Securing WordPress

Contrary to popular belief, WordPress itself is very secure. Vulnerabilities are introduced by poorly written or malicious themes or plugins that users install.

I have compiled a list of extra steps you can take to harden your WordPress installation.

Stay Updated

WordPress has updates on a near daily basis. If a security vulnerability is ever found, it is usually patched within hours and pushed out to the millions of WordPress installations around the globe. But if you don’t accept automatic updates, or don’t update manually and often, you will be left vulnerable.

This doesn’t just apply to WordPress itself. Plugins, especially the more popular ones, are updated often, and can have security vulnerabilities of their own. Keep them updated!

Be conservative with plugins

Plugins are great: they extend the functionality of your website in just a few clicks. But is that all they do? Plugins can become vulnerable, especially free (usually open source) plugins, whose source code can be read by would-be attackers looking for an insight into just how insecure they are.

Some plugin developers aren’t out there to help you either. Plugins have been known to be deliberately malicious in their actions: providing some piece of functionality while doing something unorthodox at the same time that you may not know about.

More plugins also mean your website has more to load, putting more load on your server, which often leads to longer load times.

Choose vendors wisely

Leading on from my previous point, use plugins and themes from reputable sources. I often see websites with dozens of plugins from dozens of vendors, when they could get the same functionality from a few select plugins – or don’t even use the functionality at all.

A great example of this is JetPack. JetPack is a plugin from Automattic, the company behind WordPress.com. JetPack adds a ton of functionality to your site, all of which is optional, but really useful. You can read more on my post about why everyone should use JetPack.

It isn’t just plugins to be mindful of. Themes can contain malicious code too, so be mindful of where your theme came from. Some free themes are free for a reason – the author may be injecting ads for the occasional visitor, or there may be links back to some untoward websites hidden somewhere. Automattic have a ton of themes available, and there are lots of other reputable vendors out there.

A strong password policy

This isn’t specific to WordPress, but make sure your passwords are secure. Don’t use the same password for your admin login as you do on other sites, and make sure the password you do use is not a dictionary word, uses a mixture of upper and lower case, and contains numbers and symbols.

Don’t use ‘admin’ for your admin login name. It is the most common login name and often the only one tried during brute force attacks, where an attacker bombards your site with thousands of password guesses.

Harden your admin area

Your admin area is the obvious route in for an attacker. Be sure to secure it.

Two-factor authentication

WordPress.com offers two-step authentication, which is a great way of further securing yourself. It essentially means someone needs more than just your password to get in, which is invaluable if you use public computers a lot.

Currently WordPress itself does not offer this, but plugins are available to do it for you. I’m hoping JetPack will begin to offer it soon, although there are no concrete plans as of writing this.

Lock down by IP

It is possible to lock your admin panel down by IP address, which means that only someone using your home or office Internet connection would be able to access it. This is only suitable if you aren’t on the go a lot and have a static IP address, but it is also very secure.

To do this, simply place the following code in a .htaccess file inside your wp-admin folder. You’ll need to replace [YOUR IP] with your actual public IP address, which you can find by Googling “What is my IP?”.

# Secure Access to WP-ADMIN by IP
# Apache 2.2 syntax (on Apache 2.4 these directives need mod_access_compat)
<FilesMatch ".*">
# Keywords must be separated by a comma only, with no space after it
Order Deny,Allow
# Default: deny everyone
Deny from All
# ...except requests from this address (a CIDR range such as 203.0.113.0/24 also works)
Allow from [YOUR IP]
</FilesMatch>
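The same lockdown written so it works on both Apache 2.4 (Require) and Apache 2.2 (Order/Deny/Allow), with an exception for admin-ajax.php, which themes and plugins call from the public front end. This is an added example, not code from the original post; 203.0.113.0/24 is a documentation range standing in for your real address.

```apache
# wp-admin/.htaccess (added example): restrict the admin area to one IP range,
# but keep admin-ajax.php reachable so front-end AJAX for ordinary visitors keeps working.

# Apache 2.4 and later (mod_authz_core)
<IfModule mod_authz_core.c>
    # Replace 203.0.113.0/24 with your own static IP or range
    Require ip 203.0.113.0/24

    # With the default AuthMerging Off, this <Files> section replaces the
    # directory-level Require for admin-ajax.php only
    <Files admin-ajax.php>
        Require all granted
    </Files>
</IfModule>

# Apache 2.2 (mod_authz_host) -- the syntax used in the original snippet
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.0/24

    # Re-open admin-ajax.php to everyone; Satisfy any keeps this working
    # even if wp-admin is additionally protected with HTTP Basic auth
    <Files admin-ajax.php>
        Order Allow,Deny
        Allow from all
        Satisfy any
    </Files>
</IfModule>
```

Note that wp-login.php lives in the site root, not in wp-admin, so this file does not cover the login form itself; a matching `<Files wp-login.php>` block in the root .htaccess is needed for that.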

Use HTTPS

SSL certificates are inexpensive, and you can even self-sign one for free if you know what you are doing. Where possible, always use HTTPS when working in your admin area.