8 Tips for Keeping your WordPress Installation Secure
We have been working with WordPress since our business was started in 2005. We have followed the software’s progress as it moved from a blogging platform into a very powerful content management system that is behind some of the most popular websites on the Internet. As of August 2013, WordPress is used by more than 18.9% of the top 10 million websites online.
Unfortunately, as the software’s popularity has risen, so have attempts to exploit, or hack, it. Hacked websites are now commonplace, and your own website may have been hacked at some point.
Iceberg Web Design takes website hacking very seriously, which is why we do all that we can to protect our customers’ websites from being exploited. Though WordPress itself has many security features built in, there are a number of things that you can do to strengthen the admin side of your website even more.
We utilize a number of additional security measures when we develop WordPress websites. From the use of security plugins to common sense practices when setting up your website, keeping the software updated, and strong security measures on our hosting servers, we are doing as much as we can to prevent hacking attempts before they even begin.
Following are 8 security steps that we take to ensure that our customers’ WordPress websites do not fall victim to hacking attempts.
#1: Don’t Use “admin” as Your Login ID
When WordPress was first released, it came with a pre-defined Admin username of – you guessed it – “admin”.
Many attackers use automated tools that try to log in with a single username and hundreds or thousands of passwords, a brute-force attack. The username tried most often against WordPress is “admin.” Create an administrator account with a different name, log in as that account, and delete the original “admin” user (WordPress will ask you to reassign its posts). Keep in mind that the new name is a speed bump rather than a secret: by default WordPress reveals author usernames through author archive URLs such as /?author=1, so the remaining steps still matter.
#2: Use A Strong Password
I can recall more than 4 cases over the last 10 years when we helped clean a hacked website because the website owner was using the username and password combination: admin/password.
I don’t think I need to go into detail about how important it is that you choose a strong password for your WordPress login, and for every other online account you have. The harder your password is to guess, the harder it is for an attacker to get into your website. Length matters most, so make it long; mix capital and lowercase letters, punctuation marks, and numbers; and never reuse a password from another site, because lists of leaked credentials are routinely replayed against WordPress logins.
If you’re having problems coming up with a password, here is a link to a random password generator you can use (we recommend choosing at least 12 characters for a very strong password!)
#3: Keep the software updated
As soon as software is released, attackers start looking for ways to exploit it, and the developers respond with fixes. Once a fix is published, the details of the vulnerability it closes are effectively public too, and attackers scan for sites that have not yet applied it.
Every new release of WordPress contains fixes for such vulnerabilities, and the same goes for plugins and themes, which are at least as common a way into a WordPress site as the core software. If you leave your website, plugins, or themes on outdated versions for too long, you are running a known and well-advertised risk of being exploited.
As part of Iceberg’s monthly website hosting service, we update all WordPress websites we develop as soon as we determine the most recent release is stable and compatible with our themes and plugins.
#4: Limit Login Attempts
Have you ever forgotten the password for your e-mail or online bank account, only to try logging in 20 times and eventually be met by a screen telling you that you’ve attempted to log in too many times, and the account is temporarily locked?
A similar security measure works for your WordPress installation. There are a number of plugins that will do this, but the one we use most frequently is called “Limit Login Attempts.”
The plugin gives each IP address a set number of login attempts (the default is 4). When that many attempts in a row fail, logins from that address are blocked for a set period of time, and the lockouts grow longer if the failures continue, up to banning the address outright. Two caveats: a botnet that spreads its guesses across many addresses stays under any per-IP limit, so this is a complement to a strong password, not a substitute for one; and if your site sits behind a proxy or load balancer, make sure the plugin is configured to see the real client address rather than the proxy’s, or a single bot will lock out every visitor.
#5: Get Login Notifications
Another option to keep hacking attempts at bay is to be notified instantly by e-mail whenever someone attempts to log into your website.
The WP Security Login Notification plugin keeps an eye on your website and tells you exactly when people are accessing, and trying to access, the admin side. Every time someone tries to log into the back end, you receive a notification e-mail with the time, the IP address, the username that was attempted, and whether the attempt succeeded or failed.
For websites with a lot of login traffic (e-commerce websites, for example) this is not the best option: if orders come in frequently or customers log into their accounts, you will receive a large number of e-mails. For websites with only a few users, however, the plugin is also a handy way to keep track of how often your users log in to manage content.
If you install a login notification plugin like this one and notice that your website is still receiving multiple failed logins per day, it may be time to consider hardening the WordPress installation with .htaccess protection (the next step).
#6: Use .htaccess Protection on the wp-login.php File
You can add an extra layer of protection by putting a server-level password (HTTP Basic authentication) on your wp-login.php file. Unless you are comfortable with .htaccess files and password hashing (htpasswd files), this is typically something to ask your website hosting provider to set up.
.htaccess protection adds a browser login prompt that must be passed before the standard WordPress login page is even served. This is the strongest control in this list because it stops attacks before they reach WordPress at all: bots scanning the web for WordPress logins get a 401 response from the web server and move on. Two things to check: Basic authentication only protects the password if the site is served over HTTPS, since over plain HTTP the browser sends the credentials merely base64-encoded; and wp-login.php is not the only place WordPress accepts a password, since xmlrpc.php authenticates too, so protect or disable that file as well if you do not use it.
Unfortunately, this strong WordPress protection is not suitable for every website. E-commerce websites, for example, need to allow their customers to access many of the Admin files in order to check out and manage their account. In this case, preventing access to the admin file would also be locking out legitimate customers. Fortunately, utilizing a number of the other options outlined here will still drastically reduce your chances of being exploited.
Iceberg Web Design places this .htaccess protection on all WordPress websites we develop that do not have public customer logins.
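For readers who want to do this themselves, here is what the protection looks like in the .htaccess file in the WordPress root. This is an added example, not Iceberg’s configuration or part of WordPress; the password-file path /var/www/example.com/.htpasswd is an assumed one, and the pattern covers xmlrpc.php as well as wp-login.php for the reason given above.

```apache
# Added example: HTTP Basic authentication in front of the WordPress login.
# Place this in the .htaccess file in the WordPress root, outside the
# "# BEGIN WordPress ... # END WordPress" block, which WordPress rewrites itself.
# The password file path below is an assumption; keep the file outside the
# document root so the web server can never serve it.
<FilesMatch "^(wp-login|xmlrpc)\.php$">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /var/www/example.com/.htpasswd
    Require valid-user
</FilesMatch>
```

Create the password file with Apache’s htpasswd tool, for example `htpasswd -c /var/www/example.com/.htpasswd yourname` (the -c flag creates the file; omit it when adding further users), and use a password that differs from your WordPress one. The hosting account must allow AuthConfig overrides in .htaccess or the block is ignored. If you rely on the WordPress mobile apps or Jetpack, which talk to xmlrpc.php, drop xmlrpc from the pattern or they will stop working.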
#7: Make Daily Backups
One of the features of Iceberg Web Design’s hosting service is that we perform daily backups of all website files, databases, and e-mail accounts. In the unfortunate event that your website has been exploited, we have the ability to quickly revert the site to a pre-hacked version.
There are WordPress backup plugins that you can download and install on your own website. However, we recommend also checking with your hosting provider to see if they provide server-level backups, and, whichever you use, make sure copies are kept somewhere other than the web server itself (a backup on a compromised server can be deleted or tampered with along with the site) and test a restore before you need one.
#8: Use a Reliable Website Hosting Provider
Choosing a secure, reputable website hosting provider is your first step in ensuring that your website remains hack-free. A large share of compromised WordPress websites are compromised at least in part through weaknesses in the hosting environment, such as outdated server software or other, less careful sites sharing the same server.
There are many choices when it comes to website hosting, and it can be tempting to pick the company with the cheapest offer. Don’t simply choose the cheapest service you can find; do your research and find out who is behind it and how they keep their servers patched and their customers separated. “Mega” hosting providers can sell cheaply because they pack hundreds of thousands of websites onto their servers, and that density is exactly what turns one neglected site into a problem for its neighbours.
Iceberg Web Design’s website hosting servers are located at the SAVVIS Datacenter in Boston – one of the most secure datacenters in the world. We also have introduced an additional security measure on our hosting servers to prevent WordPress from being hacked. If our servers detect more than 20 unsuccessful login attempts in 15 minutes, the Admin page of your WordPress installation will automatically be locked for 20 minutes. This will encourage the hackers to move on.
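The server-side rule just described, and the per-IP counting that the Limit Login Attempts plugin does in step #4, can both be checked against your own access logs. Here, as an added example that is not Iceberg’s or the plugin’s code, is a small Python script that replays web-server log lines and reports which addresses the 20-failures-in-15-minutes rule would lock out. It assumes the common Apache/nginx “combined” log format and relies on one WordPress behaviour: a failed POST to wp-login.php redraws the form with HTTP 200, while a successful login answers with a 302 redirect. The log lines it reads are constructed for the example.

```python
"""Spot WordPress login brute forcing in web-server access logs.

Added example, not code from the original article or from any plugin it names.
Assumes the Apache/nginx "combined" log format and the WordPress behaviour that
a failed POST to wp-login.php redraws the form with HTTP 200 while a successful
login answers with a 302 redirect. All log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The article's server rule: 20 failures within 15 minutes locks the login for 20 minutes.
MAX_FAILURES = 20
WINDOW = timedelta(minutes=15)
LOCKOUT = timedelta(minutes=20)


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop ?action=... query strings
        "status": int(m["status"]),
    }


def is_failed_login(rec):
    """A POST to wp-login.php answered with 200 means WordPress redrew the form: bad credentials."""
    return (rec["method"] == "POST"
            and rec["path"].endswith("/wp-login.php")
            and rec["status"] == 200)


def find_lockouts(lines, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
    """Replay the log and return (ip, locked_from, locked_until) for every lockout triggered.

    Failures are counted per source IP over a sliding window. Attempts made while an
    IP is already locked are ignored, as the server would refuse them anyway.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    locked_until = {}
    lockouts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        ip, ts = rec["ip"], rec["ts"]
        if ip in locked_until and ts < locked_until[ip]:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            locked_until[ip] = ts + lockout
            lockouts.append((ip, ts, ts + lockout))
            q.clear()
    return lockouts


def sample_log():
    """Constructed log: one bot hammering wp-login.php, one real user who mistypes once then succeeds."""
    base = datetime(2013, 8, 14, 3, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "POST /wp-login.php HTTP/1.1" {status} 3420 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip="203.0.113.7", status=200,
                        ts=(base + timedelta(seconds=10 * i)).strftime(TS_FMT))
             for i in range(25)]
    lines.append(fmt.format(ip="198.51.100.4", status=200,
                            ts=(base + timedelta(minutes=1)).strftime(TS_FMT)))
    lines.append(fmt.format(ip="198.51.100.4", status=302,
                            ts=(base + timedelta(minutes=2)).strftime(TS_FMT)))
    return lines


if __name__ == "__main__":
    for ip, start, end in find_lockouts(sample_log()):
        print(f"{ip}: locked from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

Run against the constructed log it reports one lockout, for 203.0.113.7, starting at its twentieth failure and lasting 20 minutes; the real user’s single failure never comes close. Pointed at a real access log (one line per list element), it gives you a quick way to see whether your host’s or plugin’s lockouts are actually firing, and the same POST-plus-200 test is what a login notification plugin is reacting to.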
Please feel free to contact us if you have any additional questions or concerns about your WordPress installation. We work hard to ensure that our customers’ websites remain free of exploits, and strive to do all that we can to protect them.
If you have any other great tips for securing WordPress websites, please leave them in the comments below!