WordPress is by far the most popular website Content Management System (CMS) that exists. It is also one of the most popular website software systems. According to Torque, as of late 2016, WordPress powers almost 26% of the entire internet, and almost 60% of websites using a CMS. WordPress sites are translated into virtually every major language, use a combined library of over 47,000 plugins, and receive over 22 billion page views per month. With usage statistics like these, it’s obvious that WordPress is a target for hackers and online criminals. Website administrators running WordPress need to keep their site as secure as possible.
This blog post provides some information for beginners that want to “harden” – that is, securely configure – WordPress sites. Over time, we plan to publish more advanced guidance for hardening WordPress. As with most security-related topics, we feel that a little bit always goes a long way; even though some of these hardening tips might be basic, they are proven to instantly and drastically reduce the risk of website compromise.
As a standard practice, we recommend making a backup of your website content and database before making any changes. If this is the first time you are making configuration changes to WordPress, this is especially important.
1 – Use Strong Passwords
As with any system, it’s important to use strong passwords for all of your users, and to change them regularly. You can improve the strength of your password by:
- Ensuring that it is more than 10 characters long
- Using a mix of uppercase and lowercase letters, numbers and special characters
- Not re-using the same password over and over again.
We recommend using password generators, which will create a one-time randomized password for you. You can also use the secure password generators that are built into many password management systems, such as LastPass.
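One way to turn the rules above into something WordPress enforces, rather than advice users may ignore, is a small must-use plugin that rejects weak passwords when a profile is saved. The code below is an added example, not code from the original post; it assumes a file placed in wp-content/mu-plugins/ and uses the hypothetical names example_password_violations and example_enforce_password_policy, with the minimum length EXAMPLE_MIN_PASSWORD_LENGTH set to 11 to match "more than 10 characters". The "no re-use" rule is checked only against the user's current password, which is what wp_check_password() can compare against.

```php
<?php
/*
Plugin Name: Example Password Policy
Description: Added example (not from the original post): rejects weak passwords on profile updates.
*/

// Hypothetical minimum length; the post recommends more than 10 characters.
define( 'EXAMPLE_MIN_PASSWORD_LENGTH', 11 );

/**
 * Return a list of policy violations for $password (empty array = acceptable).
 * The rules mirror the post: length, mixed case, a digit, a special character.
 */
function example_password_violations( $password ) {
    $problems = array();
    if ( strlen( $password ) < EXAMPLE_MIN_PASSWORD_LENGTH ) {
        $problems[] = sprintf( 'must be at least %d characters long', EXAMPLE_MIN_PASSWORD_LENGTH );
    }
    if ( ! preg_match( '/[a-z]/', $password ) || ! preg_match( '/[A-Z]/', $password ) ) {
        $problems[] = 'must mix uppercase and lowercase letters';
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) {
        $problems[] = 'must contain a number';
    }
    if ( ! preg_match( '/[^a-zA-Z0-9]/', $password ) ) {
        $problems[] = 'must contain a special character';
    }
    return $problems;
}

/**
 * Runs when a profile is saved in wp-admin. $user->user_pass holds the plaintext
 * candidate only when the user actually submitted a new password; $update is
 * true for an existing account (so a current password hash exists to compare to).
 */
function example_enforce_password_policy( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return; // no password change submitted
    }
    foreach ( example_password_violations( $user->user_pass ) as $problem ) {
        $errors->add( 'weak_password', 'Password ' . $problem . '.' );
    }
    if ( $update && ! empty( $user->ID ) ) {
        $current = get_userdata( $user->ID );
        // wp_check_password() compares the plaintext against the stored hash.
        if ( $current && wp_check_password( $user->user_pass, $current->user_pass, $user->ID ) ) {
            $errors->add( 'reused_password', 'Password must differ from your current password.' );
        }
    }
}
add_action( 'user_profile_update_errors', 'example_enforce_password_policy', 10, 3 );
```

Because the check runs on the server, it also catches passwords set through the profile form with browser-side validation disabled. The length test uses strlen(), so multi-byte characters count as more than one character, which errs on the permissive side.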
2 – Backup Your Site Regularly
The benefits of backing up your site go far beyond security. Regular backups protect you against accidental catastrophic changes to your site, unplanned outages, undiagnosable errors, and much more. Backups ensure that you can always restore your website to a working state no matter what happens to it.
Your hosting provider should be creating system backups of their own, but they don’t cover everything, and a hosting provider will rarely restore from their backup to help you without charging a large amount of money. We recommend that you take the initiative to create your own backups of the WordPress database (which stores settings, pages, posts, comments, etc.) and files (which store media, attachments, themes, plugins, and other enhancements).
There are many reputable backup plugins available through the WordPress plugins site. If you don’t yet have a backup, you should create one right now. Speaking of plugins…
3 – Be Careful with Plugins
It can be tempting to download and install many plugins when you first create your WordPress site. After all, plugins make WordPress such a valuable platform. However, too many plugins can be a bad thing. They can slow down your site, affect WordPress or other plugins in unintended ways, and – surprise – present significant security vulnerabilities. Since the risks are significant, we recommend that you ask yourself the following before installing any plugin:
- Do you absolutely need this plugin in order to operate your website?
- Can a plugin that you already have (and trust) do the same job?
- Is this plugin well-rated and well-reviewed?
- Is this plugin updated frequently? (If the plugin hasn’t been updated in a few years, there’s a good chance it will never be updated.)
In addition, never use a plugin from any website other than the WordPress plugins site. These plugins are registered with WordPress and have some level of oversight by the community. Using alternate plugin sites – especially those serving up pirated versions of premium WordPress plugins – is a recipe for trouble. These sites often include malware that could potentially provide an attacker with access to your website or computer.
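The "is it still maintained?" question can be answered for you by asking the WordPress plugins site directly. The following must-use plugin is an added example, not code from the original post: it looks up each installed plugin's wordpress.org listing with plugins_api(), flags those whose last_updated date is older than a threshold, and shows an admin notice. Names beginning with example_ and the constant EXAMPLE_STALE_AFTER are assumptions; two years is used as the threshold because the post only says "a few years". Plugins with no wordpress.org listing are skipped rather than flagged.

```php
<?php
/*
Plugin Name: Example Stale Plugin Check
Description: Added example (not from the original post). Lists installed plugins whose
WordPress.org listing has not been updated for a long time.
*/

// Hypothetical threshold: the post says "a few years"; two years is used here.
define( 'EXAMPLE_STALE_AFTER', 2 * 365 * DAY_IN_SECONDS );

/**
 * Return plugin name => last_updated for installed plugins whose wordpress.org
 * listing has not changed within EXAMPLE_STALE_AFTER seconds. Plugins that are
 * not listed on wordpress.org (custom or premium) are skipped. The result is
 * cached for a day so the API is not queried on every admin page load.
 */
function example_stale_plugins() {
    $cached = get_transient( 'example_stale_plugins' );
    if ( false !== $cached ) {
        return $cached;
    }
    require_once ABSPATH . 'wp-admin/includes/plugin.php';         // get_plugins()
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php'; // plugins_api()

    $stale = array();
    foreach ( get_plugins() as $file => $data ) {
        // The wordpress.org slug is the plugin directory, or the file name for single-file plugins.
        $slug = dirname( $file );
        if ( '.' === $slug ) {
            $slug = basename( $file, '.php' );
        }
        $info = plugins_api( 'plugin_information', array(
            'slug'   => $slug,
            'fields' => array( 'last_updated' => true ),
        ) );
        if ( is_wp_error( $info ) || empty( $info->last_updated ) ) {
            continue; // not listed on wordpress.org
        }
        // last_updated is a date string such as "2016-11-02 8:16pm GMT".
        if ( strtotime( $info->last_updated ) < time() - EXAMPLE_STALE_AFTER ) {
            $stale[ $data['Name'] ] = $info->last_updated;
        }
    }
    set_transient( 'example_stale_plugins', $stale, DAY_IN_SECONDS );
    return $stale;
}

/** Show the list to anyone allowed to update plugins. */
function example_stale_plugin_notice() {
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    $stale = example_stale_plugins();
    if ( empty( $stale ) ) {
        return;
    }
    echo '<div class="notice notice-warning"><p>Plugins not updated upstream in over two years:</p><ul>';
    foreach ( $stale as $name => $when ) {
        echo '<li>' . esc_html( $name ) . ' (last updated ' . esc_html( $when ) . ')</li>';
    }
    echo '</ul></div>';
}
add_action( 'admin_notices', 'example_stale_plugin_notice' );
```

A plugin that is skipped because it has no wordpress.org listing deserves the same scrutiny by hand, since that is exactly the case the post says to avoid unless you trust the source.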
4 – Use Automatic Updates
WordPress and its themes/plugins are updated frequently, usually to improve or fix key performance issues or security vulnerabilities. Therefore, it’s important to make sure that you update your WordPress core software, themes and plugins as soon as possible when new updates are released. WordPress makes it very easy to keep everything up to date starting with version 3.7.
If you use custom plugins or themes, be careful when enabling automatic updates. If an update creates a compatibility issue with a plugin or theme, it can potentially break your site. On the other hand, auto-updates are well worth the risk if you don’t regularly maintain your site, and you can always restore your site from backup if something happens.
To enable automatic updates to WordPress, insert the following code into your wp-config.php file:
# Enable WordPress core updates (true = major and minor releases).
# This define belongs above the "That's all, stop editing!" line in wp-config.php.
define( 'WP_AUTO_UPDATE_CORE', true );

# add_filter() is not yet defined at that point in wp-config.php, because
# wp-includes/plugin.php is loaded by wp-settings.php, which wp-config.php
# requires at its very end. Put the two calls below after the
# "require_once ABSPATH . 'wp-settings.php';" line, or in a must-use plugin.

# Enable WordPress plugin updates
add_filter( 'auto_update_plugin', '__return_true' );

# Enable WordPress theme updates
add_filter( 'auto_update_theme', '__return_true' );
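If you have custom plugins or themes that an unattended update could break, the all-or-nothing __return_true filters above are too blunt. The must-use plugin below is an added example, not code from the original post: it keeps automatic updates on for everything except an explicit exclusion list, which is the compromise the post describes between keeping a site patched and not breaking customised code. The example_ function names and the entries 'my-custom-plugin/my-custom-plugin.php' and 'my-custom-child-theme' are placeholders. The WP_AUTO_UPDATE_CORE define still lives in wp-config.php.

```php
<?php
/*
Plugin Name: Example Auto-Update Policy
Description: Added example (not from the original post). Drop into wp-content/mu-plugins/.
*/

// Hypothetical lists of locally customised plugins/themes that must be updated by hand.
// Plugin entries are the main plugin file relative to wp-content/plugins/;
// theme entries are the theme directory name.
function example_manually_updated_plugins() {
    return array( 'my-custom-plugin/my-custom-plugin.php' );
}
function example_manually_updated_themes() {
    return array( 'my-custom-child-theme' );
}

/**
 * Decide whether WordPress may auto-update a plugin. $item is the update object
 * WordPress hands to the auto_update_plugin filter; $item->plugin is the plugin's
 * main file path. Everything not on the exclusion list is updated automatically.
 */
function example_auto_update_plugin( $update, $item ) {
    if ( isset( $item->plugin ) && in_array( $item->plugin, example_manually_updated_plugins(), true ) ) {
        return false; // leave this one for a manual, tested update
    }
    return true;
}
add_filter( 'auto_update_plugin', 'example_auto_update_plugin', 10, 2 );

/** Same policy for themes; $item->theme is the theme directory name. */
function example_auto_update_theme( $update, $item ) {
    if ( isset( $item->theme ) && in_array( $item->theme, example_manually_updated_themes(), true ) ) {
        return false;
    }
    return true;
}
add_filter( 'auto_update_theme', 'example_auto_update_theme', 10, 2 );
```

Keep the exclusion list short: every entry is a plugin or theme that will sit unpatched until someone updates it by hand, so each one should be paired with a reminder to check for updates.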
5 – Block Guest User Registrations
Unless you’re running a website that requires users to register for an account, there is no reason to invite visitors to register for a guest account on your site. Guest accounts provide users with access above and beyond that of a normal site visitor, and sites with guest accounts require additional configuration in order to make sure that your website is protected. If you don’t absolutely need it, we recommend avoiding this can of worms altogether.
To turn guest registration off, log in to your WordPress control panel and go to Settings > General. Under the Membership heading, make sure that the “Anyone can register” option is unchecked.
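The dashboard checkbox can be re-enabled by any administrator, by a plugin, or by a direct database change. If you never want open registration, the must-use plugin below pins the setting in code; it is an added example, not code from the original post, and the plugin name is a placeholder. It relies on the pre_option_{$option} filter, which short-circuits get_option() whenever the callback returns something other than false.

```php
<?php
/*
Plugin Name: Example Registration Lock
Description: Added example (not from the original post). Forces guest registration off.
*/

// Force "Anyone can register" off regardless of what is saved in the database.
// __return_zero yields 0, which get_option() returns instead of the stored value.
add_filter( 'pre_option_users_can_register', '__return_zero' );

// Any account an administrator creates by hand still gets the lowest role by default,
// so a slip in the "New User Default Role" dropdown cannot hand out extra access.
function example_default_role() {
    return 'subscriber';
}
add_filter( 'pre_option_default_role', 'example_default_role' );
```

With this in place the Membership checkbox in Settings > General appears unchecked and stays that way, because the value shown there also comes from get_option().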
6 – Use a Reputable Web Hosting Provider
You absolutely should harden your WordPress site as much as you can, but it’s all for nothing if the underlying hosting and server infrastructure you run on is not secure. In 2015, WP White Security published a report stating that almost half of compromised WordPress sites were compromised through a security vulnerability on the web server. We recommend using a web hosting provider that provides an isolated environment through containers, virtual machines, or another mechanism. Ensure that your web host uses up-to-date web server, PHP and database software, regular malware scanning, and a strong firewall. Make sure that they have a good and accessible customer service team, too – you’ll want to be able to communicate with them quickly in the event of a problem.
Put these tips to use right away!
As mentioned above, hardening your website with only the basic steps above will go a long way. We recommend immediately making changes to your website in order to better guarantee its safety and security. If you need help hardening your WordPress website or have questions along the way, 7 River Systems can help you. Contact us today and we’ll immediately get to work for you.