WordPress Security Best Practices

Is your website protected against malwares and brute force attacks?

Most website owners underestimate the threat of cyber attacks. They do so at their peril. Cyber attacks can be costly, time consuming, and stressful. Google penalizes websites that are infected with malware by lowering their search rankings and sometimes blocking infected sites from organic and paid Google searches. In 2013 alone, more than 30,000 websites were hacked each day — almost 11 million websites in one year. Fortunately, a few easy steps can help prevent most cyber attacks.

‘Brute force attack’, the most common cyber attack, uses a trial-and-error method to obtain information such as usernames and passwords. The hackers use automated software to generate a large number of consecutive guesses until they find the successful combination to bypass security.

These tips were crafted for WordPress websites, the platform used to create more than 25% of websites on the Internet.

Use a Unique Username

Do not use ‘admin’, ‘guest’, ‘info’… or any other generic term as usernames when setting up a website. The majority of the automated brute force attacks use common usernames with different password combinations in order to gain access.

WordPress does not let you change usernames once they have been created, however you can create a new user with a unique username and then delete the user ‘admin,’ ‘info’, etc.

To create a new user account, login to your WordPress website, click ‘Users’ on the left side menu and create a ‘New User’ with Administrator privileges. After that, delete the ‘admin’ user.

Don’t worry if you have used the ‘admin’ account to create posts and pages. WordPress asks, “What should be done with content owned by this user?” and gives you the option to delete all content or assign it to a new user, e.g. the one you have just created.

Assign User Roles and Capabilities

Each user may be assigned roles which enables the site owner to control who can do what within a website. A site owner can assign tasks such as publishing and editing posts, moderating comments, managing plugins, managing themes, managing other users, etc.

Managing roles is an important step in reducing security risk.

Use Strategic Passwords

Brute force attacks often try to login to your website using a series of common passwords combinations. More sophisticated attacks use keywords from your website, such as company name and address. A complex and unique password can dramatically reduce the likelihood of a successful attack.

As a matter of policy, site owner should require all users to create strong passwords.

Limit Login Attempts

Limiting the number of login attempts can help thwart attacks. Security plugins like those listed below make it easy to control the number of invalid login attempts.

These plugins can also identify and block the IP addresses of users with an excessive amount of “page not found errors” (404 errors). High numbers of 404 errors from the same user is often caused by automated malwares trying to find a backdoor to a website.

Login attempts WordPress

Create a Unique Login URL

This is an excellent way to prevent fake login attempts altogether.

By default, WordPress creates a standard URL for the login form page (website.com/wp-login). Brute force attacks use this standard address to find and attack the login form. By changing the default address you can prevent hackers from finding the login page in the first place.

Example: change website.com/wp-login to website.com/vancouver_access

Install WordPress Updates

Another easy way to keep your website protected is to ensure WordPress and all plugins are up to date. Most updates include security fixes or enhancements.

Be sure to backup your website before making any changes.

Installing WordPress Updates

Recommended Plugins

  • iThemes Security: iThemes Security (formerly Better WP Security) gives you over 30+ ways to secure and protect your WordPress site.
  • Sucuri Security: The Sucuri Security WordPress Security plugin is free to all WordPress users. It is a security suite meant to complement your existing security best practices.
  • Wordfence Security: The Wordfence WordPress security plugin provides free enterprise-class WordPress security, protecting your website from hacks and malware.

Keeping your website secure and protected can save you time and money.

We’d love to hear how you keep your site safe. Please drop us a line or be in touch if we can help.