WordPress Security: 5 Ways to Keep Your WordPress Site Safe

With something like 65 million active sites, WordPress has proven to be one of the most popular website platforms. Originally developed as a blogging platform, it has evolved into much more. Now WordPress is used as a CMS (Content Management System) for e-commerce sites, small business sites and more.


Aside from its flexibility, ease of use, and general all-around coolness, WordPress has a good track record on one thing that matters here: when a security issue is discovered, a patch usually follows quickly.

But the bad guys are always trying to get in the door, and if you are not careful your site can be compromised.

I've been managing WordPress sites since 2006, and in that time I've learned a few things about keeping them safe. So here are 5 ways to secure your WordPress site:

1. Secure Your WordPress Administrator Account

It used to be that during installation WordPress created a user with administrator privileges named "admin." That changed in an update a few years ago: you can now choose the administrator's username during installation, but of course many people stick with the default.

Millions of WordPress sites were installed before that option existed, so there are literally millions of sites out there with an administrator account named "admin." An attacker who already knows half of the credential pair only has to guess the other half.

That leaves only a password between those sites and disaster. And there are a lot of weak passwords out there.

The bad guys know this, and they are working hard to exploit it. Cloudflare recently reported a large-scale brute force attack aimed at the default "admin" user on WordPress sites: a network of compromised home PCs was running a program that tried to log in to WordPress sites with the username "admin" and thousands of candidate passwords.

Once a site is compromised, it can be used to spread more malware, or the server could be used to launch more attacks.

So, when you install WordPress, be sure to change the default username, and do not use your author name, which is far too easy to figure out. In a perfect world everyone would use a string of random characters, like a secure password, but this is not a perfect world, and many users would complain loud and hard about that requirement. At least use a combination of letters, numbers and special characters in your username. Keep in mind that an obscure username is a speed bump, not a lock: WordPress exposes author names in places like the author archive URL, so an attacker can often discover the username anyway. The password is what has to hold.

Once a WordPress account is created you can change just about anything, but not the username. If you are in this position there are a couple things you can do:

Change the Admin Username in the Database Using phpMyAdmin

OK, you can change the username in the database, but this is more advanced and I really don't recommend you try unless you know exactly what you are doing. So if you have the skills to do it, great, but I'm not going to explain it here. Just be sure you take a backup of your database first, because if you mess it up there is no return.

Create a New Admin Account and Delete the Default

Log in with your "admin" account, go to the Users section of the Dashboard, and create a new account with administrator privileges. WordPress will not allow you to use the same email address on more than one account, so you can either change the email on the default "admin" account first, or use another address for the new account. You can change it to the email you want once you delete the default account.

Be sure to use a good username and password. I can't tell you how many times I've found people using things like the names of their children or a pets name for a password! Passwords should be a mix of upper and lower case letters, numbers and special characters.

Whatever you do, don't use your birthday, your kids' names, or the name of a pet, unless it's something like thu#YhaAe45&!:

"Here thu#YhaAe45&!, here boy!" Yeah, right.

I do understand the argument that you won't remember such a crazy password, but there are ways to work it out. You can use one of the many programs out there to create and store secure passwords. I use a password manager called LastPass, which stores my literally hundreds of passwords. My wife uses the first letter of each word of a line from one of her favorite songs, mixing upper and lower case letters of course, plus a number and a special character.

Once you have created the new user, log out of the default account, log in as the new user, and delete the "admin" account.

When you delete the default "admin" account you will have the option to assign ownership of the posts belonging to that account to another user, so nothing will be lost. Your insecure "admin" user will be gone and your site will be much safer.

2. Secure Your WordPress Login Page

I run a plugin that notifies me of failed login attempts via email (discussed later in this post), so I discovered that recent brute force attack when my inbox was filled with hundreds of emails informing me of failed attempts to log in to this very site, all with the username "admin" or "administrator."

I deleted the "admin" user long ago, but just to be sure that there was no chance they would figure out a way to log in to the site, I installed the Stealth Login Page plugin (http://WordPress.org/plugins/stealth-login-page/):

Without locking down access via IP address or file permissions, this plugin creates a secret, customizable, login URL string. Those attempting to gain access to your login form will be automatically redirected to a customizable URL.

So I am now redirecting those bots to Google. The moment I turned on the redirect those emails stopped. And it only took 2 minutes to set up.

3. Turn Off the File Editor

WordPress allows administrators to edit theme and plugin files from the Dashboard. There is a pretty good chance that this is exactly what an attacker will do if they should happen to crack your password and log in: paste a backdoor into a theme or plugin file and they have code execution on your server without ever touching FTP. Fortunately it is an easy fix to make sure files can't be edited from the WordPress Dashboard.

All you have to do is add this line to your wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

Then when the theme or plugin editor is accessed, WordPress will return a page that says "You do not have sufficient permissions to access this page." Note that this removes the editor only; an administrator can still install a plugin from a zip file, so it raises the bar rather than closing the door.

For newbies: you can reach the wp-config.php file through your hosting account's file manager (usually cPanel), or via FTP (use SFTP if your host offers it, so your credentials are not sent in clear text).
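As an added example (not from the article), here is a wp-config.php fragment that puts the line above beside the stricter DISALLOW_FILE_MODS, which also closes the plugin-upload route. Both are real WordPress constants; the placement note and the trade-off comment are mine.

```php
// Added example for wp-config.php. Put these lines above the
// require_once(ABSPATH . 'wp-settings.php'); line near the end of the file.

// Removes Appearance > Editor and Plugins > Editor from the Dashboard, so an
// attacker who gets an admin password cannot paste a backdoor into a theme or
// plugin file from the browser...
define('DISALLOW_FILE_EDIT', true);

// ...but they could still upload a plugin zip that contains one. DISALLOW_FILE_MODS
// also disables plugin and theme installs, uploads and updates from the Dashboard
// (it implies DISALLOW_FILE_EDIT). Enable it only if you apply updates some other
// way, e.g. from version control or the command line on the server; otherwise you
// have no way to install patches, which is worse than leaving the editor on.
define('DISALLOW_FILE_MODS', true);
```

Set DISALLOW_FILE_EDIT on every site. Add DISALLOW_FILE_MODS only where someone is responsible for updating WordPress outside the Dashboard.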

4. Monitor Your WordPress Site with Wordfence

Wordfence (http://WordPress.org/plugins/wordfence/) is:

a free enterprise class security plugin that includes a firewall, anti-virus scanning, malicious URL scanning and live traffic including crawlers. Wordfence is the only WordPress security plugin that can verify and repair your core, theme and plugin files, even if you don't have backups.

Wordfence runs a regular automated security scan and sends me an email if it finds anything I need to know. It informs me when updates are available, and it monitors login attempts.

Wordfence sent the emails informing me that someone was trying to get into this site with the "admin" username.

It allows you to block IP addresses, certain browsers, or even certain browsers from a range of IP addresses. The premium version allows you to block countries.

Wordfence monitors traffic and much more. I have it on every WordPress site for which I am responsible.

5. Protect Your Site with Bulletproof Security

The Bulletproof Security plugin (http://WordPress.org/plugins/bulletproof-security/) protects your WordPress site from various code injection attacks through a set of hardened .htaccess files. Its rules reject suspicious request patterns before they reach WordPress, which makes it harder for an attacker to abuse an input like your site's contact form to get code executed on the server.

Technical knowledge is not required to use this plugin: just install and activate Bulletproof Security, go to BPS Security > htaccess core > Security Modes and follow the directions.

Bulletproof Security also has a login security feature. It allows you to limit the number of login attempts, locks the account out for a configurable period of time when that limit is reached, and notifies you when an unsuccessful attempt to log in has been made.

Update 1/19/13: The Bulletproof Security plugin now has a login security feature. It allows you to block a user after a configurable number of failed login attempts. I still prefer to use Wordfence for this. If you should happen to accidentally lock yourself out, Wordfence gives you the option to enter your email to receive a link to use to unlock your account. Bulletproof Security gives you no way other than deleting or renaming the plugin on the server.
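To make concrete what the login-protection features of Wordfence and Bulletproof Security described above actually do (count failures, lock out, notify), here is a minimal failed-login limiter as an added example. It is not code from the article or from either plugin. It assumes a policy of five failures per IP address in fifteen minutes (hypothetical values), that the file is dropped into wp-content/mu-plugins/ so it loads without activation, and that the site is not behind a reverse proxy, so REMOTE_ADDR is the real client address.

```php
<?php
/*
 * Plugin Name: Minimal Failed-Login Limiter (added example, not from the article)
 * Location:    wp-content/mu-plugins/failed-login-limiter.php
 * Policy (assumed): MFL_MAX_FAILURES failures from one IP inside MFL_WINDOW_SECS
 * lock that IP out of the login for the rest of the window and email the admin once.
 */

define('MFL_MAX_FAILURES', 5);
define('MFL_WINDOW_SECS', 15 * 60);

// Behind a reverse proxy or CDN you would read the proxy's header here instead.
// Trusting X-Forwarded-For from an untrusted source lets an attacker pick any IP.
function mfl_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient key for the per-IP failure counter (md5 keeps the key short and safe).
function mfl_key($ip) {
    return 'mfl_fail_' . md5($ip);
}

// Core fires wp_login_failed for every rejected username/password pair.
add_action('wp_login_failed', function ($username) {
    $ip   = mfl_client_ip();
    $key  = mfl_key($ip);
    $fail = (int) get_transient($key) + 1;
    // Each failure restarts the window, so an attacker who keeps trying stays locked out.
    set_transient($key, $fail, MFL_WINDOW_SECS);

    // Notify exactly once per window, when the threshold is first crossed.
    if ($fail === MFL_MAX_FAILURES) {
        wp_mail(
            get_option('admin_email'),
            sprintf('[%s] login lockout for %s', get_bloginfo('name'), $ip),
            sprintf("%d failed logins from %s (last username tried: %s). Locked out for %d minutes.",
                $fail, $ip, sanitize_user($username), MFL_WINDOW_SECS / 60)
        );
    }
});

// Core checks the password at priority 20 on the 'authenticate' filter. Running at
// 30 lets us override its result: a locked-out IP gets an error even if the
// password was correct, so guessing cannot succeed inside the window.
add_filter('authenticate', function ($user, $username, $password) {
    $fail = (int) get_transient(mfl_key(mfl_client_ip()));
    if ($fail >= MFL_MAX_FAILURES) {
        return new WP_Error('mfl_locked_out',
            'Too many failed login attempts from your address. Try again later.');
    }
    return $user;
}, 30, 3);

// A successful login clears the counter so a legitimate user who mistyped a few
// times is not locked out later.
add_action('wp_login', function () {
    delete_transient(mfl_key(mfl_client_ip()));
});
```

Two caveats worth knowing before relying on anything like this. First, a per-IP counter helps against one noisy source but not against the botnet the Cloudflare report describes, where each compromised PC tries only a handful of passwords; that is why the strong username and password in point 1 come first. Second, like Bulletproof Security, this example has no self-service unlock: if you lock yourself out, delete the file from mu-plugins over FTP or wait out the window.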

Have Fun but Play Safe

So just like your mom used to say when you left the house, have a good time with your WordPress site, but always be sure your hard work is safe from those many dangers online.

Of course there are other things you could do, and maybe some of you have your own favorite methods and plugins you use to keep your site safe. Leave a comment and let me know what they are.

Marc Greenwald

Marc serves as our all-around technical guru, and he loves nothing more than to dive into any issue involving Linux. Originally from Cleveland, Ohio, he now enjoys breathing the clean air of Olympia, Washington. He is also an accomplished guitarist—you can occasionally find him playing the blues at a local club.
