5 Simple Steps to Achieve Better WordPress Security
Hackers attack websites every 39 seconds on average, a Clark School study at the University of Maryland shows. Since more than 40% of the web runs on WordPress, it is one of the most popular targets for attackers. What is more, as open source software that any developer can contribute to, its code can contain vulnerabilities. Cyber criminals take advantage of WordPress security vulnerabilities and of other issues that are easy to avoid, such as common usernames, weak passwords, and outdated plugins.
Thankfully, there are at least 5 easy things that you can do, usually without the help of a developer, to improve your WordPress security.
Most Common WordPress Security Issues and Vulnerabilities
But first, let's take a look at some of the most common WordPress vulnerabilities and issues that cyber criminals tend to exploit when attacking a website:
- Out-of-date core software
Running out-of-date core software is one of the first things attackers look for in a website. That's why you need to keep watch for updates to every program or library your site relies on.
- Outdated themes and plugins
Make sure all your themes and plugins stay up to date, so that any existing bugs get fixed with the newest release.
- Brute force attacks
You can stop brute force attacks in several ways such as using a security plugin or having brute force mitigation with your web hosting provider.
- Malware
Prevent the injection of malicious software into your website with measures such as regular malware scans and cleaning services.
- Denial of service attacks (DoS) or Distributed denial of service attacks (DDoS)
One way to mitigate these attacks is a caching system or a DDoS mitigation system built into your web hosting provider's infrastructure.
- Poor hosting environment
When searching for a hosting partner, make sure they have a good reputation, deep WordPress knowledge, and above all, can be trusted.
This is only a short overview. Watch the full video below for more in-depth information about these vulnerabilities and the things you can do to protect your site.
Improve Your WordPress Security in Five Easy Steps
Are you ready to address these vulnerabilities on your own? To take the burden off your shoulders, I've got you covered with five easy steps to follow in order to make your WordPress website more secure in just a few clicks:
1. Change the Admin Username
This one is a no-brainer. If you are still using admin, administrator, or anything really easy to guess as your administrator's username, STOP! To compromise your site, an attacker needs two things: a username and a password. If you use a default admin username, then you've given them half of what they need. Let's make it a little harder, shall we?
To change the admin name manually, you need to:
- Log in using your existing Admin account.
- Under "Users" click "Add New".
- Create a new user account and make it an Admin. Make the username anything you want, except for Admin, Administrator, or your name.
- Log out of WordPress and log back in using your new Admin account.
- Click on Users to list the users, and under your original admin account, click "Delete". Make sure you select "Attribute content to" and select your new admin account, so you don't lose any content.
If you want to disable common usernames in just one click, install the SiteGround Security plugin. It's a free tool that provides you with easy options to protect your site and will greatly improve your WordPress security. Use it to disable the creation of common usernames and if you already have one or more users with a weak username, it'll ask you to provide new one(s). Additionally, when toggled, a pop-up window will appear where you'll be able to choose a new username and automatically replace the existing weak one(s).
2. Enforce Strong Passwords
Yes, most people love using their birthday as their password. You know who likes it most of all? Attackers. See, weak passwords are easy to guess. If you post on social media:
"ZOMG, My Little Pony II is my FAVOURITE MOVIE! Going to see it tomorrow for my birthday!"
You've just given an attacker a critical piece of information. At this point, they are going to start trying passwords and usernames related to the movie and/or your birthdate. Anything you've posted on social media gives attackers a little more information to work with. This isn't necessarily a WordPress security issue, it's a failing of humans.
HINT: l33tsp34k ("Leet Speak"), or replacing letters with numbers, doesn't fool attackers either. They figured that one out before you did.
So what works? Strong passwords. Long, random strings of letters and symbols are great. The problem with this is that, since they are hard to remember, we tend to write them down. If you lose the book you wrote them down in, then an attacker has the keys to the kingdom. (The book being physical OR electronic.) If you are in the habit of doing that, I'd strongly advise you to check this article on securing passwords with Have I Been Pwned.
WordPress now has the functionality to generate strong passwords, but it doesn't require them. There are plugins however that will enforce this for you. If you go to wordpress.org/plugins and enter "strong passwords", you'll find several to choose from. Install one of these plugins.
If you have regular users as well as admin, authors, etc., you may want to only enforce strong passwords on your higher-level accounts to reduce the friction your users have in registering and logging into your site.
If you are wondering how to deal with strong passwords without writing them down, invest in a password manager. Most modern ones work on both desktop and mobile and will sync your data across all your devices.
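The points above (guessable passwords, leet-speak substitutions, personal details from social media, and enforcing the policy only on privileged roles) can be turned into a concrete check. The following is an added example and not the SiteGround plugin's code or any specific WordPress plugin; the role names, the `COMMON_PASSWORDS` sample and the leet mapping (which resolves the ambiguous `1` to `i`) are constructed assumptions. A real deployment would check candidates against the Have I Been Pwned range API or a full breach corpus rather than a ten-entry set.

```python
import re
import secrets
import string

# Constructed sample of passwords seen in breach dumps (assumption: a real
# deployment checks the Have I Been Pwned range API or a full corpus instead).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "iloveyou", "welcome", "admin", "monkey", "dragon",
}

# Leet-speak substitutions attackers already try; undo them before comparing.
# The ambiguous "1" is resolved to "i" here; attacker wordlists try both.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})

# Hypothetical policy: only these roles must satisfy the strict rules.
ENFORCED_ROLES = ("administrator", "editor")


def normalize(pw: str) -> str:
    """Lower-case and undo leet substitutions so 'P@ssw0rd' compares as 'password'."""
    return pw.lower().translate(LEET)


def letters_only(s: str) -> str:
    """Normalized form with everything but a-z removed, for dictionary matching."""
    return re.sub(r"[^a-z]", "", normalize(s))


def check_password(pw: str, personal_terms=(), min_length: int = 12) -> list:
    """Return a list of policy violations; an empty list means the password passes.

    personal_terms are things an attacker could learn from social media
    (favourite movie, pet, birthday) and are rejected even when leet-encoded.
    """
    problems = []
    if len(pw) < min_length:
        problems.append("too_short")
    norm = normalize(pw)
    letters = letters_only(pw)
    if norm in COMMON_PASSWORDS or letters in COMMON_PASSWORDS:
        problems.append("common")
    for term in personal_terms:
        for word in re.split(r"\W+", term):
            w = letters_only(word)
            if len(w) >= 4 and w in letters:
                problems.append(f"personal:{w}")
    # Years (1900-2099) and 6-8 digit runs are almost always birthdays or dates.
    if re.search(r"(19|20)\d{2}|\d{6,8}", pw):
        problems.append("date")
    return problems


def must_enforce(role: str) -> bool:
    """Apply the strict policy to privileged roles only, to limit friction for ordinary users."""
    return role in ENFORCED_ROLES


def generate_password(length: int = 20) -> str:
    """Random password from a CSPRNG; keep it in a password manager, not a notebook."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed inputs mirroring the social-media post quoted in the text.
    leaked = ["My Little Pony", "1990"]
    candidates = [("administrator", "MyL1ttleP0ny1990!"),
                  ("subscriber", "P@ssw0rd"),
                  ("administrator", generate_password())]
    for role, pw in candidates:
        verdict = check_password(pw, leaked) if must_enforce(role) else "not enforced"
        print(f"{role:14} {pw!r:26} -> {verdict}")
```

`check_password` returns codes rather than raising, so a plugin can show all violations at once on the profile form; `must_enforce` is where the "privileged roles only" decision from the paragraph above lives.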
In case you want to learn more about the importance of WordPress security and to discover more than 20 tips on how to keep your WordPress website safe, get SiteGround's free ultimate guide to WordPress security:
3. Implement Two-factor Authentication
"Two-factor Authentication", or 2FA, is not a new security concept. For decades, financial institutions have relied on "fobs" (small devices you can attach to your keyring that have a display and give an ever-changing number) as an additional factor in logging in.
The overarching security concept is "Something you know, something you have, something you are." In 2FA, we pick two of these. When you log into a website without 2FA, you only use the "something you know": the login and password. Regardless of how strong you think those are, there is a chance that they can be compromised. 2FA adds a layer on top of that, the "something you have".
These days, instead of having to issue each admin user a fob, we have smartphones and software that can take the place of fobs. If you have a modern smartphone (one made in the last 5 years) it can run an app that functions as the "something you have".
The most commonly used (although by no means the only) app for 2FA is "Google Authenticator". It's the most common because it is free. Before you go down the road of 2FA, make sure that Google Authenticator is available for your phone.
If you already use a plugin like the SiteGround Security plugin, you've got everything you need to set up 2FA. You just need to enable this option from the plugin's dashboard and all admin and editor users will be asked to configure their two-factor authentication on their next login.
Once 2FA is implemented, after your user clicks the login button they will be taken to a second login screen that asks them for their "token". If they have set up their app properly, they will open the app, find your website in it, and type in the number on the screen. This number changes every 30 seconds. The number is called a "Time-based One Time Password" (TOTP). Your phone and the plugin share a secret that was set up when the user enrolled, so both know how to calculate the number, but no one else does. When the user types in the token and presses the button, the plugin calculates the appropriate TOTP for the current time and verifies that it matches what the user typed in. Based on that it will either allow or deny the login.
Keep in mind that some 2FA systems are not based on apps but on text messages sent to your phone with the tokens. Beware that these are not secure, so you need to avoid them.
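The token exchange described above follows RFC 6238 (TOTP) on top of RFC 4226 (HOTP). The block below is an added example of how the server side of that check works; it is not the SiteGround Security plugin's code or any WordPress plugin's API. The `enroll` and `verify_totp` names are hypothetical, storing each user's secret and last accepted counter in a database is assumed, and the `otpauth://` URI is the format authenticator apps such as Google Authenticator import from a QR code. It also handles the two details the paragraph does not mention: tolerating one step of clock drift, and refusing a token that was already used.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step); the phone runs this."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, *, step: int = 30,
                digits: int = 6, window: int = 1, last_counter=None):
    """Return the counter that matched, or None if the login must be denied.

    window allows +/- that many 30-second steps of drift between phone and server.
    last_counter is the counter of the last code accepted for this user (assumed
    to be stored per user); any counter at or before it is refused so a captured
    token cannot be replayed within its validity window.
    """
    submitted = submitted.strip().replace(" ", "")
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    base = at // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if last_counter is not None and counter <= last_counter:
            continue
        # Constant-time comparison so response timing does not leak digits.
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def enroll(issuer: str, account: str, secret: bytes = None):
    """Create a per-user secret (hypothetical helper) and the otpauth:// URI an
    authenticator app imports, normally rendered as a QR code on the enrollment page."""
    secret = secret or secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
           f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")
    return secret, uri


if __name__ == "__main__":
    # Constructed enrollment for a hypothetical admin account.
    secret, uri = enroll("Example Site", "admin@example.test")
    print("Provision the phone with:", uri)
    now = int(time.time())
    code = totp(secret, now)                 # what the phone displays right now
    print("Phone shows:", code)
    matched = verify_totp(secret, code, now)  # second login screen checks it
    print("Login allowed" if matched is not None else "Login denied")
    # Presenting the same token again is a replay and must be refused.
    print("Replay accepted?", verify_totp(secret, code, now, last_counter=matched) is not None)
```

After a successful check the server stores the returned counter as the user's new `last_counter`; that single integer is what turns a "valid for 30 seconds" code into a genuinely one-time password.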
4. Enforce HTTPS
This one you should already be doing. If you've been living under a rock though, a couple of years ago Google came right out and said that if your site isn't running HTTPS, they will rank it lower than sites that are. SEO aside, HTTPS keeps all your traffic encrypted and away from prying eyes. If you are not running HTTPS, any user sitting in a coffee shop is broadcasting everything to anyone who cares to watch (technically, "sniff the Wi-Fi").
If you are not using SiteGround, then this involves working with your hosting provider to purchase and install a secure certificate. Then, you need to tell WordPress to change its URL to HTTPS.
If SiteGround is your hosting partner, all you need to do is use the SSL Manager to get a free "Let's Encrypt" certificate. Once SiteGround's control panel obtains and installs the certificate for you, all you need to do is click "Enforce HTTPS" and voila, your entire site is now encrypted.
5. Keep Your Plugins up to Date
I don't mean just the main ones, I mean every plugin you have installed on your site, every time there is an update. Why is it important to keep your plugins updated?
The main reason is of course WordPress security. Good plugin authors address WordPress security issues when they are reported and release patches as soon as they can. If you have auto update turned on, you don't even have to do anything, you'll get the new code. If you don't, then, as soon as you log in and notice that there are updates, go to Plugins, click on the update buttons, watch them all update, and then try and remember why you logged in in the first place.
If you are a SiteGround client, you can take advantage of the SiteGround WordPress AutoUpdate tool. It keeps your WordPress sites safe and up-to-date at all times. Among other things, it also takes care of your plugins: you can enable the plugin auto updates option from its settings. If you do enable that option, on each WordPress update performed, SiteGround will check if your plugins are up-to-date too and if not, will update them for you.
If you can measure down-time in dollars, then it's worth your time to make sure you are always on the latest and greatest version of everything and that the important plugins on your site are constantly being maintained. Make sure that your WordPress security updates are among your top priorities.
Extra Steps to Make Your WordPress Site More Secure
For some extra tips on making your WordPress website even more secure, watch the full video below and then follow the recommended steps. Keep in mind that many of these you can do yourself in just a few clicks, if you are using the free SiteGround Security plugin.
Final Thoughts
The secret about site security is that it's not one big thing you do, it's about doing a lot of little things. These few easy steps will help you improve your WordPress website security. Each layer of security you add to your site makes it a little harder for attackers to get in. You don't have to have an absolutely secure site to be safe, you just have to create more work for the attacker than breaking in is worth. Attackers eventually get tired and move on to easier targets… those sites whose owners haven't read this blog post.
Comments ( 18 )
Eric
I have set up the SSL and enforced HTTPS, but both my sites show "Not Secure" in the browser window. How do I get rid of "Not Secure" to Secure?
Hristo Pandjarov Siteground Team
Use the SG Optimizer plugin, it will reconfigure your site to use https with one click :)
Tim
What about changing the login URL from wp-admin to something else?
Hristo Pandjarov Siteground Team
Simple but effective solution to block the most basic attacks. You should do it :)
Boris McWhiter
How do you do it?
Joel
How do you change the login url?
Hristo Pandjarov Siteground Team
You can use the custom login url plugin: https://wordpress.org/plugins/custom-login-url/
RSA
FWIW, the Customer Login URL plugin hasn't been updated in over 5 years. Wordfence calls it out as abandoned.
Hristo Pandjarov Siteground Team
Thanks for reporting this :)
Jan
Instructions available for Site Tools, but what about cPanel? Where is SSL manager for cPanel? Don't forget your longtime loyal customers who you haven't migrated to Site Tools. There are quite a few tutorials that don't include cPanel instructions. Very confusing and frustrating.
Hristo Pandjarov Siteground Team
The SSL Manager is available for years in cPanel. You can follow this tutorial: https://www.siteground.com/tutorials/cpanel/cpanel/ssltls-manager/
John Paul
4. Change the default login url.
Gali
Hi, I was told to change the wp-admin to a less known and meaningful string, let's say 'bigjaw'. How do I do that?
Hristo Pandjarov Siteground Team
You can use one of the many plugins for custom login url in the WordPress plugin repository :)
Haris
Will changing the wp-login directory mess with plugins, themes, or updates?
Hristo Pandjarov Siteground Team
If done properly - no.
Robbin
Good article. Keep posting informative posts. https://www.promocodeshub.com/hostgator-promo-codes
Kathy
Really appreciate ALL your tips and advice, as I am a novice in this world of creating and maintaining a website. Great support, thank you. :-)