Working with WordPress is a pleasure. I find its learning curve is so smooth you will always feel comfortable improving your skills. There are infinite guides and tutorials on how to achieve something following best practices.
It’s no secret WordPress is the most used CMS in the world. This is its best advantage but also its Achilles heel. Due to this popularity, it is often targeted by hackers for profit. According to some sources, in 2018, cybercrime generated at least $1.5 trillion annually.
You might be thinking “well my business is not that important to be attacked, why would someone spend time on that?”
I have some bad news for you. It doesn’t matter if your business is the biggest in the industry or a new entrant: attackers are only interested in what they can get their hands on.
In most cases, intruders are looking to use your resources, not your business data.
I’m sure you’re aware of what spam is: those annoying messages asking you to buy something online. Most of it is sent from hacked sites, damaging your brand and the hard work you’ve put in.
Now that you understand why security is so important, let’s look at 7 easy changes you can make to ensure your site is more secure:
1. Do not use an ‘admin’ user
This is one of those old school rules you should already know: don’t ever use default login credentials. It doesn’t matter if we are talking about WordPress or your router at home, attackers will always try default credentials first, and one of the most used usernames for WordPress admin users is ‘admin’.
When creating your site, just pick something different. If an attacker wants to break into your site and already knows one half of your credentials, a brute force attack could reveal the other half.
2. Your admin user shouldn’t have the ID 1
You have changed your admin user, cool... but unfortunately, there is a WordPress feature that can still reveal your admin user name.
Visiting your site with ?author=1 appended to the URL will bring up this information in seconds.
This wouldn’t show them your password, but it would show your username, giving them half of your login credentials. Annoying, isn’t it?
A solution for this is creating a new admin user and deleting the old one, so the admin’s ID won’t be 1. This should be enough to prevent most attacks, but if you want to keep your site even more secure, you can start creating your users from, for example, ID 6304.
Unfortunately, there’s no way to achieve this from the backend and you will need to change it in the database. So you may need to submit a support ticket to your agency or IT team for this.
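Both of the behaviours described so far (brute force attempts against the login form, and ?author=N requests that walk through user IDs) leave an obvious trail in your web server’s access log. The script below is an added example, not code from the original post, that flags clients doing either. It assumes the Apache/nginx “combined” log format and uses the heuristic that WordPress answers a failed login POST to wp-login.php with a 200 (the form re-rendered) while a successful login redirects with a 302; the log lines and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one client enumerates ?author=1..3 and hammers the
# login form; a second client browses normally and mistypes its password once.
SAMPLE_LOG = "\n".join(
    [
        '203.0.113.7 - - [10/Mar/2024:08:01:02 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.0"',
        '203.0.113.7 - - [10/Mar/2024:08:01:03 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/8.0"',
        '203.0.113.7 - - [10/Mar/2024:08:01:04 +0000] "GET /?author=3 HTTP/1.1" 404 512 "-" "curl/8.0"',
    ]
    + [
        '203.0.113.7 - - [10/Mar/2024:08:02:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "curl/8.0"' % s
        for s in range(10, 16)
    ]
    + [
        '198.51.100.20 - - [10/Mar/2024:08:05:00 +0000] "GET /about/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
        '198.51.100.20 - - [10/Mar/2024:08:06:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
        '198.51.100.20 - - [10/Mar/2024:08:06:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    ]
)


def parse_line(line):
    """Return (ip, method, path, query dict, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return (
        m.group("ip"),
        m.group("method"),
        parts.path,
        parse_qs(parts.query),
        int(m.group("status")),
    )


def summarise(log_text):
    """Per client IP: the distinct ?author=N values requested and the number of
    POST /wp-login.php requests answered with 200, i.e. the login form shown
    again after a wrong password (a successful login redirects with 302)."""
    per_ip = defaultdict(lambda: {"author_ids": set(), "failed_logins": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path, query, status = parsed
        if "author" in query:
            per_ip[ip]["author_ids"].update(query["author"])
        if method == "POST" and path.endswith("/wp-login.php") and status == 200:
            per_ip[ip]["failed_logins"] += 1
    return per_ip


def findings(log_text, enum_threshold=3, login_threshold=5):
    """Return {ip: [labels]} for clients that crossed either threshold."""
    result = {}
    for ip, stats in summarise(log_text).items():
        labels = []
        if len(stats["author_ids"]) >= enum_threshold:
            labels.append("author-enumeration")
        if stats["failed_logins"] >= login_threshold:
            labels.append("login-brute-force")
        if labels:
            result[ip] = labels
    return result


if __name__ == "__main__":
    for ip, labels in findings(SAMPLE_LOG).items():
        print(ip, ", ".join(labels))
```

Run it against a real access log by passing the file’s contents to `findings()`; the thresholds are starting points, and a single wrong password from a legitimate user stays well below them. If the author-enumeration label fires after you have renamed the admin user and changed its ID, that is exactly the scan this tip is meant to make unproductive.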
3. Hide your author pages
For most sites, there’s only one author, so there’s no reason to have an author page. If all the content is created by the same user, just disable the author page. This can be easily done with some of the plugins you may already have installed, like Yoast.
4. Disable author pages for authors without content
If you have more than one user creating content and you want to keep the author pages, then the best option is to hide the authors who haven’t created any content yet from the listing.
The less information you expose, the more secure you are. As with everything in WordPress, a few alternatives are available. One I’d recommend, because of all the extra features it comes with, is iThemes Security (formerly known as Better WP Security), a great plugin to boost your site’s security.
5. Don’t publish content using an admin user
When you are the only user on your website, it feels really handy just doing everything under the admin user because you have access to absolutely everything!
This is, in fact, a major issue. By doing this, you’ll once again be exposing a user with high privileges, since every published post reveals its author’s username.
So any time you create new content, use an author user rather than an admin. If you’ve already posted using your admin user, you can bulk edit your posts to reassign them to another user.
Just go to Posts, select all and click Edit. There you can change the author to an author-level user you created earlier.
6. Rename the backend access
Keeping your site in its default configuration makes it easier for an attacker to use their scripts on it. However, if your site isn’t like the other 99% of sites, they won’t spend time investigating how your site is configured. They just want your resources and aren’t interested in your business (most of the time!).
You can use a simple plugin, ‘Change wp-admin login’, to achieve this. It will rename your backend access without modifying core files. After you activate this plugin, the wp-admin directory and the wp-login.php page will become unavailable at their default addresses.
7. Always use strong passwords
What’s the point of trying to secure your site if you use a weak password?
Excuses like ‘I can’t remember it’ or ‘It is too difficult to type’ no longer work. There are alternatives, and no, I don’t mean a post-it on your screen! Password managers are in abundance, so use them!
Personally, I like Bitwarden, an open-source password manager, to store all of mine.
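To make ‘strong password’ concrete, here is an added example (my own illustration, not code from the original post or from any plugin it mentions) of the checks a site could apply before accepting a new password, plus a generator that uses the operating system’s CSPRNG. The 12-character minimum, the 60-bit entropy floor and the tiny common-password list are assumptions chosen for the example; the entropy figure is an upper bound based on the character classes used, which is why the dictionary check is applied separately.

```python
import math
import secrets
import string

# Constructed, deliberately short list of frequently guessed passwords;
# a real deployment would check against a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "admin", "wordpress", "letmein"}

MIN_LENGTH = 12      # assumed policy value
MIN_ENTROPY = 60.0   # assumed policy value, in bits


def charset_size(password):
    """Size of the smallest obvious alphabet that covers every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def entropy_bits(password):
    """Upper bound on guessing entropy: log2(alphabet_size ** length).
    Human-chosen passwords are weaker than this suggests, hence the
    separate dictionary check in check_password()."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def check_password(password):
    """Return the list of policy failures; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in the common-password list")
    if entropy_bits(password) < MIN_ENTROPY:
        problems.append("fewer than %d bits of entropy" % MIN_ENTROPY)
    return problems


def generate_password(length=20):
    """Random password over letters, digits and punctuation from the OS CSPRNG;
    this is the kind of value a password manager stores for you."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ["password", "Tr0ub4dor&3", "correct horse battery staple", generate_password()]:
        verdict = check_password(candidate) or ["ok"]
        print("%-30s %5.1f bits  %s" % (candidate, entropy_bits(candidate), ", ".join(verdict)))
```

Note how a long passphrase of plain lowercase words passes comfortably on length and entropy, while a short password padded with symbols fails on length alone: length is what matters most, and a password manager removes the need to remember or type any of it.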
I know seven is a lucky number so I should stop here... but I really like symmetry, so let me remind you of one of the cornerstones of being secure on the internet.
8. [BONUS] Keep everything up to date!
Keeping everything up to date (WordPress core, themes, plugins, etc.) protects you from known vulnerabilities by applying the fixes for security holes as they are released.
If your site follows best practices, this shouldn’t be a problem. You won’t be stuck on an old WordPress version for fear of your site breaking.
Are all of these steps needed? Yes, absolutely!
Think of these tips as layers: if some of them fail, you still have others to fall back on to help maintain a secure site. In the real world, plugin or theme updates sometimes break things, so having multiple protection methods in place helps keep everything safe.
Don’t know where to start or don’t have the time to implement this? Contact our team who can offer you interim or long term support of your WordPress website.