10 tips to make your WordPress website more secure

European Cyber Security Month

As European Cyber Security Month 2018 draws to a close, we thought it would be the perfect time to share some tips for securing your WordPress website. Stay tuned for part 2 of this series, where we cover some more advanced tips.

1. Disable login using your email

An email address may be harder to guess than a username, but it is also published on many other services across the web. If you reuse the same password across services (especially with the same email address), you are particularly exposed to password dump attacks: credentials leaked from one service can simply be tried against your WordPress login.

Have you checked whether your accounts have been caught up in a recent breach? Click here to find out.
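One way to switch off email-address logins, written for this article as a must-use plugin (not code from the original post or from CREATIVEFOLKS). The WordPress hooks and functions used are real; the `cf_reject_email_login` name is an assumed, hypothetical one.

```php
<?php
/**
 * Plugin Name: Disable login by email address
 * Drop this file into wp-content/mu-plugins/ (must-use plugins load automatically).
 */

// WordPress core attaches wp_authenticate_email_password() to the 'authenticate'
// hook at priority 20; removing it means an email address is no longer accepted
// in the username field, only the account's actual username.
remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );

/**
 * Belt and braces: reject anything that looks like an email address outright,
 * so a theme or plugin that re-adds the core handler cannot quietly restore it.
 * The message is deliberately generic so it does not confirm whether that
 * address belongs to an account.
 *
 * @param WP_User|WP_Error|null $user     Result of the earlier authenticate callbacks.
 * @param string                $username What was typed into the username field.
 * @param string                $password The submitted password (unused here).
 * @return WP_User|WP_Error|null
 */
function cf_reject_email_login( $user, $username, $password ) {
    if ( is_string( $username ) && is_email( $username ) ) {
        return new WP_Error( 'email_login_disabled', __( 'Login failed. Please sign in with your username.' ) );
    }
    return $user;   // not an email address: leave whatever the earlier checks decided
}
add_filter( 'authenticate', 'cf_reject_email_login', 30, 3 );
```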


2. Use secure passwords

A password manager is a good way to secure your passwords: it will generate long, random and therefore very strong passwords for each of your online accounts. The strength of each password, and using a different one for every service, is vitally important not just for your website but for your online security as a whole.

At CREATIVEFOLKS, we use LastPass to keep all of our passwords randomly generated, unique, and securely stored. There are many other trustworthy alternatives such as Dashlane and 1Password. It’s worth doing your research to find the right service for you.


3. Use SSL to encrypt your website’s traffic

Implementing SSL (look for https:// in the URL) is a smart move to help secure your website: it ensures that any data transferred between the website and your clients' computers is encrypted, making it much more difficult for malicious actors to collect your information in transit.

CREATIVEFOLKS uses SSL certificates on every site as standard. Not only does it increase your site’s security, but it also generates brand trust for your customers. You can read more about SSL in my previous blog.

4. Be careful who you assign permissions to

WordPress lets you give each user a different set of permissions, controlling both the content of the website and how the website runs. Take advantage of this by giving each user only the permissions their role actually requires.

Check regularly who has access and what permissions they have, and make sure that only people who still need access to the site, or to specific permissions, keep them. Website administrators often forget to remove permissions from accounts held by people who have left the business, or who simply no longer need them.


5. Don’t use usernames like ‘root’ or ‘admin’

This may seem like an obvious one, but using a common username such as admin or root makes it far more likely that bots and scripts, which attempt potentially thousands of password combinations to gain access to your website, will succeed. Thankfully this is one of the easiest vulnerabilities to avoid: simply make sure you are not using such easy-to-guess usernames.

6. Backup Regularly

Regardless of how many security precautions you take, there is always a chance your website will be compromised, so it is important to back up your website on a regular basis. Ideally, keep your backups stored separately from the website's own files so they cannot be tampered with if the website itself is compromised.

At CREATIVEFOLKS, we back up all of our websites once a day, so that we can restore a site if anything happens. Daily backups also let us roll back changes we have made ourselves and later wish to revert.

7. Update Regularly

WordPress, and its repository of plugins and themes, is updated regularly. Vulnerabilities are discovered all the time; luckily, most developers release new versions that patch them in a timely manner. The best way to minimise your potential attack vectors is to update as regularly as possible.

Most attacks rely on the fact that website administrators do not update regularly. Since WordPress 3.7, automatic updates of WordPress itself have been enabled by default. You can take this useful feature a step further by setting WordPress to update plugins and themes automatically too, in your WordPress configuration file.

You can read more about this here.

This comes with its own risks, so make sure you check your website regularly and keep your backups up to date. That way you can revert any automatic changes should they go wrong, or should a plugin incompatibility affect your website.
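As an added example (not the article's or CREATIVEFOLKS' own code), a must-use plugin that turns on plugin and theme auto-updates while keeping a short list of plugins under manual control, in keeping with the incompatibility caveat above. The `cf_` names and the two plugin slugs are placeholders; note that `add_filter()` is not yet defined when wp-config.php is read, so only the `WP_AUTO_UPDATE_CORE` constant belongs there and the filters go in wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: Auto-update plugins and themes, with an exclusion list
 * Lives in wp-content/mu-plugins/, so it needs no activation and cannot be switched off from the dashboard.
 *
 * Core updates are controlled separately by this line in wp-config.php:
 *   define( 'WP_AUTO_UPDATE_CORE', true );
 * The add_filter() calls below must NOT go in wp-config.php: WordPress has not yet
 * loaded its plugin API at that point, so they would cause a fatal error.
 */

// Plugins you have found to break under unattended updates (placeholder slugs: replace with your own).
const CF_MANUAL_UPDATE_PLUGINS = array( 'example-legacy-gallery', 'example-custom-checkout' );

/**
 * Decide per plugin whether WordPress may update it in the background.
 *
 * @param bool   $update Whether WordPress already intends to auto-update this item.
 * @param object $item   The update offer; $item->slug is the plugin's directory name.
 * @return bool
 */
function cf_auto_update_plugin( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, CF_MANUAL_UPDATE_PLUGINS, true ) ) {
        return false;   // leave these for a person to update after testing on staging
    }
    return true;        // everything else updates as soon as a new version is released
}
add_filter( 'auto_update_plugin', 'cf_auto_update_plugin', 10, 2 );

// Themes: update everything. Keep your customisations in a child theme so the
// parent theme can be replaced without losing them.
add_filter( 'auto_update_theme', '__return_true' );
```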

8. Use a strong database password

You can take all the precautions in the world to prevent unauthorised access to your WordPress dashboard, but if your database password is weak, you make it easy for an attacker to bypass all of that and gain administrator-level access through your database, which also gives them access to all of your website's data.

It is important to use a strong, unique password for your database. If possible, you should also restrict database access to the web server's IP address so that third parties cannot connect. Doing so may also lock you out of the database yourself, so make sure you have configured a secure user for your own access first.

9. Monitor core WordPress files

Monitoring your core WordPress files is a crucial part of keeping your WordPress website secure. Use it as an early warning system: an unexpected change to a core file is a sign that the site may have been breached.

Nearly all WordPress security plugins, including iThemes Security and Sucuri Security, offer this.

A second, but less secure, option is to replace all of your WordPress core files every few days, which automatically overwrites any modifications.
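If you would rather not rely on a plugin, the check itself is small. The script below is an added example (not from the article or from any of the plugins named) that hashes the core directories plus wp-config.php and a few root files, stores a baseline and reports what changed; the `fim_` names and the baseline path are assumed, and you would run it from cron and re-baseline right after each legitimate update. Keep the script and its baseline outside the web root so an intruder who can write to the site cannot alter them too.

```php
<?php
// Minimal core-file integrity check for WordPress (constructed example, not from any plugin).
//   php fim.php baseline /var/www/html  -> write fim-baseline.json beside this script
//   php fim.php check    /var/www/html  -> list added/modified/removed files, exit 1 if any
const FIM_PATHS = array( 'wp-admin', 'wp-includes', 'index.php', 'wp-load.php', 'wp-settings.php', 'wp-config.php', '.htaccess' );

/** Return a map of relative path => SHA-256 for every watched file under $root. */
function fim_snapshot( string $root ): array {
    $root   = rtrim( $root, '/' );
    $hashes = array();
    foreach ( FIM_PATHS as $p ) {   // each entry is a directory (walked recursively) or a single file
        $files = is_dir( "$root/$p" )
            ? new RecursiveIteratorIterator( new RecursiveDirectoryIterator( "$root/$p", FilesystemIterator::SKIP_DOTS ) )
            : ( is_file( "$root/$p" ) ? array( new SplFileInfo( "$root/$p" ) ) : array() );
        foreach ( $files as $file ) {
            $hashes[ substr( $file->getPathname(), strlen( $root ) + 1 ) ] = hash_file( 'sha256', $file->getPathname() );
        }
    }
    ksort( $hashes );   // stable ordering keeps the JSON baseline diff-friendly
    return $hashes;
}

/** Compare two snapshots and return the paths that were added, modified or removed. */
function fim_diff( array $baseline, array $current ): array {
    $modified = array();
    foreach ( array_intersect_key( $current, $baseline ) as $path => $hash ) {
        if ( ! hash_equals( $baseline[ $path ], $hash ) ) {
            $modified[] = $path;
        }
    }
    return array(
        'added'    => array_keys( array_diff_key( $current, $baseline ) ),
        'modified' => $modified,
        'removed'  => array_keys( array_diff_key( $baseline, $current ) ),
    );
}
list( $mode, $root ) = array( $argv[1] ?? 'check', $argv[2] ?? '.' );
$baselineFile = __DIR__ . '/fim-baseline.json';
if ( 'baseline' === $mode ) {
    exit( file_put_contents( $baselineFile, json_encode( fim_snapshot( $root ), JSON_PRETTY_PRINT ) ) ? 0 : 2 );
}
$baseline = json_decode( (string) @file_get_contents( $baselineFile ), true );
if ( ! is_array( $baseline ) ) {
    fwrite( STDERR, "No baseline yet: run 'baseline' first\n" );
    exit( 2 );
}
$diff = fim_diff( $baseline, fim_snapshot( $root ) );
foreach ( $diff as $kind => $paths ) {
    foreach ( $paths as $path ) {
        echo strtoupper( $kind ), "\t", $path, "\n";   // e.g. "MODIFIED  wp-includes/load.php"
    }
}
exit( array_sum( array_map( 'count', $diff ) ) > 0 ? 1 : 0 );   // non-zero exit lets cron or monitoring alert
```

WP-CLI's `wp core verify-checksums` does a similar comparison against the official checksums for your WordPress version, which catches a modified core file even without a baseline of your own.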

10. Use 2FA

Two-factor authentication (2FA) is a great tool for protecting your website. With 2FA, once a user enters their username and password correctly, they must also enter an additional authentication code sent to their phone before they can log in. In practice, this ensures that the user is actually present when the login happens, preventing someone else from logging in with a password saved on their PC.

There are a number of 2FA security plugins available from the WordPress Repository.

If you would like to chat web stuff with a member of the CREATIVEFOLKS team then please get in touch.

Produced by Cameron Stephen

Cameron Stephen is a full-stack web developer who specialises in LAMP/LEMP development, confidently working with PHP, HTML5 and CSS within a Linux environment. He prefers to work using the Symfony MVC framework with Doctrine as an ORM; Git as his version control system of choice and Composer as the dependency manager - but is also fully capable in WordPress-based web development, developing bespoke websites that are fully responsive, are well optimised and bug-free.