Last Updated on August 1, 2020
Hardening Your WP Installation
WordPress security has come a long way since the project began in 2003. It is free and open source and runs a large share of the web, and that popularity, together with a huge ecosystem of third-party themes and plugins of very mixed quality, makes it a favourite target, especially for sites that were installed with the defaults and then left alone. As part of every new website project, I change the basic WordPress installation to keep the bad guys out and the good stuff in. If you’re new to website management, here are several critical WordPress security principles to follow:
Change the Table Prefix
Every standard WordPress installation names its tables with the same prefix, “wp_”. A default is by definition not a secret, so an attacker who finds a SQL injection flaw in a plugin already knows your table names. I routinely change the prefix to something random (for example “k3q7z_”), but treat it as the cheap bit of obscurity it is: once an injection exists, the real prefix can still be read through information_schema or leaked in an error message, so this never replaces fixing the injection. If you set it before installing, one line in wp-config.php does it. On an existing site you also have to rename every table and fix the prefix that WordPress stores inside row data in wp_options and wp_usermeta, or every account will lose its role after the rename. Not sure which prefix you are running? Look at the table names in your database, or at $table_prefix in wp-config.php.
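The rename procedure above, as an added example that is not code from the original post: a PHP script that produces the SQL for moving an existing single-site database from one prefix to another. The prefix “k3q7z_”, the environment variable names and the sample table list (which includes one non-WordPress table that must be left alone) are all assumptions made for the example.

```php
<?php
// Added example, not code from the original post: generate the SQL that moves a
// WordPress database from one table prefix to another. Take a full backup and
// review the statements before running them. The table list below is a
// constructed sample for a dry run; the mysqli branch is for a real database.

/**
 * Build the statements for the rename. Renaming the tables is the obvious part;
 * the two UPDATEs are the part people forget: WordPress stores the prefix
 * inside row data in wp_options.option_name ('wp_user_roles') and
 * wp_usermeta.meta_key ('wp_capabilities', 'wp_user_level', ...). Skip them and
 * every account loses its role after the rename. Single-site layout assumed;
 * multisite has one options table per blog that needs the same treatment.
 */
function build_prefix_rename_sql(array $tables, string $old, string $new): array
{
    if (!preg_match('/^[A-Za-z0-9_]+_$/', $new)) {
        throw new InvalidArgumentException("new prefix must be [A-Za-z0-9_] and end in '_': $new");
    }
    $sql = [];
    foreach ($tables as $table) {
        if (strpos($table, $old) !== 0) {
            continue; // not one of ours (another application sharing the database)
        }
        $sql[] = sprintf('RENAME TABLE `%s` TO `%s`;', $table, $new . substr($table, strlen($old)));
    }
    // LIKE pattern with the '_' escaped, so 'wp\_%' matches the literal prefix
    // and not "wp followed by any single character".
    $like = str_replace('_', '\_', $old) . '%';
    $from = strlen($old) + 1; // SUBSTRING() is 1-based
    $sql[] = sprintf(
        "UPDATE `%soptions` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE option_name LIKE '%s';",
        $new, $new, $from, $like
    );
    $sql[] = sprintf(
        "UPDATE `%susermeta` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s';",
        $new, $new, $from, $like
    );
    return $sql;
}

$old = 'wp_';
$new = 'k3q7z_'; // hypothetical; pick something random, it only needs to be unguessable

if (getenv('WP_DB_NAME')) {
    // Live run: credentials from the environment (copy the DB_* values from wp-config.php).
    $db = new mysqli(getenv('WP_DB_HOST') ?: 'localhost', getenv('WP_DB_USER'), getenv('WP_DB_PASSWORD'), getenv('WP_DB_NAME'));
    $tables = [];
    $result = $db->query("SHOW TABLES LIKE '" . str_replace('_', '\_', $old) . "%'");
    while ($row = $result->fetch_row()) {
        $tables[] = $row[0];
    }
} else {
    // Constructed sample table list, including one table that must be left alone.
    $tables = ['wp_commentmeta', 'wp_comments', 'wp_links', 'wp_options', 'wp_postmeta', 'wp_posts',
               'wp_term_relationships', 'wp_term_taxonomy', 'wp_termmeta', 'wp_terms', 'wp_usermeta',
               'wp_users', 'other_app_data'];
}

foreach (build_prefix_rename_sql($tables, $old, $new) as $statement) {
    echo $statement, PHP_EOL;
}
// Run the statements, then set $table_prefix = 'k3q7z_' in wp-config.php and log in again.
```

Run it once without the environment variables to see the statements for the sample table list, then with them against the real database. Execute the output, change $table_prefix in wp-config.php to the new value, and log in to confirm the administrator still has its role; if the login page reports insufficient permissions, the two UPDATE statements did not run.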
Change Default Admin Account Login Info
If your administrator username is “admin”, you’re hanging this sign on your website: “feel free to break in and mess stuff up.” Every brute-force tool tries “admin” first, so the attacker only has to guess the password. Create a new administrator with a username that isn’t guessable, reassign the old account’s posts to it, then delete “admin”. For the password itself, we counsel our clients to use a strong one: long, unique to this site and not built from dictionary words. Numbers and special characters help, but length is what makes a password expensive to brute force. Worried that you’ll forget a complicated password and get continually locked out? Then use a password vault like LastPass so you never have to remember it.
Keep WordPress Version Secret
My philosophy is to keep a website’s core up-to-date, meaning the WordPress code, themes and plugins run the latest versions. Updating is what actually removes the holes; hiding the version only removes the cheapest way for an attacker to find out which holes you have. By default WordPress advertises its exact version in a generator meta tag in the page head, in the feeds, and in the ?ver= query string on its own scripts and styles, so a scanner can match it against known vulnerabilities in a single request. I remove all of that. Be aware of the limits: readme.html in the web root also states the version, and scanners can still fingerprint core by hashing static files, so this is obscurity on top of updates, never instead of them. Note: there are lots of plugins that do this with one click.
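What those one-click plugins do under the hood, as an added example rather than code from the original post or from any particular plugin: a must-use plugin that strips the version from the places listed above using only core WordPress hooks. The file name, the function name hv_strip_core_version and the filter priority are assumptions made for the example.

```php
<?php
/**
 * Plugin Name: Hide WordPress Version
 * Description: Added example (not from the original post). Drop this file into
 * wp-content/mu-plugins/ and it loads on every request without activation.
 */

// 1. The <meta name="generator" content="WordPress x.y"> tag in <head> and the
//    generator element in RSS/Atom feeds. Both are produced by wp_generator()
//    and pass through the 'the_generator' filter.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 2. The ?ver=x.y query string core appends to scripts and styles. Only remove
//    it when the value is the core version: plugins and themes put their own
//    version numbers there for cache busting, and those should stay.
function hv_strip_core_version($src)
{
    if (is_string($src) && strpos($src, 'ver=' . get_bloginfo('version')) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'hv_strip_core_version', 15);
add_filter('style_loader_src', 'hv_strip_core_version', 15);

// 3. readme.html states the version in plain text and is not touched by any
//    filter: delete it or deny it at the web server. Nothing here stops
//    fingerprinting by hashing core static files, which is how scanners such
//    as WPScan work, so keep updating rather than relying on this.
```

After installing it, request the home page and confirm there is no generator tag and that core assets load without ?ver=; then request /readme.html and make sure the web server answers 403 or 404.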
Add 2-Step Authentication
Adding two-factor authentication (often called 2-step verification) provides yet another layer of protection. When logging into WordPress you enter a username and password; the username can be read straight off the site, from post bylines or the author archive URLs, and users often pick easy-to-remember passwords that brute-force software cracks quickly. Requiring a time-based code from an app on your phone as well means a guessed or stolen password alone no longer gets anyone in. Two plugins I have recommended are Google Authenticator and Clef; note that Clef was shut down in 2017, so today pick a maintained plugin that supports standard TOTP codes. You only need one, and whichever you choose should also rate-limit code attempts, because a six-digit code is a small space to guess in.
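To show what the six-digit code actually proves, here is the RFC 6238 time-based one-time password check that a Google Authenticator style plugin performs at login. This is an added example and not code from the original post or from either plugin; the secret is the RFC 6238 test-vector key and the window of one step either side is a common choice, not something the post specifies.

```php
<?php
// Added example, not from the original post: TOTP (RFC 6238) verification as
// performed by an authenticator-app plugin. Nothing here is WordPress-specific.

/** Decode the base32 secret that the QR code / setup key carries. */
function base32_decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException("invalid base32 character: $c");
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {        // drop the partial trailing group
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

/** HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation. */
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $hmac = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hmac[19]) & 0x0f;
    $code = ((ord($hmac[$offset]) & 0x7f) << 24)
          | (ord($hmac[$offset + 1]) << 16)
          | (ord($hmac[$offset + 2]) << 8)
          | ord($hmac[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** TOTP: HOTP with the counter set to the current 30-second time step. */
function totp(string $secret, int $time, int $step = 30): string
{
    return hotp($secret, intdiv($time, $step));
}

/**
 * Verify a submitted code, tolerating one step of clock drift either way.
 * hash_equals() keeps the comparison constant-time, and the loop always
 * checks every candidate so timing does not reveal which one matched.
 * Rate limiting is the caller's job: 10^6 codes is a small space.
 */
function verify_totp(string $secret, string $submitted, int $now, int $step = 30, int $window = 1): bool
{
    $ok = false;
    for ($i = -$window; $i <= $window; $i++) {
        $candidate = hotp($secret, intdiv($now, $step) + $i);
        $ok = hash_equals($candidate, $submitted) || $ok;
    }
    return $ok;
}

// Self-check against RFC 6238 Appendix B: the ASCII key "12345678901234567890"
// (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) at T=59 gives the 6-digit SHA-1 code 287082.
$secret = base32_decode('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
if (totp($secret, 59) !== '287082') {
    throw new RuntimeException('TOTP self-check against the RFC vector failed');
}
var_dump(verify_totp($secret, '287082', 59));        // within the window
var_dump(verify_totp($secret, '287082', 59 + 60));   // two steps later: rejected
```

The point to take from the code is the last function: a valid code is only valid for about 90 seconds and is never compared with a plain string equality, and even then the plugin has to throttle attempts. A 2FA plugin that lets an attacker submit codes as fast as the server answers is a weaker second factor than it looks.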
Use Jetpack’s Protect, VaultPress & Sucuri
Jetpack’s Protect module blocks brute-force login attempts and comes free with Jetpack. VaultPress, from the same company, adds backups and comprehensive security scans; for a nominal annual fee you also get uptime monitoring and priority support. Sucuri provides two paid services: cleaning up a site that has already been hacked, and a web application firewall that sits in front of the site to absorb DDoS (Distributed Denial of Service) attacks, block vulnerability exploit attempts and add more brute force defense. One caveat applies to any plugin-based blocker: it runs only after PHP has started handling each login attempt, so a firewall or web server rate limit on wp-login.php is the cheaper place to stop a flood.
When it comes to data, it pays to back up. One of my favorite plugins is WP-DBManager, which backs up the database on a schedule. As your database (content, settings, users and so on) is the backbone of your website, I also recommend an off-site cloud backup service such as VaultPress. Two things people learn the hard way: a database dump alone does not restore a site, you also need wp-content (uploads, themes and plugins); and a backup that lives only on the same server as the site disappears with it. Keep copies elsewhere and actually test a restore. Using a belt and suspenders may be a fashion faux pas, but if you’ve ever had to rebuild a website after a catastrophic event, you’ll appreciate the redundancy.
Use Plugins that Use Coding Best Practices
If you have commissioned a coder to develop a custom WordPress theme or plugin, make sure they follow the WordPress Coding Standards and, more importantly, the security practices that go with them: validate and sanitize every input, escape every output, use $wpdb->prepare() for any SQL that includes a value, and guard every state-changing action with a nonce and a capability check. If their response is “huh?” when asked, look for another developer. The great majority of WordPress vulnerabilities are in third-party themes and plugins rather than in core, so sloppy custom code puts the whole site at risk.
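As an added example (not code from the original post), here is the same small admin action written the way the post warns about and then the way the practices above require. The plugin name “notes”, the table name, the hook names and the function names are hypothetical; every WordPress function called is core API.

```php
<?php
// Added example, not from the original post: one "delete a note" admin handler,
// first as typically found in sloppy custom plugins, then hardened. Names are
// hypothetical; the hooks and helpers are standard WordPress API.

// --- Vulnerable version ---------------------------------------------------
function notes_delete_unsafe()
{
    global $wpdb;
    // No capability check: any logged-in user can reach this via admin-post.php.
    // No nonce: a crafted link in an email deletes on click (CSRF).
    // String-built SQL: $_GET['id'] goes straight into the query (SQL injection).
    $wpdb->query("DELETE FROM {$wpdb->prefix}notes WHERE id = " . $_GET['id']);
    // Unescaped output: whatever was in the URL is reflected into HTML (XSS).
    echo 'Deleted note ' . $_GET['id'];
}
add_action('admin_post_notes_delete_unsafe', 'notes_delete_unsafe');

// --- Hardened version -----------------------------------------------------
function notes_delete()
{
    global $wpdb;

    // 1. Capability check: only users allowed to manage the site get this far.
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('You are not allowed to do that.', 'notes'), 403);
    }
    // 2. Nonce check: dies unless the request carries a token minted for this action.
    check_admin_referer('notes_delete');

    // 3. Validate input: absint() turns anything that is not a positive integer into 0.
    $id = isset($_GET['id']) ? absint($_GET['id']) : 0;
    if ($id === 0) {
        wp_die(esc_html__('Invalid note id.', 'notes'), 400);
    }

    // 4. Prepared statement: %d forces an integer; the table name comes from
    //    $wpdb, never from the request.
    $wpdb->query($wpdb->prepare("DELETE FROM {$wpdb->prefix}notes WHERE id = %d", $id));

    // 5. Escape on output, even for a value that has already been validated.
    echo esc_html(sprintf(__('Deleted note %d', 'notes'), $id));
}
add_action('admin_post_notes_delete', 'notes_delete');

/** The link that reaches the hardened handler must carry the matching nonce. */
function notes_delete_link(int $id): string
{
    $url = add_query_arg(['action' => 'notes_delete', 'id' => $id], admin_url('admin-post.php'));
    return esc_url(wp_nonce_url($url, 'notes_delete'));
}
```

Each numbered step in the hardened handler closes one of the four problems noted in the unsafe version, and the order matters: the capability and nonce checks run before any input is even looked at, so an unauthenticated or forged request never reaches the database.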
What other practices do you use to keep your website safe?