WordPress is a popular content management system (CMS) that lets you create a website or blog from scratch. If you’re not familiar with WordPress, it helps to understand how it works before you start securing your installation. WordPress is a free and open source CMS that runs on any platform. It’s easy to set up and use, which makes it an ideal choice for small businesses and individual bloggers. However, if your WordPress website or blog can be reached by the public, it’s important to secure the installation.
There are several ways to secure a WordPress installation: using a password manager such as LastPass or iCloud Keychain, using a security plugin such as WP Security or the CloudFlare plugin, or enabling two-factor authentication (2FA).
Password managers are great for protecting your WordPress passwords. They store your passwords in encrypted form and help you keep track of multiple WordPress passwords. You can also use them to protect other online accounts that are connected to your WordPress site.
WP Security is a security plugin for WordPress that helps protect your site against unauthorized access and theft. It includes features such as two-factor authentication and encrypted password storage.
CloudFlare is another security option for WordPress that helps protect against attacks from malicious websites and hackers. It includes features such as automatic HTTPS protection and fraud detection.
2FA is another great way to secure a WordPress installation. Two-factor authentication requires a second proof of identity, in addition to your username and password, when logging in to the site, so an attacker who learns the password alone still cannot log in.
Why Do I Need to Secure WordPress?
WordPress’s popularity makes it a target for hackers. With millions of users worldwide, attackers get the most bang-for-their-buck by exploiting such widely used tools. A single exploit could allow a hacker to compromise hundreds or thousands of websites, which could mean that your website is one of many affected.
The primary ways that WordPress gets hacked or compromised are from easy-to-guess passwords, and the compromise of themes, plugins, and an outdated WordPress installation. Keeping strong passwords and usernames, themes, plugins, and core installations updated with the latest patches can go a long way in protecting your server from attackers.
Let’s take a look at how we can update these items and ensure that our WordPress installation is up-to-date.
Creating a Secure Username and Password
While you cannot change the username set during WordPress installation, we can create an alternate administrative user that does not have an easily guessed username such as “user” or “admin,” which may not have been a consideration during installation. Then we can set a secure password on the original administrator account so that it cannot be guessed.
Easy-to-guess usernames allow attackers to try common username and password combinations to gain access to your WordPress installation. By having an obscure and unique username, even if your password is something simple like “password,” attackers will still have to guess your complicated username to gain access. Do not rely on that alone, though: WordPress exposes author usernames through author archive pages, so a strong password is still required.
With a username like “mywebsite123987@#$@!”, hackers will find it difficult to compromise your server this way. Note that WordPress strips most symbols from a new username and keeps only letters, digits, spaces, underscores, periods, hyphens and @, so the stored name will be shorter than what you type.
To create a new user, open your Dashboard and navigate to Users.
Select Add New in the top navigation to create a new user.
Be sure to provide a unique and hard-to-guess username and password, with 12+ characters including letters, numbers, and symbols.
Assign this user the Administrator role, then select Add New User.
Now, we can go back to the Users page and select our original administrator account named user.
Generate a new password for our original user that will be impossible to guess. Now that we have our alternative administrator account, our original account named user can have a very long, complicated password, so it cannot be brute-forced by attackers who target such a common username.
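The username the article suggests will not be stored as typed, because WordPress’s strict username sanitization keeps only letters, digits, spaces and the characters _ . - @. This added shell example (not from the article) mirrors that filter so you can check a candidate name before creating the user, generates a password that meets the 12+ character rule, and wraps the two Dashboard steps above in wp-cli commands; the wp-cli step assumes wp-cli is installed and is not needed for the checks.

```shell
#!/bin/sh
# Added example, not part of the article. The tr character class below mirrors
# the set WordPress keeps for a new username (letters, digits, space, _ . - @).
set -eu

# What WordPress will actually store for a requested username.
wp_username_after_sanitize() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9 _.@-'
}

# Prints 1 if the requested name survives unchanged, 0 if WordPress would alter it.
username_is_accepted_as_is() {
    [ "$(wp_username_after_sanitize "$1")" = "$1" ] && echo 1 || echo 0
}

# Random password from /dev/urandom with letters, digits and symbols.
# $1 = length (default 24, above the article's 12+ minimum).
generate_password() {
    len=${1:-24}
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=-' < /dev/urandom | head -c "$len"
}

# Length of a candidate password, for the 12+ check.
password_length() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# With wp-cli installed, the same two steps as the article's Dashboard clicks:
# create the alternate administrator, then reset the original "user" account's
# password to a long random one. Assumes wp-cli is run from the WordPress root.
create_admin_with_wp_cli() {
    name=$1
    email=$2
    [ "$(username_is_accepted_as_is "$name")" = 1 ] || { echo "WordPress would alter '$name'" >&2; return 1; }
    wp user create "$name" "$email" --role=administrator --user_pass="$(generate_password 32)"
    wp user update user --user_pass="$(generate_password 32)"
}
```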
Changing the WP-Admin Login URL
Another great way to secure your login pages is by changing the default login URL of wp-admin to something unique. This way, attackers can’t automatically attempt logins on your website via the default example.com/wp-admin/ URL and will have to guess your (securely named) login page to attack your website.
While this is not a supported feature of WordPress, we can accomplish this in one of two ways: using a plugin, or manually modifying files to make our changes.
For this article, we will be manually modifying our files and do our best to stay away from unnecessary plugins.
It is important to note that these modifications will not carry over to WordPress updates and could cause some issues in the future. To ensure smooth updates, it is recommended to keep a backup of all modified files and restore them before updating. Then you can simply make the same changes again to restore your secured WordPress login URL.
To begin, you will want a good text editor like Notepad++ that has a strong find-and-replace function. Once we have this, let’s find our wp-login.php file in our WordPress root directory.
First things first, make a backup of this file in case we need to revert to the original login URL at some point. Once this is done, open wp-login.php in Notepad++ so we can issue the find-and-replace module we need to secure our login page.
To access the find-and-replace module, navigate to Search in the top menu and find Replace.
Once the module is open, in the Find What: field enter wp-login and in the Replace With: field enter your desired login URL. In this case, I have chosen custom_login to be our newly designated login page.
Select Replace All to replace all occurrences of wp-login.
Save your file and navigate back to the WordPress home directory. Time to rename our wp-login.php file to custom_login.php.
Now, to test that our change worked, access the wp-admin directory on your website. In my case, it is located at http://localhost/wordpress/wp-admin/. Upon loading this URL, you should find it gives an error or a “Page Not Found” warning. This means our login URL has changed and cannot be found by hackers using a default login URL!
Let’s open the correct login page now, in my case located at http://localhost/wordpress/custom_login.php.
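The same backup, Replace All, rename and check, done from a shell as an added example that is not part of the article. It assumes the first argument is the WordPress root that holds wp-login.php and the second is the new slug (letters, digits and underscores only, e.g. custom_login); the curl check assumes a reachable site such as http://localhost/wordpress.

```shell
#!/bin/sh
# Added example, not from the article: relocate wp-login.php with a backup,
# then verify no reference to the default name remains.
set -eu

relocate_wp_login() {
    wp_root=$1
    slug=$2
    src="$wp_root/wp-login.php"
    dst="$wp_root/$slug.php"

    # Reject slugs that could break the PHP file, the URL or the sed pattern.
    case $slug in
        ""|*[!A-Za-z0-9_]*) echo "bad slug: $slug" >&2; return 1 ;;
    esac
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    [ -e "$dst" ] && { echo "$dst already exists" >&2; return 1; }

    # Timestamped backup one level above the web root, to restore before core updates.
    cp "$src" "$wp_root/../wp-login.php.bak.$(date +%Y%m%d%H%M%S)"

    # Replace every wp-login reference (the article's Replace All step), write
    # the result under the new name, then remove the original so the default
    # URL stops answering.
    sed "s/wp-login/$slug/g" "$src" > "$dst"
    rm "$src"
    printf '%s\n' "$dst"
}

# Number of references in a file that still point at the default login name.
remaining_default_refs() {
    grep -c 'wp-login' "$1" || true
}

# External check against a running site: the default URL must no longer
# return 200 and the new one must. Requires curl.
check_login_urls() {
    base=$1
    slug=$2
    old=$(curl -s -o /dev/null -w '%{http_code}' "$base/wp-login.php")
    new=$(curl -s -o /dev/null -w '%{http_code}' "$base/$slug.php")
    [ "$old" != "200" ] && [ "$new" = "200" ]
}
```

Links that WordPress core builds itself, such as logout and lost-password links, still point at wp-login.php after this change, which is the kind of side effect the article warns about.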
Congratulations! You have changed your default login URL to a more secure unique URL that will be harder to guess by hackers. This will keep your login page from being bruteforced by programs looking specifically for the wp-login.php URL. One step closer to security!
Keep Plugins, Themes, and Core WordPress Up to Date
The single most effective way of protecting your WordPress installation is to keep themes, plugins, and the core WordPress installation up to date.
Plugins and themes are often targeted by hackers as they tend to be developed by third-party developers with somewhat limited resources, as opposed to the WordPress organization whose priority will be security and bug testing any official plugins and themes.
Themes and plugins are created however the developer decided to write them, and they are not often thoroughly tested against exploits. This can cause problems for users once an attacker finds a bug in theme files that may not have been updated for all users. This can happen years later, too.
Plugins work the same way but may be more widely utilized by WordPress users, which makes plugins an ideal target for hackers. There have been many cases where plugins installed by millions of users are exploited, and all websites with the affected plugin can be compromised if not updated.
To manage updates for WordPress, navigate to the Dashboard and find Home.
This page will help you manage core updates, theme updates, and even plugin updates in one central place. You will be notified of any outdated extensions and given the option to update them here. You will only need FTP access that has modify rights on the theme, plugin, or WordPress installation.
While WordPress often provides warnings on the main Dashboard page for outdated files, check this WordPress Updates page often and be sure your files are up to date. Patching outdated files is one of the most effective ways to prevent simple takeovers from attackers.
Minimizing Use of Plugins and Installed Themes
It can certainly be a challenge keeping themes and plugins up to date with the latest patches, especially if you are using dozens or more themes and extensions. One of the easiest ways to minimize this risk is to limit the amount of plugins and themes you are using.
Every plugin or theme that is not installed is one less attack vector for hackers, since it cannot carry exploitable bugs. Additionally, uninstalling deactivated plugins and themes will prevent even unused tools from being exploited in the future by serious bugs.
Once you have decided not to use a plugin, go ahead and remove it entirely from your website. Even old deactivated plugins have been found to have serious bugs that were compromised by hackers on a large scale.
While there seems to be a plugin for everything, even some of the things we did today, minimizing your use of plugins and theme installations will certainly help protect your website from easily exploitable bugs that hackers may find even years down the line. If possible, have only the default theme and the one you are using installed, and as few plugins as possible to get your site working.
Remember, the more users that have a plugin or theme installed, the juicier the target is for hackers to find an exploit for.
Back Ups for Remediation and Peace of Mind
A final step in protecting against irrevocable compromise is to keep secure backups. If there is an announcement of a bug found in a plugin or WordPress, you might be able to revert to a more secure installation or simply remove the affected files from the live website.
If the exploit is serious enough, you might want to have a fresh installation of WordPress and simply import your posts to the new and secure installation.
While there are a million ways to back up your data, we will show you the most basic form of backing up WordPress files using the built-in Export tool.
This tool is located at Tools > Export in the WordPress dashboard.
From here, you can manually export posts, pages, media files, or all content.
This will not back up your theme or plugins in any way, nor will it back up any modified files like our custom_login.php page. However, in the event of a disaster, you will have secure backups of all your posts and pages that can easily be imported into a new installation.
Alternative methods of backing up your files include exporting the SQL database as a whole. But once compromised, it is hard to tell exactly which files and data are at risk of a long-term backdoor. If your WordPress installation has been compromised, it is best to start over on a fresh installation with as few leftover files as possible.
Security: A Never-Ending Job
While this guide only touches the surface of security, these are some of the most effective methods to prevent a total compromise of WordPress. These are the attack vectors hackers use most, and securing them will protect your site from the most common and automated attacks running against WordPress installations worldwide.
A strong username and password that is not easily guessed, a custom login page, and up-to-date plugins, themes, and core installations will go a long way in securing your server. Combine that with strong backups and minimizing third-party tools, and hackers will have significantly fewer vectors to exploit against your WordPress installation.
Combining strong WordPress practices with strong server security practices like encryption, firewalls, and malicious activity detection will keep your website secure and a safe place on the web!