How to secure your WordPress website in 2019
Posted: 7th February 2019
I’ve worked with WordPress more or less since it was released in 2004. In that time I’ve lost count of the amount of conversations I’ve had with website owners (and a few IT professionals) adamant that WordPress isn’t secure. This is only partially true. A bit like your computer at home, if you don’t add some sort of security you leave it open to attack.
WordPress is the most popular content management system (CMS) in the world today. Powering around 30% of all websites and 60% of all CMS’, the scale that WordPress is used makes it a natural target for hackers.
There are however a number of simple ways you can secure your WordPress website. These simple steps will give you the advantage as hackers are more likely to try and hack a website with no security (and there are a lot of those) than waste time trying to hack a site that has already been secured.
Change the default username
Up until recently installing WordPress using the famous 5-minute install resulted in the default username being set to admin. As this was the same for all WordPress installs this meant hackers were already one step closer to gaining access to a site, when you know the username, all you have to do is guess the password.
Hackers will try and gain access to a WordPress website by doing what’s called a brute force attack. A brute force attack is a trial-and-error method used to try and guess the password of a WordPress website, if they already know admin is being used as a username, a script can be created to simply run thousands of combinations of passwords until the correct one is guessed.
So, if your WordPress website still has admin as a username, change it immediately. Make the username and password combinations as complex as possible to ensure brute force attacks don’t happen in the first place.
Rename the default login URL
All WordPress websites have the same admin area login URL which is /WP-admin. This makes it easy for hackers to target the login page as all they have to do is add /WP-admin to the end of a WordPress domain and they know the location to hack.
You’ll need a plugin to be able change the admin URL. There are free options available but we would recommend Manage WP or WPMU Defender. Changing the admin URL to something complex as opposed to /login is also highly recommended.
Add Google reCAPTCHA to your login URL
Once you’ve updated your admin URL you can further secure the page by adding Google reCAPTCHA. Google reCAPTCHA is a free service that helps to protect all websites (not just WordPress) against spam and abuse. Now onto reCAPTCHA version 3, the irritating pop ups from version 2 asking you to select all the pictures of buses or store fronts have long gone. reCAPTCHA 3 works behind the scenes to keep bots and automated software from accessing and abusing your website.
You will need a plugin to secure the WordPress admin area. We use WordPress ReCaptcha Integration. You will need to set up valid API keys from the official Google reCAPTCHA website. Once setup it adds an extra layer of security to your websites and helps keep the hackers at bay.
Keep WordPress core files up to date
WordPress core files are the files needed to make your WordPress website work. These files are the same for every WordPress install. They control the admin area and give developers the control and functionality they need to design and build your website.
The team behind WordPress constantly work to further develop and improve the platform. Part of their job is to ensure WordPress remains safe and secure, so they regularly provide bug fixes and security updates.
WordPress updates come in two forms, major and minor updates. Major updates usually contain new functionality. Minor updates usually contain bug-fixes and security patches. That is why it is important to keep your WordPress install up to date. Older versions of WordPress may contain vulnerabilities which hackers may be able to exploit. Keeping your WordPress install up to date makes hacking your site a lot more difficult.
Keep your themes and plugins up to date
The majority of themes and plugins aren’t built by the WordPress team, they are usually built by third parties. There are pros and cons to this.
The pros are there are thousands of themes available and well over 50,000 plugins on the WordPress Plugins directory.
The cons are a lot themes and plugins aren’t built very well. It’s usually the smaller, less supported themes and plugins that cause problems as they are not kept up to date as they should be.
Hackers are always looking to exploit vulnerabilities in WordPress and themes and plugins are a good place to start. Once a hacker has found a way to exploit the code in a theme or plugin they can gain access to your website and cause all manor of chaos.
If you have a theme or plugins that need to be updated it is likely because the theme or plugin developer has issued an update to tackle bug-fixes or other security issues. If the update contains a bug or security fix it’s important to run the theme or plugin update to ensure your website is protected.
Ban undesirable users
Another way to further secure the WordPress admin area is to ban users after too many failed login attempts. Using the WPMU Defender plugin you can set a limit of three failed login attempts before a user is blocked from the site. They can log in again after a few hours just in case it is a genuine failed login attempt.
The WPMU Defender plugin also allows you to create a username blacklist. You can add usernames such as admin and administrator so any hackers using these username get instantly banned from your WordPress website.
Create strong passwords
This one is a bit of a no brainer. When selecting a new password, or resetting one make sure you follow the prompts WordPress gives you and select something complex. The weaker the password the easier it is for hackers to guess it. Ensure you use a mix of small letters, capital letters, numbers and special characters.
Reset your WordPress security keys
WordPress security keys can be found in the installs WP-config.php file. Security keys are a string of random variables used for the authorisation and encryption of cookies generated by WordPress. Usually these cookies are used to verify the identity of logged in users and commenters. During the install process there is no need to set these keys as WordPress takes care of this as part of the installation process. However once your website is up and running it is recommend to reset these keys every 60 days or so. You can do this manually or to make life easier you can use a plugin such as WPMU Defender Pro.
Automatically log out idle users
If you work in an office environment and have several administrators managing your WordPress website it may be worth setting up the Bullet Proof Security Pro plugin to log out any idle users. This is to protect against anyone leaving the admin area open when they are away from their computer. If you manage your WordPress website from home this may not be such a big issue.
Make regular backups
If the worst does happen and your WordPress website does get hacked an easy way to deal with the hacked content is to perform a restore of your websites files and database.
Restoring the website to an earlier date can save you a heap of time. Rather than trying to remove all the hacked content from your website, a simple restore will take the site back to before the attack happened. You can then secure your website by checking through the steps above, changing all passwords to both the WordPress admin area and the database.
Your hosting provider may already include a backup feature as part of your websites hosting. If not, then you can use one of the many WordPress plugins available such as VaultPress or Snapshot Pro. Website files and databases can be uploaded to a number of cloud storage providers such as Google Drive and Dropbox.
Use an SSL to encrypt WordPress data
You may have noticed that some website addresses start with https:// rather than http://. The s lets you know that the website you are on has an SSL installed. An SSL stands for Secure Sockets Layer. It is a standard security protocol and means your connection to a website is secure and encrypted.
The primary reason to use an SSL is to encrypt the data sent from a users computer to the websites server. This is important because without an SSL any information sent would be unencrypted and therefore potentially view able to hackers and identity thieves. Data sent through your website will usually be done through some sort of form, maybe a contact form containing name, email and telephone details. If you have an e-commerce website customers might place an order using a credit card, it’s absolutely crucial this information in encrypted so that the information doesn’t fall into the wrong hands.
As well as the security benefits to using an SSL there are also some SEO benefits. Google has over 200 ranking factors and one of them is whether or not a website is secure. Additionally, in July 2018 Google began its clamp down on unencrypted websites. From Chrome 68 onwards any website that doesn’t have an SSL is marked as ‘Not secure’. Although this doesn’t impact SEO directly, it isn’t great for your website visitors to see a ‘Not secure’ notification right next to your domain name.
You can purchase SSL certificates from a number of providers but it is worth doing some research on what SSL is best for your business. If you have an e-commerce website you may need an SSL with extended validation (EV SSL) or if you have a web site with a subdomain you may be better off with a wildcard SSL.
Why do people want to hack a WordPress website?
This is a good question. Don’t be too blasé about security on your website, there are a number of reasons hackers will try and hack your WordPress website. It isn’t just big corporations hackers are looking to target, even small websites are of interest.
One of the more common hacking methods is to inject malicious code into your site. The code may contain links to a website the hacker is trying to drive a lot fo traffic too in a short space of time, in an attempt to cheat the search engine result pages (SERP’s). These links can be added through comment spam, hijacking your sites email or even added directly to your WordPress sites theme files.
Another way hackers can target your website is by spreading malware and viruses. This can be done by injecting malicious code into the back end of the website, either into the WordPress core files or by adding additional files that shouldn’t be there. When your site visitors then interact with this code hackers can gain the users information or spread the virus directly to their computer or website.
One of the more obvious reasons a website might hacked is to steal your customers information. This might not be such as issue if you don’t store any customer data on your website, but if you have an e-commerce website you may well have customer names, emails, phone numbers, address’ and maybe even their credit card information. If this data were to get into the hands of hackers then it would be clear violation of the new GDPR laws that came into place on 25th May 2018. The reasons for hackers wanting these details is usually for a monetary gain, either by using a customers credit card or selling the data onto third parties.
Another method is when hackers try to overload a web server with an influx of hits, otherwise known as a denial of service, or a DDoS attack. Once your website hits it’s bandwidth threshold limit, your website goes offline. This doesn’t usually happen with smaller websites as a DDoS attack is usually when hackers are looking to show off, or perhaps they have a personal dislike of the brand they are attacking. They may even send ransom demands.
What happens if my WordPress site gets hacked?
First off, don’t panic. A hacked WordPress website is usually fairly easy to deal with. The first thing you should do is change all of your passwords. This includes all the passwords for the user accounts in the admin area. If you have access and are capable, also change your database password. You should be able to do this from your hosting control panel. The password will also need updating in the WP-config.php file. Remember to use complex passwords. Changing these passwords stops any further attacks on your website.
Once you changed your passwords you can deal with the hacked content. There are a number of ways you can do this. If you are confident FTP’ing onto your server and accessing your WordPress installation files then you can try and identify any files that shouldn’t be there, or any code that has been injected into files where it shouldn’t be. There are a number of WordPress plugins that will help you identify these files. Wordfence WordPress Security Plugin and MPMU Defender Pro are a couple of the better ones. They will scan the entire WordPress directory on your server and highlight any files that shouldn’t be there, or any files with code that shouldn’t be there and present you with a report. You can then work through the report and remove the infected files and code. If the site has been heavily infected there might be many thousands of files you need to go through. In this scenario it is often better to start with a completely fresh install of WordPress and plugins. Then it’s just the theme folder you need to manually tidy up.
If you would rather have an expert deal with your hacked WordPress website there are a number of companies online that offer these services. We would be wary of anyone offering to do it at a low cost as even dealing with a simple hacked WordPress site is probably a few hours work if it is done correctly.
The above said, prevention is always better than cure. If you can action the points mentioned in this article it’s unlikely you will ever get hacked. We mentioned earlier in the article that hackers like an easy target. According to research carried out by Alexa, statistics from 40,000 WordPress websites in Alexa’s top 1 million websites show that more than 70% of WordPress installations are vulnerable to hackers. That means only 30% have at least some security in place. If you can make your website one of those 30% it’s likely hackers will leave you alone and concentrate on the 70% of websites that are vulnerable.
Find out more
We’ve been working with WordPress since it launched in 2004, there aren’t many technical issues we haven’t dealt with and have fixed numerous hacked WordPress websites. If you need some help securing your WordPress website or dealing with a hacked WordPress website please call us on 01626 245061 or email us at firstname.lastname@example.org.