Take a holistic approach to account security: keep not only your WordPress core secure but also all
related accounts, such as your host, PHP or database accounts. We recommend adopting the following methods
to keep your WordPress core secure.
- WordPress comes with the default user 'admin'. By keeping this you are making a hacker's life 50%
easier. After all, a username makes up half the login credentials, so we advise you to avoid the
username 'admin'. To remove admin and create a new administrator, follow these steps:
- From your WordPress admin panel locate Users and click Add New. Enter a new user with the
Administrator role, making sure you use a strong password created with the password generator.
- Finalise by logging out of WordPress and logging back in with your new user. From the Admin panel,
go to Users and remove the user 'admin'.
- If the account admin has existing posts, assign the attributes and links on to the newly created
- You might think a safe password is just something memorable with numbers, but realistically a strong
password consists of more than 12 characters combining numbers and upper and lower case letters.
We recommend using a password generator tool to create a strong password for your WordPress accounts
and anything related, such as your domain registrar or cPanel. A hacker could do a lot of damage
if they gained access to these, so avoid using the same login credentials across multiple accounts.
We recommend using LastPass to manage your passwords. This is a helpful application that generates
strong passwords and manages multiple login credentials. Find out more about choosing a secure password.
- Limit access to your site by granting appropriate user roles. This is crucial if you have multiple
people working on your website. Employees, authors and editors all need their own login credentials
appropriate for the work they are doing. The administrator role has many rights, so don't assign
it unless a person actually requires admin functionality.
- Brute force attacks can be a problem even if you're not using the default admin and have a strong
password set up. To address this, use Two-Factor Authentication. It's the standard today for
enhanced security when gaining access; Gmail and PayPal users will be familiar with how this works,
and you can add it to your WordPress as well using the Google Authenticator plugin.
- The concept of least privilege is giving people permissions based on what they need access to, when
they need it, and for how long. If they need admin access momentarily for a configuration change,
grant it, and remove it once the change is done. Assigning people the appropriate levels of access
substantially reduces your security risk.
- Add a security question to your WordPress login screen using the WP Security Questions plugin to
make unauthorized access even harder.
- Limit Login Attempts - By default, WordPress lets users attempt to log in as many times as
they want, which again leaves sites powered by this software vulnerable to brute force attacks,
as hackers can try multiple combinations to crack your password. Fix this by limiting the failed
login attempts a user can make.
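To show what limiting failed login attempts looks like inside WordPress itself, here is an added example of a small must-use plugin (written for this page, not code from the original post or from any plugin it names). The `exlim_` names, the limit of 5 failures and the 15-minute window are assumptions chosen for the illustration.

```php
<?php
/**
 * Plugin Name: Example failed-login limiter (illustration only)
 * Hypothetical must-use plugin: temporarily refuses logins for a username/IP pair
 * after too many failures. Save as wp-content/mu-plugins/exlim.php to load it.
 */

define( 'EXLIM_MAX_ATTEMPTS', 5 );                 // assumed: failures allowed before lockout
define( 'EXLIM_WINDOW', 15 * MINUTE_IN_SECONDS );  // assumed: counting and lockout window

/**
 * Transient key for one username/IP bucket. Bucketing by IP as well as username
 * stops a single attacker from locking every user out of their own account.
 * Note: behind a cloud proxy or DNS level firewall, REMOTE_ADDR is the proxy's
 * address, so the real client IP must be taken from the header that proxy sets.
 */
function exlim_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'exlim_' . md5( strtolower( $username ) . '|' . $ip );
}

// WordPress fires wp_login_failed with the attempted username on every failure.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = exlim_key( $username );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EXLIM_WINDOW );
} );

// Priority 30 runs after WordPress's own username/password check (priority 20),
// so our WP_Error is not overwritten by a successful password match.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( empty( $username ) ) {
        return $user;
    }
    if ( (int) get_transient( exlim_key( $username ) ) >= EXLIM_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the bucket for that username/IP pair.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( exlim_key( $user_login ) );
} );
```

Because a refused attempt also fires `wp_login_failed`, continued guessing during a lockout keeps extending it, which is the behaviour you want against an automated brute force tool.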
Firewalls are a great defense against external attacks but require a bit of work. Firewall plugins
shield your site from incoming traffic, monitoring it and blocking common security threats
before they reach your site. Deploying one is one of the best ways to stay ahead of emerging threats
when used in tandem with a wider security framework. There are two common types of firewall: cloud
based firewalls and endpoint firewalls.
DNS level firewalls are the superior of the two: they route your site traffic through their cloud
proxy servers, ensuring only genuine traffic reaches your site. An application firewall, on the
other hand, is triggered after traffic reaches your server, before your website loads. It's not the
most efficient way to block bad traffic and not as efficient as a DNS level firewall in reducing
Wordfence for a basic free application level firewall. Another useful firewall service is
Sucuri, the leading premium WordPress security company. It offers everything from a DNS
level firewall to other prevention services, including intrusion and brute force protection as well
as malware and blacklist removal. Sucuri also employs tactics to improve your website's performance
by reducing server load, all easily accessible from one plugin. Setting up is straightforward:
you add a DNS A record to your domain and point it to the Sucuri cloudproxy instead
of your website.
WordPress updates
Keeping your WordPress up to date should be a matter of course. Make sure your WordPress core files are updated
with the latest release to keep your site safe from outside interference.
WordPress notifies users in their Dashboard when a new version is released; you can also subscribe to the WordPress
Releases RSS feed for this information. There are also plugins available which keep your site automatically
up to date. Aside from the core software, be vigilant with your themes and plugins. Be careful to deactivate
and remove unused themes and plugins: they pose a security risk since they will eventually get outdated,
making them vulnerable, so as a rule of thumb, if you're not using it, delete it.
Secure Plugins and Themes
The popularity of WordPress means there’s an expanse of plugins — each one having the potential to open up
additional vulnerabilities. It's best to stick to trusted plugins and themes from the WordPress repository
or well-known companies to avoid future problems. Reputable theme companies or plugin developers are
more likely to be proactive in their approach to security, for example, many of the top WordPress plugin
or theme developers are audited by a third-party before release.
When you install a WordPress plugin, you're granting it access to your WordPress files, directories, and
database. You can't limit this access which is why it's important to understand what a plugin will be
accessing. To get this information read the plugin documentation and reviews to check its reputation.
Once you're satisfied, you can grant a plugin access to your system by installing it.
WordPress users often don't realize the importance of backups and website security until it's too late and
their website is hacked. If you back up regularly, you can quickly restore your WordPress site should
a problem arise. This makes backups an important line of defense against cyber attacks. To be on the safe
side, make regular backups to a remote location (not your hosting account) such as a cloud service.
There are a few ways to back up your site: some hosting companies provide automated backups, and there's
also an abundance of plugins to get the job done, such as BackupBuddy. These plugins are reliable and,
most importantly, easy to use.
Your host plays an important role in the security of your site. Many WordPress hosting solutions offer proactive
security practices such as automatically blocking an IP address after multiple failed login attempts,
automatic backups and updates, and advanced security configurations. If you want to take the worry out
of keeping your site secure, you need look no further than EasyWP to cover your WordPress hosting and
security needs.
Monitor your site
Keeping an eye on what’s happening with your website will give you helpful clues when something might not
be right. Being vigilant can potentially avert untold damage by catching a security breach as early as
possible. For example, regularly check your analytics for any sudden changes to your site’s traffic.
Has it suddenly dipped dramatically? Are users visiting a page you don’t remember creating? Issues like
this can indicate a problem. Use these tools to monitor your website:
- Perform a site search in Google using "site:http://yourdomain.com". Are there any sudden or negative
changes in the number of pages indexed? Are all your meta descriptions appropriate?
One of the best tools to help monitor your overall site health and performance in the Google
search index is Google Search Console. This invaluable application will display a Site
Health alert when any problems are detected or events which prevent Google from crawling
- Online scanners such as Sitecheck remotely scan your website as a user or a search engine would
see it; this can also be automated with plugins such as Quttera Web Malware Scanner.
- Availability monitoring services let you monitor how easily users can access your website. Plugins
such as UptimeRobot help with this: they send you alerts if your website goes down for any reason.
Websitepulse will assist you in monitoring any web page changes, giving a warning if your
site has been attacked and alerting you within minutes. This gives you precious time to action damage
control, which we'll come to.
- File integrity monitoring systems such as File Changes Monitor give you early warning of an intrusion
by looking at an application and identifying whether the integrity of any files has changed.