Tom Hickey

September 2, 2015

A WordPress Security Primer

Over the last few years we’ve helped several companies clean up compromised WordPress sites.  Nothing strikes fear into heart like seeing “This site may be hacked” appear next to your site name in Google search results. There are a handful of common best practices for securing a WordPress site.

Limit Access

Sometimes a WP site is compromised by hackers getting getting ahold of an administrator username and password.  More dangerous is a hacker who has full FTP access. We’ve seen cases where a number of people (usually developers) were given individual FTP accounts to access a site.  Once this was done everyone promptly forgot that these accounts existed, even when the person they were issued to stopped working on the site. Make sure that old FTP accounts are deleted – usually through your web hosting company’s control panel or with the help of tech support – or at least change the passwords frequently.

Unique Usernames

After cleaning up one hacked site recently we installed the WordFence plugin (extremely useful – more info below) to monitor login activity.  We were alerted to A LOT of failed login attempts which likely means that the site was still on some hacker’s list as a vulnerable site.  Repeated login attempts are usually all about trying to guess a common username and password to get access.

90% of the failed attempts were using the username “admin.” So, first things first, DON’T use the default WordPress administrator username of “admin” because it’s just saving someone who wants to break into your site a critical first step.  Make it something memorable but make it different.

One behavior of WordPress that isn’t strictly secure is that it will tell you if you’ve entered a correct username when logging in.  This can theoretically be exploited by an attacker to guess their way to a valid username.  WordFence (and some other plugins) has an option that sets one ambiguous error message: “The username or password you entered is incorrect.”

Strong Passwords

We hear it all the time: a strong password is usually pretty long.  Short ones are much easier to guess/crack.  Here’s the obligatory XKCD strip explaining the realities of password strength:

Remembering a lot of passwords is one of the banes of modern life but there are now password managing plugins for most major browsers or services like Passpack.

Keep Your Site Updated

A WordPress site is made up (broadly speaking) of three components: the Core Files which provide all of WP’s general functionality, the Theme which uniquely customizes the look and behavior of the site, and Plugins which provide special features for the site.

The WordPress team updates the Core Files pretty frequently, often to address security issues and, ever since version 3.7, WordPress will automatically install these files as critical updates become available. Most popular and well-maintained Themes and Plugins are also updated periodically.  If they were downloaded from WordPress’s repository then you should also get alerts for new versions while in the backend.

However, if you’re maintaining a lot of site and/or you tend not to log into the dashboard of your sites very often then it’s trickier to stay up to date.

A simple way, via Plugin, to manage automatic updates for your WP site.

WordPress article on manually configuring all types of automatic updates (requires PHP knowledge).

Updating a component of a WP site always carries a small risk that it will break something that was already working.  The main way to avoid this is by taking the usual precautions: never modify the WordPress’s Core Files directly.  If you need to modify WP’s default behavior you can usually find a plugin that does what you want or, with PHP knowledge, write your own code using the Plugin API.  If you want to make changes to a Theme then use a Child Theme.

Even with those precautions it’s always possible something unexpected will happen, so, always…

Backup Regularly

Depending on who your site is hosted with, you may have access to some sophisticated backup options through a CPanel or similar backend.  Your hosting company is also most likely making periodic backups of your site but to have real control over your data, and be able to respond quickly to attacks or site problems, you’ll want to do your own backups.

One of the most popular backup plugins is Updraft Plus.  The free version is very a full-featured and easy to configure tool that allows you to backup your entire WP installation: database, themes, plugins, uploads, and (if you choose) the Core Files as well. Backups can be saved to a cloud storage location like Google Drive or Dropbox (more options available with the Premium version).  Restoring any backup can be accomplished with just a few clicks.

Security Plugins

There are a handful of popular WP security plugins out there but the one that I’ve found most useful is WordFence.  There is a premium version available that provides a number of additional features, but for most people’s needs the free version will give you solid coverage and is highly configurable –

  • alert you when one of of the Core or Theme files on your site has been changed
  • search for known malware on the site and, often, automatically repair the problem
  • alert you to all kinds of site activity including successful and failed logins, post creation and updates
  • block any IP address that fails a particular number of login attempts for a defined length of time