for a guest account.
Check that you’ve got registration turned off. Click “Settings” and make sure that “Anyone can register” option is unticked.
Do not allow pings
WordPress with pingback option enabled can be used in DDOS attacks against other sites. This option is enabled by default, so it is important to disable it.
In “Settings” go into “Discussion” and in “Default Article Settings” tick off “Allow link notifications (pingbacks and trackbacks)”.
Activate one of the best WordPress security plugins
They both do quite a few things to make your site safer. This includes forcing you to use stronger passwords, and making you delete the admin username. They also do block bot traffic and help you do regular security scans.
Keep an eye on the Webmaster Tools
Google Webmaster Tools is a valuable resource even for your site security. Keep an eye on the “Security Issues” section. It notifies you if Google detects malware or any other security issues with your site.
If you get a notification you should act quickly to fix it.
Set your WordPress and plugins for automatic upgrades
Always upgrade to the latest version of WordPress. Do the same for the latest version of your theme and plugins you use. Main reason developers release new versions frequently is the security vulnerability found in older versions.
25% of all WordPress security compromises in first quarter of 2016 happened through three outdated plugins. TimThumb, RevSlider, and GravityForms. All of them have been fixed in their most recent versions, so do make sure to upgrade.
Upgrading is simple, automated, one-click processes within the WordPress interface.
When there is a new update available, WordPress will give you notice on top of your dashboard. It will say “WordPress X is available! Please update now”. Click on it and your upgrade is a simple one-click away. No excuses not to upgrade.
The most recent versions features automatic background updates. You may find that your WordPress upgrades to the latest version while you sleep.
Using Jetpack also allows you to set all your plugins to be updated automatically too. Even for your self-hosted sites. Simply switch on “autoupdates” on WordPress.com in “Plugins” section of the “My site” area.
Are you afraid to upgrade because of some old WordPress theme you are using? Do you fear it’s not compatible with the new WordPress? Please switch over to something more modern. Something that you know has a serious developer and a community behind it.
Limit the number of plugins and themes installed
This helps keep the entry points of attacks down to a minimum. Only install themes and plugins that you actively use and that are necessary to run your blog. Remove anything that is not used.
Always take an opportunity to minimize the number of plugins you use. Jetpack for instance alone can replace several different plugins.
Using the WordPress Gutenberg editor can help you create beautiful posts without extra plugins.
I recommend you not to download themes and plugins from unknown sources. Use only the official WordPress directory and the official websites of trusted sources such as premium themes and plugins. These are the quality signs to look for in a plugin or a theme:
- A high number of downloads and active users
- Regular updates
- Recent last update
- Good reviews
Take regular backups automatically
Taking regular backups of your content and database is important. Any upgrade of WordPress could possibly lead to an unforeseen situation. The database may become corrupted for example. Hosting providers execute their system backups on their part.
You should still take personal responsibility in doing regular backups yourself. WordPress consists of two parts:
- Database: a place where all settings, pages, posts, and comments are stored
- Files: which consist of media, attachments, themes, and plugins.
It’s recommended to perform a full backup of the entire site. Both the database and the files. In case something happens to your site, you can always use the backup to recover your files.
The most convenient way for non-tech-savvy users is to use a backup plugin. There are a plethora of available plugins. One of them is UpdraftPlus.
Do the first backup right now if you haven’t done it already. Really. You will continue building and growing your website with a much bigger confidence.
No more WordPress security problems
These simple steps can be executed fairly quickly to improve your WordPress security and will make your site so much harder to break into. You probably won’t have a hacking problem. You’ll feel safer. You’ll be able to focus your time on writing exciting content and building an audience.