Here’s a compilation of some of our best practices for WordPress security. These are good measures you can take as an average user without coding expertise or server administration experience. We believe they drastically decrease the odds of a WordPress site getting hacked, and we’ve seen them effectively protect our own websites and some of our customers’.
You’ll see me recommend the free plugin All-in-One WordPress Security several times in this post. Among the many, many things this plugin can do, it makes all of the following suggestions very easy. I personally don’t turn on all of its features, because there are a lot and some cover the same bases as others, but beyond its login lockdown, database prefix, and failed login records features, it can help with everything below. This plugin is not at all required for any of these suggestions, however, and much of what it does goes above and beyond these top-five suggestions.
Let me tell you, learning to keep your WordPress site secure because it’s already been hacked is not the way you want to do it. Once hackers get in, you have to take drastic measures to get them out and keep them out. We’ve scrubbed a few hacked client sites lately and it’s tedious, grubby work. The minor inconvenience of applying security measures in advance is vastly preferable to the major inconvenience of cleaning up a hacked WordPress site, and most of these suggestions are easy.
1. Don’t Name Your User Something Obvious
If the attacker knows your username, that gives him half of the user-password puzzle. When your username appears as the post author, or anywhere else on your site, an attacker then only has to guess half of your login credentials. Why make it easier for him?
In WordPress, under your user settings, you have the option of making your public display name anything you want, using your first name, last name, and nickname fields. It should NOT match your login username.
Attackers will also try to guess your user name from context. The first thing they try is “admin.” (Never name your user “admin.” If you have an “admin” user, delete it and replace it with a different one.) Then they may try your site name, site title, or contextually important keywords, so don’t use those in your username.
The plugin I mentioned, All-in-One Security, lets you view login records, including failed login records, so you can see which usernames attackers are trying. This can be useful. If you see that attackers have discovered one of your valid usernames, you can delete and replace that user, or at least ensure that user has a very strong password.
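One way to audit your own user list for exactly these problems, as an added example rather than anything from the original post or the plugin: the script below reads the CSV that WP-CLI’s `wp user list --fields=user_login,display_name --format=csv` prints (the sample rows here are constructed) and flags accounts whose login is “admin”, whose public display name equals the login, or whose login contains a keyword from the site name (the keyword, “airport” below, is an assumed input you supply).

```shell
#!/bin/sh
# Added example, not from the original post: audit WordPress accounts for
# guessable usernames. Input is CSV in the shape printed by
#   wp user list --fields=user_login,display_name --format=csv
# The rows below are constructed sample data, not a real site's users.

SAMPLE_USERS='user_login,display_name
admin,Site Admin
jsmith,jsmith
tarmac_editor,Jane Smith
airportnews,Airport News'

# audit_users SITE_KEYWORD < csv
# Prints one line per risky account: LOGIN<TAB>REASON.
# (Display names containing commas would need a real CSV parser; this
# assumes the simple two-column form shown above.)
audit_users() {
    site_kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -F',' -v kw="$site_kw" 'NR > 1 {
        login = tolower($1); display = tolower($2)
        if (login == "admin")
            print $1 "\tlogin is the default \"admin\""
        else if (login == display)
            print $1 "\tpublic display name reveals the login name"
        else if (kw != "" && index(login, kw))
            print $1 "\tlogin contains the site keyword \"" kw "\""
    }'
}

# count_risky SITE_KEYWORD < csv -> number of flagged accounts
count_risky() {
    audit_users "$1" | wc -l | tr -d ' '
}

# Usage on the constructed sample: three of the four accounts are flagged,
# only tarmac_editor (display name "Jane Smith") passes.
printf '%s\n' "$SAMPLE_USERS" | audit_users airport
```

On a real site, pipe the WP-CLI output into `audit_users` instead of the sample; every flagged line is an account to rename or give a stronger password.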
2. Use a Strong Password
This is simultaneously the single most important and easiest step you can take. One of the hack recoveries I’ve been involved with was a site that I could tell got hacked through a weak password.
Passwords made of straightforward English words are easier to crack than ones that contain more than dictionary words. Passwords that contain “admin” or the user’s name or the name of the website are particularly easy to guess. The worst are generic passwords like password, changeme, 123456789, etc.
What does a strong password look like? welovecats is weak. w3l0v3c4ts is better. gU’^P-!zc}z58N/U is best. The WordPress user preferences page will now generate strong passwords for you.
One thing that strikes me when using All-in-One’s feature to monitor failed login attempts is the volume of failed login attempts from unknown users. I see around a hundred per day on some of our sites. And if All-in-One’s login lockdown feature were not in effect, forcing the attacker to change IP address every time a login fails, there might be many more. How long will it take to crack your password?
Use KeePass or another password tool
Why don’t people use hard passwords? Because what’s hard for a machine to crack is also hard for a human to remember and to type. Well, there are solutions for that. We use KeePass, a free tool, to manage our passwords. You can copy/paste your difficult-to-type passwords straight out of KeePass into your WordPress login. A strong password is 1000% worth the slight inconvenience, and you realize this if you ever need to clean up after a hack — or pay a technician in limbs and firstborn babies to do it for you.
3. Update your Plugins & Core!
I would rank this as the next most important step after your password, yet most WordPress users I’m familiar with are fairly delinquent with their updates. I’ve been involved with at least one hack recovery that was due to an out-of-date version of WordPress.
New versions of WordPress (and other software such as plugins) often contain fixes for vulnerabilities that have been discovered. When you continue to host old versions on your site, hackers can use the known exploits for those versions, especially if your WordPress installation broadcasts its version in the footer or some other location. Most modern themes are smart enough not to do this. But that does not mean an attacker coming across your site won’t try the old exploits anyway. Also, WordPress and plugin versions may be publicly visible to anyone who uses their browser’s web inspector or a crawler bot to read your site’s source code.
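To see whether your own site broadcasts versions in the way just described, here is an added example (not from the original post) that inspects a page’s saved HTML for the generator meta tag and for `?ver=` query strings on plugin and theme assets. The HTML, the theme name “flyaway” and the plugin name “example-forms” are constructed, and the URL in the comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post: check a page's HTML for
# version disclosures. The HTML below is constructed; on a real site you
# would feed the functions the output of
#   curl -s https://example.com/      (placeholder URL)

SAMPLE_HTML='<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 5.8.1" />
<link rel="stylesheet" href="/wp-content/themes/flyaway/style.css?ver=2.3.0" />
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.0"></script>
<link rel="stylesheet" href="/wp-content/plugins/example-forms/css/styles.css?ver=5.5.3" />
</head><body></body></html>'

# generator_version < html -> WordPress version from the generator meta tag,
# or nothing if the theme suppresses the tag
generator_version() {
    sed -n 's/.*<meta name="generator" content="WordPress \([0-9.]*\)".*/\1/p' | head -n 1
}

# versioned_assets < html -> plugin/theme asset paths carrying ?ver= query
# strings; these give away plugin and theme versions even when the generator
# tag has been removed (core assets under /wp-includes/ are not counted here)
versioned_assets() {
    grep -o '/wp-content/[^"]*?ver=[0-9.]*' | sort -u
}

# count_versioned_assets < html -> number of such assets
count_versioned_assets() {
    versioned_assets | wc -l | tr -d ' '
}

# Usage on the constructed page: prints the core version, then the two
# plugin/theme assets that reveal their versions.
printf '%s\n' "$SAMPLE_HTML" | generator_version
printf '%s\n' "$SAMPLE_HTML" | versioned_assets
```

A non-empty result from either function means the version information is public; the fix is the same either way, keep everything updated, because hiding a version number does not make an old version safe.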
4. Don’t Use wp-login.php
If the attacker knows your site is a WordPress site (which is easy to tell), then they know your login page is probably wp-login.php, the WordPress default.
The easiest way to change this is with a plugin, such as All-in-One Security. There are others — Rename wp-login.php or Loginizer. I haven’t tried either of these two, but they have good ratings as of this writing.
When I do this, I try not to name the login destination something too obvious, but something that I or the client will remember. One way to do this is to name the page something tangentially related to the site. For example, if you’re doing a site for a local airport, you could name it takeoff or tarmac.
I don’t know that renaming the login is super-effective, but I don’t think it hurts to do it. When I use All-in-One Security to monitor failed login attempts, it seems clear to me that hackers who specialize in this sort of thing are still easily finding a way to attempt logins.
5. Advanced: Disallow Scripts from Your Uploads Directory
Some host services (e.g. Dreamhost) do this for you when you install WordPress (via Dreamhost’s One-Click Install). Dreamhost does this by creating an .htaccess file in your wp-content/uploads directory with only one line:
To do this yourself, you can open a text editor and create a file named ‘.htaccess’ with NO extension. Save it with the above line, and upload it by FTP into your site’s uploads directory.
In the hacked sites I’ve examined, I found the attackers did add files to the uploads directory. These files were named like you would expect WordPress files to be named, but there should not be such files in your uploads directory. By placing this .htaccess file in your uploads directory you prevent scripts, especially PHP, from running in that directory.
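As an added example, not the post’s or Dreamhost’s own file, the script below writes an Apache rule with the same effect into an uploads directory and then lists any PHP-style files already sitting there, which is the check the paragraph above calls for. The directory path is whatever you pass in; the test data is a constructed temporary tree.

```shell
#!/bin/sh
# Added example, not the original post's .htaccess: harden a WordPress
# uploads directory by denying requests for script files, and inventory the
# script files that should never be there. Paths are supplied by the caller.

# Apache rule denying direct requests for PHP-style files. Both the 2.4 form
# (Require) and the 2.2 form (Order/Deny) are included so the same file works
# on either version.
UPLOADS_HTACCESS='<FilesMatch "\.(php|phtml|php[0-9])$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>'

# harden_uploads DIR: write DIR/.htaccess (no extension, as the post notes)
# with the rule above. Refuses to overwrite an existing file so that a
# host-provided rule is kept; returns 2 in that case.
harden_uploads() {
    dir=$1
    if [ -e "$dir/.htaccess" ]; then
        echo "harden_uploads: $dir/.htaccess already exists, leaving it alone" >&2
        return 2
    fi
    printf '%s\n' "$UPLOADS_HTACCESS" > "$dir/.htaccess"
}

# list_scripts_in_uploads DIR: print every PHP-style file under DIR, one per
# line. A legitimate uploads directory holds media only, so every hit is
# worth inspecting, whether or not the .htaccess rule is in place.
list_scripts_in_uploads() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) | sort
}

# count_scripts_in_uploads DIR -> number of such files
count_scripts_in_uploads() {
    list_scripts_in_uploads "$1" | wc -l | tr -d ' '
}

# Usage (path is an assumption; adjust to your site):
#   harden_uploads /var/www/html/wp-content/uploads
#   list_scripts_in_uploads /var/www/html/wp-content/uploads
```

The rule only stops Apache from serving those files directly; it does nothing on nginx or other servers, which need their own equivalent, and a file that is already in the uploads directory is evidence of a problem whether or not it can be executed, which is why the listing check belongs next to the hardening step.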
Bonus Tip: Keep a Clean Server
I think that hackers like messy filesystems, because it makes it easy to hide malicious code in plain sight. If you keep lots of directories on your server in addition to your WordPress files, it gives hackers lots of creative places to store code. For example, if you have old site backups, development directories, image or PDF repositories, or personal files sitting on your server, hackers can tuck code in these places that either interacts with your WordPress site or that facilitates easier access to your site or server.
These days, personal files can be stored at Dropbox or other cloud storage services. Images or PDFs needed by your public site can be moved into your WordPress media library.
The most dangerous thing you can do is to leave old WordPress installations sitting somewhere on your host’s server. If you have a development site or an old backup of WordPress sitting there, it can be subject to those known exploits mentioned above. If attackers can get into this old version of WordPress, they might be able to access your whole server, or at least interact with your current WordPress site.
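As an added example, not from the original post, the script below inventories every WordPress installation under a directory and reports its version, which makes forgotten backups and development copies easy to spot and compare against the live site. The web-root path in the usage comment is an assumption; the test builds a constructed directory tree.

```shell
#!/bin/sh
# Added example, not part of the original post: find every WordPress install
# under a directory and report its version, so stale copies can be removed or
# updated. Every install carries wp-includes/version.php with a line like
#   $wp_version = '6.4.2';
# which is the only thing this script reads.

# find_wp_installs DIR: print "INSTALL_ROOT<TAB>VERSION" per install found.
find_wp_installs() {
    find "$1" -type f -path '*/wp-includes/version.php' | sort | while read -r f; do
        root=${f%/wp-includes/version.php}
        ver=$(sed -n "s/^[\$]wp_version = '\([^']*\)';.*/\1/p" "$f" | head -n 1)
        printf '%s\t%s\n' "$root" "${ver:-unknown}"
    done
}

# count_wp_installs DIR -> number of installs found (more than one under a
# web root means an old copy is lying around)
count_wp_installs() {
    find_wp_installs "$1" | wc -l | tr -d ' '
}

# wp_install_version DIR -> version of the install rooted exactly at DIR
wp_install_version() {
    find_wp_installs "$1" | awk -F'\t' -v d="$1" '$1 == d { print $2 }'
}

# Usage (path is an assumption; point it at your own web root):
#   find_wp_installs "$HOME/public_html"
```

Run it against the whole web root, not just the live site: a second entry with an older version number is exactly the forgotten installation the paragraph above warns about.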
WordPress Security: Helpful Plugins
In addition to All-in-One Security, I have found Exploit Scanner useful for identifying potentially malicious code on sites that were hacked or that I suspected had been hacked. Exploit Scanner will scan your WordPress files for common signs of bad code. It will (usually) find a lot of false positives, and it is up to you to recognize which files should be there and which should not, but it can help you get a sense of whether something fishy is going on beneath the hood of your website.
I am also frequently asked, in the same breath as WordPress security, for recommendations about comment spam. This is related, as spam containing links to malicious websites is basically a type of insertion attack. We usually install WP Spam Shield. It’s free, kept up-to-date, and seems effective.
Have ten gazillion spam comments in the backlog that need moderating? Bulk Comment Remove will delete ALL pending comments with a single button push. Make sure you don’t have any legitimate comments hiding in there!