A guide to WordPress Security

Part 1 of 3: Securing WordPress from the dashboard

Part 2 Part 3

WordPress is a huge success story with over 76 million sites and growing at 50,000 new sites a day. WordPress powers 25% of the global websites. See global real-time usage at WordPress site.

Just like Windows, success brings attention and especially from hackers and bad guys. If you manage a WordPress-based website you need to understand and pay attention to security as you are at risk. Every year hundreds of thousands of WordPress are hacked. Many reports show unnerving stats: 2013, 117,000 WordPress sites were hacked. Forbes claims 30,000 sites a day are hacked. These are large numbers. On the sites we manage we witness countess attempts to break in to the WordPress CMS. (Content Management System)

It gets worse the vast majority off all WordPress sites were vulnerable to malicious attack, most of which are easily preventable.

Does this mean you should dump WordPress as a web site environment? No, not really. The same threats, in similar percentages, appear across other CMS and blogging platforms, as well as static html sites. Unfortunately, it’s just part of doing business on the web.

The good news is that there’s a good deal you can do to secure your WordPress site. And there’s a lot of it that you can do yourself.

And because WordPress is such a popular platform (by a huge margin) there’s a large, active community of volunteers and commercial interests constantly working to help keep malicious threats against your site at bay.

Essentially, you’ve got your own private army ready to help you out: you just have to ask.

This article started as a simple how-to. But, as you can imagine, security is a serious and complex matter. We decided to split it up into three approaches. Part 1 deals with things you can do, on your own, from the WordPress dashboard. These are easy, common sense and frequently mis-used and abused. If you don’t read anything else, read this first part — and implement the suggestions.

Part 2 is more technical, but if you really want to secure your site, you need to understand the technical aspects of WordPress hosting. It deals primarily with editing some of WordPress’s files to limit access and permissions that could otherwise let hackers in. Part 3 (to be published soon) deals with plugins and other third-party services. Plugins are one of the easier ways to implement a whole raft of security measures in one swoop, but they’re not without the occasional problem of their own making.

First things first Don’t procrastinate

Seriously. The following steps will take you, maybe, an hour and a half — and that’s if you’re an absolute novice. Fixing a site following an infection will take days. Can you afford for your site to be down for days? Can you afford the cost of someone disinfecting your site? Securing your site now will save you a lot of time, money and headaches.

(Not motivated enough yet? Sites get hacked and without basic security they are easy targets to Brute Force. We know of one site that was under attack and the log showed they were getting 180,000 login attempts per second. If your site has any of the symptoms below — weak passwords, admin usernames, outdated themes and plugins — your site will get hacked. It’s really just a matter of time.)

HOW STRONG IS YOUR PASSWORD?

Here’s some figures for you to ponder:

A Brute Force attack is a pretty unsophisticated hack that simply tries to cycle through every possible combination of a given string of characters.

The vast majority of people use 6-character passwords, primarily lowercase letters. If that’s the kind of password you use, a hacker could brute-force your password in just 1716 seconds, or around 28 minutes, by cycling 180,000 possible combinations every second.

Adding just one character to your password — i.e. making it a 7-character password rather than six — increases the time it takes to brute-force your password to about 12-and-a-half hours. That’s a lot better, but shows that your password can still be cracked with enough time and bloody-mindedness.

Let’s crank up your password to a 13-character password, using a mix of upper and lowercase letters, numerals and extended characters from a standard keyboard. Using such a combination, it would take 6.9E16 hours (that’s 69 followed by 15 zeros), or 78,810,300,736,618 years (near enough to 79 trillion years) to brute-force your password. That’s more than 1000 times the Earth has been in existence.

Be realistic

Like burglars, if a hacker wants to get into your site, they will get in. That’s life on the Internet.

But, again like burglars in the ‘real’ world, most hackers are opportunistic and if you put up a decent fight, 99% of them will move on to a site that’s less of a challenge. For the most part these guys aren’t into crossword puzzles: they’re into the cyber equivalent of Snap. Fast, frantic, slapdash, and without a lot of thinking.

Your aim, then, is to deter these would-be hackers and make life difficult for them in the hope that they’ll give up and move on.

Most attacks on WordPress sites are done by what hardcore geeks dismissively refer to as scriptkiddies.  They grab code wholesale from a hackers’ community site, add nothing themselves, don’t really know what they’re doing, and have no idea of the consequences for the business they target.

Thankfully, they’re easily bored and bit of resistance will see them move along.

A balanced act

It may be possible to lock out every security threat that comes rumbling through the WordPress tollgates, but it would more-than-likely mean that your site would cease to function. Or at least cease to be usable.

Securing your WordPress site is a balancing act, weighing usability against security. You can get good security and good usability: just don’t expect to get 100% of both. It’s not realistic.

And nothing beats …

A backup.

If your site does get infected with something malicious, the best comeback is to identify when the infection started and roll back your site to the day or week before it started.

Your web host should be backing up your hosting environment as a matter of course, though they may charge to recover it. (If you host is not doing backups, get a new host.)

But you should also have a backup schedule in place. If you site is not especially large or media-heavy, there’s really no reason why you can’t do a backup every day and keep those backups for a month or more using a free storage account like Dropbox, Amazon S3 or Google Drive.

We’ll be doing a post on backups for WordPress in the coming weeks, so if you’re in the dark about backups, stay tuned.

Let’s get started

There’s a lot you can do yourself to secure your WordPress site. The simplest methods for the novice are those things you can do from the WordPress dashboard itself: keeping things up-to-date, tidy, secure.

There are also several things you can do to various files within your WordPress folder on your hosting environment. At first glance, this might seem stuff for the propeller heads, but it’s really not that hard.

And then there are methods offered by third parties, such as plugins or software-as-a-service (SaaS).

A good WordPress security system will use all of the above. So let’s get stuck in.

Via the WordPress dashboard

Use strong passwords

Most of what follows is in no particular order, but I have deliberately put this item first because it’s the most easily implemented and the most often breached by hackers.

If you don’t do anything else, do this.

According to research, there is an extraordinary number of WordPress users who use passwords such as ‘abcd1234′ or ‘admin’ or ‘qwerty’ or ‘root’ or, simply ‘password’. You may laugh or roll your eyes, but there’s a known stock of about three dozen common passwords and variations that hackers can try to gain access to your site. And they work frequently enough to make it worthwhile.

The answer is for you (and all users of your site) to use strong passwords. A strong password has at least 13 characters and features a random mix of upper and lower case letters, numerals and extended characters (extended characters are the characters, or glyphs, you get when you press the Shift or Option key in combination with a letter or number on you keyboard e.g. !, @, #, $,% and so on).

Better yet, use a password generator or a password recipe. If you’re concerned about losing your password, record it in a notebook, on your phone, or even stick it to your computer. Obviously sticking passwords to your computer is not the usual advice, but in this instance it’s a calculated risk: better to have a strong password that you can use, than to implement a simplistic password because it’s easier to remember. Remember, the goal here is to lock out hackers, not prevent burglars: the two are rarely the same.

Ideally, use a password manager such as 1Password, KeePass or our recommended and well loved LastPass.

Don’t procrastinate. Change your password now.

Update themes and plugins

Vulnerabilities in themes and plugins account for a whopping 68% of all malicious attacks. Most conscientious theme and plugin developers keep their products up-to-date and fix any security holes as soon as they can. But you still have to do your part by updating the themes and plugins to the latest versions.

If the theme or plugin in question is available from the WordPress public repository, then it can probably be updated simply by pressing the Update link in Plugins > Installed Plugins > [Plugin name] Update. Themes available from the WordPress public repository can similarly be updated from Appearance > Themes > [Theme name] Update.

If you have premium plugins from a merchant service like Code Canyon or if you’ve purchased or downloaded it direct from the developer, then you may need to download it from the source and reinstall it manually.

You may find that a plugin or theme has been discontinued and is no longer being updated by its developer. If that’s the case, you really need to start thinking about a Plan B. In most cases, you’ll be able to find a plugin that does much the same thing as the one that is being discontinued and it’s just a matter of swapping the new plugin for the old one. A discontinued theme might be more of a challenge and may signal a time to think about a website revamp.

Keep the WordPress core up to date

The core of WordPress (current version is 4.4 as of December 2015) is also vulnerable to attack; thankfully, with such an active community of programmers, most threats are locked out and patched as soon as they appear. However, for those patches to have any effect, you must keep WordPress up to date.

You’ll be notified of available updates in the menu bar of the WordPress dashboard; simply choose Update and the core will automatically update itself.

You can also enable automatic updates via a small line of code in the wp-config file (see Part 2 in this security series). Be aware that themes and plugins can cease to function if they’re not kept in step with WordPress updates by their respective developers.

Ditch the ‘admin’ administrator

In older versions of WordPress, all installs required a root user or administrator called ‘admin’. Consequently, the admin username became a target of hackers. Since version 3.9, the admin username is no longer a default, but it is still widely used nonetheless.

Predictable user names are a gift to hackers: the default login requires a username and a password, and if you use something well known such as ‘admin’ then you’ve gifted the hacker half of the puzzle. Further, hacker bots are out and about looking specifically for ‘admin’ usernames for precisely this reason; use a different username and most of these bots will pass on by.

Keep things tidy

If you’re a bit of an experimenter, chances are you’ve got more than a few plugins installed that are not being used, may not even be activated. Same could be said of themes, images and other media such as audio or video clips. If they’re not being used, delete them. A lot of infections can sneak aboard with older plugins and themes — if you have themes or plugins lying around that are not be actively used, then chances are they’re not up-to-date and are thus more prone to security holes, get rid off them.