June 15, 2015

WordPress Security Best Practices

Is WordPress Under Attack?

Some think so and research estimates that 30,000 websites are hacked each day with most of the sites belonging to small businesses. We are now fixing over one hacked website per day at Graphically Speaking.

To help minimize this problem we have developed a new list of security best practices. We created it to ensure all websites we develop are highly secure. We recommend you implement these solutions to minimize the chances of your website being compromised.

Top 21 Best Practices for WordPress Security

  1. Use a strong password. It takes only 10 minutes to crack a lowercase password that is at least six characters long. If you add two extra letters and a few uppercase letters, that number jumps to three years. Add just one more character, some numbers and symbols, and it will take 44,530 years to crack.
  2. Change the default “admin” username. WordPress creates a default administration user titled “admin”. This is a common target for hackers because they already know the username; they just need to figure out the password. A unique username and a strong password are the best combination to prevent brute force attacks.
  3. Out-of-date WordPress installation. When WordPress releases new versions and updates, install them promptly: doing so reduces known vulnerabilities and helps keep your site secure.
  4. Out-of-date plugins. Same as above. We have seen a huge increase in attacks through out-of-date plugin files.
  5. Lack of email validation. If you allow people to sign up or create a member account on your WordPress site, make sure you require email validation to complete registration.
  6. Failing to log out of the admin panel. It is important that you log out of your dashboard when you are finished editing your site.
  7. Lack of security plugins. There are several good security plugins available which will help protect your WordPress website - some provide a summary of what you can do to protect WordPress even further.
  8. Login error messages. You should customize the error messages on your login screen, because the default messages let a hacker tell whether the username or the password was wrong, or whether both were wrong.
  9. Not using two-step verification for admin user login. Don’t rely on the basic login step for your dashboard; add two-step verification to take it a step further. This can typically be accomplished with a plugin.
  10. Login attempt limits not in place. Make sure you place a limit on login attempts on your WordPress site. After a user fails to log in a set number of times, they will be locked out.
  11. Stay up to speed. You or your web developer should always stay up to speed with what’s going on in the WordPress forums. The best way to prevent an attack is to be knowledgeable and proactive.
  12. Is your admin login wp-admin? Change the link for your WP login to something unique. Having the login at wp-admin is a hacker’s dream.
  13. WP Config file default location. It is a good idea to move your wp-config.php file out of its default location to increase security.
  14. No CAPTCHA. Use CAPTCHA for logins, forums, and other areas. This helps keep out automated scripts and bots.
  15. Bad or insecure themes. Always get your themes from reputable sources, because poorly developed themes can contain code that makes it easy for hackers to access your site.
  16. Out-of-date themes. Check often for updates on the theme you are using. A hacker can access your website through outdated theme files.
  17. Multiple themes installed when you're only using one. If you have multiple themes installed but are only using one, it's best practice to delete or remove the themes that you are not using.
  18. Insecure web hosting. Always ensure that the hosting company you are using is secure and reliable. Shared hosting plans host multiple websites on the same server space. Another website on the same server space could be the source of infection if a web hosting company is not monitoring their sites or servers properly.
  19. Bad plugins. Always know what plugins you are installing on your site. Some plugins are created just to access your WordPress site. Do your research before installing a plugin by reading forums and reviews. If you happen to see a plugin you want to install that hasn’t been updated in years by its developers... it's safest not to use it.
  20. Remove disabled plugins. It is a good idea to remove any disabled plugins. If they aren’t being used, there isn’t a good reason to keep the code on the website.
  21. Hacker code. Be wary of any code you place on your site. Hackers love providing code on online forums and instructional websites for the purpose of gaining access to your website.
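Items 8 and 10 above can be implemented without a plugin using standard WordPress hooks. The following is an added example written for this article, not code from Graphically Speaking or from WordPress itself; the transient key prefix, the limit of 5 attempts and the 15-minute window are assumptions, and it would live in a must-use plugin file such as wp-content/mu-plugins/login-hardening.php (a hypothetical path).

```php
<?php
/*
 * Hypothetical mu-plugin: generic login error (item 8) and
 * per-IP failed-login lockout (item 10) using WordPress transients.
 * Assumed values: 5 failed attempts, 15-minute lockout window.
 */

const GS_MAX_ATTEMPTS   = 5;                       // assumed limit
const GS_LOCKOUT_WINDOW = 15 * MINUTE_IN_SECONDS;  // assumed window

// Key derived from the client address. REMOTE_ADDR is only trustworthy
// when the site is not behind a reverse proxy or load balancer.
function gs_attempt_key() {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'gs_failed_login_' . md5( $ip );
}

// Item 10: count failed logins per IP. 'wp_login_failed' fires after
// WordPress rejects a username/password pair.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = gs_attempt_key();
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, GS_LOCKOUT_WINDOW );
} );

// Item 10: refuse authentication once the limit is reached. Priority 30
// runs after the core username/password checks (priority 20), so the
// WP_Error returned here overrides a successful credential match.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( gs_attempt_key() ) >= GS_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// Item 8: replace the default error text, which reveals whether the
// username or the password was the part that failed.
add_filter( 'login_errors', function ( $error ) {
    return __( 'Login failed. Please check your username and password.' );
} );
```

Because the counter is keyed on the client address, a lockout affects every user behind a shared NAT address, so keep the window short and log lockouts so legitimate users can be helped.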

Why Are So Many Sites Getting Hacked?

Next issue we will discuss why so many sites are getting hacked and what the hackers are trying to accomplish, the damage that might have been done and best practices for recovering from an attack.