Make your WordPress site more secure – part 1


Is WordPress a secure platform for your website? In the past, a number of high-profile security vulnerabilities have led many people to conclude that it isn’t. However, these vulnerabilities have always been fixed quickly, the product has matured and security updates are released every few months. I would say that WordPress is now an extremely secure web-development platform.
 
Of course, hacking still affects many WordPress sites, simply because of the sheer number of WordPress sites out there (it’s the most popular CMS in the world). Its popularity, especially with inexperienced users, probably makes it a particular target for hackers. But, with a bit of effort, you can tighten the security of your site and considerably reduce your chances of being attacked.
 
Over the next few posts I will describe some of the security measures that you can take. In this post, I will start with the obvious (and easy) ones:
 
1. Use secure passwords
It’s obvious, but always worth restating. Make sure that you have secure passwords for WordPress, SFTP, control panel, database and any other logins. Passwords should be a combination of upper- and lower-case letters, numbers and special characters and should contain no recognisable names or words (in any language). Passwords should be changed regularly. I suspect a large proportion of hacked websites could have been avoided with better passwords.
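The rules above can be turned into a simple check that a site owner can run over a candidate password before using it for WordPress, SFTP, the control panel or the database. The following script is an added example, not code from the original post: it enforces the character-class rules, then strips the common letter-for-symbol substitutions (such as "@" for "a" or "0" for "o") before looking for dictionary words and names, so that "P@ssw0rd" is still rejected. The minimum length of 12 and the small built-in wordlist are assumptions; in practice the wordlist would be replaced by a real multi-language dictionary or breached-password list.

```python
"""Check a candidate password against the rules in point 1.

Added example, not part of the original post. Assumptions: the minimum
length (the post gives none) and the tiny constructed wordlist, which stands
in for a real multi-language dictionary or breached-password list.
"""
import re
import unicodedata

MIN_LENGTH = 12  # assumption: the post does not state a minimum length

# Constructed stand-in for a real dictionary / name list (several languages).
WORDLIST = {"password", "welcome", "wordpress", "admin", "london", "secret",
            "letmein", "summer", "passwort", "contraseña", "mot de passe"}

# Letter-for-symbol substitutions that password-guessing tools try by default.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(text):
    """Lower-case, undo leet substitutions, strip accents, keep letters only."""
    text = text.lower().translate(LEET)
    text = unicodedata.normalize("NFKD", text)  # "ñ" -> "n" + combining mark
    return "".join(c for c in text if c.isalpha())  # combining marks drop out


def contains_word(password, wordlist=WORDLIST, min_word=4):
    """True if any wordlist entry of at least min_word letters survives
    inside the normalised password (so substitutions do not hide it)."""
    core = normalise(password)
    for word in wordlist:
        w = normalise(word)
        if len(w) >= min_word and w in core:
            return True
    return False


def check_password(password):
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if contains_word(password):
        problems.append("contains a dictionary word or name")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the first looks complex but is built on a word.
    for candidate in ("P@ssw0rd2024!", "Tq7#vLm9!xRz2$"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Note that the character-class rules alone would have accepted "P@ssw0rd2024!"; it is the normalisation step that catches it. A password manager that generates long random strings passes this check without any effort on the user's part, which is the easiest way to follow the advice above.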
 
2. Don’t use ADMIN as your WordPress username
I’ve written about this in a previous post. Many attacks target common usernames such as ADMIN, ADMINISTRATOR, TEST…. ADMIN is a particular target, as it was the default administrator login for earlier versions of WordPress. If you’re using ADMIN (or any other guessable word or name) as your administrator username, change it immediately: create a new administrator user, log in as that user and delete the old one, reassigning all of its content to the new user.
 
3. Don’t use unencrypted FTP
Use SFTP, FTPS or SSH to transfer files to and from your server, so that passwords are encrypted and cannot be intercepted by an attacker.
 
4. Use the latest versions of WordPress, templates and plugins
WordPress is updated regularly, as, hopefully, are any templates and plugins that you use, to fix security vulnerabilities. It is essential that you keep all of this software up to date.
 
5. Use trusted plugins and themes
Do not get plugins/themes from untrusted sources. Restrict yourself to the WordPress.org repository or well-known companies.
 
6. Use a good hosting company
Make sure your hosting company takes security seriously, has appropriate firewalls on the server and runs secure, stable versions of all server software.
 
See also:
Make your WordPress site more secure – part 2
Make your WordPress site more secure – part 3
 
If you’d like help with making your WordPress site more secure, or if you’d like a review of your site’s current security set-up, please get in touch.