October 20, 2014

WordPress Security Best Practices

WordPress is an awesome website platform! We love it. We come from an era when it took hours, days, weeks, even months to create a website (back in the good old 20th century, the 1990s).

Now, you can literally create a fully-functional ecommerce-enabled website in minutes. Set it up and add content. Done.

However, WordPress does have a few security vulnerabilities. It’s not really WordPress that is at fault for this; it’s the “bad guys.” We must do what we can to keep the bad guys at bay, or, at the very least, encourage them to stay away from your WordPress website and move on to an easier target.

In that light, we want to give you some “WordPress Security Best Practices.”

WordPress Security Best Practices

Nothing has ever been hack-proof. Nothing will ever be hack-proof. But you can cut your risks of security breaches by following our advice below.

  1. Never use “admin” for an Administrator account. Doing so gives the bad guys a head start on guessing your login. Use something cryptic like Su9*w$RJCc9C. It’s not easy to remember, but it’s not easy to guess either, and that’s the point. Writing it down or storing it in a password manager like LastPass will go a long way toward securing your WordPress installation.
  2. Use a strong password. Use LastPass to assist.
  3. Change your WP table prefix to something other than “wp_”. The hackers know the default prefix, so make it hard for them to guess by using something cryptic here too.
  4. Only give access to your WP dashboard to those with a need. If an employee leaves your company, for example, remove their access, or at least change their password and user role to the lowest level possible (subscriber).
  5. Make frequent backups of your site and test the restore process on occasion. If somebody does hack into your site and defaces it, you can migrate to another webhost or simply restore a backup on your current webhosting account.
  6. Limit your login attempts. Hackers try “brute force” logins by guessing usernames and passwords, spread over thousands of automated login attempts. WordPress itself does not limit logins. You can use one of several plugins to lock out a specific IP after just a few failed tries.
  7. Set up your .htaccess files in specific locations on your site. Check out Website Defender for more details.
  8. Use only the plugins you need for your site. Remove those you don’t use any longer.
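
To show what the login-limiting plugins in item 6 do under the hood, here is a small must-use plugin written for this post as an added example (it is not code from WordPress, from WP Secure Pro, or from any of the plugins mentioned). It assumes the threshold and window values below, and that `REMOTE_ADDR` holds the real client address (behind a reverse proxy you would need to resolve the trusted forwarded header instead).

```php
<?php
/*
Plugin Name: Simple Login Limiter (example for this post)
Description: Locks out an IP after too many failed WordPress logins.
*/

// Tunables (constructed values for this example).
const SLL_MAX_ATTEMPTS   = 5;    // failed logins allowed per window
const SLL_WINDOW_SECONDS = 900;  // 15-minute counting window and lockout

// Transient key derived from the client IP. REMOTE_ADDR is used on purpose:
// headers such as X-Forwarded-For can be forged unless a trusted proxy sets them.
function sll_transient_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'sll_fail_' . md5( $ip );
}

// Count one failed login for the requesting IP. Each failure also refreshes
// the expiry, so an attacker who keeps hammering keeps extending the lockout.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = sll_transient_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, SLL_WINDOW_SECONDS );
} );

// Runs after core's own authenticate filters (priority 20), so a correct
// password from a locked-out IP is still refused. The check is skipped for
// the empty form load so only real submissions see the lockout message.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user;
    }
    if ( (int) get_transient( sll_transient_key() ) >= SLL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts from your address. Try again later.'
        );
    }
    return $user;
}, 99, 3 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( sll_transient_key() );
}, 10, 2 );
```

Drop the file into wp-content/mu-plugins/ and it is active without any dashboard switch, which also means a disgruntled admin cannot simply deactivate it from the plugins screen.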

If you happen to use plugins for some of the tasks above, make sure you remove them once you have completed your tasks. Otherwise, a hacker (or disgruntled employee) could use them against you!

We put together a comprehensive guide to WordPress security called WP Secure Pro — it’s 27 videos that show you exactly how to do the above and much more.