WordPress Site Security, 7 Simple Steps
One of the most frequent questions we get from clients for whom we are building a WordPress-managed website is, “What can we do to keep everything secure?” This is a great question, especially in an age in which we hear about another security leak almost daily. While it is nearly impossible to keep out someone who is intent on breaking your site, you can take several steps that will turn away a mischief maker. We’ll start with a set of “best practices” that we do on every website we build.
- Keep WordPress up-to-date. This might seem like a no-brainer, but you would be surprised how many websites are running old versions of WP. Now, it can be a hassle to update WP because you will need to back up the entire site to ensure you will not lose any data, but there are many WP backup tools you can use if you don’t have a working knowledge of database management.
- Set up WordPress for automatic security release updates. The biggest reason WP releases security updates: they have found a weakness that makes the system vulnerable to attack. If you are running WP, make sure that any security updates are automatically installed.
- Only implement trusted plugins and keep them up-to-date. Not 100% sure about that plugin? Don’t install it. Furthermore, if you are using plugins on your WP site, you should be updating them as soon as an update becomes available. Aside from security, this will ensure that you are taking full advantage of the latest technologies available.
- Do not use the default “admin” Administrator username. Unless you define it while setting up your WordPress site, your default username is “admin.” The username is not editable after it is created, and if it’s “admin,” it’s one less layer of security your site has for someone trying to hack in.
- Use strong passwords for all user accounts. Examples of terrible passwords: password, 123456, admin123, qwerty. Example of a good password: C411MeI5hm4e1! How did I get there? “Call me Ishmael,” the opening sentence from Moby Dick. I replaced L with 1, A with 4, S with 5, capitalized the first letter of each word and added an exclamation point. And no, this is not the password to any of our personal or company accounts!
- Use a non-standard table prefix for the database. This is obviously a little more complicated. So, rather than take up an entire blog post with just this, we’re simply going to link to Jeff Starr’s “Digging into WordPress” blog post, which explains it very well.
- Limit WordPress users and SFTP access. This seems pretty simple, but the fewer people you have in WP messing around, the more secure it is. It is also less likely that there are open accounts on someone’s machine which could be hijacked by someone who has inappropriately gained access.
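The configuration behind steps 2, 3 and 6 above, as an added example that is not the post’s own code: a wp-config.php excerpt with the default setting shown beside the hardened one, plus a small must-use plugin for plugin updates. The prefix value and the mu-plugin file name are constructed samples.

```php
<?php
// ---- wp-config.php (excerpt) ----

// Weak: the WordPress defaults every install shares.
// $table_prefix = 'wp_';
// define( 'WP_AUTO_UPDATE_CORE', false ); // core updates never applied

// Step 6: a non-standard table prefix (constructed sample value).
// Set this before the first install; changing it afterwards means renaming
// every table and updating the prefixed rows in *_options and *_usermeta.
$table_prefix = 'k7x2q_';

// Step 2: apply minor (security/maintenance) core releases automatically.
// 'minor' is the WordPress default; true would also apply major releases,
// and defining AUTOMATIC_UPDATER_DISABLED as true switches all of it off.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// ---- wp-content/mu-plugins/auto-update-plugins.php (constructed file name) ----
// Step 3: must-use plugins load on every request, so this filter keeps
// installed plugins updated as soon as a new release is available.
add_filter( 'auto_update_plugin', '__return_true' );
```

Auto-updates still depend on WP-Cron running, so a site that has disabled WP-Cron without a system cron replacement will not pick these releases up.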
If you have already implemented these ideas but still feel the need for additional security for your WordPress website, please read WordPress Site Security, 6 Advanced Steps, which details more advanced solutions for website security.