It’s no secret: securing your website is vital for protecting your own data as well as any visitor data you may be collecting. You also need to protect against attackers trying to take over your site for their own gain. Always think about security online, especially when it comes to your website.
Go through our WordPress Security Checklist below to see if you’re protected. Don’t forget to check back occasionally – we will update this page as new tactics come to light.
Part 1: WordPress Settings
These are the easiest changes you can implement on your own. In just a few steps, you’ll have increased your resilience against brute-force attacks – the most common WordPress hacking method.
Remove ‘admin’ username
The ‘admin’ username is the first guess a brute-force bot makes when trying to gain access to your website, because it is the default username when you install WordPress. Most site owners change the default username during installation, but if you still have this username, remove it immediately. Create a new user with administrator rights, then delete the ‘admin’ user; when you delete it, WordPress lets you attribute all of its existing content to the newly created user.
Set ‘Display name publicly as’ so it does not match username
The same brute-force bots will often crawl your site and copy author information. If you’ve set the ‘Display name publicly as’ option to match your username, the bot now has your username and will use it to try and break into your site.
Change this option in Users > Your Profile or from the Users > All Users dashboards to hide this data from future site crawls.
Change passwords to exclude common phrases
If the brute-force bots manage to figure out your username, they will keep trying new passwords to break in. Their best guesses will usually be common passphrases and words related to your site. For your safety, don’t use your name, your site name, ‘password’, 123456, or any other commonly used password.
Part 2: Plugins
Installing a few plugins will dramatically improve your protection against attackers and prepare you for the worst case scenario: server wipes.
Limit Login Attempts
Even if brute-force bots manage to figure out your username, you can shut them down easily by limiting their login attempts. Install this plugin to ban a client for a while if it guesses the password incorrectly too many times.
Akismet
Block spam comments with the largest anti-spam network on WordPress. Akismet shares a list of all the spammers from every site it’s installed on and uses it to block new spam comments. This includes harmful SEO backlinks and potentially malicious code.
iThemes Security
With a slew of security checks, iThemes Security dives deep into your WordPress site to change some hard-to-reach settings that we’ll mention below. Sporting IP whitelists and blacklists, it can ban IPs automatically with its integrated limit-login-attempts function. The pro version offers strong password enforcement and even two-step authentication.
Backup Buddy
Nothing is more important than backing up your site. Backup Buddy allows you to schedule backups of both your database and your entire site. You can also send the backups to a cloud server or to your email inbox – even if your server is wiped clean you’ll still have a fallback!
Malcare
If you’d like to avoid a plugin doing the heavy lifting on your server, then Malcare is an excellent option. This plugin scans the website on its own servers, so it puts no load on your server resources. It offers fully automated malware removal to get rid of viruses and backdoors.
Part 3: Advanced Tactics
Though they only account for a small number of use cases, these advanced changes (handled mostly by the iThemes Security Pro plugin) can round out your web security against very specific attacks beyond the common brute-force attack.
* Relocate /wp-admin, /wp-login, and /wp-content directories
Every WordPress attacker knows the default location of these directories. By moving them elsewhere you’ll increase your chances of thwarting automated attacks.
Set a password for the /wp-admin directory
Requiring a password before /wp-admin can even be reached is a great extra level of defense against anyone who wants to gain access. You’ll need to submit the extra password every time you want to log in, but it’s a very thorough way to protect your files. There are a few plugins for this, but manual setup is the safest.
Reset the database password to something absurdly hard
The database password is only used by WordPress to connect to the database and read your content. In the rush of installation, many database passwords are quickly set to something simple. Changing the MySQL database password to a ridiculous 50-character password is an easy way to lock down the database even if an attacker manages to get through the layers of server security and query your database directly.
* Use an IP Whitelist
An IP whitelist is a list of IP addresses that the server is allowed to give access to. Usually, anyone not on the whitelist will be blocked from direct access.
* Use an IP Blacklist
Akin to the IP whitelist, the blacklist is a list of IP addresses that are permanently banned from the server. Anyone on the blacklist will be blocked from direct access.
* Remove WordPress Version
By default, WordPress publicly displays the version of WordPress you are running. Attackers can use this information to target known holes in that version. Hiding the version number is a quick fix that gives them less information to work with.
* Remove Unnecessary Header Codes
WordPress comes standard with a few hooks for themes to use in combination with some third-party APIs. Generally, you won’t need them, but feel free to review and remove them as you see fit with a few lines in your theme’s functions.php file.
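As an added example for the two items above (this is not code from the page, from iThemes Security, or from any plugin it names), the following must-use plugin removes the version tag and the discovery links WordPress prints in `<head>`. The hook and function names passed to `remove_action` are WordPress core’s; the file location and the helper name `example_strip_core_version` are my assumptions.

```php
<?php
/**
 * Plugin Name: Hide Version and Trim Head Links (added example)
 * Save as wp-content/mu-plugins/trim-head.php (path assumed) so it loads on every request.
 */

// 1. Remove <meta name="generator" content="WordPress x.y"> from <head>, and the
//    same generator string from the RSS/Atom feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 2. Core script and style URLs carry ?ver=<WordPress version>; strip that query
//    argument only when it equals the core version (plugin assets keep their own).
function example_strip_core_version( $src ) {
    $core_version = get_bloginfo( 'version' );
    if ( false !== strpos( $src, 'ver=' . $core_version ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'example_strip_core_version', 15 );
add_filter( 'style_loader_src', 'example_strip_core_version', 15 );

// 3. Discovery links most sites never use. The second argument is core's function
//    name; the third, where given, is the priority core registered it with.
remove_action( 'wp_head', 'rsd_link' );                       // Really Simple Discovery (XML-RPC clients)
remove_action( 'wp_head', 'wlwmanifest_link' );               // Windows Live Writer manifest (older WordPress)
remove_action( 'wp_head', 'wp_shortlink_wp_head' );           // <link rel="shortlink">
remove_action( 'wp_head', 'feed_links_extra', 3 );            // per-category and per-comment feed links
remove_action( 'wp_head', 'rest_output_link_wp_head' );       // REST API discovery link
remove_action( 'wp_head', 'wp_oembed_add_discovery_links' );  // oEmbed discovery links
```

Must-use plugins load before the theme, after core has registered its default `wp_head` actions, so the `remove_action` calls take effect without needing an `init` hook. Calling `remove_action` for an action that is no longer registered (such as `wlwmanifest_link` on recent WordPress releases) is harmless. Check the result by viewing the page source and the HTTP response headers: the generator tag, the discovery links, and the `ver=` query string on core assets should be gone.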
* Reset the Admin User ID 1
Just like using the username ‘admin’, leaving your original administrator with ID 1 potentially lets attackers discover your admin username. This would open your site up to a brute-force attack on that username.
* Change the default wp table prefixes in your database
When installing WordPress, the tables are created with the prefix ‘wp_’ unless told otherwise. Attackers know this and can use it in automated SQL injection attempts against your database. Change the default prefix so they don’t know your exact table names.
* Hide WordPress Login Errors
If you use the wrong password, WordPress will tell you whether you’ve guessed the wrong password or the wrong username. By hiding this information, bots won’t know which half of the login they got wrong, which can buy you a lot of time. The less information they have, the better.
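The following must-use plugin is an added example (not code from the page or from the Limit Login Attempts plugin) that implements both the login throttling from Part 2 and the neutral login error described above: it counts failed logins per client address in a transient, refuses further attempts once the limit is reached, and collapses WordPress’s “unknown username” and “incorrect password” results into one message. The hook names (`wp_login_failed`, `wp_login`, `wp_authenticate_user`, `authenticate`) and error codes are WordPress core’s; the constants, function names, file path and the 5-attempts/15-minutes numbers are my assumptions.

```php
<?php
/**
 * Plugin Name: Login Throttle and Neutral Login Errors (added example)
 * Save as wp-content/mu-plugins/login-throttle.php (path assumed).
 */

define( 'EXAMPLE_MAX_FAILURES', 5 );                          // failures allowed before lockout
define( 'EXAMPLE_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );  // how long the lockout lasts

// Key the counter on REMOTE_ADDR. Behind a reverse proxy, configure the web server
// to restore the real client address first; do not read X-Forwarded-For here,
// because any client can set that header to whatever it likes.
function example_failure_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'example_login_failures_' . md5( $ip );
}

function example_is_locked_out() {
    return (int) get_transient( example_failure_key() ) >= EXAMPLE_MAX_FAILURES;
}

// Count every failed login; each failure restarts the expiry window.
function example_record_failure( $username, $error = null ) {
    $count = (int) get_transient( example_failure_key() ) + 1;
    set_transient( example_failure_key(), $count, EXAMPLE_LOCKOUT_SECONDS );
    if ( EXAMPLE_MAX_FAILURES === $count ) {
        $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( "example-login-throttle: lockout after {$count} failures from {$ip}" );
    }
}
add_action( 'wp_login_failed', 'example_record_failure', 10, 2 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( example_failure_key() );
} );

// While locked out, refuse before the password hash is even compared. Core applies
// this filter after it has found the user and before wp_check_password().
add_filter( 'wp_authenticate_user', function ( $user, $password ) {
    return example_is_locked_out()
        ? new WP_Error( 'too_many_attempts', 'Too many failed login attempts. Please try again later.' )
        : $user;
}, 10, 2 );

// Priority 100 runs after core's own authenticate callbacks: enforce the lockout for
// unknown usernames as well, and replace the two credential errors with one message
// so the response does not reveal whether the username exists.
function example_neutral_auth_result( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user; // blank form submission: keep core's empty_username result
    }
    if ( example_is_locked_out() ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed login attempts. Please try again later.' );
    }
    $credential_errors = array( 'invalid_username', 'invalid_email', 'incorrect_password' );
    if ( is_wp_error( $user ) && in_array( $user->get_error_code(), $credential_errors, true ) ) {
        return new WP_Error( 'invalid_credentials', 'Invalid username or password.' );
    }
    return $user;
}
add_filter( 'authenticate', 'example_neutral_auth_result', 100, 3 );
```

Because a rejected attempt during lockout is itself a failed login, `wp_login_failed` fires again and the window is extended, so a bot that keeps hammering stays locked out until it stops. Transients are stored in the options table unless an object cache is installed, which is fine at this scale; the `error_log` line gives you something to grep for when building the IP blacklist discussed below. Test it by entering a wrong password six times from one machine: the sixth attempt should show the lockout message even if the password is correct.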
* Enforce strong user passwords
Passwords are at the core of this article. Forcing your users to choose strong passwords is an easy way to give your site that extra edge against attacks.
* Force SSL for admin
If you have an SSL certificate for your site, it’s important that you don’t just use it on the front end. Forcing SSL for the admin area ensures that data sent to and from your server during administration is encrypted.
* Disable theme & plugin editors
Even if someone nefarious obtains your login information, you can limit the damage by preventing them from editing theme or plugin files from the dashboard.
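As an added example (not code from the page or from iThemes Security Pro), this must-use plugin enforces the password rules from Part 1 and this item: it rejects passwords that contain the user’s login or display name, the site name or host, the word “password” or “123456”, and anything too short or built from a single character class. It hooks the two places WordPress validates a chosen password, the profile/new-user form (`user_profile_update_errors`) and the reset-link form (`validate_password_reset`); those hook names and `$_POST['pass1']` are WordPress core’s, while the function names, file path, 12-character minimum and extra deny-list words are my assumptions.

```php
<?php
/**
 * Plugin Name: Enforce Strong User Passwords (added example)
 * Save as wp-content/mu-plugins/strong-passwords.php (path assumed).
 */

/**
 * Return the reasons $password is unacceptable; an empty array means it passes.
 */
function example_password_problems( $password, $user_login = '', $display_name = '' ) {
    $problems = array();
    $lower    = strtolower( $password );

    if ( strlen( $password ) < 12 ) {
        $problems[] = 'Password must be at least 12 characters long.';
    }

    // Substrings that must not appear anywhere in the password.
    $forbidden   = array( 'password', '123456', 'qwerty', 'letmein' );
    $forbidden[] = strtolower( get_bloginfo( 'name' ) );
    $host        = wp_parse_url( home_url(), PHP_URL_HOST );
    if ( $host ) {
        $forbidden[] = strtolower( preg_replace( '/^www\./', '', $host ) );
    }
    $forbidden[] = strtolower( $user_login );
    $forbidden[] = strtolower( $display_name );

    foreach ( array_unique( $forbidden ) as $word ) {
        // Skip blanks and fragments under 3 characters (a 2-letter name would reject everything).
        if ( strlen( $word ) >= 3 && false !== strpos( $lower, $word ) ) {
            $problems[] = sprintf( 'Password must not contain "%s".', esc_html( $word ) );
        }
    }

    // preg_match() returns 1 or 0, so this counts the character classes present.
    $classes = preg_match( '/[a-z]/', $password ) + preg_match( '/[A-Z]/', $password )
             + preg_match( '/[0-9]/', $password ) + preg_match( '/[^a-zA-Z0-9]/', $password );
    if ( $classes < 3 ) {
        $problems[] = 'Password must use at least three of: lower case, upper case, digits, symbols.';
    }
    return $problems;
}

/** Attach each problem to the WP_Error that WordPress renders above the form. */
function example_add_password_errors( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // password field left blank: the password is not being changed
    }
    $password     = wp_unslash( $_POST['pass1'] );
    $user_login   = isset( $user->user_login ) ? $user->user_login : '';
    $display_name = isset( $user->display_name ) ? $user->display_name : '';
    foreach ( example_password_problems( $password, $user_login, $display_name ) as $i => $message ) {
        $errors->add( 'weak_password_' . $i, $message );
    }
}

// Profile edits and "Add New User" in wp-admin: $user is the object built from the form.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    example_add_password_errors( $errors, $user );
}, 10, 3 );

// The "set new password" form reached from a reset link: $user is a WP_User.
add_action( 'validate_password_reset', 'example_add_password_errors', 10, 2 );
```

Both hooks fire before WordPress saves the password, so a rejected value never reaches the database; the user sees the listed reasons and can try again. The check is deliberately a substring test rather than an exact match, so ‘MySiteName2023!’ is rejected as well as ‘mysitename’.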
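The database password, table prefix, admin-over-SSL and file-editor items above are all set in `wp-config.php`. As an added example that is not from the page or from any project it names, here is the relevant excerpt with the weak defaults shown commented out above the corrected values. `DB_PASSWORD`, `$table_prefix`, `FORCE_SSL_ADMIN` and `DISALLOW_FILE_EDIT` are WordPress’s own settings; the database name, user, prefix and password strings are placeholders, not values from a real site.

```php
<?php
// Excerpt of wp-config.php (added example; every value below is a placeholder).

// --- Before: the defaults many installs keep ---------------------------------
// define( 'DB_PASSWORD', 'wordpress' );   // short, guessable database password
// $table_prefix = 'wp_';                  // default prefix, assumed by automated attacks
// (FORCE_SSL_ADMIN and DISALLOW_FILE_EDIT not set: admin over plain HTTP, file editor enabled)

// --- After -------------------------------------------------------------------
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );

// A long random secret generated outside WordPress (for instance with
// `openssl rand -base64 48` in a shell) and set on the MySQL user to match.
// The string below is a placeholder, not a real credential.
define( 'DB_PASSWORD', 'REPLACE-WITH-50-RANDOM-CHARACTERS' );
define( 'DB_HOST', 'localhost' );

// Non-default prefix: letters, digits and underscores only. On a fresh install set
// this before running the installer. On an existing site the tables must also be
// renamed, and the prefixed keys in the options table (wp_user_roles) and usermeta
// table (wp_capabilities, wp_user_level) renamed to match, or every user loses
// their role.
$table_prefix = 'x7k_';

// Serve /wp-admin and wp-login.php over HTTPS only (requires a working certificate).
define( 'FORCE_SSL_ADMIN', true );

// Remove the theme and plugin file editors from the dashboard for every user.
define( 'DISALLOW_FILE_EDIT', true );
```

After editing, load the dashboard once over HTTPS and confirm that Appearance > Theme File Editor and Plugins > Plugin File Editor no longer appear; if the admin area fails to load after the prefix change, the role keys in the options and usermeta tables are the first thing to check.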
* Track 404 pageviews
Looking at your 404 errors will give you quick insight into where any bots are poking around on your site. You can use this information to extend your IP blacklist (or to add content for regular visitors).
* Replace default jQuery file
WordPress comes standard with a jQuery file for running admin transitions. Replacing this file with a safer version is a small way to add an extra layer of protection.
* Disable author pages with 0 posts
WordPress automatically adds an author page for every user. If a user doesn’t have any posts, they shouldn’t have an author page. Once again, the less information attackers have, the better.
* Force unique nicknames
If your users choose the same nickname as their login name, bots can easily pick it up if your site displays the nickname. Force them to use unique nicknames and save yourself the potential headache.
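The checklist says to look at your 404s; as an added example of how to do that from the web server log (not code from the page or from any plugin it names), the PHP command-line script below parses Apache/Nginx “combined” access-log lines, counts 404 responses per client address, and reports every address over a threshold together with the paths it requested, which is the list you would review before adding anything to the IP blacklist. The log lines, addresses, threshold and function names are all constructed for this example.

```php
<?php
// Added example: summarise 404 responses per client IP from a "combined" access log.
// Run with: php summarise-404s.php (file name assumed). The lines below are constructed
// sample data using documentation addresses, not output from a real server.
$sample_log = <<<'LOG'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /backup/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /admin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /test/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:10 +0000] "GET /old-page/ HTTP/1.1" 404 512 "https://example.com/" "Mozilla/5.0"
LOG;

/**
 * Parse one combined-format line into ['ip', 'path', 'status'], or null if it
 * does not match (malformed lines are skipped rather than trusted).
 */
function example_parse_line( $line ) {
    // client - user [date] "METHOD path protocol" status ...
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) /';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'path' => $m[2], 'status' => (int) $m[3] );
}

/**
 * For every IP with at least $threshold 404 responses, return its count and the
 * distinct paths it requested, busiest address first.
 */
function example_summarise_404s( $log_text, $threshold = 3 ) {
    $by_ip = array();
    foreach ( preg_split( '/\R/', trim( $log_text ) ) as $line ) {
        $hit = example_parse_line( $line );
        if ( null === $hit || 404 !== $hit['status'] ) {
            continue;
        }
        $by_ip[ $hit['ip'] ]['count'] = ( $by_ip[ $hit['ip'] ]['count'] ?? 0 ) + 1;
        $by_ip[ $hit['ip'] ]['paths'][ $hit['path'] ] = true;
    }

    $report = array();
    foreach ( $by_ip as $ip => $data ) {
        if ( $data['count'] >= $threshold ) {
            $report[ $ip ] = array( 'count' => $data['count'], 'paths' => array_keys( $data['paths'] ) );
        }
    }
    uasort( $report, function ( $a, $b ) {
        return $b['count'] - $a['count'];
    } );
    return $report;
}

foreach ( example_summarise_404s( $sample_log ) as $ip => $data ) {
    printf( "%s: %d x 404 -> %s\n", $ip, $data['count'], implode( ', ', $data['paths'] ) );
}
```

On the sample data only 203.0.113.5 reaches the threshold of three; 198.51.100.7 produced a single 404 with a referrer from your own site, which is the “add content for regular visitors” case rather than a bot. To run it against a real log, replace `$sample_log` with `file_get_contents()` of the access log and raise the threshold to suit your traffic.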
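As an added example for this item (not code from the page or from iThemes Security), the following must-use plugin turns the author archive of any user with no published posts into a normal 404 page. `template_redirect`, `is_author()`, `get_queried_object()`, `count_user_posts()` and `set_404()` are WordPress core’s; the function name and file path are assumptions.

```php
<?php
/**
 * Plugin Name: No Author Archives for Users Without Posts (added example)
 * Save as wp-content/mu-plugins/empty-author-404.php (path assumed).
 */

function example_block_empty_author_archives() {
    if ( ! is_author() ) {
        return; // only author archive requests are affected
    }

    $author = get_queried_object(); // WP_User when the requested author exists
    $has_posts = ( $author instanceof WP_User )
        && (int) count_user_posts( $author->ID, 'post', true ) > 0; // public posts only

    if ( ! $has_posts ) {
        global $wp_query;
        $wp_query->set_404();       // make the main query report "not found"
        status_header( 404 );       // send the 404 status code
        nocache_headers();          // keep caches from storing the response
    }
}
add_action( 'template_redirect', 'example_block_empty_author_archives' );
```

Counting only public posts (`$public_only = true`) means a user whose posts are all drafts or private is treated the same as a user with none, so the theme’s 404 template is served instead of the author page.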
* Use two-factor authentication
Though it may be extreme, two-factor authentication is a thorough way to keep unwanted visitors out of your site. Two-factor authentication requires a password to be sent to an additional device in order to log in; so, your site would text your phone a new password every time.
* Handled by the iThemes Security Pro plugin.
Want to secure your site? Sign up with 99 Robots today and we’ll install iThemes Security Pro for free (an $80 value)!