9 tips to better secure your WordPress website
Robert-Jan Budding, March 1, 2018
If you are an entrepreneur or marketer on the internet and you have your own website, chances are that you use WordPress — or WooCommerce, in case of a webshop. These are the most popular content management platforms on the internet.
If you kept up with the news recently, you will know that websites are constantly under attack. DDoS attacks, phishing, malware: criminals use all kinds of techniques to inflict harm on organisations. Although most hosting providers already take extensive measures to keep your websites secure, there is still plenty you can do yourself. The internet contains hundreds of articles with tips and tricks to help you get started.
If you have a WordPress website, this article is for you. It contains 9 useful tips that are specifically designed to help you improve the security of your WordPress website.
Tip 1: Keep the WordPress Core always up to date
It is extremely rare, but sometimes vulnerabilities are discovered within WordPress itself. You should therefore make sure that you always run the latest minor releases of WordPress core. You can do so via WordPress’ auto-update settings or by configuring your control panel accordingly.
Tip 2: Turn off pingbacks and trackbacks
Pingbacks and trackbacks are notifications from other sites that tell you they contain a link to your website. However, this is commonly used for spam purposes. In the wp-admin, go to Settings > Discussions and uncheck “Allow link notifications from other blogs (pingbacks and trackbacks) on new articles.”
Tip 3: Turn off XML-RPC
You can use XML-RPC to exchange data between the wp-admin and your website. If you do not use this option, it is advisable to turn off XML-RPC. It is a clear attack vector, because it facilitates rapid and easy login attempts. You can resolve this issue yourself via .htaccess (if you use Apache) by adding this code:
# Block WordPress xmlrpc.php requests??order deny,allow?deny from all?allow from 220.127.116.11?
If you have any doubts, your hosting provider can tell you more.
Tip 4: Block access to the WordPress API
Of course, you should only block access to your API if you do not use it. If you do use it, you can use IP whitelisting on the API. It is important to take this measure, because it is possible for malicious third parties to uncover important information, e.g. user names (via the author’s slug), via the API.
Tip 5: Turn off user registration
Many bots create WordPress user accounts for spamming purposes. If it is not necessary for the visitors of your website to create user accounts, turn off this option by unchecking “Anyone can register” in “Settings > General.”
Tip 6: Turn off file editing
If anyone should gain unauthorised access to your wp-admin, this intruder can do a lot of damage with the built-in file editor. Turn off this option by adding the following line to your wp-config:
Tip 7: Do not use “admin” as a username
During a so-called brute force attack, an attacker will attempt to guess both your username and your password. Given that “admin” is the standard username for any new WordPress installation, this often means that a potential attacker only has to guess the password to gain access to a website.
By first creating a new administrator user with a unique username and then deleting the user with the username “admin,” you can reduce the risk of a successful brute force attack.
Tip 8: Use different user accounts for site management and content publication
It is possible to discover a username via the API and via the URL of the author page. That is why it is advisable to use two accounts for people who both manage the website and publish content. Use an account with as few permissions as possible for content publication. Should an attacker manage to log in as that user, they will not be able to do much damage to your website.
Tip 9: Use unique salts and keys
Use unique, long values for salts and keys in the wp-config.php. This ensures that the data stored in cookies is encrypted even better. Use WordPress’ own salt and key generator to generate ready-to-use values which you can paste directly in your wp-config.php.
Bonus tip: Use a unique and strong password
You have probably heard this tip countless times already. Nevertheless, many passwords are still not strong enough.
Always use strong passwords!
One of the most common ways of attacking a website is attempting to discover a password through brute force. You should make sure your password is either a long string of random characters or a long passphrase.
A passphrase is a password that consists of several random words or names. This makes the phrase easier to remember. With the help of a password manager such as 1Password or LastPass, you can use a different password for every account, while still only having to remember a single password yourself.
You should also make sure that you never reuse your passwords. If you use the same password multiple times, your website might be hacked because your password was discovered during an attack on a different site.
Here you have it: 9 tips to improve your WordPress security. There are of course more ways to make the internet safer, but these tips are a good start. We have made a checklist with even more tips available to download. Do you have more tips? Let us know via the comments or social media!