Self-Hosted WordPress Security Basics
(This post was written at the end of 2017 looking forward to 2018; it will be updated as needed.)
It seems the nefarious types are on a roll these days: WordPress hacks are becoming more common than they used to be. I’ve dealt with more hacked sites this year than any other year, and various security blogs have been reporting all manner of larger attacks in the past six months.
It’s incredibly frustrating, but also just a part of WordPress life.
Have a self-hosted WordPress site? Someone at some point is going to try to break into it.
Why? Well, usually, just because they can. The kind of people who want to be able to hack things have to practice, so they look for vulnerable sites to practice with. It’s a game for them…a pathetic game, but a game nonetheless.
Usually, you won’t notice their attempts & they won’t be able to get in. But every now and then, they’re successful. What to do then is a topic for another day…for now, I want to tell you about security basics that you can implement right now to make your site that much more difficult for someone to hack.
Please note that these things won’t make your site hack-proof…I don’t believe such a thing is ever possible. The moment anyone is able to create a perfectly secure website, someone else will figure out how to hack it. It’s a game of cat and mouse.
So the best we can do is make our sites less of a target.
Here are the things you should do to make your site more secure right away:
If your username is “admin,” change it
“But you can’t change your username!” you say. You are correct…you cannot change a username once the user is created. So use this little trick: Create a new user, using the username you want, with full administrator privileges. Then sign out of WordPress and sign back in with the new username. Go to Users–>All users and hover over the “admin” user…you will see “Delete” as an option under the username. Click that, then when asked, attribute all of that user’s posts to your new username, then finish the deletion. Username changed!
Additional QUICK TIP: Once you’ve changed your username, and if you have a security plugin that alerts you to lockouts from people trying to guess the login info, you will see people trying to log in with “admin” all the time. You can ignore them…and chuckle at those attempts, which won’t ever work on your site now.
Hide your username from being displayed on the site
Go to Users–>Your profile and fill in a first name and nickname and then choose one of them as “Display name publicly.”
If you don’t need it, turn off the ability for new users to register
To see if this is enabled on your site, go to Settings–>General and look for the “Membership” line. If the box is checked, uncheck it.
If you need people to be able to register, like with a membership site or ecommerce, be sure that the “new user role” is NOT administrator.
I have seen this particular feature exploited several times; usually you can tell it has happened if you see a large number of unknown users on your site in Users–>All users (and if you do see a bunch of unknowns, delete them).
Delete all extra themes you never use
This is simply a step to reduce the number of places where a problem can occur…
Delete all extra plugins you are not using
…and so is this.
Always update things that have an update
Plugins and themes and WP itself update most often due to security tweaks, so you want to always have those recent changes on your site.
QUICK TIP: If more than one type of feature has an update, update in this order: plugins FIRST, THEN themes, THEN WordPress core. This will reduce the chance of an update conflict to a minimum.
Install the plugin Wordfence
After activating Wordfence, be sure to give it an email address to send alerts to. Wordfence will help keep intruders out, but one of its best features is that it alerts you if any WordPress core files are changed…one of the hacks I’ve seen increase in the past year involved adding strange files into the WordPress core. Wordfence will notice these and then you can delete them before they have a chance to do whatever they’re there to do.
Install the plugin iThemes Security
After installing and activating, click it in the left-side admin menu; the “Security check” should pop up, then click “Secure site.” It will turn on the most-used security features. It will then show a field to enter your email to turn on “Network Brute Force Protection” and to receive updates…do both. This plugin closes a lot of potential doors that could be used to break into your site.
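If you are comfortable at a command line, the checklist above can be audited in one go with WP-CLI, the command-line tool for WordPress. The script below is an added example, not from the original post and not part of Wordfence or iThemes Security; it assumes WP-CLI is installed and that you run it from the WordPress root with `sh wp-audit.sh --run`. Each check takes the WP-CLI output it needs as a text argument, so the checks can also be tried on made-up data without touching a live site. The plugin slugs `wordfence` and `better-wp-security` are the wordpress.org directory names of Wordfence and iThemes Security.

```shell
#!/bin/sh
# wp-audit.sh: hypothetical WP-CLI audit of the hardening checklist.
# Not from the original post. Assumes WP-CLI (https://wp-cli.org) is installed
# and the script is run from the WordPress root:  sh wp-audit.sh --run
# Exit status 0 means no findings; each check prints what it found.
set -eu

# Users: flag a login of exactly "admin", and any user whose public display
# name equals the login (that displays the username to every visitor).
# Input: `wp user list --fields=ID,user_login,display_name --format=csv`.
# (Plain comma split; a display name containing a comma would confuse it.)
check_users() {
    printf '%s\n' "$1" | awk -F, 'NR > 1 && NF >= 3 {
        if ($2 == "admin") { print "  user \"admin\" still exists (ID " $1 ")"; bad = 1 }
        if ($2 == $3)      { print "  user " $2 " shows the login as display name"; bad = 1 }
    } END { exit bad + 0 }'
}

# Registration: open registration is a finding when new users would become
# administrators; otherwise it is only noted so the owner can confirm it is needed.
# Inputs: `wp option get users_can_register` and `wp option get default_role`.
check_registration() {
    if [ "$1" = "1" ]; then
        if [ "$2" = "administrator" ]; then
            echo "  registration is open AND new users become administrators"
            return 1
        fi
        echo "  note: registration is open (default role: $2); turn it off if unused"
    fi
    return 0
}

# Unused code is a place for problems to hide: list inactive plugins or themes.
# $1 is "plugin" or "theme", $2 the output of `wp $1 list --status=inactive --field=name`.
# A child theme's parent shows as inactive but must stay installed; review by hand.
check_unused() {
    if [ -z "$2" ]; then
        return 0
    fi
    printf '%s\n' "$2" | sed "s/^/  inactive $1: /"
    return 1
}

# Pending updates. $1 and $2: `wp plugin list --update=available --field=name`
# and the same for themes; $3: `wp core check-update --format=csv`, which prints
# a version row per available core release (or a "latest version" message).
check_updates() {
    pending=0
    if [ -n "$1" ]; then printf '%s\n' "$1" | sed 's/^/  plugin update: /'; pending=1; fi
    if [ -n "$2" ]; then printf '%s\n' "$2" | sed 's/^/  theme update: /';  pending=1; fi
    if printf '%s\n' "$3" | grep -q '^[0-9][0-9]*\.[0-9]'; then
        echo "  core update available"; pending=1
    fi
    if [ "$pending" = 1 ]; then
        echo "  apply in the post's order: wp plugin update --all; wp theme update --all; wp core update"
    fi
    return $pending
}

# The two protective plugins recommended above, by wordpress.org slug.
# $1: `wp plugin list --status=active --field=name`.
check_security_plugins() {
    missing=0
    for slug in wordfence better-wp-security; do
        if ! printf '%s\n' "$1" | grep -qx "$slug"; then
            echo "  recommended plugin not active: $slug"
            missing=1
        fi
    done
    return $missing
}

main() {
    rc=0
    echo "Users:";        check_users "$(wp user list --fields=ID,user_login,display_name --format=csv)" || rc=1
    echo "Registration:"; check_registration "$(wp option get users_can_register)" "$(wp option get default_role)" || rc=1
    echo "Unused code:";  check_unused plugin "$(wp plugin list --status=inactive --field=name)" || rc=1
    check_unused theme "$(wp theme list --status=inactive --field=name)" || rc=1
    echo "Updates:";      check_updates "$(wp plugin list --update=available --field=name)" \
                                        "$(wp theme list --update=available --field=name)" \
                                        "$(wp core check-update --format=csv 2>/dev/null)" || rc=1
    echo "Plugins:";      check_security_plugins "$(wp plugin list --status=active --field=name)" || rc=1
    if [ "$rc" = 0 ]; then echo "No findings."; else echo "Findings above need attention."; fi
    return $rc
}

# Only talk to WP-CLI when asked, so the checks can be tried without a site.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it after you finish the steps above and again after every update round; a clean run is the "all clear", and any line it prints maps straight back to one item in the checklist.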
Do regular backups of your entire site
Install and use the plugin UpdraftPlus (free), which does complete backups (database, uploads, etc.). Then configure it to send backups to Dropbox (or one of the other locations it can send them to). You can leave the backups within your hosting account, but if you lose access to it for some reason, you’ve also lost access to your backups. So it’s a good idea to have the backups sent to a different location.
You can also use paid services like VaultPress that will do scheduled backups and keep them off-site.
I am working on a free training about how to do a manual backup, something I think every WordPress user should know how to do, which will be available very soon (and linked here when it is).
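To show what “a complete backup of the entire site, kept somewhere else” means in concrete terms, here is an added example of a manual backup done from the command line. It is not from the original post and not how UpdraftPlus or VaultPress work internally; it assumes WP-CLI is installed (for the database dump) and that you have rsync plus an SSH-reachable off-site location, passed in as the third argument. The archive and verify steps need only tar and sha256sum. Two choices in it matter for security: the database dump is written outside the web root so it can never be served to a visitor, and the archive is made readable only by you because wp-config.php contains your database password.

```shell
#!/bin/sh
# wp-backup.sh: hypothetical manual backup of a self-hosted WordPress site.
# Not from the original post. Assumes WP-CLI (`wp db export`) and rsync;
# tar and sha256sum do the rest.
#   sh wp-backup.sh --run /var/www/example /var/backups user@host:/backups
set -eu

# Dump the database with WP-CLI, writing OUTSIDE the web root so the SQL file
# can never be served to a visitor. Prints the dump path.
dump_database() {
    site="$1"; outdir="$2"; stamp="$3"
    dump="$outdir/db-$stamp.sql"
    mkdir -p "$outdir"
    (cd "$site" && wp db export "$dump" --quiet)
    chmod 600 "$dump"
    printf '%s\n' "$dump"
}

# Archive wp-content (themes, plugins, uploads), wp-config.php and, if given,
# the database dump, then record a SHA-256 so the off-site copy can be verified.
# Prints the archive path.
archive_site() {
    site="$1"; outdir="$2"; stamp="$3"; dump="${4:-}"
    archive="$outdir/wordpress-$stamp.tar.gz"
    name="wordpress-$stamp.tar.gz"
    mkdir -p "$outdir"
    if [ -n "$dump" ]; then
        tar -czf "$archive" -C "$site" wp-content wp-config.php \
            -C "$(dirname "$dump")" "$(basename "$dump")"
        rm -f "$dump"              # the dump now lives inside the archive
    else
        tar -czf "$archive" -C "$site" wp-content wp-config.php
    fi
    chmod 600 "$archive"           # wp-config.php holds the database password
    (cd "$outdir" && { sha256sum "$name" 2>/dev/null || shasum -a 256 "$name"; } > "$name.sha256")
    printf '%s\n' "$archive"
}

# A backup you cannot read back is not a backup: list the archive and make sure
# the two essentials are in it. Returns 1 if either is missing.
verify_archive() {
    listing=$(tar -tzf "$1")
    printf '%s\n' "$listing" | grep -q '^wp-config\.php$' || return 1
    printf '%s\n' "$listing" | grep -q '^wp-content/' || return 1
    return 0
}

# Copy archive and checksum off-site: a backup that lives only in the hosting
# account disappears together with the account.
ship_offsite() {
    rsync -a "$1" "$1.sha256" "$2/"
}

main() {
    site="$1"; outdir="$2"; offsite="$3"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    dump=$(dump_database "$site" "$outdir" "$stamp")
    archive=$(archive_site "$site" "$outdir" "$stamp" "$dump")
    verify_archive "$archive"
    ship_offsite "$archive" "$offsite"
    echo "backup complete: $archive"
}

# Only run the full backup when asked, so the functions can be tried on a
# constructed directory without WordPress or rsync present.
if [ "${1:-}" = "--run" ]; then
    main "$2" "$3" "$4"
fi
```

Put it in cron (weekly for a blog, daily for a shop) and, now and then, restore the archive to a test folder to prove it still works; the verify step only proves the files are there, not that the site comes back from them.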
While it’s frustrating to know that there are people out there who want to harm your site, it’s also good to know that there are steps you can take to make it a bit tougher for them to do so.