
Securing a WordPress site

09/01/2018

WordPress powers a large share of the sites on the internet, which makes it an attractive target: when a vulnerability is found in the core, a theme or a plugin, attackers can scan for it and exploit it at scale within days.

Running a site on WordPress means making an extra effort to protect both the site and its visitors' data. Given the constant stream of core updates and the large number of third-party plugins in use, 100% protection is not achievable, but a number of measures go a long way towards protecting a WordPress installation from the majority of attacks.

Update, update, update!

Keep the WordPress core, every plugin and every theme (including inactive ones) updated to their latest versions. Updates frequently contain security patches, and a patch is also a public hint of where the flaw is, so apply them promptly even when the identified vulnerability looks hard to exploit. Remove plugins and themes you no longer use rather than leaving them installed and unpatched.

Watch your back!

Equally important is restricting access to the WordPress administration area, the online dashboard from which the site is managed. Grant administrator accounts only to people who need them, and give everyone else the lowest role (editor, author, contributor or subscriber) that covers their tasks. Another worthwhile control is limiting the number of incorrect login attempts, per account and per source IP, which slows down brute-force attacks and password guessing. Plugins such as “WP Limit Login Attempts” exist specifically for this; needless to say, the plugin itself must be kept updated as well.

Don’t call yourself “admin”

Many attackers assume the administrator username is “admin”, because older WordPress installers created that account automatically (the installer has let you choose the username since WordPress 3.0, but “admin” is still very common). If your site has an “admin” user, create a new administrator with a less guessable name, log in as that user and delete “admin”, reassigning its posts to the new account. WordPress does not let you change a username from the dashboard, so creating a new user and deleting the old one is the supported route. Bear in mind that this only removes the easy guess: by default WordPress exposes usernames through author archives (/?author=1) and the REST API (/wp-json/wp/v2/users), so a determined attacker can still enumerate accounts, and the strength of the password and the attempt limiting matter more than the username itself.
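The two enumeration channels mentioned above, and the WP-CLI steps for replacing an “admin” account, as an added example (not code from the original article). The parsers run on constructed sample responses; example.com, the user names and the JSON are made up, and the live probe and the WP-CLI function need a real site and are not exercised here.

```shell
#!/bin/sh
# Added example, not from the article. Part 1: parsers showing how WordPress
# leaks usernames in responses it gives out by default (run on constructed
# data). Part 2: WP-CLI steps for replacing the "admin" user on a real install.

# With pretty permalinks, /?author=1 redirects to /author/<user_nicename>/.
# author_from_location <Location header value> : prints the nicename
author_from_location() {
  printf '%s\n' "$1" | sed -n 's#.*/author/\([^/]*\)/*.*#\1#p'
}

# /wp-json/wp/v2/users lists accounts with a "slug" field unless restricted.
# slugs_from_rest_json <JSON body> : prints one slug per line
slugs_from_rest_json() {
  printf '%s\n' "$1" | grep -o '"slug":"[^"]*"' | sed 's/"slug":"\(.*\)"/\1/'
}

# probe_live_site <https://site> : runs both checks against a real site
# (needs network; not exercised in the dry run below)
probe_live_site() {
  site="$1"
  loc=$(curl -s -o /dev/null -w '%{redirect_url}' "$site/?author=1")
  [ -n "$loc" ] && echo "author archive leaks: $(author_from_location "$loc")"
  body=$(curl -s "$site/wp-json/wp/v2/users")
  slugs=$(slugs_from_rest_json "$body")
  [ -n "$slugs" ] && echo "REST API leaks: $(printf '%s' "$slugs" | tr '\n' ' ')"
}

# replace_admin_user <new_login> <email> <password> : WP-CLI, run from the site
# root on a real install. Creates a new administrator, then deletes "admin"
# and reassigns its posts and pages to the new account.
replace_admin_user() {
  new_id=$(wp user create "$1" "$2" --role=administrator --user_pass="$3" --porcelain) || return 1
  wp user delete admin --reassign="$new_id" --yes
}

# Constructed responses standing in for captured ones.
SAMPLE_LOCATION='https://example.com/author/alice/'
SAMPLE_REST_JSON='[{"id":1,"name":"Alice","slug":"alice"},{"id":2,"name":"Bob","slug":"bob"}]'

author_from_location "$SAMPLE_LOCATION"    # alice
slugs_from_rest_json "$SAMPLE_REST_JSON"   # alice and bob, one per line
```

If either probe prints a name, renaming “admin” has bought little: block the author-ID redirect and restrict the users endpoint to authenticated requests, or accept that usernames are public and rely on password strength and attempt limiting.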

Use email to log in

By default, WordPress accepts a username to log in. Since WordPress 4.5 it also accepts the account's email address, so a plugin such as “WP Email Login” is only needed on older versions. Logging in by email is a modest improvement: email addresses are not exposed by WordPress in the ways usernames are, and every WordPress account has a unique one. It is not a strong control on its own, because an administrator's email address is often guessable or published elsewhere.

Use a strong Pa$$W0.r;D!

Strong passwords are a basic requirement for securing any system. Length and unpredictability matter more than composition rules: a long passphrase or a randomly generated password kept in a password manager resists guessing far better than a short word dressed up with substitutions such as “Pa$$W0rd”, which appear in every attacker's wordlist. Never reuse a password that is used on another site, since leaked credential lists are tried against WordPress logins routinely, and treat WordPress's own strength meter as a minimum bar rather than a target.

Rename the WP log in URL

By default, the WordPress login page is at “www.yoursite/wp-login.php” and the admin area at “www.yoursite/wp-admin”. Because every attacker knows these paths, automated tools hit them with lists of common usernames and passwords (username “admin”, password “p@ssword”, and millions of similar combinations harvested from previous breaches). A plugin such as “Lockdown WP Admin” lets administrators move the login page to an address of their choosing. Treat this as obscurity rather than protection: it cuts down log noise from unsophisticated scanners, but xmlrpc.php still accepts credentials unless it is disabled, so attempt limiting and strong passwords remain the real controls.
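The attempt-limiting point from “Watch your back!” and the brute-force point here can be seen in a web-server access log, which is also how you check whether a limiting plugin is actually working. This is an added example, not code from the original article: it counts failed login POSTs per source address in a constructed combined-format log sample (documentation IP ranges, made-up timestamps) and flags addresses that reach a threshold. A failed wp-login.php POST is answered with HTTP 200 (the form is re-rendered) and a successful one with a 302 to wp-admin; xmlrpc.php answers 200 either way, so every POST to it is counted.

```shell
#!/bin/sh
# Added example, not from the article: spot password guessing in an access log.
# Failed wp-login.php POST -> 200 (form re-rendered); success -> 302 to wp-admin.
# xmlrpc.php returns 200 whether the credentials were right or not, so all its
# POSTs are counted; attackers use it for guessing too, which is why renaming
# the login URL alone does not stop them.

LOGFILE=$(mktemp)
# Constructed sample in combined log format (not real traffic).
cat > "$LOGFILE" <<'EOF'
203.0.113.7 - - [09/Jan/2018:10:00:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3572 "-" "python-requests/2.18"
203.0.113.7 - - [09/Jan/2018:10:00:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3572 "-" "python-requests/2.18"
203.0.113.7 - - [09/Jan/2018:10:00:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3572 "-" "python-requests/2.18"
203.0.113.7 - - [09/Jan/2018:10:00:03 +0100] "POST /wp-login.php HTTP/1.1" 200 3572 "-" "python-requests/2.18"
203.0.113.7 - - [09/Jan/2018:10:00:03 +0100] "POST /wp-login.php HTTP/1.1" 200 3572 "-" "python-requests/2.18"
203.0.113.7 - - [09/Jan/2018:10:00:04 +0100] "POST /wp-login.php HTTP/1.1" 200 3572 "-" "python-requests/2.18"
198.51.100.4 - - [09/Jan/2018:10:01:10 +0100] "POST /wp-login.php HTTP/1.1" 200 3572 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.4 - - [09/Jan/2018:10:01:25 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.4 - - [09/Jan/2018:10:01:26 +0100] "GET /wp-admin/ HTTP/1.1" 200 41211 "https://example.com/wp-login.php" "Mozilla/5.0"
203.0.113.9 - - [09/Jan/2018:10:02:00 +0100] "POST /xmlrpc.php HTTP/1.0" 200 413 "-" "-"
203.0.113.9 - - [09/Jan/2018:10:02:00 +0100] "POST /xmlrpc.php HTTP/1.0" 200 413 "-" "-"
203.0.113.9 - - [09/Jan/2018:10:02:01 +0100] "POST /xmlrpc.php HTTP/1.0" 200 413 "-" "-"
203.0.113.9 - - [09/Jan/2018:10:02:01 +0100] "POST /xmlrpc.php HTTP/1.0" 200 413 "-" "-"
203.0.113.9 - - [09/Jan/2018:10:02:02 +0100] "POST /xmlrpc.php HTTP/1.0" 200 413 "-" "-"
EOF

# failed_logins <logfile> : prints "<count> <ip> <path>", most active first.
# Field layout of the combined format: $1 client IP, $6 "METHOD, $7 path, $9 status.
failed_logins() {
  awk '$6 == "\"POST" && (($7 == "/wp-login.php" && $9 == 200) || $7 == "/xmlrpc.php") {
         n[$1 " " $7]++
       }
       END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# flag_brute_force <logfile> <threshold> : prints each IP whose failures on one
# endpoint reach the threshold; feed the result to a firewall or fail2ban jail.
flag_brute_force() {
  failed_logins "$1" | awk -v t="$2" '$1 >= t { print $2 }' | sort -u
}

failed_logins "$LOGFILE"
flag_brute_force "$LOGFILE" 5
```

On the sample, the one mistyped password from 198.51.100.4 stays below the threshold while both scanners are flagged; on a real log the same filter, run over a sliding window, is the basis of a fail2ban rule that covers xmlrpc.php as well as the login page.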

Backup regularly

Keep regular off-site backups of the WordPress site, because no installation is so secure that it can never be compromised or broken. A backup needs to cover the database, wp-config.php and wp-content (uploads, themes and plugins); the rest can be downloaded again. Store it somewhere the web server cannot overwrite, keep several generations, and test restoring from it, since a backup that has never been restored is an assumption rather than a safeguard. Take one before every update so that a broken update can be rolled back.
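A minimal backup-and-verify routine for the parts listed above, as an added example that is not code from the original article. It archives wp-config.php and wp-content, records a SHA-256 digest, and then proves the archive can be listed and extracted, which is the restore test most sites skip. The directory tree is constructed for a dry run; the database dump uses WP-CLI and needs a real install, so it is defined but not run here.

```shell
#!/bin/sh
# Added example, not from the article: back up the parts of a WordPress site
# that cannot be re-downloaded and verify that the backup is restorable.

# sha256 <file> : prints the digest with whichever tool the host has
sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# dump_database <outfile> : WP-CLI, run from the site root on a real install
# (not exercised in the dry run below)
dump_database() {
  wp db export "$1" --add-drop-table
}

# backup_site <wp_root> <dest_dir> : writes a timestamped archive plus a .sha256
# file beside it and prints the archive path. If wp-config.php was moved above
# the document root, add its real location to the tar arguments.
backup_site() {
  root="$1"; dest="$2"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive="$dest/wp-backup-$stamp.tar.gz"
  mkdir -p "$dest"
  tar -czf "$archive" -C "$root" wp-config.php wp-content || return 1
  sha256 "$archive" > "$archive.sha256"
  printf '%s\n' "$archive"
}

# verify_backup <archive> : digest matches, archive lists cleanly, config is inside
verify_backup() {
  [ "$(sha256 "$1")" = "$(cat "$1.sha256")" ] || return 1
  tar -tzf "$1" >/dev/null || return 1
  tar -tzf "$1" | grep -q '^wp-config.php$' || return 1
}

# restore_test <archive> : extracts into a scratch directory and checks the result
restore_test() {
  scratch=$(mktemp -d)
  tar -xzf "$1" -C "$scratch" && [ -f "$scratch/wp-config.php" ] \
    && [ -d "$scratch/wp-content/uploads" ]
}

# Dry run on a constructed tree (not a real site)
SITE=$(mktemp -d); BK=$(mktemp -d)
mkdir -p "$SITE/wp-content/uploads"
printf '%s\n' '<?php /* constructed wp-config.php */' > "$SITE/wp-config.php"
printf 'x' > "$SITE/wp-content/uploads/a.txt"
ARCHIVE=$(backup_site "$SITE" "$BK")
verify_backup "$ARCHIVE" && restore_test "$ARCHIVE" && echo "backup verified: $ARCHIVE"
```

Copy the archive and its digest file off the host (object storage, another server) and run verify_backup on the copy, not on the original; a backup that only exists on the web server goes down with it.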

Protect the “config”

The “wp-config.php” file holds the database credentials, authentication keys and salts and other secrets of the WordPress installation, which makes it one of the most sensitive files in the site's root folder. Anyone who can read it can read the database, so keeping it out of reach greatly increases the difficulty of a breach. WordPress supports moving wp-config.php one directory above the document root, where the web server cannot serve it: wp-load.php looks there automatically, but only one level up, and only if that directory does not contain another WordPress install. Also set restrictive file permissions (600 or 640, readable by the web server user only) and, if the file has to stay in the document root, add a web-server rule that denies requests for it, so that a misconfiguration which serves PHP files as plain text does not expose its contents.
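The three steps above (move the file one level up, tighten its permissions, deny web access if it must stay put) as an added example, not code from the original article. It runs as a dry run in a temporary directory tree that is constructed here; the path names and the sample file contents are made up.

```shell
#!/bin/sh
# Added example, not from the article. Moves wp-config.php one directory above
# the document root, where the web server cannot serve it, and tightens its
# permissions. wp-load.php looks in the parent directory automatically, but
# only one level up and only if that directory is not itself a WordPress
# install (it checks for wp-settings.php there). Tree below is constructed.

# harden_wp_config <docroot> : moves <docroot>/wp-config.php to the parent dir, mode 640
harden_wp_config() {
  docroot="$1"
  parent=$(dirname "$docroot")
  if [ ! -f "$docroot/wp-config.php" ]; then
    echo "no wp-config.php in $docroot" >&2; return 1
  fi
  if [ -f "$parent/wp-settings.php" ]; then
    echo "$parent holds another WordPress install; WordPress would ignore wp-config.php there" >&2; return 1
  fi
  if [ -e "$parent/wp-config.php" ]; then
    echo "refusing to overwrite $parent/wp-config.php" >&2; return 1
  fi
  mv "$docroot/wp-config.php" "$parent/wp-config.php" || return 1
  # owner (deploy user) read/write, group (web server) read, nobody else
  chmod 640 "$parent/wp-config.php"
}

# config_is_world_readable <file> : succeeds if "other" has any permission bit set
config_is_world_readable() {
  [ "$(ls -ld "$1" | cut -c8-10)" != "---" ]
}

# deny_rule apache|nginx : the rule to add when the file must stay in the docroot
deny_rule() {
  case "$1" in
    apache) printf '%s\n' '<Files "wp-config.php">' '    Require all denied' '</Files>' ;;  # Apache 2.4 syntax
    nginx)  printf '%s\n' 'location = /wp-config.php { deny all; }' ;;
    *) return 1 ;;
  esac
}

# Dry run in a temporary tree (constructed; not a real site)
DEMO=$(mktemp -d)
mkdir -p "$DEMO/public_html"
printf '%s\n' '<?php define("DB_PASSWORD", "constructed-example");' > "$DEMO/public_html/wp-config.php"
chmod 644 "$DEMO/public_html/wp-config.php"
if config_is_world_readable "$DEMO/public_html/wp-config.php"; then echo "before: world-readable"; fi
harden_wp_config "$DEMO/public_html"
ls -l "$DEMO/wp-config.php"
deny_rule apache
```

After the move, check that the site still loads; if it does not, the usual cause is that the parent directory is a second WordPress checkout (the wp-settings.php guard above) or that the web server user is not in the file's group.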


The WordPress platform and its ecosystem of third-party plugins make it easy to set up a website, but the updates needed to keep all of those pieces secure do not always arrive in step, so 100% protection is clearly difficult. Taking these simple steps will nonetheless go a long way towards maintaining the integrity of a WordPress installation.


Matthew Spiteri is frontend developer at Deloitte Digital Malta. For more information, please visit www.deloittedigital.com.mt/web-mobile-development