If you currently own, or will soon own, a WordPress site you will no doubt have considered security at some stage. Our guide will help you secure your WordPress site so you can rest assured your content is safe!
Install Two Factor Authentication (2FA) for site admins
2FA requires all admin users to log in with their username and password (like normal) at first but then asks for a secondary factor – we recommend using the one-time passcode option for this secondary factor. Google Authenticator is a fantastic (free) mobile app for this, providing rotating codes every 30 seconds.
We highly recommend miniOrange’s 2FA plugin for WordPress to get started with 2FA for free.
Once the plugin is installed simply install the 2FA code generator app of your choice on your mobile device(s) – as we mentioned earlier, we recommend Google Authenticator – then scan the barcode the plugin generates. Don’t forget to store the backup codes safely in case you ever lose your mobile device!
Don’t use a simple username
It’s estimated that over 70% of WordPress sites have a user with “Admin” or “Administrator” as the username. Don’t leave the bad guys with only your password to guess; set an obscure username as well! If you’re worried about remembering the obscure username, try using a personal e-mail address as your username (one that isn’t associated with your website).
Rename your login and admin URLs
Much like the previous point about websites using a common administrative username, an even higher number use the default “/wp-admin” directory and “wp-login.php” page to log in and administer their WordPress sites.
Changing these URLs is super easy. When hackers know the direct URL of your login page they can try to brute force their way in (trying many random login details hundreds of times per minute).
Hopefully, by this point, you have already swapped usernames for email IDs and installed 2FA. Now you should also replace the login URL and get rid of 99% of direct brute force attacks.
To do this we recommend using the iThemes Security (formerly Better WP Security) plugin.
Change your passwords regularly
This one applies to all websites and applications you use, not just WordPress. Changing your password regularly dramatically reduces the chance of your login being compromised. Also consider using a password manager such as LastPass, or the one built into your web browser, to generate secure passwords.
Use SSL across your WordPress site
We covered this in our Avoid “Not Secure” Message On Your Website blog post earlier this month. Securing the communication from your web browser to the web servers hosting your website is critical to maintaining a secure WordPress website. Don’t forget Hugoton Hosting offers completely free SSL certificates for all websites hosted with us!
Log out admins & users after a certain length of time
Admins and website users leaving themselves logged in accidentally can leave a gaping hole in the security of your website. We recommend installing the free Inactive Logout plugin for WordPress to easily log out administrators and users after the period of time you choose.
Set strong passwords for your database user
When setting up WordPress be sure to use a strong password for the database user. You can, of course, go back and change this later via your web hosting provider’s control panel, then update your wp-config.php file with the new password afterward. Use a free tool such as Passwords Generator to make sure your DB password is ultra strong.
Monitor your audit logs
Keeping a close eye out for anything suspicious is important, and can be easily accomplished in WordPress using the WP Security Audit Log plugin. The free version is more than adequate for most websites. If you want more features such as automatic e-mail alerts you might want to consider one of their premium plans.
Choose a web host with automated protection
As well as making changes and installing plugins within your WordPress instance, choosing a web host with automatic protection is important. Hugoton Hosting provides automated brute force login protection as standard for all WordPress websites, blocking the attacker’s IP address in seconds.
Keep WordPress core and plugins updated
Much like updates to an operating system, WordPress core updates and WordPress plugin updates should be installed as quickly as possible. WordPress makes it extremely easy to do this and will prompt any administrative user to do so once they log in. Please don’t ignore these update messages; they could save you a huge amount of time recovering your site from a security breach by preventing an attack in the first place.
Backup, backup, backup
You can take all of the above steps to secure your WordPress installation, but in the event the worst happens and someone gains access to your website, you must be in a position to restore from a recent backup. When setting up backups, ensure you’re backing up to an off-site location (don’t back up to the same server your website is hosted on), and please test a restore to be sure what you’re backing up is absolutely everything you need should your site be deleted.
A common blunder website owners make is to set up backups to an off-site location, only to realize they weren’t backing up everything they needed to fully restore their site when the time came. We recommend using one of the below plugins to manage backing up your WordPress site:
- BackupBuddy is our recommended premium WordPress backup plugin ($80 one time fee per site). It allows you to easily schedule daily, weekly, or monthly backups to a variety of destinations including e-mail.
- UpdraftPlus is our recommended free WordPress backup plugin. It allows you to create a complete backup of your WordPress site and store it in the cloud or download it to your computer, on demand or on a schedule.
Your website content is one of the single most valuable assets your company owns. Take 30 minutes today to secure your WordPress website; you won’t regret it!