Your website’s security can be a difficult exam to pass. But it’s really one of the most important. That is why a little WordPress Security Cheat Sheet won’t hurt, will it? Verify each step with it and keep your security castle safe.
Now, let’s make each step more profound.
Everything begins with the hosting — with secure, trustworthy, protected hosting you have to choose carefully. Always check what kind of security tools you are getting with this or that specific hosting plan before purchasing it. Decent hosting providers cost $1-10 per month, and we personally can recommend such popular solutions as InMotion Hosting, HostGator or GoDaddy (check out more details on the topic in our guide — How to choose the right web hosting). I say you honestly: this point is the most important, so brace yourself and choose.
FTP stands for File Transfer Protocol. SFTP stands for Secure File Transfer Protocol. Both are methods you can use to upload files from your computer to your hosting server and back. Guess which one provides you with more security.
What exactly does SFTP do? It encrypts the data you transfer to and from your server, adding one more layer of protection.
Where do you get one? You just ask your hosting provider if they have this option. You see, the good hosting is a real power.
Be careful with the stuff you upload to your website. Before installing any themes, plugins or scripts, both free and paid, check whether they have malware (unless you are installing them directly from your WordPress Dashboard, in which case the security is guaranteed).
Do not download any of these items from file share websites. For plugins, use the official WordPress directory. Some plugins have separate websites, but trustworthy ones will be on the official directories as well.
As for the themes, once you have downloaded one, scan it with an antivirus, and if any harmful software inside is discovered, burn it… No, not really, just contact the theme developer to see what’s up.
No matter how well-protected your website is, always backup your database, website data, files, theme setting and plugin setting.
First of all, any self-respecting hosting provider has a backup service. It usually comes included, but the frequency of backups varies. Of course, the more frequently the website is backed up, the more often recent information is saved in case the site gets hacked. You can always check the frequency of backups with hosting and purchase additional backups if you need more.
You can keep copies of all the files and a manual backup of your database somewhere safe. The least you can do to have an ongoing copies of the content is to save everything into your dropbox.
You will need SSL (Secure Sockets Layer) certificate on your site if it is going to handle sensitive information like users’ personal and financial data. Usually they are used in online stores to prevent data thefts. According to surveys third of online buyers hesitate to buy because of credit card information thefts. That is where SSL certificate comes in useful — it encrypts connections between a web server and a user’s browser, making “digital eavesdropping” impossible.
Again, in the most cases you can get the SSL directly from your hosting provider, though it is a paid feature. To signify that the site is using SSL, a padlock is added to the address bar and the http protocol changes to https.
Besides the basic use, you can also force SSL specifically for admin login into WP dashboard. If you have an SSL certificate installed, the data is sent encrypted through the web.
The main reason for WordPress updates is maintaining security, as each new release patches the loopholes that could potentially be used by hackers to penetrate the previous version of installations. So when a new stable version is released, make sure to update the engine, but only after a full backup in case something goes wrong and you need to restore the site.
You can check how to backup your site below. By the way, you will always be notified of fresh releases by WordPress itself – with a pop-up in your admin panel, so keep an eye on all these notifications.
However, it is not only the engine that requires updates, but themes and plugins as well. You will also be notified about their new releases in your WP dashboard Updates section. To check the theme updates you can go to Appearance -> Themes, and if you want to see the plugins updates, go to Plugins -> Installed plugins.
I know, now you think: “Pffft! Password, at least this I know!”. But how come that “123456" and “password” are the all time most used passwords for years. So, forget about “qwerty,” “1234567,” “iambatman” and the like.
Generate a really strong password with upper and lower case characters, numbers and symbols.In addition to memorizing it, note it down and keep it somewhere safe in case you forget it. Use the same tactic for your hosting passwords as well – your hosting control panel, database, FTP/SFTP. Make sure they are all different.
A lot of passwords are broken by brute force attacks – that’s when hackers use software to generate trillions of guesses to match your password. There are a number of ways to counter this tactic: you can add a captcha to the admin login page to prevent bots from entering passwords, limit the number of login attempts from the same IP, hide the login page so only you and people you trust can access it, enable double authentication (get a text message with a new password to your mobile phone each time you log in as administrator).
All these actions can be done with free plugins. Some plugins concentrate on only one method like Limit Attempts, WPS Hide Login, Captcha on Login or Duo Security (before using any of these, please make sure you read the reviews) while others let you employ several at a time. Check out our guide about other Must-have WordPress plugins, and a guide to WordPress security.
The standard login name that comes by default is “admin”. It is always “admin” for everybody. So, you see, it is better to avoid obvious logins like “admin,” “admin123,” etc. and to use a custom one instead.
If you are installing the engine manually, you will be able to specify a custom login during the installation. However, if you use a quick install tool, you will end up with the standard “admin” login. In this case, you can create a new administrator account in your Dashboard (Users > New User) with a custom login name and delete the default one. Pay attention, when deleting the old administrator account. When WordPress will ask you: “What should be done with content owned by this user?”, choose the option “assign it to the new user”.
When you install WordPress, you have to create a database with a specific name and prefix. The default prefix is “wp_,” but it is better to change it to improve security. Of course, this hindrance will be no big deal for experienced hackers, but it will definitely increase your database protection against bot attacks.
An easy way to change the prefix is by using a plugin, e.g. Change DB Prefix.
Do not turn your precious website into a dump. We often install plugins and themes, try them out and realize we’re not going to use them or they become outdated in a while and we deactivate them and install different ones instead.
This is perfectly normal. Just make sure you delete the stuff you are not using any more. Keeping such extensions, especially outdated ones, is a security hazard as they may have holes which hackers can take advantage of to break into your website.
Web spam (spamming in comments and contact forms) is often regarded as a mere inconvenience rather than a security concern. However, it may be used by hackers to probe your submission forms for vulnerabilities and if one is found, use your mail server to send millions of spam messages. If the bad guys succeed in this scheme, it is your server and your site that will take the hit for spamming.
How do you prevent spam attacks on your site? First, you need to use a reliable script for your contact form, preferably one with field validation, to prevent bots from filling out the form with jibberish. Contact form 7 is a popular choice with WordPress users as it will will filter out the “stupid” bots.
The “smarter” bots can be stopped by enabling a captcha, for example Google reCAPTCHA, and comment filtering with an anti-spam plugin, such as Akismet (but make sure you study the manual thoroughly before you start using Akismet or you risk facing lots of issues). Alternatively, you can install a more secure paid plugin for your contact forms, e.g. Gravity Forms.
This one requires a higher level of technical knowledge, so probably you’ll need an experienced webmaster to tackle this for you.
Basically, this file, when placed in a corresponding directories, lock the access to these directories and files that can be potentially exploited by hackers. It is created automatically when WordPress is installed.
With the help of .htaccess, you can decentralize the control and access to your website folders in order to increase website protection.
If you had never thought about WordPress security issues and have just read the tips above, you must be feeling alarmed at how much work there is in store for you to guarantee the site security.
The good news is that WP developers have been working on WordPress security for years and have developed multiple plugins that can ease the process of setting up your security, so check them out:
In very deed, you do not need to use even half of these methods together. Make sure your computer and hosting are secure, choose a couple of other methods you find preferable in your situation and constantly monitor your site.
Now that your WordPress is secure you can make it beautiful and functional. Check out these premium WordPress themes.
BTW, do you have your personal WP security tricks? If so, feel free to leave them in the comments below.
Simon is a TemplateMonster sales operator who helps small businesses and startups by day and passionately rocking on the stage with his bass guitar by night. Simon is a truly creative spirit and idea generator who can draw almost everything he imagines.