Hey there fellow website owners!
As a WordPress security expert, I’m curious – have you taken steps to protect your site from hackers? It’s crucial to safeguard your WordPress website with robust security features. Let’s share strategies to fortify our websites and keep them safe from threats.
Your insights could benefit the entire community, so don’t hesitate to share your experiences!
Cheers
It would help if you, as a WP security expert, shared some tips for securing a site…
Five things you can do right now to secure your WordPress site
#1 – Adding a Security Plugin
Security plugins such as WordFence and Sucuri do a pretty good job at blocking a number of scripted attacks. Plus these plugins scan your site for malware periodically so if something gets through you get notified. They won’t stop a sophisticated attack, but they are a good start to thwarting some intruders.
Do not rely on these tools to do everything and don’t expect them to fix any found problems. These are monitoring tools that look for patterns or things that are out of place. However, installing and activating one of these plugins is the simplest way to get started with security.
#2 – Securing the login screen
The most popular place for hackers to gain access is the same place you gain access, through the login screen. If they can crack your credentials and log into the site they will have all the powers of the site you have. Effectively they will just look like you, logging in to make some changes or to check your site statistics. However, they will have other priorities like installing a backdoor and injecting malware into your code.
A simple way to harden the login is to limit the number of bad attempts the site will allow. There are several plugins that you can install that will accomplish this. We usually have it set to give the user three or five attempts before locking them out of the site. Most of these will block the user for a period of time and then lift the restriction. That way if you lock yourself out, you can just wait and get back in later.
Another way to harden the login is to move it. There are plugins that will allow you to choose another path for the site admin. So instead of http://mysite.com/wp-admin the login could be changed to something different like http://mysite.com/I-like-to-login-login or anything you can imagine. When the bot that looks at your site tries to access the wp-admin it will return an error and hopefully they will move on to another target thinking the site isn’t a WordPress install.
#3 – Set up automatic WordPress updates
Over time security holes are found in software and updates fix those holes. If you don’t update your software then those holes remain in your site. The older your version of WordPress the more vulnerable you are to hacking. So you want to keep the software up to date by either having the site automatically update or clicking on the update link as soon as it shows up in your admin. This goes for your theme and plugins as well.
#4 – Change admin usernames
Your website credentials are comprised of two elements, your username and your password. Why do you want to give hackers ½ of your credentials and make their job 50% easier? If you are using Admin or Administrator as your username you need to set up another admin user and use it instead. Then delete the other account or diminish its authority. That way an attack using Admin as a username will never work on your site. When we create a site we never use those usernames, we make something unique for the client.
#5 – Force users to use hardened passwords
I know, I know you are sick of hearing about creating better passwords. Passwords are a pain already, making them a random string of jumbled letters, numbers and symbols just makes it worse. But there is a simple way that you can make a really hard to guess password that is easy to remember. Use a phrase, a symbol and a number. When you put them together just make sure they are over 12 characters in length.
Here is an example. Let’s say I’m building a site for a pizza shop. So I pick the phrase ‘enjoy a slice’. Then I pick a number like the last four digits of the phone number. Then I select a random symbol like the &. Mix them together, throw in a capital letter and you get something like Enjoya&9447slice which is pretty hard for a computer to guess. But if you use it a couple of times it will be easy to remember since the phrase and number have something to do with your business.
Source: [https://criticalsyntax.com](https://criticalsyntax.com)