10 Steps to a Secure WordPress Website

Reader Comments (138)

    • It’s not a matter of being outdated — the math doesn’t actually change. Multiword phrases have always been even better than code strings. If you read the article, a random 6-character string will still take 219 years to break with a brute force attack. I do like multiword phrases because they’re extremely secure and they’re something a human can remember.

      • Sonia, agreed. The key is making the transition from simple to some level of complexity. Combining these password recommendations with software solutions that “put delays” in the process can easily push that math out by 20X. These solutions include the Limit Login plugin for WordPress and “Fail2Ban” on the server side for FTP/SFTP.
        Ben, thanks for sharing as the math chart helps to clarify.

    • Ben, great link. I’m not necessarily sure I’d say that the password policy described in the article is “outdated,” as even the article you link to states that “gibberish” passwords are essentially secure; but, it does make the great point about spaces in passwords, which add an extra layer of security…plus provide the additional benefit of allowing you to use real words that can be more easily remembered. I’m all for any policy/strategy that increases security. Thanks for providing the link.

    • Yes. A good idea. Just be sure not to log into lifehacker with any password that you care about. When lifehacker was hacked, my email and password were posted in plaintext for the world to see. When LinkedIn was hacked many encrypted passwords were discovered by brute-force guessing. No matter how fancy a password is, it had better be unique to each site. I recommend 1Password, or a similar tool, to generate and store long unique passphrases.

        • Sherrell, yes you should start worrying. The hackers are out in force doing everything from sniffing wireless access points to simply brute force bombing sites to the tune of 5K tries per hour. If they don’t get it one way, they’ll try another. Get a good secure password manager and mix it up. You don’t have to go overboard. Just don’t make it easy for them.

        • And think about how many large sites have been broken into in the last year. If a hacker gets your password & login from one site, you’ve opened up every site you belong to.

    • I don’t believe it’s outdated. There are just some more tips out there that we could add to it like this link you have here. This is one of the reasons I like to read blog posts. I find more tips on the comments.

  1. I am one of the advocates who try to educate people on why it is so important to prevent getting malware for their websites, and the tips you shared are the first must-do steps for anyone with a WordPress blog and not only.

    Then they should look into securing the admin section with a security certificate and deny access to specific files and directories on the server, such as wp-config.php or wp-admin.

    • Eugen, great insight. We actually do a decent number of hard denies at Synthesis (e.g. readme.html) and custom denies for those who want them. I agree on the cert approach. Not always affordable for all but as a site grows it is worthy of consideration. Thanks for the input.

  2. Some great tips. One thing I’d like to add on the password issue. If your system supports it, use a passphrase. There is a great visual that demonstrates the passwords we are trained to use are actually a mess.
    http://xkcd.com/936/

    If you don’t want to click through, it basically says that complex passwords like “Xa3th3r#” look secure but are shockingly easy for a computer to crack using a brute force hack and are crazy hard to remember, especially if you are taking the time to protect each site with a different password. A passphrase is much easier to remember and much harder to crack. For example, I might use this on my design blog (might but don’t): “Wh!te spac3 is the right place to start your design!” Since it is my design blog it should be easy to associate with that and be different from the ministry blog that might be (but isn’t) “For G0d so loved the whole world that H3 gave H!s only son”.

    In other words, make your site secure and your life easier by using pass phrases when possible.

    • Nick, thanks for sharing. Combined with Ben’s comment above, there are some quantifiable rules readers can use.

      Personally, I’ve found password peace in utilizing a pass phrase and combining it with a Yubikey which generates a key based on a physical device. The device is smaller than any other key on my keychain and tough as nails.

    • This was mentioned in that Lifehacker article above — a six string random number takes more than 200 years to attack using brute force, which doesn’t seem too bad to me. 🙂 Note that Jerod recommends a password that is at least 10 characters.

      One problem with pass phrases (I’ve seen it) is they become hackable when you use a guessable phrase. Since many of us have such publicly visible personas, you want to be careful about using quotes, etc., even if you put some “Leet” character substitutions in.

      • A six string random number is very hard to memorize, which leads to putting it somewhere it can be found. Sad but true. What is worse, it might have once been something that can take over 200 years to guess, but with computer calculations increasing that is no longer true. It can be cracked in just a couple of days now.

        As for the guessable passphrase. Yes, that can be a huge issue. The same ideas that apply to passwords also apply to passphrases. Random is best, but if you pick a phrase that has meaning to improve the memorable nature of the passphrase, avoid things you say regularly. Try to use one non-dictionary word and avoid common phrases that might be included in a list of “top 1000 quotes” or something. See my examples (which are not pass phrases I use or even remotely close to the ones I use).

        • I use a secure password manager for that. And even a couple of days is fine for me — your host should be shutting down brute force long before that.

          My main concern is I don’t want anyone changing 9E1jS!0i,&d to “I love [my kid’s name].”

          I still think pass phrases are excellent, mind you. For any system that allows spaces, I’ve used them for a lot of years.

          • Plus 100 billionty for that. That is right up there with using your birthday or anything else that a tiny bit of research could supply. Personal information does not belong in a password in any way shape or form.

  3. Thanks for sharing these great steps to making sure your WordPress website is secure.

    Another point is to make sure you know when your hosting will renew. I didn’t choose to automatically renew my hosting and received the message, “This website has been temporarily suspended.” It was worse than receiving a rejection letter from a publisher! I immediately renewed my hosting and my writer website is up and running.

    I also think it’s important to use a ‘secure’ theme. The free WP themes are okay, but it’s better to buy a theme from a reputable company that updates its themes to be compatible with the latest WordPress installation and plugins.

    • Amandah, yes! It can be easy to overlook something like hosting/domain renewal, but those are fundamentals that simply need to be in place. Excellent tip. And I could not agree more on themes. It is so important for the theme you are using to be responsive, especially to WordPress updates. That is one huge reason why investing in a premium theme is worth it many times over.

  4. Jerod, This is very helpful and something I have been thinking a lot about lately. I like Nick’s idea of passphrases too that have to do with the blog’s theme. I am wondering now about cookies that remember our password on our computers. Are those a no-no?

  5. There are some nice WordPress plugins that make your site more secure, I believe I use WP-Secure on all my sites. I also run the sites using Cloudflare which keeps a lot of bad traffic from reaching the sites.

  6. I use managed hosting which focuses on speed and security.

    My site loads in under seconds and most of the time in under 1 second.

    I also install an all in one security plugin which covers the 7 most common methods hackers use to get into your site.

  7. I wrote an article for my blog on this very topic. Firstly, not every site allows a password phrase to be used so the mixture of uppercase, lowercase letters, numbers and symbols continues to be your best bet. I use Lastpass to generate and remember new passwords, then I just need one master password to get to my Lastpass account.
    If you have trouble creating a password, use some of the serial number of your phone, laptop, tablet, etc. These devices are always with you so remembering the password is a snap.
    http://www.writingsofamidlifeman.com/money/password-protection-made-kinda-easy/

    • Thanks for posting the link. Some good tips in there, especially for those who do want to stick with a long, random string. What you mention is a good way to keep it random AND memorable, which is such a big challenge.

  8. Thanx for this very useful reminder!
    Indeed when working online you can easily forget that you can get hacked…

    Not putting in place some security measures is like leaving the door to your brick and mortar business open at night….

    I need to review this part seriously!

    What about password managing software?
    Is it secure enough? Would you recommend using it?

    Thanx a lot

    • Checked it out and the lite version of that plugin does appear to make it pretty easy to change the admin user. Pretty robust plugin there that does A LOT. Worth a look.

  9. I agree, excellent (if somewhat terrifying) post. A real kick up the backside. Some great tips here that I’ll work my way through. The wobbly eyed Shining Jack Nicholson will give me nightmares tonight. I’ll probably have nightmares about Jack hacking my website!

    • Amanda, that was the idea! I tried to find the creepiest animated GIF I could. Didn’t take long once I saw that one! Security is worth getting a bit terrified about, so long as the terror drives useful action to make sites more secure.

  10. Great post. Passwords, admin users, etc. Those are all pretty standard but I like that you bring in the hosting aspect because this is incredibly important. Not only for your domain but if you’re on a shared server, every other domain as well. A hacked site that is sitting next to yours is going to impact your site in much the same way.

    • Mike: A thousand times…yes! So many people do not realize this as a risk of shared servers. Emphasis on the SHARED. This is why we put strict limits on our shared servers at Synthesis in terms of number of sites and what sites we’ll allow. It’s simply a must, and it is definitely a factor people need to consider when thinking about their hosting.

  11. Heh, I was about to say LastPass, but J.Delancy beat me to it. Anyway, thanks for this post. I’m fairly confident about my “skills” in protecting my own computer from unwanted entities, but protecting a WordPress website seems to be another matter.

    • Earl, WordPress definitely has some unique challenges when it comes to security. It’s just a matter of knowledge and follow through. This is also why so many serious WordPress users are shifting to WordPress-focused managed hosting, because that way you know that your site is being taken care of by people who really understand WordPress’ security issues and are proactive about them.

  12. Thank you so much for this article. I especially appreciate the numbers you shared – about failed log-in attempts. We see those on our site but weren’t sure if that was typical or not or we were being singled out.

    I sent the article to my IT guy (my son) to be sure we’re doing everything right.

  13. Thanks for writing about this, also. Just maybe a question and/or concern for #2.

    Although I haven’t seen any issues in the past few months, there have been a few times where updating WordPress to the latest version caused problems. In those few times, WordPress eventually came out with “emergency” patches for those updated versions.

    I guess you still recommend upgrading right away, or wait for a while before? How long or short, if ever?

    And re: vetting plugins. Another “tip” for other readers is to actively delete those no longer used as well: it makes for fewer things to worry about.

    Again, thanks for writing about this. Cheers.

    • Dave, it is usually okay to upgrade right away, but you’re right, occasionally it can have a hiccup. I would say if you have any trepidation, wait until you get the go-ahead from us at Synthesis and the folks at StudioPress (or whoever else you follow who are on top of these updates and will test them on their sites immediately).

      And great tip on plugins! I concur.

  14. I’d like to suggest using Google’s Two-Factor Authentication. There’s a WordPress plugin for using two-factor authentication, so setting it up is trivial.

    It is particularly good for securing blogs with multiple writers where you can’t always enforce good passwords.

    The main drawback is that everyone needs to download the Google Authenticator app which means all writers need to have smartphones. But if you’re blogging, you probably have a smartphone too.

    • Damon, I hadn’t heard of this before. It sounds intriguing. Thanks for sharing.

      And I issue this challenge…to anyone: find a blogger who does NOT have a smartphone. Can such a person actually exist in this day and age? Surely not… 😉

  15. Great advice – these things can be the difference between generating business on your website or losing it due to downtime. Love the tip on passwords – it’s tough to keep up with a lot of them, but at least if one account gets hacked, you’re not completely vulnerable.

    • Kristi, exactly! One of the *true* costs of using WordPress, or doing anything online, is the potential cost of downtime and the price to fix/clean up whatever caused it. Being proactive and preventative can help keep those costs down.

  16. Thanks Sonia for such great, inspiring advice about securing our WordPress website. I really think it isn’t healthy to wait till your password account is hacked to make necessary changes. We ought to renew them at least every time and use tricks that you believe nobody would install unwanted plugins! It is not that easy but we have to find our own ways to protect our documents. Really amazing and helpful information; look forward to seeing your next!

  17. The part about updating is VERY important! A friend of mine was hacked recently and when I sorted it out (he hosts with my web-hosting site so I was able to go in) I discovered he was using 2.5 still when the latest update was 3.2! :O

    • Dean, great point. The recent 3.4.2 release has some security fixes that are pretty important. The community and core devs have done a fantastic job of making upgrades easy and not breaking things. No reason not to keep up. If you are modifying core or your theme falls apart on upgrade, now is the time to go mainstream. If not, the hackers will sure “upgrade” your site for you. Their upgrades, however, aren’t the code you want! 🙂

  18. I do #1 and might have done #3. The other 8 I don’t understand or don’t know how to do or both. Perhaps the answer is in your title – a WordPress Website. Is that different from a WordPress blog, which is what I have?

    • Good question Don. WordPress has evolved so much from its beginnings that whatever the qualifier – website, blog, etc, – it’s still all WordPress. Because WordPress is really a content management system. It is used to build websites – all the way from complicated ecommerce websites to simple blogs. They are all WordPress and all will share similar security strengths and potential weaknesses. So there really is no difference between a WordPress “website” or a “blog” in this sense. If you run WordPress, all of the above tips are worth keeping in mind to keep your site safe.

  19. Thanks for the article. We all need to be more proactive about our personal account security. One thing I am glad you mentioned is taking advantage of the 2FA (2-Factor Authentication). Although it’s been around for a while, more and more sites are starting to offer and promote this option. 2-Factor Authentication for banking wins every day. I feel suspicious when I am not asked to telesign into my account by way of 2FA, it just feels as if they are not offering my sites enough protection. I know some will claim this make things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. This should be a prerequisite to any system that wants to promote itself as being secure.

  20. Jerod, thanks for the article. I am shooting it around the office to make sure we are all updated. Other than the first three, number eight really resonated with me. As soon as I read it I pictured the 5 to 8 unused plugins just sitting in our blog. Again thanks for the article, it is very easy to fall into a false sense of security.

    • Indeed it is. And it’s something to be constantly vigilant about. As closely as I try to monitor this stuff myself, I just realized the other day that a blog I set up but haven’t used in a while had a few inactive plugins on it. Got them out of there immediately. No sense leaving any potential holes, even if the possibility is remote, especially when no value is being provided.

  21. An incredibly useful post from the guy who answers my emails whenever I need help…..Thank you Jerod.
    Synthesis actually helps me sleep at night. The support and peace of mind is worth the monthly cost alone.

    • That’s why we are often referred to as the “Ambien of Managed Hosting Providers.” Okay, so that’s not really true at all, but we certainly do take pride in helping our clients sleep at night. That’s what we’re here for!

  22. Hi Jerod,

    I’ve had a couple of WordPress installations hacked and it’s not fun at all !!!

    … really annoying.

    I thought I already had a secure WP configuration by now but there’s always something more to learn.

    Thanks.
    /Daniel @ForgetMeNutz

    • No, it is absolutely no fun. Glad you were able to find some additional info to make your WP sites even more secure. Indeed, with security, there is always learning to be done because the landscape constantly changes.

  23. Being a website/blog developer myself, I want to take all of these steps, wrap them up in a pretty box and promptly beat them over the heads of several of my customers who still think that using the login “admin” and the password “changeme” is safe enough 🙁

    I’ve changed my thinking about my customers (and my own) WordPress installations as a two fold process. The first being the initial install and then, before any themes or plugins, get that puppy secured. I’m also backing up my sites regularly to 2 alternate sites as a CYA measure in case one gets hacked or jacked.

    In regards to password management programs, I’m using DataVault Password Manager (http://www.ascendo-inc.com/DataVault.html). The database is secured by a master password and can be synced to my iPhone. If I’m ever at a customer’s site and they lost the sticky note that had their password on it, I can securely access DataVault and retrieve it.

    P.S. The animated graphic brought the phrase “Don’t let your site get hiJACKed” to mind.

  24. Useful tips, there’s nothing worse than logging on one day and finding out someone has destroyed a blog with months of your hard work. Now I always backup.

    • Luis,
      I use Backup Buddy on all my sites and it has worked seamlessly for me and my clients. It has a malware scan built in that is powered by Sucuri. As a WordPress developer, Backup Buddy is especially awesome at migrating a site from a test site to the end host or in the case of a total restore of your site. (The only thing I wonder about is that it doesn’t encourage you to put in those Secret keys in the config file during the process so I am less inclined to do that than during a fresh install of WordPress.)

      I’d be happy to hear if there are any other recommendations for backup software.

  25. You forgot a HUGE one!

    Automated WordPress hacks take advantage of being able to run code against the /wp-admin/ directory. So protect that directory. Use a .htaccess to require that they authenticate to Apache before they even get a chance to try to talk to WordPress. Chances are, their scripts aren’t written to even be able to handle the case that they need to authenticate twice.

    • (The reason to do this, is that good passwords don’t mean squat diddly doo when the problem is an actual WordPress vulnerability, nothing to do with having logged in legitimately. The way there are new WordPress vulnerabilities released weekly means you simply can’t trust any of the “security” WordPress has put in place.)
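One way to put the Apache-level authentication described in this comment in front of wp-admin, as an added example that is not from the original post or any commenter. It assumes Apache 2.4 directive syntax, that AllowOverride permits AuthConfig directives in .htaccess, and that the credential file path shown is a placeholder you replace with your own location outside the document root.

```apache
# --- file: wp-admin/.htaccess (added example; Apache 2.4 syntax assumed) ---
# Apache demands HTTP Basic credentials before the request ever reaches
# WordPress, so automated scripts hitting /wp-admin/ get a 401 first.
# Create the credential file once, outside the web root (assumed path):
#   htpasswd -c /etc/apache2/wp-admin.htpasswd someuser
# Serve the site over HTTPS, since Basic auth sends credentials base64-encoded, not encrypted.
AuthType Basic
AuthName "Restricted area"
AuthUserFile /etc/apache2/wp-admin.htpasswd
Require valid-user

# Caveat: admin-ajax.php lives inside wp-admin but is called by many themes and
# plugins for logged-out visitors (front-end forms, search, load-more). Exempt it,
# or those features break. In 2.4, "Require all granted" in the more specific
# <Files> section replaces the enclosing Require and is satisfied without a login.
<Files admin-ajax.php>
    Require all granted
</Files>

# --- file: .htaccess in the WordPress document root ---
# wp-login.php is NOT inside wp-admin, so the block above does not cover the
# login form itself; the same credential file protects it here.
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /etc/apache2/wp-admin.htpasswd
    Require valid-user
</Files>
```

Test the exemption after enabling it by fetching /wp-admin/admin-ajax.php while logged out: it should answer (typically with "0") rather than prompt for credentials.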

  26. You cannot take this post seriously enough if you run WordPress websites and especially if you make your living from them. I learned the hard way from hackers who exploited an inactive plugin and gained access to our FTP directory. Once inside, they set up a bank phishing scam (posting a fake Wells Fargo login page on our server and site), a spam relay that sent 3.2 TB of data in 4 days, changed Google AdSense accounts so that our clicks were registered to their account and they got the money, and defaced one of the sites completely.

    Since then, we’ve implemented the steps above and more.

    Here’s an example of what a brute force attack looks like that was thankfully prevented by Limit Login Attempts:

    http://cloud.vincentpolisi.com/Sparrow-20121027-115915.jpg

    As you can see, they are automated and relentless.

    Do not wait until it is too late to implement these steps.

    DO IT NOW!

    It cost me over $2k to eradicate the numerous issues, rebuild the server that had to be nuked, scan each file in every directory manually prior to migration, obtain the requisite software and code and pay for data transmitted via the spam relays, not to mention the lost revenue from AdSense.

  27. Great List. My thought is to be sure to modify the Admin to another name and then make sure it shows up as a different name when you make comments or write articles.

    Rick

  28. Great data on WordPress security problems and ways to handle them; furthermore, several new things to think about if we want to guard our WordPress blog from hackers.

  29. Good tips, but I think that you always can find a guy with the right skills and enough time to break into anything. I also think that it is a good idea to make things difficult for that guy, if he is trying to break into your system. Thank you for the tips. 🙂

  30. A great reminder of the importance of security. I’m beginning to get resistance from a few clients on the security of WordPress. It helps to see some well penned and thought out articles to refer them to and work from.

  31. I really appreciate this article, it’s given me some great ideas, and also prodded me into not putting off my change of Passwords on my To Do List any longer.

    I went to your link to PCMag and then to their How Secure is Your Password link. I typed in my best passwords – 6 thousand years to hack them but….now I’ve added them to that site’s database, and they are probably linked to my IP number as well.

    Do I now have to think up some new ones that I didn’t check with the How Secure is Your Password software?

    I feel as if I’ve been half way around the world, only to end up where I started! But now I’m much better informed, thanks to you. :) Thank you.

  32. Great List. My thought is to be sure to modify the Admin to another name and then make sure it shows up as a different name when you make comments or write articles.

    rahul

  33. I just experienced my website being hacked for the first time. Not pleasant. As someone who isn’t technical in the least, it isn’t easy to know where your site might be weak, so I found these tips very useful. I have had some expert help in sorting it all out and putting in new measures to tighten security up. I think the big learning is to ensure that procedures are checked and actioned regularly just like any other area of my business.

    • Bad luck All. Did you find out how and where the hacker broke in? I’m sure there are others here that would like to know.

      And glad you were able to sort it out.

      • I’m afraid I don’t know, Carol. But after the mess had been put right by my technical support we did start on a clean up and I realised I had old themes and plugins that had been there an age. Suffice to say all cleaned up and secure now and new procedures in place. A real eye opener and a steep learning curve for a non-technical person.

  34. Thank you guys for these great tips, especially the plugin “Limit Login Attempts”. I am running a blog for almost 6 years, but haven’t heard about this kind of threat yet. After installing the plugin I have seen 60 login attempts. That resulted in 15 blocked IPs so far. And it all happened in less than 24 hours!

    If you have a blog then this (or a similar) plugin is a no-brainer. My password was only 8 characters long. Sooner or later one of these login attempts would have been successful. I don’t want to imagine what they would do to my website…

  35. I just started using WordPress over another CMS and these were great tips. I have had sites hacked in the past and it is a nightmare.

  36. Thanks, really nice tips. Love to read this. So far, from all that I know, WordPress is the best choice of CMS for building a website/blog. So easy to use, comes with complete features.

  37. Thanks! As a new person to blogging, but not to web development, it’s great to see a summary of the issues we need to be aware of, and some solutions to go with it. This will save us all not only from hackers, but time as well.

    Keep up the great work

  38. Hey Jerod, Thanks for a great article. You know it is so easy to just neglect important things like updating plugins, theme, etc. I know personally I see the little icon to update yet I don’t. I’ve had problems in the past updating without having a backup and so when I think about doing it I feel overwhelmed and don’t bother.

    But the past few weeks have had me freaking out a little with this botnet scare. 90,000 IPs grabbed…wow? In the past few days I have been reading tons of articles trying to find a solution that is fast and tech friendly. Unfortunately, I’m a real non-techie and need simple solutions.

    I came across this article and wanted to share. Here’s the link http://www.securescanpro.com/wordpress-tops-headline-news-in-the-past-week/. I think this company is trying to address this immediate concern, but is also looking at the long term. Who knows what’s to come next and that scares me as well. I’m gonna try this option for myself and maybe it is something that can help others as well. Thanks

  39. Cristina, thanks for sharing the link. One caution I have on changing user names is BACKUP your database before you do it. If posts are re-assigned properly, they’ll all go into “draft” mode and you can get yourself in a pickle very quickly.

    The brute force issue has been brewing for some time. Though there are several ways to approach, we’ve seen some really reactionary policies implemented across hosts and sites that are a) creating lots of false positives and b) not really working out for the writers that make the site work. We are pretty proud of the smart approach we took at Synthesis over a year ago as we’ve really eliminated false positives and let the writers do their thing. I also encourage site owners to consider two-factor. Personally, I like physical authentication and have a YubiKey on my key chain. Krebs covers some good digital alternatives in this really well written article on the WP brute force situation. http://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/ .

  40. Hey Jerod, loved all the 10 steps. It’s really frustrating feeling when a rookie hacker hones his skills with our WordPress blog.

    Yep, one must clean their WordPress blog like they clean their kitchen. Loved that point.

    Well, there are a lot of useful WordPress security plugins as well that can help to secure a WordPress blog.

  41. Never knew my WordPress website was not secure. I have not done 3 of the things listed in this post, never cared about malware, and had a very insecure password (changed it, thanks to you).

  42. Do you still recommend Synthesis for website hosting? I noticed that Yoast also recommended them as well. I’m about to give them a try since my old shared server with Hostgator had some issues with the other sites hosted on the same IP 🙁

    • >>>Do you still recommend Synthesis for website hosting?

      Them is us. 😉 Synthesis is a division of Copyblogger Media, so we still recommend it (and host our own sites with it).

  43. I recently had a few sites of mine hacked, so these tips are great advice. I am using Wordfence as well and that is great for stopping hackers trying to get in also.

    I have invested in an Australian hosting company too, and their security is impeccable.

  44. Hey Jerod,
    All the steps you mentioned are required for protecting a blog from various attacks. The first step to protect a blog would be strong passwords – a combination of symbols, capital letters and numbers is the best thing to make it almost impossible to hack.
    There are many plugins as well that can help bloggers in protecting their blogs but if you know how to do it manually there is no need of any security plugins.

  45. Great tips, but, IMO, security actually starts at home, i.e., the local machine, 127.0.0.1, whatever you wish to call it. So I would add:
    * Make certain your PC is clear of malware. If the PC has a bug on it that phones home your login credentials to its command-&-control server, consider your website toast.

    * Make certain your network is secure. If you use wireless, change the default username & password for your router (tip #1), and choose the highest level of wireless encryption your devices will support (WPA 2 is best). Since WEP was broken long ago, & WPA has also been cracked, if there are devices on the network that don’t support WPA 2, consider replacing them. Put antimalware software on mobile devices that access the network, &, if not using wireless, turn it off at the router.

    * Closely related to #2, logging onto your website from an unsecured wireless connection at the airport, your hotel, or the nearest internet cafe is always a bad idea. & lastly, use secure FTP rather than FTP when transferring files to & from the website.

    In summary, both charity & security begin at home.

  46. I have done all the points you have written in this article. But one point, which is Monitor changes made to files, is not understandable by me. So can you explain this topic for me? And please don’t say to install a plugin, as I am already using 10 plugins and I do not want to install more plugins.
    Thanks, regards
