It’s no secret, securing your website is vital for protecting your own data as well as any visitor data you may be collecting. You also need to protect against hackers trying to take over your site to use for their own personal gain. Always think about security online, especially when it comes to your website.
Go through our WordPress Security Checklist below to see if you’re protected. Dont forget to check back occasionally – we will update this page as new tactics come to light.
Part 1: WordPress Settings
These are the easiest changes you can implement on your own. In just a few steps, you’ll have increased your resilience against brute-force attacks – the most common WordPress hacking method.
Remove ‘admin’ username
The ‘admin’ username is the first guess the brute-force robot uses to try and gain access to your website because it is the default username when you install WordPress. Most site owners will change the default username during installation, but if you still have this username – remove it immediately. Create a new username, delete the ‘admin’ user, and WordPress will move all existing content to the newly created user.
Set ‘Display name publicly as’ so it does not match username
The same brute-force robots will often crawl your site and copy author information. If you’ve set the ‘Display name publicly as’ option to match your username, the robot now has that information and will use it to try and break into your site.
Change this option in Users > Your Profile or from the Users > All Users dashboards to hide this data from future site crawls.
Change passwords to exclude common phrases
If the brute-force attack bots managed to figure out your username, they will keep trying new passwords to break in. Their best guesses will often be focused on common passphrases and words related to your site. For your safety, don’t use your name, site name, ‘password’, 123456, or any bad passwords.
Part 2: Plugins
Installing a few plugins will dramatically improve your protection against attackers and prepare you for the worst case scenario: server wipes.
Even if brute-force attack bots manage to figure out your username, you can shut them down easily by limiting their login attempts. Install this plugin to ban users for a while if they guess the password incorrectly too many times.
Block spam comments with the largest anti-spam network on WordPress. Akismet shares a list of all the spammers from every site it’s installed on and uses it to block new spam comments. This includes harmful SEO backlinks and potential malicious code.
With a slew of security checks, iThemes Security dives deep into your WordPress site to change some hard to reach settings that we’ll mention below. Sporting IP whitelists and blacklists, you can ban IP’s automatically with their integrated limit login attempts functions. Their pro version offers a thorough strong password creation and even a two-step authentication.
Nothing is more important than backing up your site. Backup Buddy allows you to schedule backups of both your database and your entire site. You can also send the backups to a cloud server or to your email inbox – even if you server is wiped clean you’ll still have a fallback!
If you’d like to avoid a plugin doing the heavy lifting on your server, then Malcare is an excellent option. This plugin scans the website on its own servers and hence, there is no load on your server resources. It offers fully automated malware removal to get rid of all virus and backdoors forever.
Part 3: Advanced Tactics
Though they only account for a small number of use cases, these advanced changes (handled mostly by the iThemes Security Plugin Pro) can round out your web security for very specific hacks beyond the common brute force attack.
* Relocate /wp-admin, /wp-login, and /wp-content directories
Every WordPress hacker knows the default location of these file systems. By moving them elsewhere you’ll increase your chances of thwarting attacks.
Set a password for the /wp-admin directory
Setting a password before you can see the /wp-admin is a great extra level of defense to thwart any evil-doers who wants to gain access. You’ll need to submit the extra password every time you want to login, but it’s a very thorough way to protect your files. There are a few plugins, but manual setup is the safest.
Reset the database password to something absurdly hard
The database password is only used by WordPress to talk to the database and get your files. In the rush of installation, many database passwords are quickly set to be something simple. Changing the mySQL database password to some ridiculous 50 character password is an easy way to lock down the database even if a hacker manages to get through the layers of server security and query your database directly.
* Use an IP Whitelist
An IP whitelist is a list of IP addresses that are safe for the server to give access to. Usually, anyone not on the whitelist will be blocked from direct access.
* Use an IP Blacklist
Akin to the IP whitelist, the blacklist is a list of IP addresses that are permanently banned from the server. Anyone on the blacklist will be blocked from direct access.
* Remove WordPress Version
By default, WordPress publically displays the version of WordPress you are running. Hackers can use this information to target specific holes in that version. Hiding the version number is a quick fix for giving them less information to work with.
* Remove Unnecessary Header Codes
WordPress comes standard with a few hooks for themes to utilize in combination with some 3rd party apis. Generally, you won’t need them, but feel free to review and remove them as you see fit with simple codes for your functions.php file.
Just like using the username ‘Admin’, leaving your original ID as 1 allows hackers to potentially gain access to your admin username. This would open your site up to a brute-force attack on your username.
* Change the default wp table prefixes in your database
When installing WordPress, the tables are automatically added as ‘wp_’ unless told otherwise. Hackers know this and can use the information for automated SQL injections to your database. Change the default prefix to easily thwart them from knowing your exact table names.
* Hide WordPress Login Errors
If you use the wrong password, WordPress will tell you that you’ve either guess the wrong password or the wrong username. By hiding this information, bots won’t know that they’ve guessed wrong which can buy you a lot of time. The less information they have, the better.
* Enforce strong user passwords
Passwords are at the core of this article. Forcing your users to use strong passwords is an easy way to ensure your site has that extra edge against attacks.
* Force SSL for admin
If you have an SSL certificate for your site, it’s important that you don’t just use it on the frontend. Forcing SSL for the Admin is a great way to to ensure you’re sending encrypted data to and from your server.
* Disable theme & plugin editors
Even if someone nefarious gained your login information, you can limit their damage by preventing them from editing theme or plugin files from the backend.
* Track 404 pageviews
Looking at your 404 errors will give you a quick insight into where any bots are poking around on your site. You can use this information to buff your IP blacklist (or to add content for regular visitors).
* Replace default jQuery file
WordPress comes standard with a jQuery file for running fun admin transitions. Replacing this file with a safer version is a small way to add an extra layer of protection.
* Disable author pages with 0 posts
WordPress will automatically add an author page for every user. If a user doesn’t have any posts, they shouldn’t have an author page. Once again, the less information hackers have, the better.
* Force unique nicknames
If your users choose the same nickname as their login name, bots can easily pick up on it if your site displays their nickname. Force them to use unique nicknames and save yourself the potential headache.
Though it may be extreme, 2 factor authentication is a thorough way to keep unwanted visitors out of your site. 2 factor requires a password to be sent to an additional device in order to login. So, your site would text your phone the new password every time.