WordPress Security Guide for Your Website
August 30, 2023
In the digital environment, on both private and open source platforms, exposure to attacks is constant, regardless of the time of day. Check out this Syrus guide to help you improve your WordPress security.
On this occasion, we will focus on addressing strategies to reduce the risks on your website built on WordPress. To do this, we have organized nine tips aimed at strengthening security on this platform.
Use Secure Passwords
Prevent any individual, especially those with administrator privileges, from choosing passwords that lack security. While this may seem like an obvious measure, you’d be surprised how many common passwords, such as “admin”, “1234” or “qwerty”, are still in use.
Even users with lower access levels, such as subscribers, can become vulnerable points for attacks. Therefore, it is essential to enforce strong passwords for all those who have login access to your WordPress site.
A well-known add-on, the WordPress security plugin called iThemes Security, which has over a million users, offers the ability to strengthen login passwords, as well as implementing two-factor authentication. It is also feasible to enable a password security policy using the Wordfence Security plugin, another widely used resource in the WordPress community.
Include HTTPS/SSL Certificates
By now, the vast majority of websites have adopted the HTTPS protocol. If your site has not yet done so, we recommend that you check with your hosting provider about the possibility of adding a free SSL certificate. Many hosting services offer SSL certificates free of charge, which is also a well-known factor in Google’s ranking algorithm.
If you are in the process of upgrading your site from a non-secure to a secure status, consider the usefulness of the Really Simple SSL plugin, which has over 5 million installations. This plugin greatly simplifies the transition to HTTPS by taking care of redirects and other associated tasks, while also helping to mitigate security risks such as clickjacking and other types of attacks by offering additional security options.
It is important to keep in mind that after migrating to HTTPS, it is advisable to verify that no pages on the site still link to HTTP content or links. This situation is known as mixed content and occurs when non-secure (HTTP) links are accessed from secure (HTTPS) pages on the site. In both cases, it is crucial to quickly detect and correct mixed content issues by replacing the links with secure (HTTPS) versions.
Use a Secure Admin Name
A significant number of security attacks target the WordPress login screen and tend to employ the username “admin”. There are two fundamental types of attacks that seek to breach login passwords: Brute force or Targeted attack.
The brute force tactic involves automated hacking software attempting to guess the password of the user “admin” using various combinations of words, letters and numbers. On the other hand, the dictionary attack relies on the use of common passwords to try to crack the login password of the “admin” user.
In many cases, this malware targets the administrator username known as “admin”. Avoiding the use of the word “admin” as a username stands as a simple step that will help strengthen the security of your WordPress site.
If you want to step up your protection measures, you can use the Wordfence security plugin to set up a firewall rule that automatically blocks any login attempts with the username “admin” by both humans and bots.
Updating Plugins and Themes
Certain updates in WordPress, such as those of plugins, themes and the very base of the system, play a fundamental role in correcting vulnerabilities, making patches to ensure security. Failure to update these parts of the software can expose the site to risk.
Most updates go smoothly. On rare occasions, an update may generate changes in the software that, when interacting with another plugin or theme, trigger conflicts and cause the site to become inoperative. In such a case, restoring the site to a previous state is simple as long as you have a backup.
Another option is to configure the automatic update of all plugins, which will exempt you from even considering this task. In case a problem arises, the solution lies in restoring the site to its previous state by restoring a backup.
Backing Up Your Website
Performing daily backups of a website is of vital importance. There are numerous scenarios that can trigger problems, either by the installation of a new plugin or the insertion of a code fragment, and in such circumstances, having a backup is the saving grace in the face of catastrophic events that can affect the site.
Two-factor authentication gets its name because two methods of identification are required to access a WordPress site with this feature enabled. The first method consists of the username and password. The second method consists of a second form of authentication, usually through an application such as Authy or Google Authenticator, hosted on the user’s cell phone. Therefore, even if an intruder manages to obtain the username and password, they will not be able to gain access without completing the second phase of authentication.
Use Fewer Plugins
Every time you incorporate a plugin, you increase the probability that one of them can introduce a vulnerability on your site. Before proceeding with the installation, it is important to pay attention to the number of existing installations and the date of the last update.
Beyond security considerations, excessive use of plugins can impact site performance and increase the chances that the code of two or more plugins will collide, leading to a crash.
Choose to avoid multi-purpose plugins. Some plugins may perform multiple functions, when in fact we only need one of them. Instead, try to install a plugin specifically designed to address that particular need you have.
Use a Security Plugin
Security plugins play a valuable role in sealing potential security breaches and hindering attempts by hackers looking to exploit those vulnerabilities. Wordfence emerges as a popular choice in the security sphere for WordPress sites, backed by over 4 million active installations. On this very website, we make use of Wordfence to prevent the proliferation of unwanted comments.
Functioning as a firewall, Wordfence deploys a defense to safeguard a website against potential hacker attacks, with the ability to block both automated bots and real hackers in real time, if their activity resembles typical attacker behavior.
In addition to its protection function, Wordfence strengthens a site’s security by offering two-factor authentication and disabling the execution of PHP code in directories where its presence should not be allowed. It is relevant to note that there is also a paid version, as with most plugins.