WordPress Security: Make it Harder for Hackers with These Tips
The Importance of WordPress Security
WordPress is a fantastic tool, which is a large part of why it powers such a big share of the web.
That same popularity makes it a constant target. Automated scanners sweep the internet for WordPress sites with known vulnerabilities and weak logins, so your site gets probed whether or not anyone is targeting you specifically. So how do you protect it? The answer lies in good security practices, and the rest of this post walks through the ones our team recommends.
Tips from Pair’s Security Experts
We talked to our Security and Abuse team lead, Jaime, and others to see what security practices they recommended. We’ll go over their recommendations in more detail below, but here’s a sneak peek:
- Use Strong Passwords
- Keep WordPress Up-to-Date
- Remove Unwanted Plugins and Themes
- Install a Security Plugin
- Change Your WordPress Username
- Move Your WordPress Login Page
- Create Backups
Would you rather watch a video about this information? Check out our webinar.
Use Strong Passwords
Using a strong password is the first step to a secure WordPress site. With password-cracking software evolving all the time, a “John1990” password is no longer sufficient.
So how do you come up with a strong password? Our security experts had a few tips:
- Make the password at least eight characters long. Treat eight as the floor, not the goal: length does more for strength than symbols do, so a passphrase of several unrelated words is a good default
- Use a combination of upper case, lower case, numbers, and symbols
- Don’t use special dates (like the year you were born or your anniversary)
- Don’t use personal information like pet or kid names
- Don’t recycle passwords. Use a unique password for everything.
Why is personal information discouraged? Because much of it is public. Between social media and a few pointed searches, an attacker can learn your pets’ names, your children’s names and your important dates, feed them to password-cracking software as a targeted wordlist, and try the obvious combinations first. A word or phrase unrelated to your life gives that approach nothing to work with.
You may be thinking, “These tips are great in theory, but not in practice. How am I supposed to remember them?” The answer is: use a password manager.
Password managers are a great way to store your passwords. Plus, many offer additional security features, like strong password generation or letting you know if your password was leaked on a different site. Our security experts say that some common password managers are:
Keep WordPress up to Date
WordPress updates are more than just new features (and compatibility issues). They also install security patches that protect your site from the worst-case scenario. That also goes for plugin and theme updates.
When you let your WordPress site fall behind on updates, you leave it running with vulnerabilities that are already public and already fixed, and those are precisely the ones automated attacks scan for.
If you’re using a Pair Networks WordPress installation, then you don’t need to worry about the core updates as much. After a certain period, we will automatically update your installation to the most recent version of WordPress. This automatic update helps keep your installation secure without bothering you. However, this does not apply to plugins and themes. You will need to initiate those updates.
How to tell if you have updates
Not sure if you have updates? WordPress has a handy little notifier right in the WordPress admin interface. Just log in and look at the top navigation bar. Do you see a little circle made of arrows? This icon indicates something needs to be updated. Click on this icon, and it will take you to the update page to update your WordPress installation, plugins, or themes.
The easiest way to do this is to click the Select All checkbox, then choose Update Plugins or Update Themes (depending on what needs updating; in some cases you will need to do both). If you’re worried an update will break your site, set up a testing site first. Our Managed WordPress hosting comes with a staging site feature that makes this easy. Check out how to set one up here: Setting Up a Staging Site.
Using WordPress Auto-Updates
WordPress 5.5 added built-in auto-updates for plugins and themes (core has installed minor and security releases on its own since WordPress 3.7). It’s part of WordPress itself, so you don’t need a fancy configuration or another plugin.
Auto-updates are great if you don’t want to keep checking your site for updates, and they close the window between a fix being published and it landing on your site. The trade-off is that an update can change a plugin’s output or markup and so alter how your site looks or behaves, with nobody watching when it happens. If you’re okay with a bit of variation, or you have backups to fall back on, auto-updates are incredibly helpful.
Auto-update needs to be turned on for each plugin or theme. This means you can pick and choose which plugins and themes should update automatically and which ones shouldn’t.
For plugins, you need to go to the Plugins page and click the Enable Auto-Updates button next to the plugin.
If you want to enable auto-updates on themes, then go to your Themes page (Appearance > Themes), then hover over your theme and click Theme Details. On the Theme Details page, click the Enable Auto Updates button.
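Here is how the same choice looks in code, as an added example rather than anything from Pair or the WordPress project: a must-use plugin that allows auto-updates only for an explicit allowlist of plugins and themes, so a security plugin always takes its fixes while a fragile page builder stays on manual. The slugs, the file name and the decision to keep everything else manual are assumptions for illustration; the auto_update_plugin and auto_update_theme filters are real WordPress hooks.

```php
<?php
/**
 * Plugin Name: Selective Auto-Updates (example)
 * Description: Allows WordPress auto-updates only for an explicit allowlist
 *              of plugins and themes; everything else stays manual.
 *
 * Save as wp-content/mu-plugins/selective-auto-updates.php. Files in that
 * directory load on every request and need no activation. The slugs below
 * are assumptions for illustration.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Never run outside WordPress.
}

// Plugins that may update themselves, keyed by the plugin's main file
// exactly as WordPress reports it in $item->plugin.
const SELECTIVE_AUTO_UPDATE_PLUGINS = array(
    'wordfence/wordfence.php', // security plugin: always take its fixes
    'akismet/akismet.php',
);

// Themes that may update themselves, keyed by stylesheet directory name.
const SELECTIVE_AUTO_UPDATE_THEMES = array(
    'twentytwentyfour',
);

/**
 * Decide whether one plugin should auto-update.
 *
 * @param bool   $update WordPress's own decision (the dashboard toggle).
 * @param object $item   Update object from the update_plugins transient.
 * @return bool
 */
function selective_auto_update_plugin( $update, $item ) {
    if ( ! isset( $item->plugin ) ) {
        return $update; // Unexpected shape: leave the default decision alone.
    }
    return in_array( $item->plugin, SELECTIVE_AUTO_UPDATE_PLUGINS, true );
}
add_filter( 'auto_update_plugin', 'selective_auto_update_plugin', 10, 2 );

/**
 * Same decision for themes; $item->theme is the stylesheet slug.
 */
function selective_auto_update_theme( $update, $item ) {
    if ( ! isset( $item->theme ) ) {
        return $update;
    }
    return in_array( $item->theme, SELECTIVE_AUTO_UPDATE_THEMES, true );
}
add_filter( 'auto_update_theme', 'selective_auto_update_theme', 10, 2 );
```

Because the filters return a definite true or false, they override the per-item toggles described above, which is what you want when you don’t trust every editor to make the call. Core is handled separately: minor and security releases already install themselves, and a line in wp-config.php, define( 'WP_AUTO_UPDATE_CORE', true );, extends that to major releases.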
Remove Unwanted Plugins and Themes
Have you ever installed a plugin just to see how it worked on your site, then decided you didn’t like it? Many people do this and, after deactivating it, never actually remove it. This seems harmless, but deactivating a plugin only stops WordPress from loading it. Its files stay on the server, and any of them that can be requested directly over HTTP are still reachable, so a vulnerability in a deactivated plugin can still be exploited.
So the best course of action is to delete unwanted plugins and themes from your WordPress installation rather than leaving them deactivated. Every extra plugin or theme is more code to keep patched and one more potential way in.
Deactivated plugins are also easy to stop paying attention to, so you may not notice when a developer stops maintaining one. Abandoned plugins and themes never get security fixes, and some have been taken over and reissued with malicious code that then runs on every site that updates. So if you install a plugin but never remove it, it could easily become a problem. Do yourself a favor and fully delete plugins and themes that are not active on your site.
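Deactivated code is easy to forget, so a standing reminder helps. The following must-use plugin is an added example, not part of this post or of any Pair product: it lists every deactivated plugin, and every theme that is neither the active theme nor its parent, in an admin notice so they get deleted instead of lingering. The file name and the notice wording are assumptions; the functions it calls are WordPress’s own.

```php
<?php
/**
 * Plugin Name: Unused Extension Audit (example)
 * Description: Shows administrators an admin notice listing deactivated
 *              plugins and unused themes that are still on disk.
 *
 * Save as wp-content/mu-plugins/unused-extension-audit.php (assumed name).
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Never run outside WordPress.
}

/**
 * Installed plugins that are active neither on this site nor network-wide.
 *
 * @return array plugin file => "Name Version"
 */
function unused_extension_audit_plugins() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $inactive = array();
    foreach ( get_plugins() as $file => $data ) {
        if ( ! is_plugin_active( $file ) && ! is_plugin_active_for_network( $file ) ) {
            $inactive[ $file ] = $data['Name'] . ' ' . $data['Version'];
        }
    }
    return $inactive;
}

/**
 * Installed themes other than the active theme and, for a child theme,
 * its parent (deleting the parent would break the child).
 *
 * @return array stylesheet slug => "Name Version"
 */
function unused_extension_audit_themes() {
    $active = wp_get_theme();
    $in_use = array( $active->get_stylesheet(), $active->get_template() );
    $unused = array();
    foreach ( wp_get_themes() as $slug => $theme ) {
        if ( ! in_array( $slug, $in_use, true ) ) {
            $unused[ $slug ] = $theme->get( 'Name' ) . ' ' . $theme->get( 'Version' );
        }
    }
    return $unused;
}

/**
 * Print the notice on every admin page, for users allowed to delete plugins.
 */
function unused_extension_audit_notice() {
    if ( ! current_user_can( 'delete_plugins' ) ) {
        return;
    }
    $plugins = unused_extension_audit_plugins();
    $themes  = unused_extension_audit_themes();
    if ( ! $plugins && ! $themes ) {
        return; // Nothing to nag about.
    }
    echo '<div class="notice notice-warning"><p><strong>Unused code still on disk:</strong></p>';
    if ( $plugins ) {
        echo '<p>Deactivated plugins (their files are still reachable over HTTP): '
            . esc_html( implode( ', ', $plugins ) ) . '</p>';
    }
    if ( $themes ) {
        echo '<p>Unused themes: ' . esc_html( implode( ', ', $themes ) ) . '</p>';
    }
    echo '</div>';
}
add_action( 'admin_notices', 'unused_extension_audit_notice' );
```

The notice only reports; deletion stays a deliberate click on the Plugins or Themes page, which is where you also check that nothing else depends on what you are removing.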
Install a Security Plugin
A security plugin gives you an extra layer of protection and, just as importantly, visibility into what is happening on your site. “A security plugin for today’s standards with WordPress I think is pretty much a must,” says Jaime, Pair’s Security and Abuse Lead. “With our WordPress hosted websites, we include Wordfence with the accounts already pre-installed.
“But there are other plugins out there. Sucuri offers a security plugin. Jetpack has a security plugin built-in… iThemes Security is another big one people use a lot. They all pretty much do the same thing.
“One of the reasons,” she continues, “I particularly like Wordfence is because they have a built-in firewall that doesn’t require any special configurations with your web server… It just works. Wordfence also has an option that it will automatically email you when there are any updates for your plugins or themes available. It’ll also notify you of any suspicious activity on your account. It monitors all of the core WordPress files. So if any of the core WordPress files were to be modified, Wordfence will automatically notify you and then give you the option to restore the core file back to its original state.”
Like the sound of Wordfence? The best part is that all of the features Jaime mentions are available in the free version of Wordfence, which comes pre-installed on every Pair Networks WordPress installation.
And you don’t have to worry if you don’t fully understand what the security plugin is telling you. Pair is here to help!
“If you’re using a security plugin,” Jaime says, “and you get a notification and you’re not sure what to do with it, send it on over to email@example.com. We’re always available. We’ll answer any questions that you have in regards to that. And we can just look to make sure that nothing is going on with the site. We do the intrusion detection at no cost if you do happen to be exploited, so always reach out to us first.”
Change your WordPress Username
The historical default WordPress username, “admin”, is well known, so it is the first one bots try. That turns a login into a one-unknown problem: only the password is left to guess. Using a different, non-obvious username for your administrator account takes that shortcut away. WordPress does not let you rename an existing user from the dashboard, so create a new administrator with the name you want, log in as that user, and delete the old “admin” account, choosing to attribute its posts to the new user when WordPress asks. One caveat: a username is not a secret. Unless you block it, WordPress reveals login names through the author archive (website.com/?author=1 redirects to /author/username/) and through the REST API users endpoint (website.com/wp-json/wp/v2/users), so pair the rename with a security plugin or a filter that refuses those lookups for visitors who are not logged in.
We take customer security seriously at Pair Networks, which is why our WordPress installations automatically do this for you!
Move Your Login Page URL
Just as the default username is known, so are the default login URLs: website.com/wp-admin/ (which redirects to the login form) and website.com/wp-login.php. Changing your login URL makes it harder for bots and casual attackers to locate your login page, and they can’t brute-force an entrance they can’t find.
You can do this with a plugin like WPS Hide Login. Treat it as one layer, not the whole defence: the new URL is only obscure until someone sees it in a shared link or a referrer, and WordPress also accepts credentials through xmlrpc.php, where the system.multicall method lets a single HTTP request carry many login attempts. Disable XML-RPC if nothing needs it (Jetpack and the WordPress mobile apps are the usual reasons something would), and let your security plugin’s brute-force protection throttle failed logins no matter which door they come through.
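The two sections above (a non-default username and a hidden login page) both rest on the attacker not knowing something. The following must-use plugin is an added example, not part of this post, of WPS Hide Login or of Wordfence: it removes the two easiest ways to learn usernames, throttles failed logins per source address and account, and refuses XML-RPC logins. The thresholds, the file name and the choice to key on REMOTE_ADDR are assumptions for illustration; the hooks it uses are WordPress’s own.

```php
<?php
/**
 * Plugin Name: Login Hardening (example)
 * Description: Blocks unauthenticated username enumeration, throttles failed
 *              logins per source address and account, and turns off XML-RPC
 *              authentication.
 *
 * Save as wp-content/mu-plugins/login-hardening.php (assumed name).
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Never run outside WordPress.
}

/* 1. Stop handing out usernames. ----------------------------------------- */

// /?author=1 redirects to /author/<login>/ and so reveals the account name.
// Answer that query form with a 404 for anonymous visitors.
add_action( 'template_redirect', function () {
    if ( isset( $_GET['author'] ) && ! is_user_logged_in() ) {
        wp_die( 'Not found', 'Not found', array( 'response' => 404 ) );
    }
} );

// The REST API lists users (login names in the "slug" field) to anyone.
// Remove the users routes for anonymous requests; logged-in users keep them.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

/* 2. Throttle password guessing. ----------------------------------------- */

const LH_MAX_FAILURES = 5;   // failures allowed per window (assumed policy)
const LH_WINDOW_SECS  = 900; // 15-minute window, which is also the lockout

function lh_client_ip() {
    // REMOTE_ADDR only: trusting X-Forwarded-For blindly lets an attacker
    // choose their own bucket. Adjust if the site sits behind a known proxy.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// One counter per (source address, account) pair, stored as a transient.
// md5 is used only to keep the key within the transient name length limit.
function lh_counter_key( $username ) {
    return 'lh_fail_' . md5( lh_client_ip() . '|' . strtolower( trim( $username ) ) );
}

// Count every failed attempt; the window restarts on each failure.
add_action( 'wp_login_failed', function ( $username ) {
    $key = lh_counter_key( $username );
    set_transient( $key, (int) get_transient( $key ) + 1, LH_WINDOW_SECS );
} );

// Once the budget is spent, reject the attempt even if the password is right.
// Priority 30 runs after WordPress's own credential checks (priority 20),
// which would otherwise replace an earlier WP_Error with a WP_User.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( '' === $username ) {
        return $user;
    }
    if ( (int) get_transient( lh_counter_key( $username ) ) >= LH_MAX_FAILURES ) {
        return new WP_Error( 'lh_locked', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 30, 2 );

// A successful login clears that account's counter for this address.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( lh_counter_key( $user_login ) );
} );

/* 3. Close the XML-RPC side door. ---------------------------------------- */

// xmlrpc.php accepts credentials too, and system.multicall bundles many
// guesses into one request. Hiding wp-login.php does nothing about that.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

A locked-out attempt counts as another failure, so the window keeps restarting while the guessing continues and only expires once it stops; a counter keyed on an email address rather than a login name simply ages out after the window. If the site sits behind a proxy or CDN, REMOTE_ADDR is the proxy’s address; take the client address from the header that proxy sets, and only when the request really came from that proxy. Wordfence’s brute-force protection covers the same ground with a dashboard; this block shows the control in its simplest form.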
Create Backups
In the event of a breach, backups can save the day. You can use them to roll your site back to a point before the problem, and they’re handy to have around if something goes wrong while you’re testing changes. For all the reasons why backups are a good thing (and ways to take backups), see our blog: Why You Should Take Regular Website Backups
However, for security – Jaime recommends keeping a remote backup of your website somewhere in case of the worst-case scenario. “When you create a backup, you always want to store it remotely – somewhere else other than your Pair Networks web server.” Jaime says. She says she personally stores hers on USB drives. “Then you have a backup that’s going to be free and clear if you get a virus on your personal computer or your website gets exploited, then you have a clean backup somewhere that’s not going to be accessible. But if you keep the backup on your Pair Networks hosting account and you get exploited, chances are your backups are going to get exploited as well.”
We’re Here to Help
Have questions about these tips or need help implementing them on your own WordPress installation? Contact our 24/7 support team. They’re available any day of the week, every day of the year to help customers like you get the most out of your web hosting.