Keeping your WordPress website secure is terribly important. And, it is not as hard as you might think.
WordPress is open-source software used to build websites; it is often referred to as a Content Management System (CMS). In general, a CMS provides structured management features that support the creation and modification of digital content using a simple interface while hiding minor or global details (unless required), and can usually support multiple users working in a collaborative environment. Of all the major CMS in use today, WordPress is far and away the most popular, currently powering 27% of all websites on the internet.
This website was built using WordPress, as are all the websites we develop. WordPress is not necessarily better than its competitors, like Drupal and Joomla, but we believe it is at least as good; there are plenty of sound reasons why a person would choose a CMS other than WordPress, and every project and user is unique. We only use WordPress because we believe it is powerful enough to support any type of website, because we believe it is the easiest CMS for us to teach even our most novice clients to use, and because it has a massive and active global community available to support issues.
However, being the most popular website building software in the world has some disadvantages, and the biggest is security. Due to it’s immense popularity, WordPress can be a popular target for hackers, malicious code distributors, data thieves, and other nefarious types. The internet is dark and full of terrors, and they are attracted to healthy prey; creating a hack or exploit for WordPress has the potential to get you access to more websites than any other CMS due to the sheer volume of WordPress websites.
This does not make WordPress any less secure than any other CMS; in fact, we would argue that it makes WordPress the most secure. In any event, hackers are going to hack, and stealers are going to steal, and that is just the world we live in.
Fear not, friends! That massive and active global community that supports WordPress never sleeps, and is always working to keep up with or stay ahead of security issues. With a little bit of TLC, you can help securue your WordPress site right now..
We’ve prepared for you five simple things you can do on a regular basis to help keep your WordPress site secure. If you keep up with these, you can protect yourself from the majority of threats targeting WordPress sites today.
Preface: Back It Up
First, make sure you are backing up your website. And make sure you have backups of your backups. This is so important, it is not even part of the list. We have our server backup all websites on scheduled intervals, and we also use software on the website that runs backups regularly, and we store a copy of those websites off-site in a secure cloud storage platform. If that sounds like overkill to you, it isn’t. If someone has hacked into your website and you have no backups, all of the investment you put into building the website, and all of the data you’ve collected from users (like comments and registrations and payments and subscriptions and sales) could be lost. Forever. Even if you are running backups on the website, if they are not stored off-site, a hacker can easily access those files from most configurations and delete them as well. Even if your server has a firewall and lots of solid protection, if the hosting accounts become compromised everything could be lost. Forever. Back it up, back it up, back it up.
OK, on to the list. Most WordPress sites are hacked because the username and password to get into the site were guessed by automated software, because people were granted privileges to access the site that they did not need, or because software on the website was outdated. So let’s get to it.
Secure Rule 1: If You Are Using “Admin” As A Username, Stop It
When you set up WordPress for the first time, it will create an account for you with the username “Admin”. This is the standard for all new WordPress sites. The problem with that username is that most people keep it, and this means that most WordPress websites have an Administrator-level user with the username “Admin”. In other words, if a hacker is trying to gain the username and password to get into a WordPress site, the odds are for most WordPress sites, the hacker is already halfway there. By relying on the fact that most people still have an “Admin” username on their WordPress site, all that’s left is guessing the password (that’s next).
For a variety of good reasons, WordPress does not allow you to change usernames. This is to maintain the integrity of the database, but it is also the likely reason why so many WordPress sites still have an “Admin” username. So what do you do?
Simply create a new administrative level user for yourself and then delete the original “Admin” user. Here are the steps:
- Backup your entire website.
- From the left-hand menu, hover over Users, then click on Add New
- Fill in all of the user fields with new info; you’ll need to use a different email address than the “Admin” user account, but you can change the email address later.
- Select Administrator from the Role drop-down.
- Click on Add New User.
- See the new administrative user you just created.
- Log out.
- Log in with the new administrative user you just created.
- From the left-hand menu, click on Users.
- From the list of users, delete the original “Admin” user.
- IMPORTANT: If you have created any posts with the original “Admin” user, YOU MUST select your new admin user from the Attribute all posts drop-down, and click on Confirm Deletion. If you fail to attribute the posts to your new administrative user, those posts will be deleted, and you’ll have to restore your website from a backup and start this process all over again.
- Once the original “Admin” user account is deleted, this task is complete.
For a more detailed description of this process, with screen shots, click here.
Secure Rule 2: If You Are Using A Password On This List, Stop It
Here are the two golden rules on passwords: Do not use a bad password, and do not use the same password on multiple websites.
We have written the past about using bad passwords, and it continues to be a major problem. Every year, this website compiles a list of the worst passwords from North American and Western European users, and they rarely change all that much from year to year.
Here are the Top 10 Bad Passwords from the 2015 list, ranked most-popular first:
Just like using “Admin” as your username, if you use one of these passwords, you are giving the would-be hacker what they need to get into your site. Hackers use computer programs to try one password after another, and you can believe that those programs start with the passwords like the ones on this list first.
Use a password a password or passphrase of (at least!) twelve characters or more with mixed types of characters. Don’t use a password that makes sense, no matter how clever you think it is. Be random; make it ugly.
And perhaps even just as important as using a good password is to *only use that password for your WordPress site*. I know, I know…it is way easier to come with a complex password that you can remember, and then use it for all of your websites. Here is the problem: if you are using the same password for Netflix, and your WordPress site, and Facebook, and any other site, and any of those sites has a data breach where passwords are exposed, hackers will attempt to login to all of your accounts with that same password. If each site has its own password, you are fine. If you are using the same password on multiple sites, any site with that password is now at risk.
There are encrypted password keepers that you can purchase and install on your computer and mobile devices, that allow you to generate random, complicated, and ugly passwords and store them for each website. Some are better than others, but if using one will help you to manage your passwords, we highly recommend it. We use them for everything.
If you do nothing else, do the first two steps on this list. If you take care of your Username and Password, you have eliminated the vast majority of risks to your WordPress site. But not all of them…
Secure Rule 3: If You Are Giving Out Administrative Level User Accounts, Stop It
WordPress has a very powerful system of user “roles and capabilities“. Basically, you can create user accounts for other people and by setting them at a specific role, you can manage what they can (and can’t) do on your website. Out of the box, those roles are: Administrator, Editor, Author, Contributor, Subscriber.
The problem is that people are unsure what all of the different roles do, so they assign anyone else who needs access to the website the highest level: Administrator. Every Administrator-level user you have on your website has the ability to destroy the entire website. For every Administrator-level user you have, you must concern yourself non only if you can trust them, but also if you can trust that they will care for their username and password as discussed above.
Because if you can’t feel that kind of trust, or if they are not careful, your website will have security holes big enough to drive trucks through.
We’ve put together this list that shows very clearly what each WordPress role can (and can’t) do. It is available as a free PDF and formatted so you can print it out on one standard sheet of paper.
Every organization should take care to review this list and assign the proper user roles to each person that has access to the website.
Secure Rule 4: If WordPress Tells You Stuff Needs To Be Updated, Then Update It
Remember that “massive and active global community that supports WordPress and never sleeps” we described earlier? Listen to them!
WordPress sends out a lot of updates to its core software throughout the year; in most cases, the primary purpose of these updates are for security purposes. There is no reason to wait; when a WordPress update is release, BACKUP YOUR WEBSITE, and go ahead and update it.
The additional software that is installed on your site — plugins — are also being constantly updated (at least, they should be). Not all plugins are cut from the same cloth, some are better than others, and some are supported better than others. Usually, when a plugin needs to be updated, it is because it needs to keep up with the latest WordPress core software update, or because the developer uncovered a security risk, or even sometimes because they are adding new features. Sometimes, for all three! In any event, you *should* be able to update your plugins as they require updates. If you are using quality plugins, or the people who built your website are using quality plugins, then upgrading *should* not be a problem. Our recommendation is to update, and then check from functionality and make sure all is working as it should. Of course, just to be on the safe site, BACKUP YOUR WEBSITE before you update plugins.
For a more detailed explanation, check out this article.
The biggest reason people don’t update the software on their WordPress site is fear that things will break or stop working. If this is a real fear, if by updating software on your WordPress you believe there is high risk that things will stop working right, then you have a poorly built website. Of course there is a risk that even the best plugin updates could break something, that even a core WordPress update could break something, but 99.9% of the time, if it does, it is because of some shoddy development on your site. We feel like having outdated software poses a far greater risk to your website than a software conflict from installing updates; however, we only use highly trusted, professionally built software on the websites we develop. Part of the reason we invest in that often expensive software is so that we can trust the development. We feel like if you truly can’t or don’t want to risk updating software, it might be time to consider rebuilding all or part of your website into something more stable.
Secure 5: If You Give Other People Your Administrative Login Credentials, Stop It
Sometimes, you need to let someone else behind the curtain. A friend or family member who wants to help, or a developer who wants to fix something, or even a boss who just wants to “check one thing”. It might feel like it is OK to just give them your username and password to log it, but it is not. This is a really horrible thing to do. Don’t ever do this.
What you want to do is create a new user for them, and set their role at the lowest level possible for them to do whatever it is they need to do. The fact is, another person’s browser or computer could be infected, and when they log on with your credentials, you could be opening up a Pandora’s Box of problems. Just take the 30 seconds (literally about 30 seconds, people) required to create a new user account for them, OK? Promise?
Are these steps all you need to do to secure your WordPress site against all malicious attacks? No! Frankly, there is nothing you can do to protect anything on the internet from all attacks, but taking these precautions will protect you against most attacks.
Here is a more comprehensive, “advanced level” list of things you can do to further secure your site: 20 Simple Tricks To Secure Your WordPress Site in 2016. Every single one of these tricks you can complete will make your site more secure.
Like all things in the world today, increasing security seems to have an inverse effect on convenience; some of these tricks make slow down your website, or make it too cumbersome for users to engage with your website, or even cause problems with membership and e-commerce sites. Striking the right balance between making your site as secure as possible without sacrificing usability is the real trick, and it might require investing in some professional help to get it just right.
No matter how far you go in attemptig to secure your WordPress site, please just BACK IT UP first!
Good luck out there!