How Good Is Your WordPress Security?
There are a lot of websites in existence which use WordPress. It’s a great choice for most situations. It simplifies the process of managing your website. However, there’s a lot more involved than just simply installing it out of the box and adding content. It’s too easy to just work on how your website looks, or how a certain feature functions. How about all the important components which work quietly in the background? One of the most important, but neglected aspects is WordPress security. Let’s go over a number of key WordPress security points which should be taken into account.
Remember there’s no such thing as an absolutely 100% perfectly secure website. If enough work is done, any website can eventually be broken into. Just look at all the government, military and corporate websites which are broken into around the world. One of the key components of good security is to put as many barriers in the hacker’s way as is reasonably possible. It then becomes too bothersome for them to continue. After all, why should they work extra hard to break into a secure website when there are so many unsecured ones available? Your WordPress security doesn’t have to be the best, just better than the majority of other sites.
This first point is so obvious, I almost don’t even want to bother mentioning it. However, so many people still use easy to guess passwords. Don’t use words which can be found in the dictionary. Use a combination of capital letters, small letters, numbers and special characters. It may be a pain, but it’s more painful to deal with a compromised website. This is more of a general security point instead of a WordPress security point.
2) WordPress Header
By default, WordPress states in the header that the website is using WordPress. This makes it convenient for hackers to know what type of hacking software to use. Of course, with enough investigation, they’ll figure it out anyway, but let’s not make it any easier than it needs to be. Remove this meta tag from your site. This WordPress security point is often overlooked.
3) Hide Update Notifications
If visitors to your website can create an account which enables them to log into the WordPress backend, be sure they can’t see what updates are available. The more someone knows about the current status of your CMS (content management system) and the various third-party components, the better their chances of finding a vulnerability.
Keep your WordPress
4) Admin User
A lot of website administrators use the default user name “admin”. Someone who wants to break into your website only has to work on figuring out the password, not both the user name and password. There is a lot of effort made to convince people to use strong passwords. Using strong user names at the same time helps keep your site safe. If your user name is admin, change it. If you can’t change it, create a new user account with a new name and delete the old one. Your WordPress security counts on it!
5) User ID 1
When WordPress is first installed, the admin which is created is assigned an id number of 1. Knowing that the website administrator has this id number makes it just one bit easier to work out a way to compromise the database and gain access to the site. Check to make sure that none of the users have an id with the number 1.
6) Database Table Prefix
During the installation procedure you are given an opportunity to change the database table prefix. By default it’s set to “wp_”. Make sure it’s set to a random set of letters. This makes it harder for automatic hacking scripts to compromise your database. It’s a simple item which can be done during installation which will keep your WordPress security better than most.
7) Automated Scheduled Backups
No matter how well you secure your website, there’s always a possibility that it gets broken into anyway. Therefore you need to have a system setup which automates regular backups of your website. There are a number of different ways to do so. Be confident that even if your entire website is wiped out, that you can restore it with a recent backup.
8) Admin Area Lockout
You don’t need access to your website admin area 24/7, so why make it available all the time? Chances are you’ll never need to log into your website during your normal sleeping hours. Lock it up so that it’s inaccessible during that time. That means automated hacking programs which run 24/7 will have a smaller window of opportunity.
9) Block Known Bad Hosts
You may be familiar with the fact that there are black lists of known spammers. Well, there are also black lists of known bad hosts, which are used to break into websites. To stay safe, don’t even allow them access to your website at all. Block them using a black list and prevent them from even being able to view your site. This point alone will increase your WordPress security by quite a bit.
10) Brute Force Attacks
WordPress allows users to try to login over and over again. This may be useful for users who have difficulty remembering their login information, but it’s even more useful for hackers. Their automated scripts go through dictionaries and commonly-known user names and passwords to try and break in. This is known as a brute force attack. Your login area should only allow a set number of attempts before the IP address is blocked from further attempts. To make it a bit more user friendly, these blocked IP addresses can be unblocked automatically after a set period of time.
These are the first ten WordPress security points which you can look into. Hopefully you already have at least some of them covered. If not, it’s time to look into getting things locked down. Admittedly most of these items will have to be done by a professional. Many of them are not provided as available options within the WordPress user interface.
Make sure you read part two of this series to find out even more WordPress Security issues which you should be aware of.