Having a secure WordPress site does not need to be a challenge. Hardening a website means adding security layers to reduce the risks of attacks and hacks.
6 ways to Harden WordPress Security
You can harden your WordPress site by following these six simple steps:
1 – Keep WordPress updated
It is important to keep up with the latest WordPress updates. No matter if it is a security or a maintenance release, make sure your WordPress site is running on the latest version. You can check out releases on the official WordPress site.
2 – Clean up your WordPress plugins
Step one – Less is more. Take a look at your WordPress plugin inventory and make sure you only keep what you actually use on your website. Remember that plugin you installed a while ago and never really used? Get rid of it! This means fully deleting the plugin from the WordPress installation and not simply deactivating it through the wp-admin interface.
Step two – Now that you have only what you need, make sure all of your plugins are updated. If a WordPress plugin has not received any update from its developer for more than six months, consider deleting it and looking for an alternative. Some developers stop paying attention to their plugins, and once attackers find a vulnerability in an abandoned plugin, they will use it to break into websites.
Step three – Make sure all the plugins you have installed on your WordPress website are on the WordPress official plugin repository. Some plugins get kicked out of the official repository for having security issues.
Once you have only updated and useful plugins on your website, it becomes much harder for malicious users to use a vulnerable plugin as the door into your WordPress installation.
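The three plugin steps above can be turned into a repeatable audit. The following is an added example (not Sucuri's code and not part of the original post) that sorts plugins into delete / update / review buckets from the JSON that `wp plugin list --format=json` prints; the plugin list and the last-updated dates are constructed sample data, and the dates stand in for the `last_updated` field the wordpress.org plugin-info API returns (a slug the API does not know is modelled as None).

```python
import json
from datetime import date, timedelta

# Constructed sample of `wp plugin list --format=json` output (not a real site).
WP_PLUGIN_LIST = """[
 {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
 {"name": "old-gallery", "status": "inactive", "update": "none", "version": "1.2"},
 {"name": "seo-helper", "status": "active", "update": "available", "version": "2.0"},
 {"name": "forms-lite", "status": "active", "update": "none", "version": "3.1"},
 {"name": "custom-theme-tools", "status": "active", "update": "none", "version": "0.9"}
]"""

# Constructed last-updated dates, as you would collect them from
# https://api.wordpress.org/plugins/info/1.0/<slug>.json for each installed slug.
# None models a slug the official repository does not know (removed or never listed).
LAST_UPDATED = {
    "akismet": "2024-01-10",
    "old-gallery": "2023-11-02",
    "seo-helper": "2023-12-15",
    "forms-lite": "2023-03-01",
    "custom-theme-tools": None,
}

def triage_plugins(plugin_list_json, last_updated, today_iso, stale_days=183):
    """Sort plugins into the post's three buckets: delete, update, review."""
    today = date.fromisoformat(today_iso)
    report = {"delete": [], "update": [], "review": []}
    for p in json.loads(plugin_list_json):
        name = p["name"]
        if p["status"] == "inactive":          # step one: unused -> delete, not just deactivate
            report["delete"].append(name)
            continue
        if p["update"] == "available":         # step two: an update is waiting -> apply it
            report["update"].append(name)
        updated = last_updated.get(name)
        if updated is None:                    # step three: not in the official repository
            report["review"].append((name, "not in wordpress.org repository"))
        elif today - date.fromisoformat(updated) > timedelta(days=stale_days):
            report["review"].append((name, "no developer update in more than 6 months"))
    return report

if __name__ == "__main__":
    for bucket, items in triage_plugins(WP_PLUGIN_LIST, LAST_UPDATED, "2024-02-01").items():
        print(bucket, items)
```

Plugins in the delete bucket are removed with `wp plugin delete <name>`, not merely deactivated, which is the distinction step one makes.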
3 – Not everybody needs to be a WordPress admin
If more than one person works on your website, you need to ensure that everybody has a user role that makes sense according to the tasks that they perform. This is a form of access control and is paramount to securing an asset.
Within WordPress itself, we can use the existing role-based access control system by assigning specific roles to our registered users. There are six user roles in WordPress, and each role has its own set of capabilities:
A – Super Admin: someone who has access to the site network admin features
B – Administrator: someone who has access to the site admin features
C – Editor: someone who can publish and make changes to all posts
D – Author: someone who can publish and make changes to their own posts
E – Contributor: someone who can write and make changes to their own posts without being able to publish them
F – Subscriber: someone who only has access to their profile
When you create a new user in WordPress, think about the tasks this user is going to perform and which role will better fit them. For example, if you have a new writer joining your business, they might need an author or editor role.
If you already have several users in your WordPress installation, it is highly advisable to audit their existing roles and make sure each user only has access to what is necessary for their specific tasks.
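One way to run the role audit just described is to compare each user's WordPress role against the least-privileged role their job actually needs. This is an added example, not code from the post or from WordPress; the user list mimics `wp user list --format=json --fields=user_login,roles` output (constructed sample), and the task-to-role mapping and each person's assigned task are assumptions the site owner would maintain outside WordPress.

```python
import json

# Role ladder from least to most privilege, in the order the post lists them
# (Super Admin only exists on multisite networks).
ROLE_RANK = {"subscriber": 0, "contributor": 1, "author": 2,
             "editor": 3, "administrator": 4, "super admin": 5}

# Least-privileged role that covers each job on the site (assumption for this example).
MIN_ROLE_FOR_TASK = {
    "comment only": "subscriber",
    "draft posts for review": "contributor",
    "write and publish own posts": "author",
    "manage all posts": "editor",
    "manage site settings": "administrator",
}

# Constructed sample of `wp user list --format=json --fields=user_login,roles`;
# wp-cli prints a user's roles as one comma-separated string.
WP_USER_LIST = """[
 {"user_login": "alice", "roles": "administrator"},
 {"user_login": "bob", "roles": "administrator"},
 {"user_login": "carol", "roles": "editor"},
 {"user_login": "dave", "roles": "author,contributor"},
 {"user_login": "erin", "roles": "subscriber"}
]"""
# What each person actually does on the site (assumed, kept outside WordPress).
ASSIGNED_TASK = {"alice": "manage site settings", "bob": "write and publish own posts",
                 "carol": "manage all posts", "dave": "draft posts for review",
                 "erin": "comment only"}

def audit_roles(user_list_json, assigned_task):
    """Return (user, highest role held, role the task needs) for over-privileged users."""
    findings = []
    for u in json.loads(user_list_json):
        roles = [r.strip() for r in u["roles"].split(",") if r.strip()]
        # A user holding several roles gets the union of their capabilities,
        # so judge the user by the most privileged role held.
        top = max(roles, key=lambda r: ROLE_RANK.get(r, -1), default=None)
        have = ROLE_RANK.get(top, -1)
        need_role = MIN_ROLE_FOR_TASK[assigned_task[u["user_login"]]]
        if have > ROLE_RANK[need_role]:
            findings.append((u["user_login"], top, need_role))
    return findings

if __name__ == "__main__":
    for user, held, needed in audit_roles(WP_USER_LIST, ASSIGNED_TASK):
        print(f"{user}: holds {held}, task only needs {needed}")
```

Each finding maps directly to a `wp user set-role <user> <role>` correction.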
4 – Use two-factor authentication (2FA)
There are many plugins that can offer you 2FA for a WordPress installation. The most common one is the Google Authenticator plugin.
Once you download and activate the plugin in WordPress, it is very simple to use: all you need is the Google Authenticator app on your smartphone to scan a QR code.
Alternatively, if you are a user of our web application firewall, you can configure this without needing a plugin by using the protected pages feature in your web application firewall settings.
Multi-factor authentication adds a layer of security to your website front door.
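To make clear what the QR code scan sets up, here is an added example (not the plugin's code and not part of the original post) of the TOTP scheme Google Authenticator implements: the QR code carries an otpauth URI with a shared secret, the phone and the site each derive a 6-digit code from that secret and the current 30-second window, and the site accepts a submitted code only if it matches within a small clock-skew window. The URI below is constructed, using the RFC 6238 test key so the codes can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed otpauth URI of the kind a 2FA plugin encodes in its QR code.
# The secret is the RFC 6238 test key "12345678901234567890" in base32.
OTPAUTH_URI = ("otpauth://totp/Example%20Site:admin"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Site")

def secret_from_uri(uri):
    """Extract the shared secret (raw bytes) from the QR code's otpauth URI."""
    b32 = parse_qs(urlparse(uri).query)["secret"][0].upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))   # restore stripped padding

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, 30 s steps and 6 digits (Google Authenticator defaults)."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_code(secret, submitted, unix_time=None, window=1, step=30):
    """Server-side check: accept the current code or one step either side for clock skew.

    A real implementation must also remember which (counter, code) it already
    accepted so the same code cannot be replayed inside the window.
    """
    now = time.time() if unix_time is None else unix_time
    return any(hmac.compare_digest(totp(secret, now + k * step, step), submitted)
               for k in range(-window, window + 1))

if __name__ == "__main__":
    key = secret_from_uri(OTPAUTH_URI)
    print("code right now:", totp(key, time.time()))
```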
5 – Update all your WordPress passwords
Yes, no matter how strong you believe your password is, hackers work around the clock to find ways to crack even the hardest passwords.
Our malware researcher Luke Leal shows how quickly a hacker can crack a password in this short video:
We offer some quick tips for you:
- Never use predictable passwords, such as your birthday or the name of your spouse.
- Add as many characters as possible.
- Use a password manager, such as LastPass, to generate and keep your passwords in a safe vault.
- Never reuse a password.
With that in mind, the best practice is to change all of your passwords right now with the help of a password manager. This way, you only need to remember one password — the master LastPass password, for example — and still follow all of the password best practices.
6 – Get behind a WordPress firewall
Even when you follow all of the WordPress security best practices, a website can still be hacked. However, if you have an active website firewall filtering all of the traffic your website receives, the chances of being affected by a WordPress hack are very small.
Sucuri offers a Web Application Firewall that is easy to install and will make your website run faster without you needing to worry much about website security. All you need to do is point your DNS A record to our secure servers and we will take care of your website. And if you need help during this process, our firewall analysts can do it for you.
Conclusion
Today, we covered six basic hardening techniques for WordPress that will not take much of your time to implement, but will make a great difference to your website's security going forward.
The year is only starting, which makes it a great time to focus more on your big projects and less on being hacked. Sucuri has a DIY WordPress security guide, a free WordPress auditing and hardening plugin, as well as a complete WordPress security plan for you — peace of mind for 2020.