Securing your WordPress site should not be a job left exclusively to expert system administrators. With some new tools and good hosting, you can secure your site yourself, and today I’m going to show you how to do just that with the fewest plugins possible. Following my own advice of “the fewer plugins the better”, in today’s article I’m going to use just one! First things first though, let’s start by taking a look at what can be done at the server/hosting level.
On your Hosting
The first step to having a secure site comes directly from your hosting account. If your site isn’t secured by an SSL certificate (i.e. it doesn’t have that sexy green padlock), now is the time. Securing your site with a certificate is easy enough, and everyone should be able to do it from cPanel and Plesk based services without outside intervention; even if help is needed, any good hosting support team will help you set one up, and the process is usually dead quick.
There are a number of different SSL certificates out there, but for the benefit of the ‘everyday’ reader I’m just going to go through the most common type, and also the one that happens to be free – Let’s Encrypt.
Before enabling https inside WordPress we need to load the certificate onto our domain. On cPanel this is fully automatic through a button, and some newer cPanel installations come with automated Let’s Encrypt certificates, so as soon as your account is created you’ll have a certificate loaded onto your domain. If you’re using Plesk, you can create a Let’s Encrypt certificate from the main menu. You should also include the “www” and mail hostnames in the certificate. This increases the security of your site by not allowing it to load insecure content, and it’s the most recommended first step to securing your site. Furthermore, Google are rapidly cracking down on sites without valid SSL certificates by penalising their rankings – so not having one will only damage your SEO potential!
SSL Certificates can be a little finicky sometimes, so if you spot any errors in your configuration I’d advise running your site through whynopadlock.com and following the steps outlined there.
Check those file permissions
The second most important security rule is to limit file access to read only on the following files in the WordPress root folder: wp-config.php, wp-settings.php, .htaccess and index.php.
The only role that should have “write access” on these specific files is the owner. No other user or group needs any further permissions on them, as those files are read by WordPress alone. This effectively reduces the risk to your site by not exposing any kind of write access to the outside world.
If your site was hacked through insecure file permissions, or picked up a malicious worm, this is how it might look:
This is a classic example. Notice the @include surrounded by /*f2e34*/? That code is a “worm” that was injected into a WordPress site through bad file permissions. This kind of code can create a backdoor for anyone to access your site and inject advertising, steal information and carry out many other kinds of bad behaviour. This is why manually checking the permissions on those important files is so essential. I’ll come onto the practicalities of how to check and change file permissions later in this article.
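One way to hunt for that shape across a whole site, as an added example that is not from the original post: a small shell scanner that flags PHP files containing an @include wrapped in short comment markers like /*f2e34*/. The regex is my assumption about what the markers look like (3 to 8 hex characters inside /* */), so tune it to what you actually see; the sample files it runs against are constructed here.

```shell
#!/bin/sh
# Flag PHP files containing an @include wrapped in short comment markers
# such as /*f2e34*/, the injected-worm shape discussed above.
# INJECT_RE is an assumed pattern: 3-8 hex chars inside /* */, then @include.
INJECT_RE='/\*[0-9a-f]\{3,8\}\*/[[:space:]]*@include'

# Print "path:line:text" for every match under the given root.
# Empty output means nothing matched; the function never fails the caller.
find_injected_includes() {
    find "$1" -type f -name '*.php' -exec grep -Hn "$INJECT_RE" {} + 2>/dev/null || true
}

# Number of distinct affected files, handy as a monitoring check.
count_injected_files() {
    find_injected_includes "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Demo on a constructed tree so it runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/themes/x"
printf '<?php\n/*f2e34*/ @include "constructed-dropper"; /*f2e34*/\n' > "$demo/index.php"
printf '<?php\ninclude "wp-load.php"; // a normal include\n' > "$demo/wp-content/themes/x/functions.php"

find_injected_includes "$demo"
echo "files affected: $(count_injected_files "$demo")"
rm -rf "$demo"
```

Run it against your WordPress root on a schedule and alert when the count is anything but zero.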
Within WordPress Admin
Now let’s tweak our WordPress site to improve the security even more. The first, and simplest, step after you have your shiny new SSL certificate is to change your site address to https. You do this by going to Settings > General and updating the site address prefix there from http:// to https://.
Once our site is on https we can move forward and install a security plugin. For this tutorial I’ve selected one of my favourites, iThemes Security. It’s a very straightforward plugin to use and does not add any latency to your site.
The first thing I do once the plugin is installed is limit login attempts, as this helps against one of the most common hack types on the web – brute-force attacks. You’re free to modify the variables to best fit your needs, but I always go for somewhere between 3 and 5 attempts before a user is locked out. If a genuine user does end up getting themselves locked out, you can always undo the lock on that account very easily from the plugin settings, so it’s not the end of the world if that happens.
Another good technique to block login attempts is simply to change the login page to something else. This effectively removes the wp-login link from WordPress, so any automated login attempt is met with a “disabled page”. Put in whatever login URL you want and the plugin will disable the standard login page and do the rest. Just be sure to remember what you set it to before saving!
Securing your database is also good practice. Lots of attacks try to hijack the database by accessing the default wp_ tables. By changing the prefix of those tables to something else you create an extra step for any automated attacker to get through. Always run a backup before doing this, though, and ideally do it as one of the first steps in a fresh WordPress install, as it can end up breaking things!
How do I check and change those file permissions you mentioned earlier?
I’m glad you asked.
Now that iThemes is installed, it’s really easy to detect whether any of your files are insecure. Simply head to the plugin settings > File Permissions > Show Details. From here you can run a quick scan of your root folder, and iThemes will warn you if there is anything that needs looking at. Hopefully you’ll get a nice list of green, but if not, the process of updating your permissions is simple.
I change permissions by heading into my FTP client and updating them that way. It’s quick, simple and efficient. You can then reload the permissions details in iThemes to instantly check that your changes have taken effect.
If you’re not comfortable using an FTP client, some hosting panels will have a file permissions section, but failing that you can ask your host’s support to change these for you and they can do that quickly and easily on your behalf – just make sure to re-run the check in the plugin settings to make sure they’ve done it correctly!
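If you prefer the command line to an FTP client, here is an added example (not from the original post or from the plugin) that checks the four files named above for group or world write permission and strips it, leaving the owner’s write bit and everyone’s read bits alone. It builds a throwaway WordPress root of its own so it runs anywhere; point the functions at your real root to use it.

```shell
#!/bin/sh
# Check the four files the article names for group/world write bits and
# strip them. Paths are relative to the WordPress root passed in.
WP_CRITICAL_FILES="wp-config.php wp-settings.php .htaccess index.php"

# Columns 6 and 9 of `ls -l` are the group-write and other-write flags,
# so "--" means only the owner may write.
gw_ow_bits() {
    ls -ld "$1" | cut -c6,9
}

# List critical files under ROOT that are writable by group or others.
# One path per line; empty output means everything is fine.
insecure_wp_files() {
    root=$1
    for name in $WP_CRITICAL_FILES; do
        f="$root/$name"
        [ -e "$f" ] || continue      # a missing .htaccess is not a finding
        case "$(gw_ow_bits "$f")" in
            --) ;;                   # owner-only write: fine
            *)  echo "$f" ;;
        esac
    done
}

# Remove group/world write on each insecure file without touching read
# bits (664 or 666 becomes 644, what you would set from an FTP client).
harden_wp_files() {
    insecure_wp_files "$1" | while IFS= read -r f; do
        chmod go-w "$f"
        echo "fixed: $f"
    done
}

# Demo on a constructed throwaway root so the script runs offline.
demo_root=$(mktemp -d)
for name in $WP_CRITICAL_FILES; do : > "$demo_root/$name"; done
chmod 666 "$demo_root/wp-config.php"        # deliberately world-writable
chmod 664 "$demo_root/.htaccess"            # group-writable
chmod 644 "$demo_root/index.php" "$demo_root/wp-settings.php"

echo "Before:"; insecure_wp_files "$demo_root"
harden_wp_files "$demo_root"
echo "After:";  insecure_wp_files "$demo_root"
rm -rf "$demo_root"
```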
Other useful tips
iThemes has a plethora of options and I’d be here forever going through them all (or at least longer than I can be bothered, and without getting hungry and fed up). In short, as long as the above tips are followed, I’d recommend running the plugin’s Security Check option and following any steps it tells you to. It’s very straightforward to use, and there are hundreds of tutorials online if you want to dig a bit deeper and use some of the more advanced settings.
My final piece of advice is simple:
Use a strong password.
It pains me to think of how many admin passwords I’ve seen over the years along the lines of ‘Admin123’ and ‘Letmein’. Regardless of how strictly you follow the WordPress security settings, you’re opening yourself up to easy intrusion if you’re not password smart. A handy rule of thumb is to use a password longer than about 8 characters (I go for 16 to be extra secure…) and to choose a random combination of alphanumeric characters and special symbols. Think of it more as a pass key than a password – it shouldn’t resemble a word.
I like to use Ben Kennish’s password strength checker. It gives a good idea for how strong your password is and, on average, how long it would take a computer to crack. I’d advise you head there now and test some of your passwords. It may shock you!
*Disclaimer: I don’t use the above password anywhere 😉
So that’s it! Follow the steps listed above and you’ll be well on your way to having a more secure WordPress site.