
How to Secure Your WordPress Website

At a loss for how to secure your WordPress website? Our team has put together this useful article to ensure your site is secure.

WordPress Security

So you find yourself with a WordPress website. What now? Your WordPress website is powered by PHP code and a database. This is what allows you to log in, update pages, upload images, and archive expired content, all through your web browser. This is convenient for managing a website, and part of what makes WordPress, and other CMS tools, so popular. The tradeoff for this convenient access is the risk that someone you don’t want to have access gets it anyway. This could happen either by obtaining a trusted administrator’s credentials or by exploiting some vulnerability in your site’s PHP code. If a bad actor gains access to your site, they can cause lots of damage to your site and your brand’s reputation. A hack can make it nearly impossible to effectively manage your website. To ensure we can leverage our website as an online asset, we first have to make sure our website is secure and we know how to recover from an attack. Let’s look at some strategies.

Backups for Secure WordPress Hosting

First and foremost you need regularly scheduled backups of your site. Backups are essential because if anything does go wrong then you’ll be able to restore your site back to normal. 

Many WordPress hosting providers automatically back up your site on a regular basis. This method is preferred because the hosting provider probably provides an easy way to restore a backup, usually with just a few clicks. Easy backups and the ability to quickly restore from a backup are important features to consider when selecting a hosting provider. For example, WP Engine has simple and powerful backup tools for all plans. This is one of several reasons we use and recommend WP Engine.

If your hosting doesn’t offer a backup solution you’ll have to handle it yourself. There are many plugins available that can back up your site. These can either store the backup on the same server as your website, or on a different cloud storage service, such as Dropbox, Google Drive, or Amazon S3. The free version of the UpdraftPlus plugin is a great place to start, and they offer premium upgrades with additional features and support. UpdraftPlus also has a UI to easily restore a backup with a couple of clicks.

When you make backups, make sure to consider what you back up. In general you can back up the database, WordPress core, the themes, the plugins, the uploads, or any combination of these. The database is the most dynamic part of your site, so it should receive the most backups. Uploads can be backed up less often.

So now that you have backups in place, what steps can we take to reduce the chance of ever having to use them? Let’s look at some areas that need attention.

HTTPS Encryption

The most basic security measure for any web application, including WordPress, is encryption with HTTPS. This ensures that your username and password are encrypted during login so that they can’t be stolen by someone who may have tampered with the public Wi-Fi network you may be using. Most hosting providers can install an HTTPS certificate for you for free, or you can use a plugin like Really Simple SSL to get a certificate and it will help you install it. The plugin also helps configure WordPress to support HTTPS correctly by changing the site URL, and URLs in the content, to HTTPS.


Code Security

The next area to consider when evaluating WordPress security is the PHP code of WordPress itself and all the plugins and themes in use. You can have a 100-character password, but if the PHP code that checks the password is faulty, the password is useless. Now we’re not saying you need to read all the code to make sure it is correct–even we haven’t read all the code in WordPress. In practice, code security essentially boils down to two concerns:

  1. Evaluate the reputation of the code before you install it.
  2. Update the code when an update is available!

WordPress is the most popular CMS in the world, so you can rest assured that many people are motivated to ensure the code is secure. (This also means many bad people are motivated to exploit WordPress–thus, here we are.) As far as plugins and themes are concerned, as long as you only install plugins and themes from the official WordPress repository with good reviews and many installations, or purchased from reputable WordPress developers, a typical WordPress site manager can’t be expected to do much more than that. Basically just don’t install code you downloaded from suspicious sources on the internet. If you want to conduct a more thorough evaluation, check out our article on how to evaluate plugin quality.

The next step is part of the ongoing maintenance of your WordPress website. Periodically WordPress and your plugins and themes will receive updates that contain new features, bug fixes, and–what we’re concerned with right now–security patches. Keeping WordPress and plugins and themes up to date is the single most important, and easiest, way to protect your site from getting hacked. If you use paid plugins or themes, they are typically licensed for one year, so you’ll want to keep track of when your licenses expire so that you can renew them, otherwise you won’t be able to update. Some plugins offer lifetime licenses that do not require renewal, so that can simplify things if you plan to use a plugin for many years to come.

So now we have a solid base to work from–reputable code that is up to date, and we have backups in case anything goes wrong. What additional steps can we take to go above and beyond these basic protections? Let’s take a look!

Login Security

As we discussed at the beginning, your WordPress website is a dynamic web application that allows administrators to log in and update the site. The risk with this is that WordPress doesn’t know the difference between a legitimate administrator and a malicious one–it treats them the same. So if a malicious user (whether human or bot) can somehow log in as an administrator, then it has free rein to do anything a normal administrator can do–including delete files and content. Now you can see why it is vital to secure the login functionality on your site. So how do you do this?

The most effective way to secure your website login is to add 2-factor authentication (2FA). This adds an additional layer of security to your login form beyond the username and password. So once a user enters the username and password, they are prompted to enter a one-time password (OTP) – usually a 6-8 digit code – sent to their email, phone, or generated by an OTP app, to finish logging in. This ensures that even if an administrator uses a weak username and password, and a malicious user is able to guess it, they still won’t get access to your site. The Two-Factor plugin is free, and a great way to add 2FA to your site.
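To show what an OTP app and the server are each doing when that code is entered, here is an added example (not from this article or from the Two-Factor plugin) of time-based OTP generation and verification per RFC 6238. The function names, the one-step drift allowance, and the replay check are assumptions chosen for illustration; the secret is the RFC's published test key.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, at: int, digits: int = 6, step: int = 30) -> str:
    """Derive the code an OTP app would display at Unix time `at`."""
    counter = struct.pack(">Q", at // step)            # 30-second time step as 8-byte counter
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)      # keep leading zeros

def verify(secret: bytes, submitted: str, now: int, last_used_step: int = -1,
           drift: int = 1, digits: int = 6, step: int = 30):
    """Return the matching time step, or None if the code is rejected.

    Accepts codes from `drift` steps either side of `now` to tolerate clock
    skew, and refuses any step at or before `last_used_step` so a code that
    was already used (or observed) cannot be replayed.
    """
    current = now // step
    for candidate in range(current - drift, current + drift + 1):
        if candidate <= last_used_step:
            continue
        expected = totp(secret, candidate * step, digits, step)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return candidate
    return None

# RFC 6238 test key (a published sample secret, never use it for a real account).
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))                        # code shown by the app
    print(verify(RFC_SECRET, "287082", now=59))        # accepted: step 1
    print(verify(RFC_SECRET, "287082", now=59, last_used_step=1))  # replay: None
```

The server should store the returned step as the account's `last_used_step` after each successful login so the same code is never accepted twice.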

Attackers sometimes try to simply guess your password by trying every combination possible in a so-called “brute-force” attack. This is pretty time-consuming for a person to try, so that’s why bots have been created to guess passwords really quickly. One way to mitigate this is to add reCAPTCHA, which allows humans to log in like they normally would, but blocks bots. The CAPTCHA 4WP plugin is a free way to add this to your login form. Another brute-force mitigation is to track login attempts and start blocking requests if the same user fails to log in many times within a short period of time. The Wordfence plugin can automatically block login attempts if it notices this behavior.
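The attempt-tracking idea above can also be run over your web server's access log to see whether it is happening to your site. This is an added example, not Wordfence's logic: it keys on client IP because access logs do not record the submitted username, it assumes default WordPress behaviour where a failed `POST /wp-login.php` returns 200 and a successful one redirects with 302, and the log lines, threshold, and window are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in combined log format; the IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
198.51.100.4 - - [12/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2024:10:00:07 +0000] "GET /wp-login.php HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2024:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
198.51.100.4 - - [12/Mar/2024:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

# Only login form submissions matter; GETs merely display the form.
LOGIN_POST = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST /wp-login\.php[^"]*" (\d{3}) ')

def find_bruteforce(log_text, max_failures=5, window=timedelta(minutes=5)):
    """Return {ip: time the ip reached max_failures failed logins within window}."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        match = LOGIN_POST.match(line)
        if not match:
            continue
        ip, stamp, status = match.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if status == "302":       # assumed success: forget earlier typos
            recent[ip].clear()
            continue
        if status != "200":       # other codes are not a rejected password
            continue
        failures = recent[ip]
        failures.append(when)
        while when - failures[0] > window:   # slide the window forward
            failures.popleft()
        if len(failures) >= max_failures and ip not in flagged:
            flagged[ip] = when
    return flagged

if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} reached the failure threshold at {when.isoformat()}")
```

An address that mistypes a password once and then logs in, like the second one in the sample, is never flagged.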

By default, WordPress sets the initial administrator username to “admin.” Because it is the default, attackers target this username often, so you should remove this user. Wordfence can also block anyone trying to log in with the username “admin.”

So now our login form is secure. Great! Do we need to worry about anything else? Let’s look at a couple more strategies to level up our WordPress security.


Next Level Security

The first way to level up your WordPress security is to install a firewall. The purpose of the firewall is to process the request before WordPress, and if it appears to be up to no good, shut it down before any harm is done. A malicious request will contain common markers that reveal its bad intent. The Wordfence plugin can detect malicious requests like this and block them.

Another way a request can be suspicious is where it originates from. There is a lot of malicious traffic floating around the Internet, so people have started collecting the IP addresses of malicious/spam requests into lists for other people to use. Wordfence offers access to their frequently updated database of bad IPs as a paid upgrade so your site will block these requests right off the bat without wasting any more of your server’s time.

You should also consider keeping PHP itself up-to-date. Just like WordPress, vulnerabilities are discovered in PHP over time, so updating PHP when these are patched ensures you won’t suffer damage. Hosting providers usually can update this for you. WP Engine even provides a way to update PHP yourself and try it out before switching over.

Finally, you should consider putting your WordPress site behind a reverse proxy, such as Cloudflare. The reverse proxy sits in front of your website, so all users connect to the proxy instead of your website. This allows the proxy to block Distributed Denial-of-Service (DDoS) attacks, which would normally overwhelm your website with too much traffic and cause it to crash. WP Engine’s “Advanced Network”, a free upgrade for all plans, enables a Cloudflare reverse proxy automatically in front of your website.


Hopefully, you now have a more holistic idea of how to secure your WordPress site. We touched on several security plugins in this article. A lot of them have overlapping features and paid upgrades. Here is a list of popular security plugins for you to evaluate which one fits your needs best.

And here is a checklist summarizing all the items we went over.

  • Set up backups
  • Use HTTPS
  • Only install reputable plugins and themes
  • Keep WordPress, plugins, and themes up-to-date
  • Add 2FA to log in
  • Add reCAPTCHA to login
  • Block brute-force login
  • Block/Remove username “admin”
  • Block malicious requests with a firewall
  • Block IPs that are known to be malicious
  • Keep PHP up-to-date
  • Put WordPress behind a reverse proxy