How to Secure your WordPress website
Managed WordPress hosting services (like Pressidium) normally place a significant amount of emphasis on the security of their hosting platform. A significant array of features are deployed to help keep WordPress websites hosted on these systems secure. There is only so much that a WordPress host can do however to ensure the security of a WordPress website. Website owners have their own role to play in making sure their websites stay secure. In this article we will take a look at the steps you can take to secure your WordPress website.
Many website hacks happen as a direct result of actions (or inactions) taken by website owners. Things like failing to update plugins to the latest version or using a weak password all result in exploitable weaknesses running through your site that hackers will target. The good news is there are a number of simple steps that you can take to help keep your WordPress website secure. These include:
- Ensure that you and any other website users are using strong passwords
- Use a Captcha mechanism
- Use Two-Factor Authentication (2FA)
- Delete inactive users
- Use a ‘limit login attempts’ system
- Always keep your core files, plugins and themes updated to their latest version
- Change your default login URL
- Avoid using nulled themes and plugins
Let’s take a closer look at some of these steps and find out how you can apply them to your website.
Ensure that your users are using strong passwords
There is no server-side firewall or other hosting security system that can protect your WordPress website from a weak password. Despite the well-known risks, stats suggest that an astonishing 35% of users still use weak passwords to secure their WordPress website, even after WordPress prompts them to choose a stronger one.
Perhaps the conclusion that can be drawn from this is that some users simply aren’t aware how vulnerable their website becomes when a weak password is used. Unfortunately, hackers long ago worked out how to take advantage of users who choose predictable passwords that follow certain patterns (like a date of birth or the name of a pet). Others, whilst aware of the risk of weak passwords, nonetheless continue to use them, perhaps because it’s the easy thing to do. After all, remembering a simple password is much easier than remembering a complex one constructed of random letters, numbers and symbols.
Fortunately there are a number of plugins that can be used to compel users to create a truly strong password. One such plugin is the iThemes Security plugin.
To make use of this feature, install and activate the plugin and then head to ‘Configure settings’.
Tick the ‘Enabled’ checkbox and then, in the dropdown menu that appears, select the user groups you want to apply your new ‘strong password’ policy to.
And that’s it! New users will now see a message that prompts them to enter a strong password when they register on the website or try and update their password.
Another option is the Force Strong Passwords plugin.
This is a free plugin and needs no configuration at all. Once it is activated, any attempt to change the password to a weak one will trigger this message in your Admin area: “ERROR: Please make the password a strong one”.
Another plugin, the All In One WP Security & Firewall offers a similar password strength tool that can be deployed. This is ideal if you are already using this security plugin.
WooCommerce users can take advantage of the WC Password Strength Settings plugin, which allows website owners to dictate the password strength level required. Select from five password levels ranging from “Anything Goes” to “Strong Passwords Only”.
Without doubt, your password offers a critical line of defense against hackers. The stronger it is the better. Ideally a password should be unique, randomly generated and updated regularly.
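If you would rather enforce a password policy without a plugin, the snippet below shows how the plugins above do their job under the hood. It is an added example written for this article, not code from the article, from WordPress core or from any of the plugins named; the minimum length, the character-class rules and the short denylist are this example’s own assumptions. Drop it into a file in wp-content/mu-plugins/ and it will reject weak passwords on registration, on profile updates and on password resets.

```php
<?php
/**
 * Added example (not from the article or any plugin it names): a minimum password
 * policy applied to registration, profile updates and password resets.
 * The thresholds and denylist are this example's own assumptions.
 */

const EXAMPLE_MIN_PASSWORD_LENGTH = 12;

/**
 * Return a WP_Error listing every policy failure, or null if the password passes.
 * Checks: length, character classes, the user's own login name, and a small
 * denylist of predictable fragments (a real deployment would use a much larger list).
 */
function example_password_policy_errors( string $password, string $user_login ): ?WP_Error {
    $errors = new WP_Error();

    if ( strlen( $password ) < EXAMPLE_MIN_PASSWORD_LENGTH ) {
        $errors->add( 'pass_short', sprintf( 'Password must be at least %d characters.', EXAMPLE_MIN_PASSWORD_LENGTH ) );
    }
    if ( ! preg_match( '/[a-z]/', $password ) || ! preg_match( '/[A-Z]/', $password ) ) {
        $errors->add( 'pass_case', 'Password must contain both upper- and lower-case letters.' );
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) {
        $errors->add( 'pass_digit', 'Password must contain a digit.' );
    }
    if ( ! preg_match( '/[^a-zA-Z0-9]/', $password ) ) {
        $errors->add( 'pass_symbol', 'Password must contain a symbol.' );
    }
    if ( '' !== $user_login && false !== stripos( $password, $user_login ) ) {
        $errors->add( 'pass_login', 'Password must not contain your username.' );
    }
    // Constructed denylist of fragments that predictable passwords are built from.
    foreach ( array( 'password', '123456', 'qwerty', 'letmein', 'wordpress' ) as $fragment ) {
        if ( false !== stripos( $password, $fragment ) ) {
            $errors->add( 'pass_common', 'Password contains a common, easily guessed word or sequence.' );
            break;
        }
    }

    return $errors->has_errors() ? $errors : null;
}

/**
 * Shared handler: read the submitted password (WordPress posts it as "pass1")
 * and copy any policy failures into the WP_Error the core form already uses.
 */
function example_check_submitted_password( WP_Error $errors, string $user_login ): void {
    if ( empty( $_POST['pass1'] ) ) {
        return; // No password change in this request; nothing to validate.
    }
    $policy = example_password_policy_errors( (string) wp_unslash( $_POST['pass1'] ), $user_login );
    if ( null !== $policy ) {
        foreach ( $policy->get_error_codes() as $code ) {
            $errors->add( $code, $policy->get_error_message( $code ) );
        }
    }
}

// New user registration (wp-login.php?action=register), when a form supplies a password.
add_filter( 'registration_errors', function ( WP_Error $errors, string $sanitized_user_login ) {
    example_check_submitted_password( $errors, $sanitized_user_login );
    return $errors;
}, 10, 2 );

// Profile edit and "Add New User" screens in wp-admin.
add_action( 'user_profile_update_errors', function ( WP_Error $errors, bool $update, $user ) {
    example_check_submitted_password( $errors, isset( $user->user_login ) ? (string) $user->user_login : '' );
}, 10, 3 );

// Password reset form (wp-login.php?action=rp).
add_action( 'validate_password_reset', function ( WP_Error $errors, $user ) {
    example_check_submitted_password( $errors, $user instanceof WP_User ? $user->user_login : '' );
}, 10, 2 );
```

Because the three core forms all collect their validation failures in a WP_Error object, one shared check covers every place a password can be set. The policy deliberately runs server-side: the JavaScript strength meter WordPress shows is only advice, and a user (or a script) can submit whatever it likes regardless of what the meter said.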
Use a Captcha mechanism in the login form
A captcha’s purpose is to distinguish humans from ‘bots’, which are software applications that carry out automated tasks. Hackers can make use of these to try and gain access to websites via the login page by instructing the bot to make continual attempts using random data. A captcha is designed to help prevent these kinds of attacks from happening by distinguishing between humans and bots. Captchas have been used for three decades and are still deployed on countless websites to help protect them against bot activity.
A captcha can be added to your WordPress website with the goal of blocking bot login attempts. An easy way to do this is by installing the Login no Captcha reCaptcha plugin which takes advantage of Google’s captcha system.
When installed you’ll see the familiar reCaptcha checkbox appear beneath the login panel. Tick this and you’re away (assuming you know the correct username and password anyway!).
To get the plugin working you’ll need to sign up for a free Google reCaptcha account which will then allow you to generate a site key and a secret key.
How to generate the site and secret key:
- Login to your Google account (you’ll need to register for one if you don’t have an account already). Head to the Google reCaptcha page and click on ‘Admin Console’ which appears to the top right.
- Click on the ‘Plus +’ icon that is again on the top right to register a new website. Fill in the required information.
- Hit the submit button and you’ll see a page like this:
You’ll then need to paste these values into the boxes in the plugin settings as prompted.
Two-Factor Authentication (2FA)
Using a two-factor authentication process will add an extra layer of security to your website’s login pages by helping to prevent what’s known as a ‘brute force’ attack. These kinds of attacks are where a bot continually tries to log in to your website using guessed usernames and passwords (normally following pre-defined lists that take advantage of known ‘weak’ passwords such as 123password and so on). The bot will continue to try and access your site until it’s successful, which is bad news on two fronts. First, if it gets the password correct your website has now been hacked. Secondly, these continual login attempts can increase server load and thereby slow down your website for legitimate users.
Fortunately, there are third party plugins available which can help stop this.
The Two-Factor plugin by Plugin Contributors is a useful, easy to use plugin that provides websites with two-factor protection by forcing users to supply an authentication code alongside their normal login credentials. This code can be sent via email or generated using a one-time password generator such as Google Authenticator.
Google Authenticator Plugin
The Google Authenticator plugin is another popular 2FA plugin that can be deployed to protect your WordPress website. This completely free plugin provides a raft of 2FA options including SMS and, of course, the Google Authenticator app. Setting this up is fairly quick and easy. Just follow the prompts when you activate the plugin.
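To show what the authenticator-app option in these plugins actually verifies, here is a minimal time-based one-time password (TOTP, RFC 6238) check added for this article. It is not code from the article, from the Two-Factor plugin or from the Google Authenticator plugin; the user meta keys, the extra login-form field name and the one-step clock tolerance are this example’s own assumptions. It assumes a user has already been enrolled by storing the base32 secret (the same string the authenticator app scans) in user meta.

```php
<?php
/**
 * Added example (not the Two-Factor or Google Authenticator plugin's code): require
 * enrolled users to enter a 6-digit TOTP code on the normal login form.
 * Meta keys, field name and the ±1-step tolerance are this example's assumptions.
 */

const EXAMPLE_TOTP_SECRET_META = 'example_totp_secret';    // base32 secret shared with the authenticator app
const EXAMPLE_TOTP_LAST_META   = 'example_totp_last_step'; // last accepted time-step, to stop code replay

/** Decode the base32 alphabet that authenticator apps use for shared secrets. */
function example_base32_decode( string $b32 ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits     = '';
    foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $char ) {
        $pos = strpos( $alphabet, $char );
        if ( false === $pos ) {
            throw new InvalidArgumentException( 'Invalid base32 character' );
        }
        $bits .= str_pad( decbin( $pos ), 5, '0', STR_PAD_LEFT );
    }
    $raw = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( 8 === strlen( $byte ) ) {
            $raw .= chr( bindec( $byte ) );
        }
    }
    return $raw;
}

/** Compute the 6-digit HMAC-SHA1 TOTP code for one 30-second time-step (RFC 6238). */
function example_totp_code( string $raw_secret, int $step ): string {
    $hash   = hash_hmac( 'sha1', pack( 'J', $step ), $raw_secret, true ); // counter as 64-bit big-endian (64-bit PHP)
    $offset = ord( $hash[19] ) & 0x0f;                                    // dynamic truncation
    $value  = ( ( ord( $hash[ $offset ] ) & 0x7f ) << 24 )
            | ( ord( $hash[ $offset + 1 ] ) << 16 )
            | ( ord( $hash[ $offset + 2 ] ) << 8 )
            | ord( $hash[ $offset + 3 ] );
    return str_pad( (string) ( $value % 1000000 ), 6, '0', STR_PAD_LEFT );
}

/**
 * Verify a submitted code, accepting the previous, current and next step to tolerate
 * clock drift. Any step at or before $last_step (the most recently accepted one) is
 * rejected so an intercepted code cannot be replayed inside the same window.
 * Returns the matching step, or null on failure.
 */
function example_totp_verify( string $b32_secret, string $code, int $now, int $last_step ): ?int {
    $raw     = example_base32_decode( $b32_secret );
    $current = intdiv( $now, 30 );
    foreach ( array( $current - 1, $current, $current + 1 ) as $step ) {
        if ( $step > $last_step && hash_equals( example_totp_code( $raw, $step ), $code ) ) {
            return $step;
        }
    }
    return null;
}

// Extra field on wp-login.php. Users without an enrolled secret leave it blank.
add_action( 'login_form', function () {
    echo '<p><label for="example_totp">Authentication code<br />'
       . '<input type="text" name="example_totp" id="example_totp" class="input" size="20" autocomplete="one-time-code" /></label></p>';
} );

// Priority 30 runs after core's password checks (priority 20), so $user is a WP_User only if the password was right.
add_filter( 'authenticate', function ( $user, string $username, string $password ) {
    if ( ! $user instanceof WP_User ) {
        return $user; // password stage already failed; say nothing about 2FA enrolment
    }
    $secret = (string) get_user_meta( $user->ID, EXAMPLE_TOTP_SECRET_META, true );
    if ( '' === $secret ) {
        return $user; // not enrolled
    }
    $code = isset( $_POST['example_totp'] ) ? preg_replace( '/\D/', '', (string) wp_unslash( $_POST['example_totp'] ) ) : '';
    $last = (int) get_user_meta( $user->ID, EXAMPLE_TOTP_LAST_META, true );
    $step = example_totp_verify( $secret, $code, time(), $last );
    if ( null === $step ) {
        return new WP_Error( 'example_totp_invalid', 'Invalid or missing authentication code.' );
    }
    update_user_meta( $user->ID, EXAMPLE_TOTP_LAST_META, $step );
    return $user;
}, 30, 3 );
```

Two details matter more than the arithmetic. The code is only checked after the password has been verified, so an attacker still guessing passwords learns nothing about which accounts have 2FA. And the last accepted time-step is stored, so a code that was phished or shoulder-surfed cannot be reused even within its 30-second lifetime. Enrolment (generating a random secret and showing it as a QR code) is left to the plugins above; note that an account with no secret stored is not protected at all, so enrolment should be made mandatory for administrators.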
Delete Inactive Users
Another easy target for attackers is website user accounts that have not been used for a long time. Such accounts often have weaker passwords than they would if the user had created the account recently or was regularly logging in to the website. Because of this it’s well worth periodically deleting any accounts that are inactive.
You can use a plugin to easily detect these inactive users such as the When Last Login plugin.
Once activated, it simply adds a custom column to your admin users list table that displays the date and time of each user’s last login. You can sort by this column, identify inactive users at a glance and then delete them if appropriate.
Then, under Users -> All Users, sort by the added “Last Login” column:
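The plugin above works by recording a timestamp whenever someone logs in. Below is an added example of the same idea, written for this article rather than taken from the When Last Login plugin, that also lets you list stale accounts from WP-CLI before deleting anything; the meta key, column name and 90-day default are this example’s own choices.

```php
<?php
/**
 * Added example (not the When Last Login plugin's code): record each user's last
 * login in user meta, expose it as a sortable "Last Login" column, and list
 * accounts that have not logged in for a given number of days.
 */

const EXAMPLE_LAST_LOGIN_META = 'example_last_login';

// Record the login time (Unix timestamp, UTC) whenever someone signs in.
add_action( 'wp_login', function ( string $user_login, WP_User $user ) {
    update_user_meta( $user->ID, EXAMPLE_LAST_LOGIN_META, time() );
}, 10, 2 );

/**
 * Return users with no recorded login newer than $days ago. Users with no meta at
 * all (never logged in since this was installed) are included too, because those
 * are exactly the stale accounts worth reviewing.
 */
function example_inactive_users( int $days = 90 ): array {
    $cutoff = time() - $days * DAY_IN_SECONDS;
    $query  = new WP_User_Query( array(
        'fields'     => 'all',
        'meta_query' => array(
            'relation' => 'OR',
            array( 'key' => EXAMPLE_LAST_LOGIN_META, 'value' => $cutoff, 'compare' => '<', 'type' => 'NUMERIC' ),
            array( 'key' => EXAMPLE_LAST_LOGIN_META, 'compare' => 'NOT EXISTS' ),
        ),
    ) );
    return $query->get_results();
}

// "Last Login" column on Users -> All Users.
add_filter( 'manage_users_columns', function ( array $columns ) {
    $columns['example_last_login'] = 'Last Login';
    return $columns;
} );
add_filter( 'manage_users_custom_column', function ( $output, string $column, int $user_id ) {
    if ( 'example_last_login' !== $column ) {
        return $output;
    }
    $ts = (int) get_user_meta( $user_id, EXAMPLE_LAST_LOGIN_META, true );
    return $ts ? esc_html( wp_date( 'Y-m-d H:i', $ts ) ) : 'never';
}, 10, 3 );

// Make the column sortable by mapping it to a numeric meta-value sort.
add_filter( 'manage_users_sortable_columns', function ( array $columns ) {
    $columns['example_last_login'] = 'example_last_login';
    return $columns;
} );
add_action( 'pre_get_users', function ( WP_User_Query $query ) {
    if ( 'example_last_login' === $query->get( 'orderby' ) ) {
        $query->set( 'meta_key', EXAMPLE_LAST_LOGIN_META );
        $query->set( 'orderby', 'meta_value_num' );
    }
} );

// WP-CLI review list: `wp example inactive-users --days=90` prints ID, login and roles.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'example inactive-users', function ( $args, $assoc_args ) {
        $days = isset( $assoc_args['days'] ) ? (int) $assoc_args['days'] : 90;
        foreach ( example_inactive_users( $days ) as $user ) {
            WP_CLI::line( sprintf( "%d\t%s\t%s", $user->ID, $user->user_login, implode( ',', $user->roles ) ) );
        }
    } );
}
```

The WP-CLI list is there on purpose: pay particular attention to any inactive account that still holds the administrator or editor role, since those are the ones whose stale password does the most damage if guessed.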
Limit Login Attempts
Another way you can add an extra layer of security to your WordPress site is by limiting the number of login attempts allowed within a certain timeframe. This technique thwarts bots that make continual login guesses. In addition, some plugins that provide this functionality can also block the IP address from which the login attempts originated, stopping that particular bot from trying repeated attacks on your site in the future.
A good plugin that offers this functionality is the free Limit Login Attempts Reloaded plugin.
With 1+ million installations at the time of writing, you can be confident that the plugin works well.
After you install and activate it head to the Settings menu and then click on ‘Limit Login Attempts’. You’ll be able to alter a range of parameters including the number of retries allowed before the user is locked out of the website.
Limiting login attempts is an extremely effective way to protect your website which is why we enable this as a default on all Pressidium hosted websites.
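For readers who want to see what a ‘limit login attempts’ system does behind the scenes, here is an added example that counts failed logins per client address and locks that address out once a threshold is reached. It is written for this article and is not code from Limit Login Attempts Reloaded, Jetpack or Pressidium; the thresholds, transient names and the decision to trust only REMOTE_ADDR are this example’s own assumptions.

```php
<?php
/**
 * Added example (not the Limit Login Attempts Reloaded plugin's code): count failed
 * logins per client IP in a transient and refuse further attempts after a threshold.
 * Thresholds and transient names are this example's assumptions.
 */

const EXAMPLE_MAX_ATTEMPTS    = 5;                      // failures before lockout
const EXAMPLE_WINDOW_SECONDS  = 15 * MINUTE_IN_SECONDS; // window in which failures are counted
const EXAMPLE_LOCKOUT_SECONDS = 20 * MINUTE_IN_SECONDS; // how long a locked-out address waits

/**
 * Address used as the rate-limit key. Only REMOTE_ADDR is trusted here; behind a
 * reverse proxy, replace this with the proxy's own trusted header, because
 * X-Forwarded-For is client-controlled and would let a bot pick its own key.
 */
function example_client_ip(): string {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_attempt_key( string $ip ): string {
    return 'example_login_fail_' . md5( $ip ); // hashed only to keep the option name short and safe
}

function example_lockout_key( string $ip ): string {
    return 'example_login_lock_' . md5( $ip );
}

/** True while this address is locked out. */
function example_is_locked_out( string $ip ): bool {
    return false !== get_transient( example_lockout_key( $ip ) );
}

/** Record one failure; start a lockout when the threshold is reached. Returns the new count. */
function example_record_failure( string $ip ): int {
    $key   = example_attempt_key( $ip );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, EXAMPLE_WINDOW_SECONDS );
    if ( $count >= EXAMPLE_MAX_ATTEMPTS ) {
        set_transient( example_lockout_key( $ip ), time(), EXAMPLE_LOCKOUT_SECONDS );
        delete_transient( $key );
        // Write to the PHP error log so lockouts are visible to whoever watches the server logs.
        error_log( sprintf( 'example-limit-login: lockout for %s after %d failures', $ip, $count ) );
    }
    return $count;
}

// Count every failed login (wrong password, unknown user, and so on).
add_action( 'wp_login_failed', function ( string $username ) {
    $ip = example_client_ip();
    if ( ! example_is_locked_out( $ip ) ) { // attempts made during a lockout are refused anyway
        example_record_failure( $ip );
    }
} );

// Clear the counter on a successful login.
add_action( 'wp_login', function ( string $user_login, WP_User $user ) {
    delete_transient( example_attempt_key( example_client_ip() ) );
}, 10, 2 );

// Refuse authentication while locked out. Priority 30 runs after core's checks at 20,
// so a locked-out client never receives a WP_User back, whatever it submitted.
add_filter( 'authenticate', function ( $user, string $username, string $password ) {
    if ( example_is_locked_out( example_client_ip() ) ) {
        return new WP_Error( 'example_locked_out', 'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}, 30, 3 );
```

Two caveats worth knowing before relying on something like this. Transients without a persistent object cache live in the options table, so a site under heavy attack will accumulate rows until they expire; a Redis or Memcached object cache is the usual fix. And a lockout keyed on IP address also locks out legitimate users who share that address (an office NAT, for instance), which is why the lockout is kept short here and why the error message is the same for every locked-out request.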
Note: If you are using Jetpack a recent feature release called the ‘Protect module’ includes a limit login attempts system as a default. This system also provides information on the login attempts blocked and the option to whitelist IPs. If you are using this plugin then there is no need to install a separate ‘limit login’ plugin.
Keep your core files, plugins and themes updated to their latest version
Among many other benefits, updating your WordPress core, theme and plugins is critical for your website’s security. Stats show that outdated core versions, themes and plugins are the most common way hackers gain access to websites, which makes keeping these up to date a top priority.
At Pressidium we automatically update the WordPress core to the latest version after first testing it to ensure there are no key issues that would cause our clients problems with their websites. Because these updates are carried out automatically, you can rest assured knowing your website is always running the latest version of WordPress.
In addition, we make updating plugins on websites hosted with us as easy as possible by providing a plugin update facility that is accessible via the Pressidium dashboard. This allows our clients to see at a glance if their website’s plugins need updating. If so, the update can be undertaken with a couple of clicks from within the Pressidium dashboard. We also regularly scan websites hosted with us for plugins that have known vulnerabilities and will inform the website owner of the vulnerability via email. In cases where an out-of-date plugin poses an extreme risk to a website we will even proactively update it on behalf of the website owner.
Change your default login URL
Now that we’ve run through ways of securing the login page (in effect protecting the ‘front door’), let’s take a look at options for hiding the front door, ensuring a burglar (or hacker!) can’t even try to gain entry.
A great way of doing this is to change the location of the default WordPress login URL to a custom one. In doing so you block traffic to the default wp-login.php address, which in turn means you shouldn’t experience brute force attacks against it.
One such plugin that allows you to quickly change the location of the login page is WPS Hide Login.
Avoid using nulled themes and plugins
Nulled themes or plugins are pirated copies of premium themes and plugins with their licence checks removed, and they typically contain malware or modified code designed to cause harm. They are often available ‘on the cheap’, which is why they appeal to people. After all, no-one really likes having to spend money on premium themes and plugins. With some nulled themes and plugins available for a fraction of the cost of the ‘genuine’ version, you can see why they are tempting to use.
In reality, the ‘savings’ you make using nulled versions can often be overshadowed by the costs incurred as a result of your website being infected with malware. Even if they don’t contain malicious code, they will often have annoying ads and popups that can ruin the experience of the plugin or theme. In addition, they are of course not supported by the original developer meaning there is no-one to turn to if something goes wrong.
In short, don’t use nulled themes or plugins… it really isn’t worth it!
A hacked website is in no-one’s interest (apart from, of course, the hacker’s). Whilst high quality, managed WordPress hosting can significantly improve the security of your website, it’s also important to remember that you, as the owner of the website, have a role to play in securing it as well.
Following even some of the simple steps outlined above can really help improve the security of your website and are well worth implementing.