A Quick Guide to WordPress Security.

This short guide focuses on WordPress security. WordPress is one of the leading content management systems (CMS) in use today, powering easily one fifth of the web. Because it is so popular it is a prime target for hackers. Out of the box, or rather freshly installed (since WordPress doesn't come in a box), it is very secure software, and WordPress has a very good reputation for stability and for rapidly fixing holes when they are discovered. That said, you can always do a little more.

In analyzing over 500,000 break-in attempts on my clients' sites, one particular attack type is the most common. This is what's called a brute force or dictionary attack, and it accounts for over 90% of the attempts we see. It basically does what it sounds like it does: it randomly picks a username and then throws a dictionary at the site, trying every possible combination of passwords it can come up with. If you use a common password it can rapidly break in, so to prevent this you need to use a little caution.

Complex Passwords are Crucial!

First, use a complex password. Don't use something simple like a name, a date or your phone number. Mix it up, make it something not in the dictionary, and swirl in a few numbers and other characters. This will slow them down, but better than stopping them at the door is making sure they can't even find it.

Don’t Default!

Most software comes with preset default settings when you install it. Many of the web sites that are compromised have never changed from the defaults, making it easy for an attacker to get his foot in the door and then try to get the rest of the way in. In the case of WordPress the default administrative account is called "admin". In analyzing the half million attacks, over 90 percent of them were trying to log in to "admin". To make your site more secure against attack the solution is very simple: don't use "admin" as your username. When you install WordPress on your site use a different username, and this will block about 80 to 90 percent of the possible break-in types.

Limit Logins

The second way to block attackers is to limit their chances to try to log in. This is called a login lockout or a strikes system. You've heard of the old adage "three strikes and you're out"? In the case of logging into a website this makes great sense. If you limit the number of attempts and block them for a reasonable amount of time, say 5 minutes or even 5 days, you will discourage or at the very least slow down the enemy, and they'll move on to another site that's easier.

To make the system even more effective, combine changing your username to something besides the default with the login strikes system and an automatic lockout whenever somebody tries a non-existent username. This means that if someone tries to log in to your site as "admin" and "admin" does not exist, they are immediately blocked. The door is slammed in their face, and they could try 10,000 times to log in and never get in.
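As an added illustration (not code from this post, and not a WordPress plugin), here is a small Python model of the combined policy described above: a strikes counter per source address, a timed lockout, and an immediate lockout for any attempt against a username that does not exist. The user list, addresses and clock values are constructed for the demo.

```python
import time
from dataclasses import dataclass, field


@dataclass
class LoginGuard:
    """Model of a 'strikes' login lockout (constructed example).

    max_strikes failed attempts from one address lock it out for
    lockout_seconds; an attempt against a username that does not exist
    (e.g. the removed default "admin") locks the address out at once.
    """
    valid_users: set
    max_strikes: int = 3            # "three strikes and you're out"
    lockout_seconds: int = 300      # the post's "say 5 minutes"
    strikes: dict = field(default_factory=dict)       # ip -> failures
    locked_until: dict = field(default_factory=dict)  # ip -> unix time

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def attempt(self, ip, username, password_ok, now=None):
        """Record one login attempt; return 'ok', 'failed' or 'locked'."""
        now = time.time() if now is None else now
        if self.is_locked(ip, now):
            return "locked"
        if username not in self.valid_users:
            # Non-existent username: slam the door immediately, no strikes.
            self._lock(ip, now)
            return "locked"
        if password_ok:
            self.strikes.pop(ip, None)   # a success resets the counter
            return "ok"
        self.strikes[ip] = self.strikes.get(ip, 0) + 1
        if self.strikes[ip] >= self.max_strikes:
            self._lock(ip, now)
            return "locked"
        return "failed"

    def _lock(self, ip, now):
        self.locked_until[ip] = now + self.lockout_seconds
        self.strikes.pop(ip, None)


def demo():
    """Constructed walk-through: three wrong passwords, then 'admin'."""
    guard = LoginGuard(valid_users={"editor_jane"})
    t = 1_000_000  # constructed clock, seconds
    bad = [guard.attempt("203.0.113.5", "editor_jane", False, t + i) for i in range(4)]
    retry = guard.attempt("203.0.113.5", "editor_jane", True, t + 302)
    admin = guard.attempt("198.51.100.9", "admin", False, t)
    return bad, retry, admin


if __name__ == "__main__":
    print(demo())
```

The lockout is keyed on the source address here; a real plugin would usually track the username as well, so that one address cannot be used to lock out a legitimate user indefinitely.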

Use a Firewall

To further increase your security you could use a program such as Wordfence or iThemes Security that combines many of these features with additional protections. These plugins add the three strikes and you're out system, immediately block invalid logins, and give you additional protection against other sorts of attacks you are at risk from.

Stay Up to Date

Also, keep your core software, themes and plugins up to date, and remove inactive, unused or obsolete themes and plugins. The nice thing about WordPress is that there are often many plugins that do the same thing, so when one fades away a new one, often with better features and tighter security, will appear. Staying up to date is vital to keeping the bad guys out.

Again, Don’t Default!

To complete this first round of securing your site against the majority of attacks, we again look at the default installation. Many hosts have what's called a "one button installer". These are great utilities that streamline things and make it easier for you to install programs, but they also set things up to the defaults. The default database prefix for WordPress is WP. Simply changing this prefix to something besides WP will make some other types of attacks, ones that do not require a login, much harder to carry out. Much as you don't answer to a different name, they could try accessing WP all they want, and if the prefix is JP it will never answer and they will never get in.

So to summarize:

1: Use a different username. Do not use "admin".

2: Use a login strikes system and immediately block invalid login attempts.

3: Use a good firewall such as Wordfence or iThemes.

4: Change your prefix to something besides "WP".

5: Stay up to date and remove unused and unsupported add-ons.

This is by no means an in-depth, all-inclusive list. Securing a website does take more, but doing these five simple things puts your site's security ahead of most other sites. Do these five things and you run a very good chance of not being one of the hundreds of sites vandalized each day.