June 15, 2015
WordPress Security Best Practices
Is WordPress Under Attack?
Some research estimates that around 30,000 websites are hacked each day, most of them belonging to small businesses. At Graphically Speaking we are now cleaning up more than one hacked website per day.
To help minimize this problem we have put together a list of security best practices. We created it to make sure every website we develop is hardened from the start, and we recommend you implement these measures yourself to reduce the chance of your website being compromised.
Top 21 Best Practices for WordPress Security
- Use a strong password. The time needed to brute-force a password grows exponentially with its length and the size of its character set. The figures often quoted (about ten minutes for a six-character lowercase password, a few years for eight characters with some uppercase letters, tens of thousands of years once a ninth character plus digits and symbols are added) are illustrative and depend on the attacker's hardware and on how the password is hashed, but the lesson holds: use a long, unique password, ideally a passphrase or a password-manager-generated string of twelve or more characters, for every WordPress account and above all for administrators.
- Change the default "admin" username. Older WordPress installers created an administrator called "admin", and many hosts still do. It is a favourite target because the attacker already knows half of the credential and only has to guess the password. WordPress does not let you rename a user from the dashboard, so create a new administrator with a unique username, log in as that user, and delete the old "admin" account, reassigning its posts to the new one. A unique username and a strong password together make brute-force attacks far less likely to succeed.
- Out-of-date WordPress installation. Each WordPress release fixes security bugs that are disclosed at the same time, so an unpatched site is running publicly known vulnerabilities. Install updates promptly. Since WordPress 3.7, minor and security releases are applied automatically unless that has been disabled, and you can opt in to automatic major updates as well.
- Out-of-date plugins. Same as above. We have seen a large increase in attacks that came in through out-of-date plugin files, because a plugin vulnerability is exploitable on every site that runs the old version.
- Lack of email validation. If you allow visitors to sign up or create a member account on your WordPress site, require a confirmed email address before the registration completes, so that bots cannot create accounts in bulk.
- Failing to log out of the admin panel. Log out of your dashboard when you have finished editing, especially on a shared or public computer; an open session leaves a valid authentication cookie behind that anyone at that machine can use.
- Lack of security plugins. Several good security plugins will help protect your WordPress website by adding login limits, malware scanning and file-change monitoring, and some also produce a checklist of what you can still do to protect WordPress further.
- Login error messages. By default WordPress tells the visitor whether the username does not exist or the password is wrong for a username that does exist, which lets an attacker confirm valid usernames before guessing passwords. Replace both messages with a single generic one.
- Not using two-step verification for the admin login. Don't rely on the password alone for your dashboard; add a second step such as a one-time code from an authenticator app. This is typically done with a plugin.
- No limit on login attempts. Lock an account or IP address out after a set number of failed logins so that password guessing cannot continue at full speed.
- Stay up to speed. You or your web developer should follow the WordPress security announcements and support forums. The best way to prevent an attack is to know about a vulnerability before someone uses it against you.
- Is your admin login wp-admin? Moving the login page to a unique path hides it from the mass scanners that try /wp-login.php and /wp-admin on every site they find. Treat this as noise reduction rather than protection: a targeted attacker will locate the new path, and the same credentials can still be tried against xmlrpc.php, so apply your login limits there as well.
- WP Config file default location. wp-config.php holds the database credentials and the authentication salts. WordPress also looks for it one directory above the installation, so on a typical host you can move it out of the public web root, where a misconfigured server or a path-disclosure bug can no longer serve it as plain text. Make sure the file is readable only by the web server user.
- No CAPTCHA. Use CAPTCHA on login, registration and comment forms. This keeps out automated scripts and bots, which account for most guessing and spam traffic.
- Bad or insecure themes. Always get your themes from reputable sources. Poorly developed or pirated themes can contain code that gives an attacker a way into your site.
- Out-of-date themes. Check often for updates to the theme you are using. A hacker can access your website through outdated theme files just as through an outdated plugin.
- Multiple themes installed when you are only using one. Inactive themes are still present on disk, their PHP files are still reachable over the web, and they are easy to forget when updating, so delete the themes you are not using.
- Insecure web hosting. Choose a hosting company that is secure and reliable. Shared hosting plans put many websites on the same server, and if the host does not isolate accounts and monitor its servers properly, a compromised neighbouring site can be the source of your infection.
- Bad plugins. Always know what plugins you are installing. Some plugins exist only to gain access to your WordPress site. Do your research before installing a plugin by reading forums and reviews, and if a plugin you want has not been updated in years by its developers, it is safest not to use it.
- Remove disabled plugins. A deactivated plugin's files are still on the server and, in many cases, still reachable over the web, so a vulnerability in it can be exploited even though the plugin is switched off. If it isn't being used, there is no good reason to keep the code on the website.
- Hacker code. Be wary of any code you paste into your theme or functions.php. Snippets published on forums and tutorial sites are sometimes written specifically to plant a backdoor; read what a snippet does (watch for eval, base64_decode or obfuscated strings) before using it.
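Several items above (automatic updates, generic login errors and a login-attempt limit) can be implemented with a few WordPress hooks. The following must-use plugin is an example added here for this article; it is not code from WordPress or from any plugin mentioned. The thresholds (five failures, fifteen-minute lockout), the use of REMOTE_ADDR for the client address, and the choice to auto-update plugins and themes are assumptions, not recommendations from the article.

```php
<?php
/**
 * Plugin Name: Login and Update Hardening (article example)
 *
 * Added example for this article, not code from WordPress or any plugin.
 * Save as wp-content/mu-plugins/login-hardening.php; files in that directory
 * load automatically and cannot be deactivated from the dashboard.
 *
 * Assumptions made here, not stated in the article: five failed logins trigger
 * a fifteen-minute lockout, attempts are counted per client IP from REMOTE_ADDR,
 * and automatic updates are wanted for core, plugins and themes.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Refuse to run outside a WordPress request.
}

define( 'LH_MAX_ATTEMPTS', 5 );
define( 'LH_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

/* --- Out-of-date core, plugins and themes ------------------------------ */

// Minor/security core releases are automatic by default since 3.7; this keeps
// it that way even if a host has turned it off. Plugins and themes are opt-in.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

/* --- Login error messages ---------------------------------------------- */

// WordPress otherwise says "Invalid username" for unknown users and a
// different message for a wrong password, which confirms valid usernames.
add_filter( 'login_errors', function ( $message ) {
    return 'Login failed. Check your username and password.';
} );

/* --- Limit login attempts ---------------------------------------------- */

function lh_client_ip() {
    // REMOTE_ADDR is set by the web server and cannot be forged by the client.
    // Behind a proxy or CDN, read the header the proxy sets instead (assumption).
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lh_failure_key() {
    return 'lh_failures_' . md5( lh_client_ip() );
}

// Fires for every wrong password or unknown username.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lh_failure_key();
    $count = (int) get_transient( $key );
    // Each failure re-arms the expiry, so hammering a locked-out IP extends the lockout.
    set_transient( $key, $count + 1, LH_LOCKOUT_SECONDS );
} );

// Priority 30 runs after the core username/password check (priority 20),
// which would otherwise overwrite an error returned earlier in the chain.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( lh_failure_key() ) >= LH_MAX_ATTEMPTS ) {
        return new WP_Error(
            'lh_locked_out',
            sprintf( 'Too many failed logins. Try again in %d minutes.', LH_LOCKOUT_SECONDS / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( lh_failure_key() );
} );
```

Two caveats before using something like this. A per-IP counter will lock out every user behind the same office NAT and is trivially spread out by a botnet that rotates addresses, so it is a brake on guessing, not a replacement for two-step verification. And automatically updating every plugin and theme can break a site as easily as it patches one, so keep tested backups and consider restricting the auto_update filters to the plugins you trust.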
Why Are So Many Sites Getting Hacked?
Next issue we will discuss why so many sites are getting hacked and what the hackers are trying to accomplish, the damage that might have been done and best practices for recovering from an attack.