Your All-in-One Guide to Secure WordPress Sites
WordPress is the most popular content publishing platform in the world, powering over 30 percent of websites – more than 75 million! That prominence makes WordPress websites an attractive target to hackers, criminals, and other bad actors. It’s essential to make sure that WordPress security measures are in place and as strong as possible.
Media Temple’s been protecting WordPress sites for as long as WordPress has been around, so let’s break down how you can secure your online presence.
Why WordPress Security is Essential
Hacking and data breaches are becoming more and more common. With WordPress running a significant number of business and individual websites, criminals expend a great deal of their resources to access, steal, and expose information stored in WordPress.
The main threat to WordPress doesn’t come from the core WordPress application or the hosting, but rather the numerous third-party plugins that every WordPress website has access to. It’s estimated that 97 percent of all hacking attempts against WordPress installations are made against plugins, rather than the core WordPress code.
The security vendor, Sucuri, reported that 90 percent of hacked websites were WordPress-based. The combination of popularity, plugins, and security vulnerabilities means that any WordPress site manager must put robust steps in place to defend against illegal access attempts and potential breaches.
Install and Use Plugins to Secure WordPress
It might seem a little odd, but even though vulnerable plugins are the main way that criminals can hack into a website, secure plugins are one of the best ways to protect it. We’ve suggested several plugins below that can help you strengthen and maintain security on your WordPress site.
Keep Your WordPress Installation and Plugins Up-to-Date and Secure
The key to reducing WordPress and plugin vulnerabilities is to update them as soon as new versions come out. WordPress and plugin vendors do identify security issues and patch them as quickly as possible. Most managed WordPress hosting providers, including Media Temple, will automatically update your core WordPress install, but you’ll still need to ensure your plugins are updated regularly.
You can do this in your WordPress administration panel. Go to “Plugins > Installed Plugins,” select all of the plugins in the list and choose the action “Enable auto-updates.”
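If you would rather enforce that policy in code than rely on the checkbox surviving the next person to open the dashboard, WordPress exposes the same decision through filters. The following must-use plugin is an added example written for this guide, not code from Media Temple or from WordPress itself; the file name, the `mt_example_` prefix and the excluded plugin slug are assumptions and placeholders.

```php
<?php
/**
 * Plugin Name: Plugin auto-update policy (added example)
 *
 * Save as wp-content/mu-plugins/auto-update-policy.php. Must-use plugins load
 * on every request and cannot be switched off from the dashboard, so the
 * policy survives someone clicking "Disable auto-updates" on a plugin.
 */

// Plugins you deliberately stage and update by hand. The slug below is a
// placeholder for this example, not a real plugin.
const MT_EXAMPLE_MANUAL_UPDATE_PLUGINS = [
    'example-custom-integration/example-custom-integration.php',
];

// $update is WordPress's own decision (the per-plugin dashboard toggle);
// $item describes the pending update, including $item->plugin, the
// "folder/file.php" identifier. Returning true opts the plugin in.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->plugin ) && in_array( $item->plugin, MT_EXAMPLE_MANUAL_UPDATE_PLUGINS, true ) ) {
        return false;
    }
    return true;
}, 10, 2 );

// Themes ship vulnerabilities too; opt them all in.
add_filter( 'auto_update_theme', '__return_true' );
```

Two caveats worth checking on your own install: automatic updates are driven by WP-Cron, which only fires when someone loads a page unless you have set `DISABLE_WP_CRON` and call `wp-cron.php` from a real system cron, so a low-traffic site can sit unpatched for days; and a plugin you exclude is your responsibility to patch by hand. `wp plugin list --update=available` from WP-CLI is a quick way to confirm nothing is waiting.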
Understand and Set User Permissions and Roles in WordPress
WordPress assigns roles to certain types of users, specifically Super Admin, Administrator, Editor, Author, Contributor, and Subscriber. Each of these roles has varying access to the WordPress back end and different abilities to make changes to site functionality. One of the first things a WordPress site owner should do is to go through each of these roles and set permissions for them.
Although each role has default permissions set by WordPress, you still want to fine-tune exactly what those roles can and cannot do. The easiest way to do this is to install and configure the Manage WordPress Permissions and Edit User Roles plugin. Once it’s installed, just go to “Users > Capabilities” in your WordPress admin panel to set permissions.
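The same adjustments can be made directly with the WordPress roles API, which is useful when you want the policy versioned alongside the site. The snippet below is an added example for this guide, not code from Media Temple, WordPress or the plugin named above; the `content_reviewer` role, the option name and the `mt_example_` functions are assumptions, and the two capabilities it removes are chosen because `unfiltered_html` lets an account publish raw script markup and `upload_files` is a common route for dropping a web shell.

```php
<?php
/**
 * Plugin Name: Capability hardening (added example)
 *
 * Save as wp-content/mu-plugins/capability-hardening.php. Roles and
 * capabilities are stored in the database, so the changes are applied
 * once and tracked with a version option rather than on every request.
 */

function mt_example_harden_roles() {
    // Editors keep publishing rights but lose the ability to insert raw
    // <script>/<iframe> markup, which turns a phished editor account into
    // stored XSS against anyone with admin access.
    $editor = get_role( 'editor' );
    if ( $editor ) {
        $editor->remove_cap( 'unfiltered_html' );
    }

    // Authors who never need to upload media should not be able to: the
    // uploads directory is a favourite place to park a web shell.
    $author = get_role( 'author' );
    if ( $author ) {
        $author->remove_cap( 'upload_files' );
    }

    // A narrow review role (hypothetical name): can read and edit drafts,
    // cannot publish, delete or upload.
    if ( ! get_role( 'content_reviewer' ) ) {
        add_role( 'content_reviewer', 'Content Reviewer', [
            'read'              => true,
            'edit_posts'        => true,
            'edit_others_posts' => true,
            'publish_posts'     => false,
            'delete_posts'      => false,
            'upload_files'      => false,
        ] );
    }
}

// Apply once per policy version; bump the version string when rules change.
add_action( 'init', function () {
    if ( get_option( 'mt_example_roles_version' ) !== '1' ) {
        mt_example_harden_roles();
        update_option( 'mt_example_roles_version', '1' );
    }
} );
```

After deploying, `wp cap list editor` (WP-CLI) shows the resulting capability set, which is a simpler audit than clicking through each role in the dashboard. Note that removing a capability from a role does not touch capabilities granted to individual users directly, so check `wp user list --role=editor` style listings for users with extra grants.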
Insist on Strong Passwords from WordPress Users
Many attacks on WordPress come from hackers “brute-forcing” account names and passwords. One of the techniques they use is to try common password combinations that are often used by people across many websites. In fact, it’s estimated that 35 percent of WordPress users do not use strong passwords. You can lessen this risk by insisting on strong passwords to access your WordPress site.
The easiest way to do this is through plugins. There are several available including:
Once you have installed a password security plugin, you can configure the rules a password must satisfy: for example, requiring a mix of letters, numbers, and special characters, or setting a minimum password length.
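To show what such a plugin is doing under the hood, here is the same policy implemented against the hooks WordPress fires when a password is set on the profile screen, the “Add New User” screen and the password-reset form. This is an added example for this guide, not code from Media Temple or from any of the plugins mentioned; the `mt_example_` names are assumptions, and the common-password list is a constructed handful of entries standing in for a real breached-password list.

```php
<?php
/**
 * Plugin Name: Password policy (added example)
 *
 * Save as wp-content/mu-plugins/password-policy.php.
 */

// Constructed, deliberately tiny denylist. Replace with a large breached
// password list loaded from disk; a few entries are only illustrative.
const MT_EXAMPLE_COMMON_PASSWORDS = [
    'password', 'password1', 'password123', 'qwerty123', 'admin123', 'welcome1', 'letmein',
];

/**
 * Return a WP_Error listing every rule the password breaks, or null if it
 * passes. Kept separate from the hooks so it can be unit-tested.
 */
function mt_example_password_problems( string $password, string $username = '' ): ?WP_Error {
    $errors = new WP_Error();

    if ( strlen( $password ) < 12 ) {
        $errors->add( 'pass_length', 'Passwords must be at least 12 characters long.' );
    }
    if ( ! preg_match( '/[a-z]/', $password ) || ! preg_match( '/[A-Z]/', $password ) ) {
        $errors->add( 'pass_case', 'Passwords must contain both upper- and lower-case letters.' );
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) {
        $errors->add( 'pass_digit', 'Passwords must contain at least one number.' );
    }
    if ( ! preg_match( '/[^a-zA-Z0-9]/', $password ) ) {
        $errors->add( 'pass_symbol', 'Passwords must contain at least one symbol.' );
    }
    if ( in_array( strtolower( $password ), MT_EXAMPLE_COMMON_PASSWORDS, true ) ) {
        $errors->add( 'pass_common', 'That password appears on common-password lists.' );
    }
    if ( $username !== '' && stripos( $password, $username ) !== false ) {
        $errors->add( 'pass_username', 'Passwords must not contain the user name.' );
    }

    return $errors->has_errors() ? $errors : null;
}

/**
 * Shared handler. Both hooks pass a WP_Error to append to and a user object
 * (stdClass on profile updates, WP_User on resets); the submitted password
 * arrives in $_POST['pass1'] on every one of these screens.
 */
function mt_example_validate_submitted_password( WP_Error $errors, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // no password change in this request
    }
    $username = ( is_object( $user ) && ! empty( $user->user_login ) ) ? (string) $user->user_login : '';
    $problems = mt_example_password_problems( (string) wp_unslash( $_POST['pass1'] ), $username );
    if ( $problems ) {
        foreach ( $problems->get_error_messages() as $message ) {
            $errors->add( 'pass_policy', $message );
        }
    }
}
add_action( 'user_profile_update_errors', 'mt_example_validate_submitted_password', 10, 2 );
add_action( 'validate_password_reset', 'mt_example_validate_submitted_password', 10, 2 );
```

One gap to be aware of: users created programmatically (the REST API, WP-CLI, a migration script) do not pass through these two hooks, so a complete policy also covers those paths, for instance with the `rest_pre_insert_user` filter, and a denylist check is only as good as the list behind it.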
Enable a Web Application Firewall for Your WordPress Website
A Web Application Firewall (WAF) inspects the HTTP traffic sent to and from a protected website. A WAF automatically blocks problematic requests to prevent hacking and reduce denial-of-service attacks. You can install WAF plugins, but these are not always as effective as dedicated, cloud-based WAFs, which stop bad traffic before it reaches your server. Media Temple partners with Sucuri to offer a comprehensive security pack including a WAF to block hacks and attacks:
- Stopping brute force attacks on login pages, one of the most vulnerable parts of your site.
- Critical threat protection in line with the Open Web Application Security Project (OWASP) Top Ten list.
- Preventing Distributed Denial-of-Service (DDoS) attacks.
Encrypt and Protect WordPress Web Traffic Using SSL and HTTPS
Hypertext Transfer Protocol Secure (HTTPS) and Secure Sockets Layer (SSL) are best-practice technologies for securing data for your WordPress website. HTTPS and SSL certificates work together to ensure that all traffic between your website and a client, like a web browser, is encrypted from start to finish. This provides an extra layer of security when accessing sensitive information. Media Temple provides SSL certificates in addition to its hosting services.
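Having a certificate installed is only half of it; WordPress also has to refuse plain-HTTP access and tell browsers to stop trying it. The two fragments below are an added example for this guide, not configuration from Media Temple or WordPress; `example.com` is a placeholder host and the mu-plugin file name is an assumption.

```php
<?php
// --- wp-config.php additions (above the "That's all, stop editing!" line) ---

// Point WordPress's own URLs at https so it never emits http links.
define( 'WP_HOME',    'https://example.com' );   // placeholder host
define( 'WP_SITEURL', 'https://example.com' );   // placeholder host

// Refuse to serve wp-admin and wp-login.php over plain http.
define( 'FORCE_SSL_ADMIN', true );

// Only if TLS is terminated by a proxy or cloud WAF you control that sets
// this header on every request. Otherwise any client can send it, and
// is_ssl() would report https for a plain-http connection.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https' ) {
    $_SERVER['HTTPS'] = 'on';
}

// --- wp-content/mu-plugins/force-https.php ---

// Redirect any plain-http front-end request to its https equivalent. The
// target is built from home_url(), not the Host header, so a forged Host
// cannot turn this into an open redirect.
add_action( 'init', function () {
    if ( is_ssl() || wp_doing_cron() || php_sapi_name() === 'cli' ) {
        return;
    }
    $host = wp_parse_url( home_url(), PHP_URL_HOST );
    $path = isset( $_SERVER['REQUEST_URI'] ) ? wp_unslash( $_SERVER['REQUEST_URI'] ) : '/';
    wp_safe_redirect( 'https://' . $host . $path, 301 );
    exit;
} );

// HSTS: a browser that has seen the site once over https refuses plain http
// for the next year. Send it only on https responses, and start with a short
// max-age until you are sure every subdomain really serves https.
add_action( 'send_headers', function () {
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
} );
```

A quick check after deployment: `curl -I http://example.com/` should answer with a `301` and a `Location: https://...` header, and `curl -I https://example.com/` should include the `Strict-Transport-Security` line. If your host or WAF already performs the redirect at the edge, the mu-plugin redirect simply never fires.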
Limit Login Attempts and Enable Two-Step Verification for Users
The admin login screen is a primary target for hackers. In addition to insisting on strong passwords, there are a couple of other security options you can put in place.
Limiting Login Attempts to Your WordPress Website
A brute-force attack relies on a hacker repeatedly accessing your WordPress admin login page and attempting to guess the password. Limiting the number of login attempts means that WordPress will reject logins from the same user name or IP address once they have tried to access the website a certain number of times. Plugins that can restrict the number of attempts a user can make include WP Limit Login Attempts and Limit Login Attempts Reloaded. Once you’ve installed and configured the plugin, users have a maximum number of attempts they can make before they’re locked out of the admin login screen for a set length of time.
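The mechanism those plugins implement is small enough to read in full. The following must-use plugin is an added example for this guide, not code from Media Temple or from either plugin named above; the `mt_example_` names, the limits and the file name are assumptions.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example)
 *
 * Save as wp-content/mu-plugins/login-limiter.php. Counts failed logins per
 * (client IP, user name) pair in a transient and refuses further attempts
 * once the limit is hit, even when the password is finally correct.
 */

const MT_EXAMPLE_MAX_ATTEMPTS    = 5;
const MT_EXAMPLE_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;

/**
 * REMOTE_ADDR is the only address the web server itself vouches for. If a
 * proxy or cloud WAF sits in front of the site, every visitor arrives from
 * that proxy's address; map its forwarding header here, and only then.
 */
function mt_example_client_ip(): string {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Transient key for one (IP, user name) pair, hashed to keep the option name short. */
function mt_example_attempt_key( string $username ): string {
    return 'mt_login_fail_' . md5( mt_example_client_ip() . '|' . strtolower( $username ) );
}

/** Current failure count for this client and user name (0 once the transient expires). */
function mt_example_failed_attempts( string $username ): int {
    return (int) get_transient( mt_example_attempt_key( $username ) );
}

// Core fires this for every failed login, including the rejections this
// plugin itself returns, so each attempt during a lockout extends it.
add_action( 'wp_login_failed', function ( $username ) {
    $username = (string) $username;
    $count    = mt_example_failed_attempts( $username ) + 1;
    set_transient( mt_example_attempt_key( $username ), $count, MT_EXAMPLE_LOCKOUT_SECONDS );
    if ( $count === MT_EXAMPLE_MAX_ATTEMPTS ) {
        // Lands in the PHP error log, where a monitoring pipeline can alert on it.
        error_log( sprintf( 'login lockout: user=%s ip=%s', $username, mt_example_client_ip() ) );
    }
} );

// Priority 30 runs after core's own username/password and cookie checks
// (priority 20), so a locked-out client is refused even with the right
// password and cannot end the lockout by guessing correctly.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( $username !== '' && mt_example_failed_attempts( (string) $username ) >= MT_EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please wait 15 minutes and try again.'
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that client and user name.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( mt_example_attempt_key( (string) $user_login ) );
} );
```

Two design points matter here. Keying on the IP and user name together, rather than the user name alone, stops an attacker from locking the real administrator out just by failing five times against that account; the price is that a botnet spreading guesses across many addresses stays under the limit, which is why this belongs alongside strong passwords and a WAF rather than instead of them. And because the check sits on `authenticate`, it covers XML-RPC and REST logins as well as the wp-login.php form, which a front-end-only rule would miss.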
Enabling Two-Step Verification for Logins
Two-factor or multifactor authentication means that a user needs more than just their username and password to get into a WordPress site. Other forms of authentication might include a one-time password (OTP) sent via text message, a secure key fob that generates unique numbers, or a biometric scanner that detects voices or fingerprints. There are many security plugins and some other WordPress security features that will let you add new forms of authentication.
Explore Other WordPress Security Plugins
There are many WordPress security plugins that can protect your website. Here are some of our recommendations:
- Sucuri: Scans and removes attempts to download spam or install malware on your WordPress website.
- SecuPress: Protects against brute force logins, problematic IP addresses, and malware.
- MalCare: Provides instant WordPress malware removal.
- iThemes Security: Offers two-factor authentication, malware scans, password security, password expiration, and numerous other features.
Choose Media Temple for Best-In-Class Hosting
Here at Media Temple, we provide some of the best WordPress hosting in the world. In addition to our state-of-the-art servers and hosting expertise, you can take advantage of our security and content delivery network services for a blazingly fast, safe, and secure WordPress experience.