For the most part WordPress is a good option for your web site. With its extensive repository of themes and plugins WordPress provides site owners with many options for design and content. Also, the fact that WordPress is built on php and MySQL, two open technologies with large developer bases, site owners can leverage a high-level of customization. But, in spite of all the good things, WordPress site security can be a significant challenge.
Because of the structure of a WordPress install plus the fact that most sites employ a theme and multiple plugins, a significant quantity of executable code can be exposed to the web browser creating exploitable opportunities for attackers and automated botnets. These botnets are particularly dangerous because they ping web sites looking for WordPress installs then they continuously try exploits in an attempt to gain access to the site or to upload malicious code. I have several clients with high SEO ranking sites that are constantly targeted by automated attacks, sometimes receiving thousands of exploit attempts a day.
Fortunately there are a some WordPress site security steps site owners can take to make their site less vulnerable to attack.
8 steps to better WordPress site security
- Complete your site installation as quickly as possible. It is possible for attackers (or botnets) to take control of your site when WordPress installation is in progress so don’t start the installation until you are prepared to complete it.
- Change the default administrator user name to something other than “admin”, preferably something that is hard to guess. Since “admin” is the default, attackers usually try that user name first. Guessing the correct user name is a huge leap toward gaining access to your site with only the password left to crack.
- Make sure all passwords are strong. Avoid using words found in the dictionary and please don’t use “let me in” or anything simple like that! I frequently see easily guessable passwords on existing installs.
- Only install themes and plugins that have a large number of active installs and good review ratings. A poorly built theme or plugin can be a gateway for an attacker to gain access to your site. You can also search the theme and plugin name online to see if security issues have been identified and not yet fixed.
- Install and properly configure a quality security plugin that includes an endpoint web application firewall. I like Wordfence. The free version is excellent and the paid version is even better. You can find it here, or install it from your dashboard.
- Block browser access to wp-config.php and xmlrpc.php on your web server. For Apache servers this usually achieved with .htaccess directives while the method for other web servers will vary.
- Delete any unused or deactivated plugins and themes because even deactivated code can be exploited.
- Keep the WordPress install, themes and plugins up to date. I know it can be time consuming to do this and sometimes upgrades can cause issues with site operation, but this is one of the most important things you can do to keep your site secure.
Updated 11/15/2017
The folks at Wordfence posted a great checklist on securing a WordPress site. It is well worth reading.