5 things you should do to secure your WordPress website
WordPress is one of the most versatile web development platforms available and currently powers over a quarter of all sites on the internet, a share that is still growing. It started life as a blogging platform, but because it is open source it rapidly evolved to fulfil many other roles. These days it forms the basis of a vast array of websites, from creative portfolios to ecommerce stores to small static sites.
More and more people use it, and professionals the world over, from amateur developers to the largest digital creative agencies, offer it as a platform to build sites on. Even this site uses a heavily customised version of WordPress to present a mix of static pages and articles such as this one.
With so many people using WordPress in one form or another, it is worth taking a little time to understand what can make a site vulnerable to attack and to learn a few basic measures that will make your WordPress website more secure.
All of them are relatively simple to implement and, with a little know-how, can be done at no cost.
Let's get started with the first, and arguably the most important, thing you can do to improve the security of your website.
Use HTTPS instead of HTTP
Serving your site over HTTPS is a no-brainer for WordPress. Installing a certificate from a trusted certificate authority and configuring the web server for TLS (the protocol most people still call SSL) means every byte exchanged with a visitor's browser is encrypted and authenticated. Without it, anyone on the network path, from someone on the same coffee-shop Wi-Fi to a compromised router, can read or alter the traffic, including the username and password typed into wp-login.php and the session cookie that follows. With it, a man-in-the-middle can neither read nor tamper with that data, provided the whole site is served over HTTPS and plain-HTTP requests are redirected rather than answered.
As if that weren't enough, serving the site over HTTPS can improve its ranking in Google's search results. At present Google describes it as only a lightweight signal, closer to a tie-breaker, but the SEO industry widely expects it to carry more weight over time.
There are many ways to implement this, from paying a professional agency to set it up for you to generating a free certificate (Let's Encrypt issues them at no cost) and installing it yourself, and, WordPress being WordPress, there are plugins to help with the WordPress side of the change. Whichever route you take, installing the certificate is only the first half: WordPress also needs to know that its address is https:// and every plain-HTTP request needs to be redirected, otherwise the login form is still reachable over HTTP.
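Once a certificate is installed on the web server, WordPress still has to be told to use it. The following is an added example, not code from the original article: an excerpt for wp-config.php plus a must-use plugin, saved as two separate files (any file in wp-content/mu-plugins/ is loaded on every request without activation). The hostname example.com and the file name force-https.php are assumptions.

```php
<?php
// ---- File 1: excerpt for wp-config.php, above the "That's all, stop editing!" line ----

// Tell WordPress its canonical address uses https://, so every link, asset URL
// and redirect it generates does too (example.com is an assumed hostname).
define('WP_HOME',    'https://example.com');
define('WP_SITEURL', 'https://example.com');

// Send wp-login.php and the whole of wp-admin over HTTPS only, so the password
// and the authentication cookie are never transmitted in clear.
define('FORCE_SSL_ADMIN', true);

// If TLS is terminated by a load balancer or CDN in front of PHP, the PHP
// process sees plain HTTP, is_ssl() returns false, and the redirect below
// loops forever. Trust the proxy's X-Forwarded-Proto header, but only when
// that proxy overwrites any copy of the header a client sends in.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

<?php
// ---- File 2: wp-content/mu-plugins/force-https.php (assumed file name) ----
/*
Plugin Name: Force HTTPS (added example)
*/

// Redirect plain-HTTP front-end requests. FORCE_SSL_ADMIN covers the admin;
// this covers public pages. The target is built from WP_HOME by home_url(),
// not from the client's Host header, so a forged Host cannot turn this into
// an open redirect, and wp_safe_redirect() refuses off-site targets anyway.
add_action('template_redirect', function () {
    if (is_ssl()) {
        return;
    }
    $path = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/';
    wp_safe_redirect(home_url($path), 301);
    exit;
});

// HSTS: a browser that has seen this header over HTTPS refuses plain HTTP for
// the site for max-age seconds, so an on-path attacker cannot downgrade the
// next visit. Browsers remember it, so test with a short max-age first and add
// "; includeSubDomains" only once every subdomain is served over HTTPS.
add_action('send_headers', function () {
    if (is_ssl()) {
        header('Strict-Transport-Security: max-age=31536000');
    }
});
```

The redirect and the HSTS header are more robust when set in the web server configuration (nginx or Apache), because they then apply to every request, including ones WordPress never handles, such as admin-ajax calls and static files; the plugin form above is the fallback when you cannot edit the server configuration.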
Keep Everything Up to Date
Because WordPress is open source, its code is available to anyone who wants to read it. That means someone intent on exploiting it can study the entire platform, but it also means a vast community of developers can find and patch vulnerabilities before they are widely abused. When an update is released, the reasons for it are published in the release notes, and attackers compare the fix against the previous version. Any vulnerability in the old version is therefore common knowledge almost immediately.
If you keep running old versions of the platform or its plugins, you are leaving your site open to anyone who scans for those known vulnerabilities, and automated scanners do exactly that. The best defence is simply to update WordPress, and every plugin and theme, as soon as new versions appear. WordPress makes this easy: the admin bar and the Dashboard show a count of pending updates, and installing them is a matter of clicking a link. Better still, WordPress can apply updates automatically: minor core releases (the ones that carry security fixes) do so by default, and major releases, plugins and themes can be switched to automatic too. That is well worth doing if you want the site as secure as it can be; if a plugin is critical to the business, test its updates on a staging copy first, and keep a backup that predates the update window.
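Here is what switching updates on automatically looks like in code, as an added example that is not part of the original article: a must-use plugin (any file in wp-content/mu-plugins/ is loaded on every request without activation). The file name and the plugin listed as "stage first" are assumptions chosen to show the format.

```php
<?php
/*
Plugin Name: Automatic update policy (added example)
Description: Apply core, plugin, theme and translation updates without waiting for someone to log in.
*/

// Core: minor releases (security and maintenance fixes) already auto-apply by
// default; the second filter also allows major releases. Return false from it
// if you prefer to roll major releases out by hand.
add_filter('allow_minor_auto_core_updates', '__return_true');
add_filter('allow_major_auto_core_updates', '__return_true');

// Plugins: update everything except a short list you test on staging first.
// $item is the update object WordPress passes; $item->plugin is the plugin's
// main file relative to wp-content/plugins, e.g. "akismet/akismet.php".
// The entry below is an assumed illustration of the format, not a recommendation.
add_filter('auto_update_plugin', function ($update, $item) {
    $stage_first = [
        'woocommerce/woocommerce.php',
    ];
    if (isset($item->plugin) && in_array($item->plugin, $stage_first, true)) {
        return false; // leave this one for a manual, tested update
    }
    return true;
}, 10, 2);

// Themes and translation files: always.
add_filter('auto_update_theme', '__return_true');
add_filter('auto_update_translation', '__return_true');
```

Automatic updates run from WP-Cron, so on a low-traffic site trigger wp-cron.php from a real cron job, and they are silently skipped if the PHP process cannot write to the install, if DISALLOW_FILE_MODS or AUTOMATIC_UPDATER_DISABLED is defined, or if WordPress finds a version-control checkout (a .git or .svn directory) in the install.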
Change Default Username
In older versions of WordPress the installer created the administrator account as... you guessed it... "admin", and plenty of one-click installers and tutorials still suggest that name. An attacker trying to brute-force or credential-stuff the login page has to guess both a username and a password; knowing that the account is called "admin" takes them halfway there. Note that WordPress does not let you rename an account from its profile screen (the field is marked "Usernames cannot be changed"), so choose something non-obvious when you install. For an existing site, create a second administrator with a different name, log in as that user, and delete "admin", attributing its posts to the new account when WordPress asks.
Not only does this look better on the posts you publish, it also removes the attacker's free head start, although a strong, unique password still does more for you than any username.
If WordPress is already running with the default username, don't despair: it isn't too late. In the "Users" section of the left-hand menu you can set a display name that differs from the login name, so a casual visitor cannot read the admin username off your posts, or tell which of several users is the administrator. Be aware that this is cosmetic: WordPress still exposes login names through the author archive (a request for /?author=1 redirects to /author/<username>/), through the REST API at /wp-json/wp/v2/users, and through the login form's error message, which says whether a username exists. Block those routes as well, or the display name buys you very little.
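Closing those gaps, as an added example rather than the article's own code: a must-use plugin (file name assumed, e.g. wp-content/mu-plugins/hide-usernames.php) that stops the three routes named above from confirming login names.

```php
<?php
/*
Plugin Name: Block username enumeration (added example)
*/

// 1. /?author=1 normally 301s to /author/<user_nicename>/, and user_nicename
//    is the login name unless it was changed in the database. Refuse numeric
//    author lookups from anonymous visitors. Priority 1 runs this before
//    redirect_canonical(), which is hooked to template_redirect at priority 10.
add_action('template_redirect', function () {
    if (is_user_logged_in() || !isset($_GET['author'])) {
        return;
    }
    if (preg_match('/^\d+$/', (string) $_GET['author'])) {
        nocache_headers();
        wp_die('Not found.', 'Not found', ['response' => 404]);
    }
}, 1);

// 2. The REST API lists users, including their "slug" (the nicename/login),
//    at /wp-json/wp/v2/users. Remove every users route for visitors who are
//    not logged in; authenticated editors and the block editor keep it.
//    By the time this filter runs, cookie-based REST auth has already been
//    checked, so is_user_logged_in() is reliable here.
add_filter('rest_endpoints', function ($endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (array_keys($endpoints) as $route) {
        if (strpos($route, '/wp/v2/users') === 0) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
});

// 3. The login form distinguishes "Unknown username" from "The password you
//    entered for the username X is incorrect". Give the same answer in both
//    cases so a guess cannot be confirmed one field at a time.
add_filter('login_errors', function () {
    return 'Invalid login credentials.';
});
```

The author archive still lives at /author/<nicename>/ and most themes link to it from every post, so if you keep author archives, change the administrator's nicename (the wp_users.user_nicename column; the admin screens do not expose it) to something other than the login, or accept that anyone who follows the link learns it.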
Disable Comments
Wherever a visitor can type data and send it to your server there is a risk that the data carries an attack. It may be JavaScript intended to run in other visitors' browsers (cross-site scripting, XSS) or SQL fragments intended to run against your site's database (SQL injection). WordPress core sanitises comment text and uses prepared statements, but every plugin or theme that handles that input is another place where such a bug can live, and the comment form is the largest piece of unauthenticated input most sites accept.
Either way, the attacker's aim is to change how your site behaves by sending it input it was never meant to receive. The simplest way to make that harder is to remove the opportunity altogether: if you do not need comments, disable them (and pingbacks, the other unauthenticated write path), and treat any input that still reaches your own code as untrusted, which means parameterised queries on the way into the database and escaping on the way out to the page.
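Both halves in code, as an added example that is not from the original article: a must-use plugin (file name assumed) that closes comments and pingbacks everywhere, followed by the unsafe and safe ways of handling a value that still reaches your own plugin or theme. The comment text and the database lookup are constructed for illustration.

```php
<?php
/*
Plugin Name: Comments off and safe input handling (added example)
*/

// ---- Part 1: switch comments and pingbacks off everywhere ----

// Close discussion on every post, including ones published with comments open.
// wp-comments-post.php then rejects direct POSTs with "comments are closed".
add_filter('comments_open', '__return_false', 20, 2);
add_filter('pings_open', '__return_false', 20, 2);

// Stop templates rendering comments that were submitted before the change.
add_filter('comments_array', '__return_empty_array', 10, 2);

// Remove comment support from every post type so the editor stops offering it.
add_action('admin_init', function () {
    foreach (get_post_types() as $post_type) {
        if (post_type_supports($post_type, 'comments')) {
            remove_post_type_support($post_type, 'comments');
            remove_post_type_support($post_type, 'trackbacks');
        }
    }
});

// XML-RPC pingbacks are another unauthenticated write path (and are abused for
// reflected DDoS); drop the methods rather than the whole XML-RPC endpoint.
add_filter('xmlrpc_methods', function ($methods) {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// ---- Part 2: the bug class itself, in code that still accepts input ----

// A constructed comment body carrying both a SQL and an HTML payload.
$untrusted = "Nice post! ' OR '1'='1 <script>alert(document.cookie)</script>";

function lookup_comments_unsafe($author) {
    global $wpdb;
    // VULNERABLE: the value is spliced into the SQL text, so the quote in
    // $untrusted ends the string literal and the rest is parsed as SQL
    // (the WHERE clause becomes comment_author = '' OR '1'='1 ...).
    return $wpdb->get_results(
        "SELECT comment_ID FROM {$wpdb->comments} WHERE comment_author = '$author'"
    );
}

function lookup_comments_safe($author) {
    global $wpdb;
    // SAFE: %s is a placeholder; prepare() escapes and quotes the value, so
    // it is only ever compared as data and never parsed as part of the query.
    return $wpdb->get_results(
        $wpdb->prepare("SELECT comment_ID FROM {$wpdb->comments} WHERE comment_author = %s", $author)
    );
}

// Echoing the raw string would run the <script> in every visitor's browser
// (stored XSS). esc_html() turns < > " ' and & into entities so the browser
// displays the text instead of executing it. When some HTML must be allowed
// (e.g. <em>, <a>), wp_kses_post() strips everything not on WordPress's
// post-content allow list, which excludes <script> and event attributes.
function render_comment_text($text) {
    return '<p>' . esc_html($text) . '</p>';
}
```

If your theme or plugin takes input from anywhere (search forms, contact forms, shortcode attributes, REST parameters), the second half applies even with comments disabled: $wpdb->prepare() on the way in, and esc_html(), esc_attr() or wp_kses_post() on the way out, chosen by where the value lands in the page.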
Remove the Version Number
Just as keeping WordPress up to date is vital, hiding the version number makes life harder for anyone targeting your site. Vulnerabilities come to light quickly and are fixed just as quickly, so knowing exactly which version you run tells an attacker which published exploits are worth trying. Hiding it is not a substitute for updating (an attacker can still fingerprint a version from the files themselves), but it removes the easy route.
Removing the version number from the footer, where some themes display it, is only half the battle. WordPress also prints it in the page source as a <meta name="generator"> tag in the <head>, appends it as ?ver= to the URLs of its own scripts and stylesheets, includes it in the RSS feed, and ships it in readme.html at the site root, all of which anyone can read with "view source" or a single request. Remove it from the header, strip the ?ver= parameter, and block or delete readme.html, and remember to apply the same change on any staging server, otherwise the next push will put it right back in front of everyone.
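An added example, not the article's own code, of removing the version from the places WordPress prints it: a must-use plugin (file name assumed, e.g. wp-content/mu-plugins/hide-version.php).

```php
<?php
/*
Plugin Name: Hide WordPress version (added example)
*/

// 1. The <meta name="generator" content="WordPress x.y.z"> tag in <head>.
remove_action('wp_head', 'wp_generator');

// 2. The same generator string in RSS/Atom feeds, the RSD link and exports;
//    the the_generator filter covers every one of them.
add_filter('the_generator', '__return_empty_string');

// 3. Core scripts and styles are enqueued as ...?ver=x.y.z, which is the core
//    version again. Strip the parameter only when it equals the core version,
//    so cache-busting values set by themes and plugins are left alone.
$strip_core_version = function ($src) {
    global $wp_version;
    if (!is_string($src)) {
        return $src;
    }
    $query = wp_parse_url($src, PHP_URL_QUERY);
    if (empty($query)) {
        return $src;
    }
    parse_str($query, $args);
    if (isset($args['ver']) && $args['ver'] === $wp_version) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
};
add_filter('script_loader_src', $strip_core_version, 9999);
add_filter('style_loader_src', $strip_core_version, 9999);
```

readme.html is served by the web server, not by PHP, so deny access to /readme.html in the server configuration or delete the file in your deployment step (a core update restores it). None of this stops determined fingerprinting, since the hashes of core's static files identify a version just as well, which is why updating, not hiding, is the real fix.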
If you want any help or advice with any of these, or other aspects of WordPress security then feel free to give us a call on 01252 560565.