WordPress powers 43.2% of websites, and anything that widely used is going to attract attention from attackers, hackers and mischievous internet pirates. Let’s secure your WordPress site to make their lives a little harder.
The truth of it all is that if someone really wants to hack our site, they will. But most internet pirates are looking for easy targets: a site they can take over in a few easy clicks. By making their lives harder we keep our site, our business and our customers safe.
Before you proceed with any of the security tips below, remember to back up.
DON’T use Admin as your username
Admin is the default WordPress username, which means it’s the first one on a hacker’s list. It would surprise you how many people don’t change it.
We can create an Administrator account in WP-Admin > Users by pressing the Add User button. Fill out the details of our new admin user, but this time use a username like firstname.lastname or greatestb0ss. Under the Role section select Administrator.
Log out of WP-Admin, log in again as our new admin, and then delete the user Admin (WordPress will ask whether to reassign that user’s posts to another account; reassign them to the new admin so nothing is lost).
We can now use this new admin user for any administrator tasks such as updates, installs, etc.
Tip: If you only have one email address, we can use a simple trick to get unlimited addresses in Gmail, which saves you signing up for a new email address for your new admin.
Create and use an Editor account
Every time we post using our admin account we are publishing its username and other unique details, helping hackers and internet pirates break into our site.
Creating an Editor account limits our exposure, because an Editor can only publish and manage posts, including posts created by other users, and has no admin rights.
We can create an Editor account in WP-Admin > Users by pressing the Add User button. Fill out the details of our Editor user and, under the Role section, select Editor.
Strong Passwords
It might surprise some of us that ‘password’ is one of the most commonly used passwords, along with 123456, 123456789, qwerty, iloveyou, princess and dragon.
Don’t fall into this basic trap: follow standard password rules and use a combination of upper- and lower-case characters, numbers and a mixture of symbols, for example:
Neverg0nn@gIveyouUP
Many browsers have a ‘Suggest Strong Password’ feature. Use it.
Update WordPress Plugins regularly
WPScan documents and tracks WordPress vulnerabilities. There are 100,996 plugin issues currently documented, and that’s just the ones we know about. Compared with the vulnerabilities in themes and in WordPress itself, plugins clearly dwarf every other component of our site.
Developers update software to add new features and to close security holes in its code. We should log in to our admin account regularly to update these plugins and keep our WordPress site secure.
Please follow our WordPress Backup recipe before cooking
Tip: reading the change log of our plugins shows us which new features are available. We can then use those features to improve our users’ experience.
Limit the number of plugins
Plugins help us perform tasks we can’t always perform ourselves, but the more we have, the more we increase the potential for something to go wrong.
One way of reducing our number of plugins is to deactivate plugins we are not using regularly, e.g. backup plugins, migration plugins and plugins provided by our host.
From WP-Admin, select Plugins > Installed Plugins from the right-hand side menu.
Review each plugin: do we need it? Do we need it all the time?
Deactivate or delete each plugin we don’t need.
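For a site with many plugins, the update and review steps above are easier against an inventory than by scrolling the Plugins page. The following is an added example, not code from the original post: it reads a plugin list in the shape produced by WP-CLI’s `wp plugin list --format=json` (assumption: WP-CLI is installed on the host; the sample inventory embedded here is constructed with made-up plugin names) and sorts the plugins into “update now” and “candidate for removal” lists.

```python
"""Turn a WordPress plugin inventory into a review list (added example)."""
import json

# Constructed sample in the shape of `wp plugin list --format=json` (WP-CLI).
# Assumption: on a real site run `wp plugin list --format=json > plugins.json`
# and pass the file contents to review_plugins(); names below are made up.
SAMPLE_INVENTORY = json.dumps([
    {"name": "example-seo",        "status": "active",   "update": "available", "version": "1.4.0"},
    {"name": "example-backup",     "status": "inactive", "update": "none",      "version": "3.1.2"},
    {"name": "example-forms",      "status": "active",   "update": "none",      "version": "2.0.7"},
    {"name": "example-migration",  "status": "inactive", "update": "available", "version": "0.9.1"},
    {"name": "example-host-tools", "status": "must-use", "update": "none",      "version": "1.0.0"},
])


def review_plugins(inventory_json: str) -> dict[str, list[str]]:
    """Split an inventory into plugins to update and plugins to consider removing.

    - active plugins with a pending update need updating now;
    - inactive plugins are not doing anything for the site, so they are the
      first candidates to delete (their code still sits on disk while inactive);
    - must-use plugins are managed by the host and left out of the removal list.
    """
    plugins = json.loads(inventory_json)
    update_now = sorted(
        p["name"] for p in plugins
        if p["status"] == "active" and p["update"] == "available"
    )
    removal_candidates = sorted(
        p["name"] for p in plugins if p["status"] == "inactive"
    )
    return {"update_now": update_now, "removal_candidates": removal_candidates}


def plugin_count(inventory_json: str) -> int:
    """Total installed plugins, the number the 'Limit the number of plugins' tip wants kept small."""
    return len(json.loads(inventory_json))


if __name__ == "__main__":
    report = review_plugins(SAMPLE_INVENTORY)
    print(f"{plugin_count(SAMPLE_INVENTORY)} plugins installed")
    print("update now:        ", ", ".join(report["update_now"]) or "none")
    print("consider removing: ", ", ".join(report["removal_candidates"]) or "none")
```

Deactivated plugins still appear in the removal list on purpose: deactivating stops the code running, but only deleting removes it from the site, which is why the tip says “deactivate or delete”.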
Limit the number of themes
Just like our plugins, if you are not using a theme then remove it.
If you are using a child theme, remember you will need two themes installed: the parent and the child.
From WP-Admin, select Appearance > Themes from the right-hand side menu.
Click Theme Details on any theme we are not using.
Click Delete to remove the theme.
Don’t use Nulled plugins.
Like everything in the world, WordPress has its own black market. If there is a plugin you want or need, pay for it: someone has taken the time and effort to write code that helps us on our journey, and they need to feed their family. Pirated plugins, often called nulled, may have malicious code added that will steal data and cause harm to our business.
We hope these simple tips have helped you secure your WordPress site.
Struggling with the above recipe? Hire a chef to do it for you
Image Attribution: Pirate Vectors by Vecteezy