Keeping your WordPress site secure

WordPress is one of the most popular content management systems (CMS) used for websites. This popularity is largely due to its ease of use, the ability to easily change the look using an extensive themes library and the ability to add new functionality with plugins.

This popularity does come at a price, as WordPress is a major target for hackers.

Over the years, we have found some best practices to help keep your WordPress site secure.


1) Recommended Plugins

Wordfence – this plugin has a lot of security features built in and is normally the first plugin we install. More details about the plugin and its extensive list of security features can be found on the plugin’s page.

Better WordPress reCAPTCHA – This plugin adds a CAPTCHA to the login page and can be used with popular contact forms to prevent bots automating login attempts. It includes a nifty image option to prove the user isn’t a bot. Again, more details can be found on the plugin’s page.

There are many more plugins that deal with security. These two are by no means the only security plugins, but they have proven effective for our own hosted sites. WordPress also have their own security recommendations and go into more depth about the options to secure sites.


2) Keep your WordPress version up-to-date (including themes and plugins)

Out-of-date software is probably the number one reason sites get hacked, which makes keeping everything updated the most important step.

We always tell customers that if they do not keep their sites updated, then it is not “if their site will be compromised” but “when their site will be compromised”.

You could have the most complex password or the most secure hosting platform on the planet, but if you let WordPress get out of date, your site will be vulnerable.

Once a site has been compromised, it’s often added to the hackers’ list of vulnerable sites (basically a list of soft targets). After that first compromise, hackers will keep on trying to access the site even after it’s been secured, so keeping everything up to date becomes even more important.

WordPress regularly release updates which contain new features, but also critical security updates to the WordPress core files.

The newer versions of WordPress can be updated through the dashboard using the options found in the ‘Updates’ section. Remember that any themes and plugins also need updating; the dashboard shows pending updates for these as well. See the Updating WordPress Guide for more info.


3) Use STRONG Passwords

Many potential vulnerabilities can be avoided with a good password. This is true for any service accessed online, be it web sites, email or social media websites (e.g. Facebook).

Remember that hackers don’t sit at their keyboard typing different passwords – they use special hacking scripts to ‘brute force’ sites by sending thousands of requests, which will undoubtedly contain all the common and weak passwords.

Things to avoid when choosing a password:

  • Any permutation of your own real name, username, company name or name of your website.
  • A word from a dictionary, in any language.
  • A short password.
  • Any numeric-only or alphabetic-only password.
  • All lowercase passwords.

Examples of bad passwords:

  • password
  • Pa55w0rd
  • 123456
  • Letmein!
  • hello
  • Liverpool1

(Yes, we see sites still using these password types).

Examples of good passwords:

  • Vfjhd98”Endif4gtr
  • Wniref7£$Dmdf98
  • JFR%TFj%^FG&fgh
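The “things to avoid” list applied as a check and run against this article’s own example passwords, to show why Pa55w0rd and Liverpool1 still count as dictionary words. This is an added example, not code from the article or from WordPress: the wordlist is a constructed sample, the 12-character minimum is an assumption (the article only says “short”), and the function names are hypothetical.

```python
import re

# Constructed sample wordlist; a real check would load a full dictionary
# plus a list of commonly used passwords.
COMMON_WORDS = {"password", "letmein", "hello", "liverpool", "welcome", "qwerty"}
# Undo common character swaps so "Pa55w0rd" is compared as "password".
LEET = str.maketrans("0134578@$!", "oleastbasi")
MIN_LENGTH = 12  # assumption: the article only says "short"


def core_word(password):
    """Lower-case, strip digits and symbols from both ends, undo swaps."""
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())
    return stripped.translate(LEET)


def letters_only(text):
    """Lower-case, undo swaps, then drop everything that is not a letter."""
    return re.sub(r"[\W\d_]", "", text.lower().translate(LEET))


def weaknesses(password, personal=()):
    """Return the items of the 'things to avoid' list that the password hits.

    personal: real name, username, company name, website name.
    """
    found = []
    squashed = letters_only(password)
    for name in personal:
        token = letters_only(name)
        # Catches the name embedded, reversed or character-swapped.
        if len(token) >= 3 and (token in squashed or token[::-1] in squashed):
            found.append("contains a personal name")
            break
    if core_word(password) in COMMON_WORDS:
        found.append("dictionary word")
    if len(password) < MIN_LENGTH:
        found.append("too short")
    if password.isdigit() or password.isalpha():
        found.append("numeric-only or alphabetic-only")
    if password.islower():
        found.append("all lowercase")
    return found
```

An empty list means none of the listed mistakes were found; it does not prove the password is strong.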

It is often said that the only secure password is the one you can’t remember.

The only problem with the good passwords (and the quote above) is you’d need a photographic memory to remember them. A solution would be to write the passwords down, but keeping a written record makes the passwords vulnerable.

There are also password management programs like KeePass or LastPass. These store your passwords and only require you to remember one master password.

One other practice (which is gaining in popularity) is to use password phrases for your logins: select something unique or specific only to you. If you have a blue Ford Fiesta built in 2009 you could use Ford2009BlueFiesta. Including the full stop increases the complexity.

WordPress also allows spaces in passwords, so even Ford 2009 Blue Fiesta is usable.

Further examples:

  • I have a red d@g and g@ld cat.
  • The sky was beautiful, the lake was blue and clear.

These types of passwords are extremely hard to guess or for automated brute force scripts to crack, but they are far easier to remember.

There are some caveats to using pass phrases (for example, don’t use lines from famous films or song lyrics). Adding unexpected characters, a full stop, hyphen or exclamation mark will also make the password harder to crack.

Adding two-step authentication would also make a passphrase more secure.


4) Change WordPress’ Initial User

The account’s username is another part of account security.

By default, new WordPress installs want to use admin as the first user. As this is common knowledge, brute force scripts will often default to using admin for the username. By simply altering the username you increase security significantly. Just as with passwords, don’t use your own real name, company name or name of your website.

If you already have a poor username you can delete it. Simply log in, create a new user (make sure the user is set as an administrator), log in as the new user and remove the old user account.

If you like to edit WordPress while in a public environment (for example, an internet café) create a new user with limited access. The editor user type is perfect for this.

5) Avoid Themes and Plugins from Unknown Sources

Be very careful downloading themes and plugins from unknown sources. WordPress keeps an online plugin and theme directory which we recommend you use to find new content.



6) Backup WordPress

When making any changes to WordPress, we recommend making a backup first. This means that if you do make a mistake or the worst happens, your site can be restored.

A phrase we use within Daily is: “If your site data is important, you will make a backup. If you don’t keep backups, your data isn’t important”. We keep backups of entire platforms for use in a Disaster Recovery situation, but these are not intended for restoring individual sites or email.

We offer a full Daily or Weekly backup service for our Linux shared hosting packages for any customers who do not want to maintain their own backups.

There are also plugins which can be used to make the process of making backups easier.