WordPress Security Part 3: Tutorial – How To Secure WordPress

Welcome to the third instalment of our 4-part miniseries that is delving into the complex world of WordPress security. In Part 1, we gave a general overview of the world of WordPress security, identified what the risks are, and then focused our attention specifically on the vulnerability of plugins. In Part 2, we took a close look at malware detection and what you can do to defend against attacks. In this, Part 3 of our WordPress Security Series, we shall be providing you with an extended step-by-step tutorial explaining how to secure WordPress. And finally, next week in Part 4 we will give you a detailed list of the top 10 security plugins that you can add to the backend of your site. We hope you enjoy this series.


For a lot of website owners – especially newbies or casual bloggers – security is very rarely at the top of the list of priorities. In fact, it can often take an actual hack for most people to actually sit up and pay some serious attention to their security.

Anyone who uses the internet – or even reads the news or watches movies – will be aware that cyber attacks are a real thing and can cause real damage. Yet far too many of us still seem to adopt the rather lackadaisical attitude that it will never happen to us – until it does.

WordPress: Popularity = Vulnerability

WordPress is by far and away the most popular publishing platform on the web. And so it should be – it’s one of the most user-friendly open-source platforms available. But, as such, it is of course a very large and varied target for spammers and hackers – especially if you are running the out-of-the-box version.

But, even if you’re paying for some of the fancy extra bells and whistles that WordPress premium accounts and/or plugins can offer, you still need to be keeping on top of your security measures yourself.

WP White Security published a very revealing report not too long ago that found that more than 70% of WordPress installations were vulnerable to attacks and that more than 170,000 WordPress websites were hacked in a single year.

Why Would Anyone Want To Hack My Site?

A lot of people seem to think that, because they only use their website to turn a modest profit selling tins of paint (or something else that would appear to have no attraction to hackers), their site is by nature safe from hackers. This simply isn’t true. Every single site on the internet has value for hackers.

Hackers are not always just out to steal your data or other sensitive information like your passwords. Sometimes what they’re after is access to the server that your site is stored on – and they want to use it to send out spam emails. If this happens, you will unfortunately find your server blacklisted by many major internet service providers (ISPs) and email services, which means that any promotional newsletters or emails you routinely send out advertising your latest 2 for 1 deals on tins of tartan paint will not be delivered. This will of course cost you time, effort, business and money, and leave you with a lot of headaches and frustration.

So, don’t let this be you. If you think that your site won’t or can’t be hacked then think again. You’re wrong. It can and it will, and hackers and spammers are forever on the hunt for vulnerable sites that they can infiltrate and use to do all manner of nasty things.

Indeed, this is why we have taken the time to write this extended series of blog posts in an effort to raise awareness of the importance of WordPress security and try and help you all make your sites more secure.

And so, below we have put together a very simple 10 step tutorial that anyone can follow and protect their WordPress site from those maliciously-minded individuals out there.

Securing WordPress In 10 Easy Steps

1. Update, Update, Update!!

We went into the importance of this in Part 1 of this series, and it can neither be reiterated enough nor followed too stringently. It is absolutely imperative to your security to always ensure that your WordPress install, as well as any and all of the plugins that you have attached to it, is kept up to date with the latest versions as they are released. Most updates are released to fix security bugs and patch any gaps that are discovered to be making the site or plugin vulnerable. And hackers will be keeping an eye on these updates just as much as you should be. As soon as one goes live, the cybercriminals will be scouring the web looking for sites that have failed to update, and when they find them, they’ll attack. So – update, update, update!!

2. Don’t Use “admin” For Your Username

WordPress’s default settings will always insert “admin” as your administrative username – and attackers know this.

If you change this to literally anything else in the whole world, then you will be putting up a meaningful barrier and will very easily block a lot of attacks. If you’re just installing WordPress for the first time then you will be asked for your administrative username during this process. If, however, you’ve already got a WordPress website, then SiteGround.com provides a very handy tutorial on how to change your WordPress username.
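For a site that already exists, the rename has to be made against the users table directly, because wp_insert_user() does not write user_login when updating an existing user. The PHP below is an added example written for this article; it is not the SiteGround tutorial’s code or WordPress core. The function name, the new login and the way it is run (a temporary mu-plugin, or `wp eval-file`) are assumptions.

```php
<?php
/**
 * Editor-added example (not the article's or WordPress core's code): rename the
 * default "admin" login on an existing site. Run once from a temporary
 * mu-plugin or with `wp eval-file rename-admin.php`, then delete the file.
 * Back up the database before running it.
 */
function example_rename_admin_login( $old_login, $new_login ) {
    global $wpdb;

    // wp_insert_user()/wp_update_user() do not write user_login on updates,
    // so the users table has to be updated directly.
    if ( ! validate_username( $new_login ) || username_exists( $new_login ) ) {
        return new WP_Error( 'bad_login', 'New login is invalid or already taken.' );
    }
    $user = get_user_by( 'login', $old_login );
    if ( ! $user ) {
        return new WP_Error( 'not_found', "No user with login {$old_login}." );
    }

    $data = [
        'user_login'    => $new_login,
        // The nicename is the slug in /author/<nicename>/ URLs; change it too,
        // or the old login stays visible on the public site.
        'user_nicename' => sanitize_title( $new_login ),
    ];
    if ( $user->display_name === $old_login ) {
        $data['display_name'] = $new_login; // shown on posts and comments
    }

    $updated = $wpdb->update( $wpdb->users, $data, [ 'ID' => $user->ID ] );
    if ( false === $updated ) {
        return new WP_Error( 'db_error', $wpdb->last_error );
    }
    clean_user_cache( $user->ID ); // drop the cached copy carrying the old login
    return $user->ID;
}

// Constructed values: pick your own new login.
$result = example_rename_admin_login( 'admin', 'site_owner_7k2' );
echo is_wp_error( $result ) ? $result->get_error_message() : "Renamed user ID {$result}\n";
```

Because the login cookie carries the username, the session you ran this from stops validating and you have to sign back in with the new login. Afterwards, check that the author archive URL and the display name on existing posts no longer show “admin”.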


3. Use Strong Passwords

Don’t be one of those silly people out there (and there are probably millions of them) who use ‘password’ for their password. Or ‘123456’. Or ‘abcdefg’. Or your phone number, date of birth, wedding anniversary or anything else that could probably be gleaned from a quick once-over of your Facebook account. In fact, don’t do this for any of your online accounts – not just your WordPress ones. The best thing to use is a password manager for all of your online passwords. This point may seem like I’m stating the obvious, but it’s important, so it makes the list.
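WordPress itself only shows a strength meter and lets a user confirm a weak password anyway, so if you want the rule enforced for every user on the site, it has to be enforced server-side. The must-use plugin below is an added example, not code from the article or from WordPress; the 14-character minimum, the tiny blocklist and the function name are assumptions, and the blocklist would in practice be a large list of known-breached passwords.

```php
<?php
/**
 * Plugin Name: Minimum password policy (editor-added example)
 * Drop into wp-content/mu-plugins/. Not from the original article or WordPress.
 * Rejects short or well-known passwords when a user is created, edited, or
 * resets a password. The length threshold and the blocklist are assumptions.
 */

// Returns an empty string when the password is acceptable, else the reason it is not.
function example_password_problems( $password, $user_login = '' ) {
    // Constructed blocklist for the example; in practice load a large breached-password list.
    $blocklist = [ 'password', '123456', 'abcdefg', 'qwerty', 'letmein' ];

    if ( strlen( $password ) < 14 ) {
        return 'Password must be at least 14 characters long.';
    }
    if ( in_array( strtolower( $password ), $blocklist, true ) ) {
        return 'That password appears on a list of commonly used passwords.';
    }
    if ( $user_login !== '' && stripos( $password, $user_login ) !== false ) {
        return 'Password must not contain your username.';
    }
    return '';
}

// Add-user and edit-profile screens: $_POST['pass1'] carries the new password when one is set.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // password not being changed
    }
    $problem = example_password_problems( wp_unslash( $_POST['pass1'] ), $user->user_login ?? '' );
    if ( $problem ) {
        $errors->add( 'weak_password', $problem );
    }
}, 10, 3 );

// "Lost password" reset form.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return;
    }
    $problem = example_password_problems( wp_unslash( $_POST['pass1'] ), $user->user_login );
    if ( $problem ) {
        $errors->add( 'weak_password', $problem );
    }
}, 10, 2 );
```

These two hooks cover the admin screens and the reset form; passwords set through other routes (a custom registration plugin, WP-CLI) are not checked by them, so apply the same function wherever your site accepts a new password.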

4. Choose A Reputed Hosting Company

There are so many hosting companies out there that it can be difficult to know which one to choose. So, to narrow down your search, look for the ones that place their main emphasis on security. Look out for the following offerings:

· WordPress Optimized
· Optimized Firewall For WordPress
· Malware Scanning
· Support For Latest Versions of MySQL and PHP
· Account Isolation For Shared Hosting Plans
· Daily Internal Backups

5. DNS Proxy

Ok, we’re moving on to the more technical points now. If you use something like Cloudflare, you can proxy all of your web traffic at the domain name system (DNS) level. This means that before anyone or anything can hit your web server, they hit Cloudflare first. Cloudflare is great because it filters out malicious attacks and spam bots before they get anywhere near your server. A similar solution is Cloudproxy from Sucuri.
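One detail to get right once a proxy sits in front of the site: your web server now sees the proxy’s address as REMOTE_ADDR, and the visitor’s real address arrives in a header (CF-Connecting-IP for Cloudflare). Anything that keys on visitor addresses (login lockouts, comment spam checks, audit logs) should use that header, but only for requests that genuinely came through the proxy, because a request that reaches the origin directly can carry any header value. The mu-plugin below is an added example, not the article’s code or Cloudflare’s; the two address ranges are constructed placeholders that you would replace with Cloudflare’s published list (https://www.cloudflare.com/ips/), and the function names are assumptions.

```php
<?php
/**
 * Plugin Name: Trust the proxy's client-IP header only from the proxy (editor-added example)
 * Drop into wp-content/mu-plugins/. Not from the original article or from Cloudflare.
 * Honours CF-Connecting-IP only when the TCP peer is one of the proxy's ranges;
 * a request that hits the origin directly keeps its real REMOTE_ADDR.
 */

// ASSUMPTION: replace with the current list published at https://www.cloudflare.com/ips/
// (these two placeholder ranges are constructed, not Cloudflare's real ones).
const EXAMPLE_PROXY_RANGES = [ '198.51.100.0/24', '203.0.113.0/24' ];

// True when the IPv4 address $ip lies inside the CIDR block $cidr.
function example_ip_in_cidr( $ip, $cidr ) {
    list( $subnet, $bits ) = explode( '/', $cidr ) + [ 1 => '32' ];
    $ip_long  = ip2long( $ip );
    $net_long = ip2long( $subnet );
    if ( false === $ip_long || false === $net_long ) {
        return false; // non-IPv4 input: IPv6 ranges need a separate check
    }
    $mask = '0' === $bits ? 0 : ( ( ~0 << ( 32 - (int) $bits ) ) & 0xFFFFFFFF );
    return ( $ip_long & $mask ) === ( $net_long & $mask );
}

// Decide which address to treat as the visitor's.
function example_client_ip( array $server, array $proxy_ranges ) {
    $remote    = $server['REMOTE_ADDR'] ?? '';
    $forwarded = $server['HTTP_CF_CONNECTING_IP'] ?? '';
    foreach ( $proxy_ranges as $range ) {
        if ( example_ip_in_cidr( $remote, $range ) && filter_var( $forwarded, FILTER_VALIDATE_IP ) ) {
            return $forwarded; // came through the proxy: the header is trustworthy
        }
    }
    return $remote; // direct connection to the origin: ignore the header entirely
}

$_SERVER['REMOTE_ADDR'] = example_client_ip( $_SERVER, EXAMPLE_PROXY_RANGES );
```

Pair this with a host or hosting-panel firewall rule that accepts web traffic only from the proxy’s ranges. Without that rule, the filtering the proxy does can be sidestepped by connecting to the origin server directly, and the header check above is the only thing standing between your logs and a made-up address.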

6. Change Your Database Prefix

As we know, WordPress is extremely user friendly – that’s why it’s so popular. If you use install wizards via your web host, then, unfortunately, you will be left with a lot of common setup values, such as your database table prefix. These are well known to hackers, and so you need to change them to protect yourself. You can do this yourself, though it does get a bit technical, and before you do anything to the code of your site you should always back it all up as a fail-safe. The idea is to contain the exploitation of an SQL injection vulnerability. What’s this? Well, an SQL injection is when an attacker injects SQL code through an access point – such as, say, your email sign-up form – and gets back all manner of sensitive information from your server. Read WP White Security’s guide to changing the WordPress database prefix for full instructions.
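It helps to see the sign-up form case concretely, because a changed prefix only makes table names harder to guess; it does not stop the injection itself. What stops it is passing the visitor’s input to the database as a bound parameter through $wpdb->prepare(). The two functions below are an added example, not code from the article or from WP White Security; the example_subscribers table, its column names and the function names are assumptions.

```php
<?php
/**
 * Editor-added example (not from the original article): the same newsletter
 * sign-up lookup written two ways. The table name is built from $wpdb->prefix
 * so the code works whatever prefix the site uses; "example_subscribers" and
 * the column names are assumptions.
 */

// VULNERABLE: the submitted value is spliced into the SQL text. A value
// containing a quote character changes the structure of the query instead of
// being compared as data, which is the SQL injection the article describes.
function example_find_subscriber_unsafe( $email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_subscribers';
    return $wpdb->get_row( "SELECT id, email FROM {$table} WHERE email = '{$email}'" );
}

// FIXED: $wpdb->prepare() binds the value; whatever the visitor typed is treated
// as a string to compare and never as SQL. Table names cannot be placeholders,
// so the only thing interpolated is $wpdb->prefix plus a literal.
function example_find_subscriber_safe( $email ) {
    global $wpdb;
    $email = sanitize_email( $email );
    if ( ! is_email( $email ) ) {
        return null; // reject anything that is not an address before touching the database
    }
    $table = $wpdb->prefix . 'example_subscribers';
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT id, email FROM {$table} WHERE email = %s", $email )
    );
}
```

When reviewing a theme or plugin, the thing to look for is any $wpdb->query(), get_row(), get_results() or get_var() call whose SQL string contains a variable that did not go through prepare(); the prefix change in this step is worth doing, but it is the prepared statement that closes the hole.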

7. Consider Using A Third Party For Your Comments

Any gateway into your site is a potential vulnerability and access point for a hacker, and your comments section is no different. Using something like Disqus is a great idea as it serves as a proxy measure for your comments section. This way, no comments actually make it to your site before they’ve been filtered for spam and other malicious code on the Disqus end. Now, as mentioned in Part 1, Disqus was actually named as one of the plugins that was recently exposed by Sucuri to have some vulnerability issues. However, these are indeed now all in the past, and so long as you keep this plugin updated (see point 1) then you will be absolutely fine. Disqus is accurate and scalable, so it’s a good choice and we recommend it.


WordPress security is a continuous process. Following the tips in this tutorial will help protect your site against some (though by no means all) of the most common vulnerabilities and access points for hackers. Look out next week for the final instalment in this series, where we will be listing the top 10 security plugins to help you secure WordPress even further.

  • These are great tips. I have been hacked, so I also use Google Authenticator. Any other suggestions than Disqus? I really dislike it.

  • Some great tips here! What are your thoughts on services like WordFence or iThemes Security?

  • Richard O’flynn

    We use WordFence and are pretty happy with the service it provides. It’s good at prevention, but if a site has been exploited, the clean-up can be a lot harder, and it takes some good tech skills to get things cleared up… malware can be very good at hiding and it can be relentless at creating backdoors to ensure it keeps you infected!

  • 11. Don’t just install every plugin!
    12. Limit the amount of users on your site in terms of number, and capabilities!
    13. File-system & server security (ensure permissions are correctly set, the stack is updated regularly!)
    14. NEVER use a windows server (other than zero-days, which are un-defend-able, there are several vulnerabilities core to Windows servers, including deliberate back-doors & permissions escalation via networking)
    15. Don’t let anyone put anything on your site for convenience; instead use Dropbox or similar services etc for sharing files, and maintain a clear audit-trail to anyone with access to the site.
    16. Do not entrust the security of a site to the advice of blogs, forums or social networks. There are digital security experts and auditors, who know a lot more than your 14-year old.

  • Also don’t install all the plugins that you want. I have seen folks use more than 10 plugins, which is way too much. You need a security/firewall plugin (like WordFence), a cache plugin (like WT3 Cache), disable xmlrpc, control heartbeat API, WP Cron Control and probably a comments plugin like Disqus. Don’t install 4 versions of contact forms or sliders.

    Take care of your website like you would of your car. Do not overload it with crap/junk.
