As a wildly popular content management system (CMS) that powers millions of sites on the Internet, WordPress is an attractive target for hackers. You can never guarantee that a website is fully protected from potential exploits, particularly when the platform in question relies on – or supports – a multitude of open source or third-party technologies.
However, there are steps you can take to protect your website from most types of intrusion, many of which are reasonably simple. As the developers of WordPress state, security comprises three domains: People, Process, and Technology. As such, best practice for securing your website isn’t just about your configuration – it extends to your office or home environment, your working practices and the people you collaborate with.
Here are a few tips you can use to improve the security of your WordPress website.
- Keep your WordPress installation, themes and plugins up to date
The WordPress platform is in active development, which means that updates are released regularly. Some of these releases focus on feature enhancements but most, if not all, include patches to improve the security of the platform. You can review the changelogs for the platform over at the WordPress Codex.
Be sure to install WordPress updates as soon as possible following their release. If you’ve installed WordPress via the Softaculous App Installer in cPanel, you can take advantage of automatic upgrade features for WordPress itself as well as supported themes and plugins.
Once enabled, your site will be automatically upgraded to the latest versions of your software as soon as they are available.
Pay special attention to plugins and themes that are no longer supported or updated by their developers. These may bundle outdated libraries or other supporting software with known, publicly documented vulnerabilities. Later versions of those libraries may have been patched, but because development of the plugin or theme is dormant, your installation may not have received the fix.
- Block access to your WordPress administration area
It’s a good idea to only permit WordPress administration access to those people that really need it. Of course, your administration back-end is password protected, but you can create an additional layer of security by blocking access to your /wp-admin/ folder, or the wp-login.php file specifically, based on the visitor’s IP address.
This method is particularly effective if you or your other WordPress administrators have Internet connections with fixed or static IP addresses. To find out your IP address, simply visit https://www.whatismyip.com/ and note down the numbers listed.
You can use a .htaccess file to restrict access to your server. .htaccess is a configuration file used by the Apache web server; the rules it contains override the global settings for the directory in which it is placed (and its subdirectories). You may find that .htaccess files are created automatically on your server when you install popular web applications like WordPress, Drupal and Magento. If one does not exist, you can easily create it in a text editor and upload it to your server, or create it directly from cPanel’s File Manager.
To read more about restricting access to your website using .htaccess, check out this HostPapa knowledge base article: How to restrict access to your website with .htaccess and the cPanel IP Blocker
Add the following directives to your .htaccess file, replacing the xxx entries with your actual IP address. The <Files> wrapper limits the rule to the login page, so the rest of the site stays reachable:
<Files wp-login.php>
Deny from all
Allow from xxx.xxx.xxx.xxx
</Files>
This blocks all access to the WordPress login page, with the exception of connections coming from the IP address listed (your home or office). To permit additional IP addresses to access the page, simply repeat the Allow from line and include the IP addresses you wish to add (one IP address per line).
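A fuller version of this restriction, added here as an example and not taken from the original article: it covers both the wp-login.php file and the whole /wp-admin/ folder, works on Apache 2.2 and 2.4 (the two use different access-control directives), and keeps admin-ajax.php reachable, which many themes and plugins call from the public side of the site. The addresses 203.0.113.10 and 198.51.100.0/24 are placeholders for your own static IP address or range.

```apache
# Added example (not from the original article). 203.0.113.10 and
# 198.51.100.0/24 are placeholders; replace them with your own address(es).

# ---- 1. Site root .htaccess: allow wp-login.php only from listed addresses ----
<Files wp-login.php>
    # Apache 2.4 syntax
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </IfModule>
    # Apache 2.2 syntax (also accepted by 2.4 when mod_access_compat is loaded)
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.10
        Allow from 198.51.100.0/24
    </IfModule>
</Files>

# ---- 2. /wp-admin/.htaccess: same restriction for the administration folder ----
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</IfModule>
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.0/24
</IfModule>

# admin-ajax.php is requested by visitors' browsers on behalf of front-end
# plugins and themes, so it must stay open to any address. The more specific
# <Files> section takes precedence over the folder-wide rule above.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
    </IfModule>
</Files>
```

If your connection uses a dynamic IP address, you will lock yourself out of the dashboard when it changes, so keep an FTP or cPanel File Manager route to edit the file. Test a login from a listed address and from an unlisted one (a phone on mobile data, for instance) to confirm the rule behaves as intended.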
- Do not use an “admin” username
Just as millions of WordPress installations rely on a wp_ database prefix, millions of WordPress administrators use the same user name. You guessed it, “admin”. Sure, it’s convenient and easy to remember, but by using the “admin” username, you’ve already given potential hackers a vital piece of data they need to exploit your account.
Go with a different username and you’ll immediately protect your site from a swathe of basic brute force attacks.
Find out how to edit WordPress user accounts in the following HostPapa knowledge base article: How to add/remove/manage users in WordPress
- Use complex passwords
Changing your admin username is the first step in protecting your account. The second is strengthening your password. WordPress prefers the use of strong passwords but is pretty lenient if you wish to be lazy. If you haven’t already, it’s time to abandon that traditional password and use a password manager application such as LastPass or 1Password. Alternatively, try a passphrase instead.
For more tips, check out this great advice on strengthening your account password over at WordPress.com.
- Do not use a wp_ database prefix
When configuring your WordPress website, try not to use an obvious WordPress database prefix such as wp_. This “default” prefix is used on millions of active WordPress installations, again, making it an attractive target for random, brute force attacks.
In truth, changing the prefix may not deter skilled hackers that are specifically targeting your installation, but it can add a little extra protection.
Head over to WPMUDev, where you’ll find a detailed explanation and instructions for changing your WordPress database prefix on existing installations.
- Install virus protection and regularly scan your computers for malware
Alongside protecting your server, you should also ensure that the PCs you use locally are safe from intrusion. Install an antivirus program on all of your PCs and ensure they are kept up to date with the latest virus definitions.
- Regularly scan your website for exploits
It may not always be obvious that your website has been compromised, particularly if an attacker is seeking to capture customer or user data. However, security scanners such as the one available from Google can check your website for known malware, blacklisting status, website errors, and out-of-date software.
- Regularly back up your WordPress installation
Should you experience an attack, the easiest way to ensure your data is safe is to hold one or more backups of your WordPress installation. Be sure to regularly download backups of your website to your local PC and archive them offline for safety, on a USB drive or even CD/DVD.
WordPress includes an integrated cloud backup and restore feature called VaultPress, but you can also back up your websites using cPanel at no additional charge. To find out more, read this HostPapa knowledge base article: How to access your HostPapa Automated Website Backup control panel
Together, these simple steps can dramatically increase the security of your WordPress installation, protecting it from unauthorized access and data loss. For further questions or if you need help, please open a support ticket from your HostPapa Dashboard. Follow this link to learn how.