4 Simple Steps to Achieve a Better WordPress Security

Over the past few years I’ve written several different pieces of content on WordPress Security. I’ve even touched on it in the Geek 2 English Podcast in the security episode. All that notwithstanding, I’m going to repeat myself here because I want as many WordPress site owners as possible to see the message and understand how to make their WordPress site secure.

WordPress is a complex system that has developed over time. As such there are a lot of nooks and crannies in the code where potential vulnerabilities can hide. To their credit, the WordPress core developers are very good at ferreting these out and patching them. Still, no software is bug-proof. It is because of this complexity that a lot of non-technical site owners still wonder what steps they can take to make their WordPress site secure.

Thankfully, there are 4 easy things that every site owner can do – usually without the help of a developer – to make their WordPress site more secure.

1. Change the Admin Username

This one is a no-brainer. If you are still using admin, administrator, or anything really easy to guess as your administrator’s username, STOP! Look, to compromise your site, an attacker needs 2 things, a user name and a password. If you use a default admin user name then you’ve given them half of what they need. Let’s make it a little harder, shall we?

To change the admin name, you can do it manually or you can install a plugin. Since plugins slow your site down and you only need it to do this one thing, let’s do it manually.

• Log in using your existing Admin account.
• Under “Users” click “Add New”.
• Create a new user account and make it an Admin. Make the user name anything you want EXCEPT for Admin, Administrator, or your name. (Yeah, attackers probably know that since your company’s Facebook account is linked off of the homepage.
• Log out of WordPress and log back in using your new Admin account.
• Click on Users to list the users, and under your original admin account, click “Delete” Make sure you select “Attribute content to” and select your new admin account, so you don’t lose any content.

There, now you have a new admin account with a name that isn’t “admin”. Your site is already a little more secure. Also, to upgrade the security level when it comes to your site login, make sure to enable 2-factor authentication on your WordPress.

2. Enforce Strong Passwords

Yes, everybody loves using their birthday as their password. You know who likes it most of all? Attackers. See, weak passwords are easy to guess.

If you post on social media: 

“ZOMG, My Little Pony II is my FAVOURITE MOVIE! Going to see it tomorrow for my birthday!”

You’ve given an attacker a critical piece of information. At this point they are going to start trying passwords and usernames related to the movie. Anything you’ve posted on Social Media gives attackers a little more information to work with. This isn’t necessarily a WordPress security issue, it’s a failing of humans.

HINT: l33tsp34k “Leet Speak” or replacing letters with numbers doesn’t fool attackers either. They figured that one out before you did.

So what works? Strong passwords. Long, random strings of letters and symbols are great. The problem with this is that, since they are hard to remember, we tend to write them down. If you lose the book you wrote them down in, then an attacker has the keys to the kingdom. (Book being physical OR electronic). If you are in the habit of doing that, I’d strongly advise you to check this article on securing passwords with Have I Been Pwned.

WordPress now has the functionality to generate strong passwords, but it doesn’t require them. There are plugins however that will enforce this for you. (I’m not in the habit of recommending any specific plugins but if you go to wordpress.org/plugins and enter Strong Passwords, you’ll find several to choose from.

Install one of these plugins.

IIf you have regular users as well as admin, authors, etc, you may want to only enforce strong passwords on your higher-level accounts to reduce the friction your users have in registering and logging into your site. 

Oh, if you are wondering how to deal with strong passwords without writing them down, invest in a password manager. Most modern ones work on both desktop and mobile and will sync your data across all your devices.

3. Enforce HTTPS

Honestly, this one you should already be doing. If you’ve been living under a rock though, a couple of years ago, Google came right out and said that if your site isn’t running https, they will rank your site lower than other sites running https. SEO aside though, https keeps all your traffic encrypted and away from prying eyes. If you are not running https, any user sitting in a coffee shop is broadcasting everything to anyone who cares to watch. (technically, “sniff the wifi”) 

If you are not using SiteGround then this involves working with your hosting provider to purchase and install a secure certificate. Then you need to tell WordPress to change it’s URL to https:.

If SiteGround is your hosting partner, all you need to do is use the SSL Manager to get a free “Let’s Encrypt” certificate. Once SiteGround’s control panel obtains and installs the certificate for you, all you need to do is click “Enforce HTTPS” and voila, your entire site is now encrypted.

4. Keep your plugins up to date

I don’t mean just the main ones, I mean every plugin you have installed on your site, every time there is an update.

These days, it’s really easy, you just click the auto update link on most of them and then forget it.  When I started working with WordPress, updating plugins required that you download a zip file, FTP it up to your server, unpack it, and move it into place. Then you crossed your fingers and prayed to your god that the update didn’t break anything. (many times it did anyhow)

Why is it important to keep your plugins updated?

The main reason is of course security. Good plugin authors address security issues when they are reported and release patches as soon as they can. If you have auto update turned on you don’t even have to do anything, you’ll get the new code. If you don’t then you do what every WordPress site owner has done for the past several years, as soon as you log in, notice that there are updates, go to Plugins, click on the update buttons, watch them all update, and then try and remember why you logged in in the first place. (Ok, maybe that last part is just me)

One more step

• Yes, it is really important that you keep WordPress up-to-date
• Yes, it is really important that you keep your themes up-to-date
• Yes, it is really important that you keep your plugins up-to-date

But there’s another step. A lot of time in the Open Source world, authors will get tired of supporting a package and abandon it. Sometimes they are nice and tell people of their plans and arrange for someone to take over. If they don’t then the code just sits there unupdated. You need to make sure that the plugins that you rely on are under active development. 

The easiest way to do this is to know who is behind the plugin. If there is a company or a team behind it, the chances of it becoming abandonware is much smaller than if there is a single programmer.

Look, if your WordPress site is just a collection of pictures you share with your mom (Don’t laugh, I actually have one JUST FOR that) then it may not be all important that you keep it up-to-date and only rely on actively developed plugins.

If, on the other hand, you can measure down-time in dollars, then yeah, it’s worth your time to make sure you are always on the latest and greatest version of everything and that the important plugins on your site are constantly being maintained.

These four easy tasks will help you keep your WordPress site a little more secure. The secret about website security is that it’s not one big thing you do, it’s about doing a lot of little things. Each layer of security you add to your site makes it a little harder for attackers to get in. You don’t have to have an absolutely secure site to be safe, you just have to create more work for the attacker than what is actually worth to break in. Attackers eventually get tired and move on to easier targets…those sites whose owners haven’t read this article.