WordPress is one of the most popular blogging and website platforms currently on the web. It is currently estimated that there are approximately 1.3 billion active websites at this time, it is believed that 445 millions of them are built with WordPress. Due to the popularity of the platform though and the nature of open source, there is a constant battle of balance between security on the core platform and the external plugins and themes. Below are some tips on how to simply improve the security of a WordPress website.
1: Don’t use a default username
Quite often when setting up a new WordPress website, most users just use the default admin username. Don’t do this, rather have a name instead for the administrator username as quite often there are those that will try to brute force the admin username on WordPress login URLs.
2: Change your login URL and hide your WordPress
This can be simply done with a number of plugins, both hiding your login page for your WordPress website and hiding any sign that the website is built with WordPress is a way to deter some of those that wish to hack your website.
3: Enable 2FA on your WordPress
Ensure to enable 2 Factor Authentication on your WordPress for that extra layer of security. This can be done by using a WordPress defense plugin such as WordFence which allows you to use Google 2FA solutions and has a number of other features that will help to secure your website.
4: Update your Core, Plugins & Themes at all times
Due to the dynamic nature of open source, WordPress are constantly releasing new security updates for the core platform. Plugins & Themes should also be regularly updated and be careful of those that are no longer supported by developer or have been forgotten about.
5: Delete and remove unnecessary Plugins & Themes
If you don’t use a plugin or theme, delete it from your WordPress install as they can add more opportunities and vulnerabilities on your website.
6: Whitelist your IP for Admin login
Another form of defense you can take for your WordPress website is to whitelist your IP (if it’s static) to allow you to login from only allowed locations to edit the website. This will further reduce opportunities of hackers getting admin access on your website.
7: Ensure your Hosting is secure such as cPanel.
A lot of WordPress websites use a web hosting control panel such as cPanel, always make sure that you use a strong password and if possible enable 2FA to ensure better security. Often enough this is neglected and a compromise of the web hosting control panel is just as bad if not worse than the compromise of the WordPress website.
8: Use a strong password
This should go without saying but always use a strong password policy on your WordPress website to ensure that your WordPress is secure, use a combination of lower and upper case with symbols and numbers. A new method also to add in is a long phrase to make it even harder to crack.
9: Defend your users through the blog
Often enough if your website has a blog that updates regularly, make sure to create another user for just posting on the blog and do not use the Admin account to post blogs. This will make it harder for hackers to discover which account is the administrator one if they can’t see the name and if they do somehow manage to gain access to the account that’s blogging they will only have very few permissions on the backend.
10: Disable comment fields and filter all contact forms
If you do not use the comment section on the website, make sure to disable them as they will often be spammed and could be vuln to Stored XSS. Not only that, also make sure to filter all contact forms to allow only certain symbols allowed to ensure no XSS can be done on that either.
WordPress is a constant evolving platform and while it does have a lot of issues due to being open sourced, with careful attention and being prepared you can advert a lot of vulnerabilities it’s often plagued by being careless or neglect.
Subscribe to the Edgescan blog to receive updates.
Theo Goyvaerts
Edgescan