Layman’s Guide to WordPress Security

by Woei Yu, August 24, 2015

Let’s make something clear. Security is never about perfectly secure systems. Such a thing is not only highly impractical but also impossible to achieve.

What security can do is reduce risk, not eliminate it.

It’s about employing all the appropriate techniques available to you, and using a healthy amount of common sense, to reduce the odds of your blog becoming a target and to make it harder for anyone to breach your protections.

Beware the Apple

Always get plugins or themes from reputable companies. Yes, WordPress is great blogging and website software. 30% of the websites on the Internet are built with WordPress and it continues to grow in popularity. However, like anything, it’s not perfect.

We all have different needs and WordPress, out of the box, cannot satisfy all of them. That’s why plugins and themes exist. However, these themes and plugins are written by people you’ve never met, and whom you’ve trusted for the sole reason that they created the software.

I’m always somewhat amused by clients who have no qualms about downloading and installing any old free theme or plugin, from who knows whom, yet balk at giving administrator access to their site for enhancement and troubleshooting purposes.

Of course, I applaud them for the caution but shouldn’t that caution be extended to the themes and plugin developers as well?

One could argue that plugins and themes from the official WordPress directory are safe. The sad truth is that they are, at best, only marginally better, because they do at least go through a review process.

However, publishing on the official directory is easy enough, and it often gives themes and plugins a veneer of respectability that they DON’T necessarily deserve.

WordPress does have many excellent themes and plugins but beware of the apple. Just because it looks good doesn’t mean you won’t find a worm squirming in the middle.

What you can do:

Do your due diligence. Only install reliable and reputable plugins or themes. That means getting them from people and companies that specialize in themes and plugins, or asking a trusted developer with WordPress experience.

Tune your Engines, Carefully

Always update your software. I am of two minds about this: it may seem obvious that keeping all software up to date is vital to keeping your site secure, but you should never forget that WordPress is more than the core WordPress software. It’s WordPress plus a conglomeration of third-party software that you have no control over.

Even worse, each piece of third-party software, which doesn’t even know the other software on your site exists, may not work cohesively with that other software to make your site behave the way you want it to.

Yes, the WordPress developers work hard to provide us with a reliable platform and we can say the same thing for many of the plugins or themes available.

But no update is foolproof.

So I always tell my clients: if the blog is important to you, do whatever it takes to make sure its “engine” runs smoothly.

What you can do:

Install a test or development blog that is (and remains) a clone of the live blog and disable all automatic updates in both blogs.

Disabling auto-updates is controversial because there is a trade-off between making sure you have the latest security patches and the danger that updating WordPress, themes and plugins will break your site and require emergency fixes.

Both sides have good arguments, and I’m not going to go into them here, but since I recommend disabling auto-updates, this is what you should do.

When updates are available, update the test/development blog first and test things. Test the important functions in particular, along with a random sample of everything else.

What I do is keep a test plan and process, and I go through it methodically, making sure everything tests out okay. Whenever something new is added to the site, or I find a problem I wasn’t testing for, I add it to the plan.

If nothing crashes and everything tests out properly, then update the live blog.

Change Your Name

Even today, most WordPress installations use “admin” as the site administrator’s username. It is common and easy to remember, but it is also one more thing that makes an attacker’s job easier.

The grim truth is that “admin” is the username used most often by brute force attacks. I’ve seen automated bots attacking a site every ten seconds for weeks, trying to log in with the “admin” username.

Unfortunately, far too many WordPress users still use “admin” without knowing that it opens yet another small hole in their site’s defenses.
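The ten-second bot pattern described above is easy to spot in a web server’s access log. The block below is an added example, not code from the article: it reads a few constructed log lines in the common “combined” format, treats a POST to wp-login.php that gets a 200 back as a failed login (WordPress redirects with a 302 on success), and flags any IP with five or more failures within a minute.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines in the common "combined" format (not from the article).
# WordPress re-renders the login form with HTTP 200 when a login fails and answers a
# successful login with a 302 redirect, so "POST /wp-login.php" + 200 is a failed attempt.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Aug/2015:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2900 "-" "bot/1.0"
203.0.113.7 - - [24/Aug/2015:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "bot/1.0"
203.0.113.7 - - [24/Aug/2015:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "bot/1.0"
203.0.113.7 - - [24/Aug/2015:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "bot/1.0"
203.0.113.7 - - [24/Aug/2015:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "bot/1.0"
203.0.113.7 - - [24/Aug/2015:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "bot/1.0"
203.0.113.7 - - [24/Aug/2015:10:00:50 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "bot/1.0"
192.0.2.9 - - [24/Aug/2015:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.2 - - [24/Aug/2015:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# captures: client IP, timestamp, method, path, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def failed_logins(lines):
    """Map each client IP to the sorted timestamps of its failed wp-login.php POSTs."""
    failures = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0] == "/wp-login.php" and status == "200":
            failures[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    return {ip: sorted(times) for ip, times in failures.items()}


def flag_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: peak failures} for IPs with >= threshold failures inside any window."""
    flagged = {}
    for ip, times in failed_logins(lines).items():
        peak, start = 0, 0
        for end in range(len(times)):
            # advance the window start until it lies within window_seconds of this attempt
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Calling `flag_bruteforce(SAMPLE_LOG.splitlines())` on the constructed lines returns only the bot’s address; the single failure from 192.0.2.9 and the successful 302 login are left alone, which is the behaviour you want before handing an IP list to a firewall or a plugin’s block list.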

The WordPress developers recognized that problem and have, for a while now, given people the option to choose the administrator username at install time.

Unfortunately, many people use the convenient and quick auto-installation provided by hosting companies via software like Fantastico and Scriptalicious, which doesn’t always give you that option and will use “admin” as the username by default.

I did a search on how to change the username and was bewildered by the number of results that detail various complicated ways (editing the database and installing plugins, to name just two) to do this seemingly simple thing. But it really isn’t difficult; just follow the steps below.

What you can do:

  1. Log in as an administrator and click on “Add New User” on the Users page.
  2. Fill out the form and choose “administrator” in the “Role” drop-down menu at the bottom of the form. Make sure that the “display name” is different from the username you just created: if the username and display name are the same, anyone can read the admin username off your published posts.
  3. Enter a very strong password. Make sure the “Strength Indicator” box reads at least “strong” when creating your password.
  4. Click the “Add New User” button when you are done. You have now created a new user.
  5. Now log out and then log back in using your new WordPress admin username.
  6. Go back to the “Users” page and select “All Users”.
  7. Locate the username “admin”, tick the box on its row and select “delete” from the drop-down menu.
  8. You will be taken to a page that asks, “What should be done with posts owned by this user?” If you have posts published under the “admin” user, check the “attribute all posts to:” option and select your newly created username. This transfers all posts created under the admin username to the new one you just created.

Put a Lock on the Door

From a simple closed door to a team of hungry Dobermans and, my favorite, a battery of sweeping lasers, there are endless ways to secure your house.

The same principle applies to WordPress. The question you have to ask yourself is how much you are willing to spend and how far you want to go.

But you should at least make an effort.

Just because WordPress has a username and password screen doesn’t mean that you are safe. In fact, with the right software, it takes minutes to hack into your site. And the attackers don’t even have to be there to cackle maniacally.

And if you have been safe so far, that is because, one, hackers don’t know your blog exists; two, they just don’t think it is worth the effort; or, last (and the most horrifying scenario), your blog is already hacked and you just don’t know it.

So just take an extra day to secure your site.

What you can do:

There are so many things you can do (literally, a book could be written about it), but here are some of the simple things you can do to make it harder for people to hack into your site:

  • Create a long (at least 14 characters, but the longer the better) and complex (use numbers and special characters) password for all your users, database and FTP accounts.
  • You are only as secure as the host your blog resides on, so invest in a good WordPress host like SiteGround or WPEngine.
  • If you have sensitive information sent across the Internet (not all blogs do), install a security certificate and use SSL for your site.
  • Install reliable and reputable security plugins like iThemes, WordFence, Sucuri, and others.
  • Use a cloud security service like CloudFlare or Sucuri.

Takeaways

This article was written for the layman with zero programming knowledge.

However, some of the actions do require some technical knowledge. By reading this article, you are already one step ahead of your fellow bloggers, so kudos to you.

You don’t have to do everything on this list (although it certainly wouldn’t hurt). Even if you just remove the “admin” username and start using stronger passwords, your site will be just a little bit safer.

And if you need any technical help, I may be available for hire so just shoot me a comment below and I’ll contact you.
