WordPress and Security – an Important Guide

WordPress powers approximately 50% of all the websites online around the world. This means that it is a very attractive platform for hackers to try and compromise as it gives them the ability to take down many websites in just one go.

We’ve prepared this guide to help you understand the risks and threats as well as explaining how you can defend against them. 

Choose a custom username and strong password

The default WordPress login is “admin” and all WordPress hackers know this. Usernames can only be changed using phpMyAdmin after WordPress is installed so it is important to choose an un-common username when installing WordPress.

Assuming you are using Softaculous for installing WordPress, you may specify the username on the installation setup screen.

Good strong passwords are equally important for basic security of your WordPress. Choose a selection of letters and numbers not based on a dictionary word. Worried about how you might remember it? We suggest using RoboForm or LastPass tools in order to securely store all your passwords.

Do not use the same username and password as your hosting account or any other installed web application.

Perform updates on a constant basis

Update your WordPress installation regularly. We suggest that you check for updates at least once a week as WordPress developers frequently release new updates/patches to secure any security holes that hackers have exposed.

You can update WordPress from the admin area or you can update WordPress directly from within Softaculous. Please find a step-by-step tutorial here.

Back up regularly

Back up your WordPress blog regularly. This means that if you are faced with a hacking attack, you can quickly and easily roll back at any time. At Namecheap, we have two backup options available for you.

Recommended backups – CodeGuard

Our partnership with CodeGuard gives you an easy point-and-click method of backing up WordPress. CodeGuard will back up your entire account as well as scan the account for any malicious changes (from hackers) and alert you if it notices anything untoward. Namecheap customers get a significant discount on CodeGuard subscription services. We have created the guide How to backup WordPress site Using CodeGuard to help you get acquainted with this service.

Alternative method – Softaculous backup

Softaculous also has a backup option. Check Backup or Delete WordPress with Softaculouspart of our How to Install WordPress using Softaculous article to learn how to use it.

Use themes and plugins developed by officially recommended suppliers 

Many themes and plugins are available for WordPress offering a variety of options and opportunities for your website. Here are our recommendations on which themes and plugins you should choose.

Free Themes – important note

If you wish to use free themes, we suggest you install only free themes that you can search for through your WordPress Admin area at Appearance >> Install Themes tab. These have all been vetted and approved by the official WordPress developers and are safe for use.

We do not recommend you download free themes from third party non-verified websites unless you are 100% sure the theme you are about to download is “clean”.

Free Plugins – important note

We strongly recommend you only use free plugins that are rated highly and have been recently released or updated. WordPress shows you the star rating and the latest updates for any particular plugin through the WP Admin area once you request for more details of a plugin you liked. A high number of downloads and excellent star ratings mean the plugin is used and liked by many other WordPress users and recent updates show that the developers are committed to keeping it secure.

Paid Themes and Plugins

The following sites offer paid themes and plugins and are reputable:

Security Plugins

We recommend you download and enable the following security plugins. These help keeping your WordPress website secure:

1. WordPress Firewall 2 

This WordPress plugin investigates web requests with simple, WordPress-specific heuristics, to identify and stop the most obvious attacks.

Main settings: 

1. You can choose options and actions that will be blocked by firewall.

2. Here, an email address can be specified to receive warnings and notifications from the plugin.

3. With this option, you can whitelist trusted IP addresses.

2. BulletProof Security 

BulletProof Security uses .htaccess website security files, which are specific to Apache Linux Servers. The BulletProof Security WordPress Security plugin is designed to be a fast, simple and one click security plugin to add .htaccess website security protection for your WordPress website.

There are many options available with the BulletProof Security plugin, and you can find details using “Read Me” option. But the main one we are going to use is .htaccess protection that can be enabled with “BulletProof Mode” radio button for each .htaccess.

 3. Better WP secrurity.

As most WordPress attacks are results of plugin vulnerabilities, weak passwords, and obsolete software, Better WP Security will hide the places where those vulnerabilities live, preventing an attacker from learning too much about your site and keeping him away from sensitive areas like login and admin areas, etc.

Many different security options are available with this plugin, but you can simply enable basic security mode using “Secure My Site From Basic Attacks” (1.)

Or enable each separate option you need (2.) 

Optimization Plugins

Also we recommend the following top rated cache plugins to optimize the performance of your blog.

W3 Total Cache

W3 Total Cache improves the user experience of your site by improving your server performance, caching every aspect of your site, reducing the download times and providing transparent content delivery network (CDN) integration.

WP Super Cache

This plugin generates static html files from your dynamic WordPress blog. After a html file is generated, your webserver will serve that file instead of processing the comparatively heavier and more expensive WordPress PHP scripts.

General Security Tips

Always connect securely to your website. When using your web browser, use a https:// connection. You can easily install one of our SSL certificates to secure and encrypt data between your PC/Mac and your website. Some hosting accounts include a free SSL certificate or you can purchase one separately at our SSL Products Page. Prices start at $7.95 per year.

Use FTP securely too. Use FTPS instead of FTP when uploading. This encrypts your FTP connection and any data you upload to your website. You can learn how to use secure and non-secure FTP in the most popular FTP clients with a help of our FTP related articles.

 

Change your passwords regularly and keep them secure. Never used a dictionary word and always use a combination of capital letters, lower case characters, numbers, and symbols.

The tips provided above do not guarantee 100% security of your WordPress website. However, they drastically decrease chances of getting your WordPress installation defaced, hacked, or abused.

We sincerely hope this article helped you enough in securing your online business and becoming a happy customer :)

Introducing EasyWP, the fast and reliable Managed WordPress Hosting solution from Namecheap.

 

28 thoughts on “WordPress and Security – an Important Guide”

  1. Seems like you have introduced new idea to protect blog. I have never tested WordPress firewall and bulletproof security. I will try those.

  2. Very useful blog post on security tips and to keep blog safe, I’m going to install some of the Security Plugins listed here. Once again thanks for this post.

  3. This is a fantastic post for folks who are managing their own WordPress sites. Security is truly a community effort and we’re all responsible for keeping our plugins updates and making sure WordPress is updated to the latest version, particularly when security updates are released. Another great blog to follow is http://blog.sucuri.net/. Sucuri is a firm specializing in Information Security that we keep on retainer at WP Engine to ensure the security of all the sites that we have on our platform.

    It’s worth mentioning that just like how NameCheap is a well-respected and highly recommended domain registrar, there are also a number of Managed WordPress Hosting companies who manage the security for every customer who hosts their website with them. Companies like ZippyKid, Pagely, WebSynthesis, and yes the company I work for WP Engine, provide managed security for our customers. These companies charge about $30 a month for hosting, which can be a jump from $5 a month at a shared host, but having managed security and incredible site speed makes up for the price difference.

    Now, please assume I’m horribly biased in favor of WP Engine, which is why I listed the other companies so you can do your own research if you’re hosting a high-traffic WordPress site that needs top-flight security protocol. There are plenty of great options for hosting companies that will also manage your security for you.

    Thanks again for the article!

  4. Thanks for such a very useful post. I have always worried about my site’s security but don’t really know how to go about protecting it.

  5. WP security plugins? Well that’s new to me. Never thought of it before. Will give it a chance. Thanks for this. Reading twitter sometimes have its own benefits.

  6. I strongly agree to this post. Ever since I started using BulletProof Security and Better WP secrurity all my wordpress sites are never been this safe. Now I discovered WordPress Firewall 2 which looks very promising.

    For my backup plugin I am using BackWPup and pushed my daily backups to SugarSync.

    I am also using Wordfence Security and making a regular scan on my wordpress site.

  7. I use WordPress a lot both for my own sites and for clients of Rose Digital Marketing and your article will help me make them a lot safer, so thanks!

  8. Very interesting blogpost. Would you really suggest to use all of the plugins mentioned above, or is it just a list of plugins to choose from?

  9. After reading this post, I am feeling kinda proud of myself as I have been following all of the security steps described for my WordPress blog. I would also like to add that Better WP security is a must have plugin for all WP installations. Thanks for sharing the essential security tips anyway.

  10. Thanks for This Guide just Purchased a Domain name from NC and gonna start a wordpress Blog i will consider all Your recommendations thanks for grt Blog Post

  11. Thanks for this guide! I had recently registered my domain with GoDaddy, as they offered a big discount with it, I’ll be switching over to you guys once my domain is 60 days old.

  12. Pingback: 5 chequeos básicos de seguridad para WordPress | Blog de diseño web, tecnología y comunicación
  13. Very useful information for those who are starting building their wordpress website. Security of our site is must be think first to be safe from the hackers.

  14. This is really an awesome indepth guide for protecting wordpress website. I am sure going to follow all the options and to harden my site security.
    Thank you very much for sharing this article.

    Regards,
    M Imran

  15. Hmmm.

    I wish there was a good plugin-rating service somewhere out there. My understanding has it, that MOST of the vulnerabilities to WordPress, Joomla, and most other CMS’s are usually from some of the plugins. I have found this to be true of even those released from “official sources”. – So, I believe better security would also involve deciding which plugins you don’t really need, as opposed to those you could not do without, and then removing the unused plugins (which is always a good plan anyway).

    A good site “snapshot” (IE: backup) is always a grand idea! This can be used to detect tampering with the site’s files. So any security plugin worth its salt that has this key function, I would highly recommend.

    Having a good, solid hosting company, though, is where it all starts. If your hosting company is not doing very well in keeping its servers up-to-date and well-maintained, then all the added security in the world will not help you. That’s WHY I switched hosting providers!

    Otherwise,

    Still a great article, even at four years later.

Leave a Reply