WordPress security TODO list

WordPress Security Basics

It can’t be said enough. WordPress is the most popular CMS (Content Management System) on the planet. It’s used by more than 63% of all websites using a CMS, and 43% of any kind of website. That sort of popularity makes it attractive to hackers, so knowing and implementing some basic WordPress security tactics is critical.

At its core, WordPress is a secure platform. The problem is, as soon as a new user installs it, there’s a chance of them doing something that will diminish its inherent security.

So let’s walk through some steps you can take to lock down your WordPress site a little bit more. This assumes you’ve already installed and activated a security plugin and created a strong admin password. If not, do that right away, and then consider the following.

WordPress Security Tip #1 – SSL

Depending on your host, there’s a good chance they offer a free SSL certificate so that all data between your visitors and your site is transferred encrypted.

SSL, which stands for Secure Sockets Layer (its modern successor is TLS, though the SSL name has stuck), is what turns your HTTP address into an HTTPS address. The certificate is proof that your domain name has been bound to a cryptographic key pair: a public key that is published in the certificate and a private key that only your server holds.

If your host doesn’t include a free certificate, check out Let’s Encrypt.

WordPress Security Tip #2 – Themes

There’s a good chance that one of the first things you’ll add to the WordPress core files is a theme.

WordPress offers an endless array of themes via its theme repository, and you can also find countless themes, both free and premium, elsewhere online. However, you must choose a theme with caution. Anything in the WordPress repository has been reviewed; anything else is potentially unsafe. There are many reputable WordPress theme developers, and it’s a good idea to stick with them, although this typically means you’ll have to pay for your theme.

This isn’t to say that all free themes are problematic, but you want to do your due diligence and make sure you’re getting the theme from a trusted developer: one who is not quietly adding code or malware to the theme without your knowledge. Because yes, that does happen.

WordPress Security Tip #3 – Plugins

Whatever you want your WordPress site to do, there’s typically a plugin that will do it for you. And just like themes, you can find them in the WordPress plugin repository. However, plugins are often abandoned by their developers, and you shouldn’t install a plugin that’s not kept up to date.

Security vulnerabilities in plugins are continuously being found and announced, and that information is available to anyone, including hackers. If you don’t have automatic updates turned on, or don’t make a habit of regularly checking for updates, there’s a good chance a hacker will have written a script and let it loose on the web, actively scanning for sites that still run the vulnerable version.

[Image: WordPress security in dire straits, a dashboard with 27 plugin updates pending. How not to do it! Update your plugins and themes!]

Keep your themes and your plugins up-to-date.

WordPress Security Tip #4 – Core Updates

This is more important than ever. In the past, WordPress offered security support for a larger selection of older versions. But as of the end of 2022, WordPress no longer issues security updates for some older versions, specifically versions 3.7 through 4.0.

Failure to update your site increases your risk of getting hacked.

It’s good practice to keep your site up to date with the most current version, but at the very least, make sure you’re using version 4.1 or newer.

WordPress Security Tip #5 – Backups

Backups and updates should happen in tandem: if you’re about to update, take a backup first. That said, backups should be a regular part of your routine regardless of updates.

When people talk about WordPress security, they usually mean keeping the site secure from outside attacks. But another form of protecting a site is making sure you can revive it if something goes wrong, and that’s where backups come in. If you’ve updated a theme or plugin and it breaks something on your site, you can rest easy knowing you have a backup to roll back to.

How often you back up your site will probably depend on how often you update your content. Just be sure to schedule backups regularly. Your host will often keep a few, but those are not a substitute for backups you hold yourself, stored somewhere other than the hosting account.

Need a backup plugin? One option is UpdraftPlus.

WordPress Security Tip #6 – Limit Login Attempts

Out of the box, WordPress allows users to make unlimited attempts to log in. This opens the door to brute force and dictionary attacks, both of which are attempts to guess your password and gain access to your admin area.

When you use a plugin to limit login attempts, it tracks the number of times an IP address tries and fails to log in, and once that number crosses a threshold it blocks further attempts from that address, usually for a set period of time.

Full-featured security plugins will typically have this feature, but you can also find feature-specific plugins like Limit Login Attempts.
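To show what such a plugin does under the hood, here is a small must-use plugin written for this article as an added example; it is not code from the page, from WordPress core, or from the Limit Login Attempts plugin. It counts failed logins per client IP address in a WordPress transient, locks the address once the count reaches a limit, and refuses every login from a locked address until the lockout expires. The limit, window and lockout length, the transient names and the `example_lt_` function names are assumptions chosen for illustration; `wp_login_failed`, `wp_login`, the `authenticate` filter and the transient functions are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Example Login Throttle
 * Description: Added example for this article, not the page's own plugin.
 *
 * Drop this file into wp-content/mu-plugins/ and WordPress loads it
 * automatically. Thresholds below are assumptions chosen for illustration.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

define( 'EXAMPLE_LT_MAX_FAILURES', 5 );                       // failures allowed per window
define( 'EXAMPLE_LT_WINDOW', 15 * MINUTE_IN_SECONDS );        // how long failures are remembered
define( 'EXAMPLE_LT_LOCKOUT', 30 * MINUTE_IN_SECONDS );       // how long a locked address waits

/**
 * Address used as the throttling key. REMOTE_ADDR is the TCP peer and cannot
 * be set by the client. Only trust X-Forwarded-For when a proxy you control
 * sets it; otherwise the header can be rotated freely to dodge the limit.
 */
function example_lt_client_ip() {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
	return filter_var( $ip, FILTER_VALIDATE_IP ) ?: '0.0.0.0';
}

function example_lt_fail_key( $ip ) {
	return 'example_lt_fail_' . md5( $ip );
}

function example_lt_lock_key( $ip ) {
	return 'example_lt_lock_' . md5( $ip );
}

/** Count a failed attempt and lock the address once the limit is reached. */
function example_lt_on_failed_login( $username ) {
	$ip    = example_lt_client_ip();
	$count = (int) get_transient( example_lt_fail_key( $ip ) ) + 1;
	set_transient( example_lt_fail_key( $ip ), $count, EXAMPLE_LT_WINDOW );

	if ( $count >= EXAMPLE_LT_MAX_FAILURES ) {
		set_transient( example_lt_lock_key( $ip ), time(), EXAMPLE_LT_LOCKOUT );
		// Leave a trace in the PHP error log so the lockout can be reviewed.
		error_log( sprintf( 'example_lt: locked out %s after %d failures (last username tried: %s)', $ip, $count, $username ) );
	}
}
add_action( 'wp_login_failed', 'example_lt_on_failed_login' );

/** Refuse every login from a locked address, even with valid credentials. */
function example_lt_check_lock( $user, $username, $password ) {
	$ip = example_lt_client_ip();
	if ( false !== get_transient( example_lt_lock_key( $ip ) ) ) {
		return new WP_Error( 'example_lt_locked', __( 'Too many failed login attempts. Please try again later.' ) );
	}
	return $user;
}
// Priority 99 runs after WordPress' own password check (priority 20), so a
// locked address is rejected regardless of what that check returned.
add_filter( 'authenticate', 'example_lt_check_lock', 99, 3 );

/** A successful login clears the failure counter for that address. */
function example_lt_on_login( $user_login, $user ) {
	delete_transient( example_lt_fail_key( example_lt_client_ip() ) );
}
add_action( 'wp_login', 'example_lt_on_login', 10, 2 );
```

Two design points worth noting. Transients live in the options table (or the object cache when one is configured), so the counter survives across requests without a custom table, and the expiry on the transient is what makes the lockout temporary. And because the check sits on the `authenticate` filter rather than on the login form, it also covers XML-RPC and REST logins that bypass wp-login.php.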

WordPress Security Tip #7 – Event Logging

For sites that have multiple users or authors, monitoring user activity is important. Even though these users don’t have full admin access, they can still make changes that affect site security.

For example, you might have a WordPress site that allows contributors or authors to publish their own articles or other content, which could involve uploading media files. Or someone could unpublish something you don’t want unpublished.

Having a record or audit trail of anything that happens on your site that impacts security means you’re always aware of site activity and, if necessary, you can take immediate action.

Additionally, it provides a record of legitimate changes that a site administrator made and may need to backtrack on, such as a plugin update that causes something to go wrong.

An activity log can help you find the cause of a problem and then your backup can help you reverse the problem.

If you aren’t currently using an event logging plugin, check out WP Admin Audit.
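As an added example of what an audit trail like the one described above looks like in practice, here is a minimal must-use plugin written for this article; it is not code from the page or from the WP Admin Audit plugin. It hooks the WordPress events the tips above mention (logins and failed logins, content being published or unpublished, media uploads, plugin activation and updates, role changes) and appends one JSON line per event, recording who did what, from where and when. The log path and the `example_al_` names are assumptions; every hook used is a standard WordPress action.

```php
<?php
/**
 * Plugin Name: Example Security Audit Log
 * Description: Added example for this article, not the page's own plugin.
 *
 * Drop this file into wp-content/mu-plugins/. The log path is an assumption:
 * it sits one level above the web root so the file cannot be fetched over HTTP.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

define( 'EXAMPLE_AL_FILE', dirname( ABSPATH ) . '/wp-audit.log' );

/** Append one structured record: who, what, from where, when. */
function example_al_record( $event, array $details = array() ) {
	$user = wp_get_current_user();
	$row  = array(
		'ts'      => gmdate( 'c' ),
		'event'   => $event,
		'user'    => $user->exists() ? $user->user_login : null,
		'ip'      => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : null,
		'details' => $details,
	);
	// LOCK_EX serialises concurrent requests so lines are never interleaved.
	file_put_contents( EXAMPLE_AL_FILE, wp_json_encode( $row ) . PHP_EOL, FILE_APPEND | LOCK_EX );
}

// Logins and failed logins (the failure record is what a throttle plugin also counts).
add_action( 'wp_login', function ( $login, $user ) {
	example_al_record( 'login', array( 'user' => $login, 'roles' => $user->roles ) );
}, 10, 2 );
add_action( 'wp_login_failed', function ( $username ) {
	example_al_record( 'login_failed', array( 'user' => $username ) );
} );

// Content published, unpublished or trashed by any author or contributor.
add_action( 'transition_post_status', function ( $new, $old, $post ) {
	// Skip no-op transitions, the editor's auto-draft, and attachments (logged below).
	if ( $new === $old || 'auto-draft' === $new || 'attachment' === $post->post_type ) {
		return;
	}
	example_al_record( 'post_status', array(
		'post_id' => $post->ID,
		'type'    => $post->post_type,
		'from'    => $old,
		'to'      => $new,
	) );
}, 10, 3 );

// Media uploads: record the stored file name alongside the attachment id.
add_action( 'add_attachment', function ( $post_id ) {
	example_al_record( 'media_upload', array(
		'post_id' => $post_id,
		'file'    => basename( (string) get_attached_file( $post_id ) ),
	) );
} );

// Plugin activation and deactivation.
add_action( 'activated_plugin', function ( $plugin ) {
	example_al_record( 'plugin_activated', array( 'plugin' => $plugin ) );
} );
add_action( 'deactivated_plugin', function ( $plugin ) {
	example_al_record( 'plugin_deactivated', array( 'plugin' => $plugin ) );
} );

// Any core, plugin or theme update; $extra tells us which kind and which items.
add_action( 'upgrader_process_complete', function ( $upgrader, $extra ) {
	$items = array();
	if ( isset( $extra['plugins'] ) ) {
		$items = $extra['plugins'];
	} elseif ( isset( $extra['themes'] ) ) {
		$items = $extra['themes'];
	}
	example_al_record( 'update', array(
		'type'   => isset( $extra['type'] ) ? $extra['type'] : 'unknown',
		'action' => isset( $extra['action'] ) ? $extra['action'] : 'unknown',
		'items'  => $items,
	) );
}, 10, 2 );

// Role changes: a contributor quietly becoming an administrator is worth noticing.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
	example_al_record( 'role_change', array( 'target' => $user_id, 'to' => $role, 'from' => $old_roles ) );
}, 10, 3 );
```

Because each line is self-contained JSON with a timestamp, the file can be shipped to whatever log tooling you already use, and the `post_status` records are exactly what you would search for when working out which change broke the site before restoring the backup from the previous tip.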

WordPress Security: Make Sure You Cover the Basics

WordPress security is rarely one-size-fits-all. There are several extensive security programs that offer a full array of features you can pick and choose from, but you also have the choice of layering your own selection of security plugins, for example an independent backup plugin paired with an independent admin audit plugin.

However you choose to do so, just make sure to cover all of the WordPress security basics.

And then?

Check out our article on how to harden your WordPress security beyond the basics.