[UPDATED] Many site administrators feel that site security is a complicated, development heavy process and, yes, there are a number of security measures that you would need a developer to set up. Nevertheless, performing the four measures in this article can be done easily by a non-developer.
These simple to implement security steps will move your site ahead of 90% of WordPress sites out there and go a long way in avoiding a site hack.
Why is site security so important?
- To avoid site downtime.
- To stay on Google’s safe browsing list (the GSB).
- Prevention is always easier than fixing a hack.
- Once you’ve been hacked, there’s an increased chance of future hacks.
So, what are the things?
- Never use admin as your username.
- Install and configure WordFence.
- Keep WordPress and your themes / plugins updated.
- Use Two-factor Authentication
1. Never use admin as your username.
If a current username is admin, you need to create a new administrator account, and delete the admin account.
- Go to [yourwebsite]/wp-admin and sign in using the ‘admin’ account.
- Hover over Users and click the “Add New” button.
- Fill in the fields – be sure to choose a strong password with at least one symbol. Set the role to “Administrator” and click “Add new User”.
- Log out of the current ‘admin’ account and re-login using the account you just created in step three.
- Go back to Users > All Users. Hover over the admin account and click “delete”.
- Toggle “Attribute all content to” and choose the account you just created in step 3. Click “confirm deletion”
2. Install Wordfence
Wordfence is the premier WordPress security plugin protecting your website from hacks and malware. It does this covering an enormous amount of ground.
Install the plugin following these Wordfence instructions:
As Mark Gibbs from Network World writes: “[Wordfence covers] scanning of the WordPress core, theme and plugin files searching for attacks, repairs compromised files, scans content for bad URLs, provides a real-time traffic view of hackers and crawlers, scans for known malware and backdoors, provides firewalling, rate limits rogue crawlers, intelligently blocks IP addresses and IP blocks, blocks fake Googlebots and brute-force attacks, monitors content leeches, monitors disk space, enforces strong passwords, audits existing passwords, scans for DNS changes, and tracks IP address to their source and acquires detaiedl IP information. Oh, and Wordfence includes a WordPress caching engine that, it is claimed, can increase site performance by up to 50 times!”
As you can see, WordFence is a very detailed plugin; but you don’t need to use everything for it to be effective. Many of the default settings are exactly what you need.
Here are a quick things you can do right away to better configure the plugin:
Go to Wordfence > Options
- Under Alerts – alerts are sent to your email. It can mean getting a fair amount of mail, so you can limit the numbers by unchecking some of the boxes, but I recomend leaving them as is and using an email other than your main email.
- Login Security Options – here you can increase your defence against a “brute force attack”. These options effectively limit the number of attempts any one IP address can try to log in to your site. *Change the following:*
- Lock out after how many login failures. Change to 20
- Lock out after how many forgot password attempts. – change to 20
- Amount of time a user is locked out. Change to 5 days
- Initial site scan + later manual scans (free) or regularly scheduled scans (need to pay if you want to use this feature).
3. Keep WordPress and your themes / plugins updated.
It seems simple, but many people forget to update their plugins and themes. Updates are often security fixes of vulnerabilities that can lead to breach. Set aside a specific time every week to go into the WordPress admin, click Plugins > Installed Plugins in the dashboard, and update those that have updates available. Do the same in Appearance > Themes with any that need updating. (Note: Any themes that do not utilize child themes or custom code plugins for changing design or functionality will have any changes overridden when the theme is updated. Ask your developer if you are unsure.)
4. Use two-factor authentication
Two-factor authentication adds a second level of authentication to a login. It means that while a brute force attack on your site might be able to access the one level of authentication, it would also have to access this separate level at the same time. This greatly reduces the chances of such an attack.
I suggest trying out Clef, which is extremely simple two-factor authentication app and plugin where you simply point your phone at the log-in screen to login. It uses the highly trusted RSA public-key cryptosystem.
How to set up & use Clef:
- Install and activate the plugin.
- Clef will appear in your menu with the words “needs setup” beside it. Click there then click “get started”
- Under “To use Clef, you need two things: the plugin on your site and the app on your phone.” Click “Get the Clef App” where you can very easily text yourself a link to the app.
- Once you have the app on your phone, you are prompted to create a PIN number.
- You then synchronize the app with your WordPress site. Open the Clef app and point your phone at the waves on the screen. Hold for a few seconds and you app is now in sync with your WordPress site. At this point, every time you go to login, you will be asked to hold your phone up as your means of login. Takes 1 second and you are logged in!
There is an excellent, in-depth Clef tutorial here with further setup details which also includes info on how to disable your regular passwords.
Avoid most free themes. Use only trusted plugins. Themes are not that expensive. If you are going to go with a free, pre-designed theme, I suggest sticking to WooThemes free themes.
Read reviews on plugins. If you are newer to WordPress, stick to plugins that have 1000s of downloads and at least a 4 star rating.
For those comfortable with accessing files in the site ‘backend’ via FTP for transferring files to the server (or you can ask a developer):
Even if you leave it at the measures introduced in the article, you will have greatly reduced the possibility of a site hack. But there is more you can do. Below are some ideas to look into if you want to take it further. I don’t go into detail in this WP security basics article but will likely be the subject of a more advanced article.
- Make security changes to the wp-config.php file including installing security keys. More info.
- Strengthen file permissions. More info.
- Use SSL: it’s the ‘s’ in ‘https’ More info.
- Find a webhost that offers the use of SFTP instead of FTP. More info.
- Change the WordPress Database Prefix. Through database or using the easy to use plugin Change DB Prefix. More info.
Taking the precautions in this article is well worth your time. Recovering from a successful hack will quickly prove to be much more time and resource consuming. So go ahead and implement them today!