Knowing how to best protect your WordPress blog is an important aspect of maintaining a blog. It seems that almost on a regular basis a WordPress blog gets compromised by a malicious visitor, who installs malware, deletes files, or simply defaces the blog.
As I read about how blogs get hacked I also realize that many of these hacks could have been prevented with regular maintenance, or by following stricter security protocols. While you can’t eliminate security holes from being available in code, you can take measures to mitigate the problems security holes can cause to your blog.
Being reactive to security threats to your WordPress blog is the best defense to ensuring your blog is protected from malicious users. Below are 10 proven ways that you can protect your WordPress blog so you can worry more about the content of your blog, rather than the security from malicious users.
1. Backup your WordPress site
While backing up your site won’t protect it from malicious visitors, it is one of the most important tasks that you should perform. There are two main reasons you should backup your site:
- To have a copy of your site before something goes wrong.
- To restore your site when something does go wrong.
Whenever you are about to make a major change to your site, such as update WordPress, you should always perform a backup. This way if your site has any issues after the change, you can restore your site to how it was before the update by restoring the backup.
The above statement also holds true for when a malicious user does gain access to your site. You can restore to a previous version of your site from backup to get your site up and running much quicker than if you were to figure out how to undo what the malicious user did.
I have used two backup plugins with great success:
- UpdraftPlus Backup and Restoration: This is a free backup/restore plugin that is easy-to-use and allows you to backup to different cloud-storage providers. There is a premium version with additional features.
- BackupBuddy: This is a premium plugin that can do everything you want in a backup/restore plugin while making it easy to schedule daily backups to a cloud-storage provider of your choice.
2. Keep WordPress updated
Many security holes are found after a version of WordPress has been released. When one a security issue is found and fixed, a new version is released and you will be notified on the admin dashboard of your site.
It is very important that you keep your version of WordPress as up-to-date as possible to fix any security issues. Many WordPress sites have been hacked because the WordPress version was old and malicious visitors have used previously fixed security holes to gain access to the site.
It may be intimidating to update WordPress because you are worried about something breaking on your site. The best option is to create a local copy of your site on your computer, perform the updated, and everything is working, log into your online site and perform the update.
3. Manage and update the plugins
Much like the WordPress core, plugins can also have security holes. Since there are thousands of plugins, and probably the same number of plugin authors, the chances of introducing security holes is much higher than with the WordPress core.
You should ensure that you update any plugins that have a more recent version available. Doing so will ensure you close any potential security holes introduced by the plugin.
While you are updating plugins, you should also review the list of plugins installed on your site. If you can uninstall and delete a little used plugin, or replace it with your own code or HTML, then you should remove the plugin completely.
By removing unused, or rarely needed plugins, you reduce the chances of security holes being found in your site.
4. Update WordPress themes
While themes may seem harmless, they do run code like the WordPress core and plugins. While themes aren’t updated as much as the WordPress core, or plugins, you will find that they are updated every month or so. You should also remove any themes that you aren’t using to avoid any security issues, as well.
5. Use a difficult-to-guess administrative user name
The administrative user name you use to log into your WordPress site should be difficult to guess. While this isn’t the best way to avoid having someone attempt to login to your site, it does add another layer of complexity.
When I was monitoring failed login attempts on my blog, the most common ID attempted was ‘admin’. In fact, ‘admin’ was used in over 90% of the failed login attempts, which is why you should definitely avoid using that as your user name.
Some additional user names to avoid:
- Your actual name – both first and last name.
- Any user name you have used online at any site. For example, don’t use the same user name you used to sign up on a forum.
6. Use a strong administrative password
Create a strong password for your administrative user name. A strong password will consist of alphanumeric (letters and numbers), and punctuation, and be at least 15 characters in length.
If you want to get really creative, you can also use the full ASCII character set by pressing and holding ALT and typing in a number from 0 to 255 on your keyboard.
You can also use a password manager like LastPass to generate a random password and then save it in LastPass so you won’t even need to remember the password.
7. Enable two-factor authentication
More and more online sites are enabling two-factor authentication. Two-factor authentication means that after you enter your username and password, you also need to enter additional information that you have on your.
In other words, you log in with something you know, and something you have.
There are different ways to enable and use two-factor authentication. The easiest way for me is to use the WordPress plugin Google Authenticator that will require me to enter a six digit code from the free Google Authenticator app (iOS, Android) on my smartphone.
8. Restrict user access
If you manage a site that has many users, then you will want to ensure you only provide the level of access that is necessary for them to do their job. In WordPress, user access permissions is managed by a role.
There are several different roles and capabilities in WordPress, and you should take the time to read through what each roles can do, and then decide what role each user on your site should be assigned.
9. Install an overall security plugin
While I did mention managing the number of plugins you have installed as a security measure, there are some plugins that can help protect your site. Some are much easier to use than others, and some have different features.
I haven’t used too many security plugins, but have used the following:
- Wordfence: This is a popular security plugin that is easy to setup and use. It provides many alerts through email when an issue is found so you always know when action needs to be taken.
- Sucuri Security: Another easy to use and setup plugin that provides security notifications via email.
- Bulletproof Security: This plugin is for the advanced, technical user as it manages to include a layer of security at the .htaccess level. This plugin does require some knowledge of how .htaccess works.
The list above is in now way an exhaustive list, they are just plugins I have used or continue to use.
10. Use a strong hosting password
All of the above tips can be bypassed if a malicious user is able to gain access to your host. Once they gain access to your host, all of your sites are open to anything they choose to do.
The best security you can put in place is to make it difficult for the malicious user to gain access by creating a strong password for you hosting account, much like your WordPress administrative user.
The same password rules apply to your hosting account as it does to your WordPress account.
The 10 tips that I have provided above won’t provide 100% protection, but it will make your blog more difficult to access for malicious visitors.