The best time to make sure your website is secure is when you first install it. Here is an explanation as to why it must be done, as well as list of best practices for securing your new WordPress website.
Note: This article does not cover ways to maintain the security of your site, but simply how to ensure that it is secure from the get-go.
Make sure to read this article if you want to learn how to create SEO-friendly WordPress blog posts.
Why secure your WordPress website?
Unfortunately, all WordPress websites are targets for malicious activity. This is because it is the most popular content management system in the world (similar to how Windows computers are more likely to get hacked than other types because they are the most popular operating system).
Even if your website is small, doesn’t contain sensitive information or even get a lot of traffic, it is still a target for malicious activity. Hackers can manipulate your site for their benefit and at the expense of your precious time, money, and reputation.
Various hacker tactics include:
- Holding your website for ransom
- Stealing user information
- Installing malicious software
- Distributing malware to your users
- Creating links on your site to their nefarious site(s)
Often this kind of activity is executed by bots that don’t discriminate between one WordPress site or another, but are simply looking for any WordPress site that has one or more vulnerabilities.
How to secure your new WordPress install
Without further ado, here is my list of key steps to take in order to ensure your new site is secure:
- Always use strong passwords for all accounts related to your site, including domain registrar, hosting, and FTP/SFTP access, and require them of your users (security plugins can help with this, listed below).
- Always use a dedicated server or virtual private server instead of shared hosting. Shared hosting shares a server with other websites which can infect your website if they are hacked.
- Set up a daily backup system. I prefer the UpdraftPlus Premium plugin that saves your backups to Dropbox.
- Never keep the “admin” user or user with ID of 1 in your site. If your one-click install created this user, delete it after creating a new administrator account.
- Always use plugins that are up to date, maintained regularly by their development team, and in the WordPress plugin repository. A plugin that is not available in the repository is not officially approved by WordPress.org.
- Always properly use an SSL certificate.
- Change content directory “wp-content” to something unique to shield from hackers using the plugin iThemes Security.
- Change your default database prefix from wp_ to something custom and difficult to guess using the plugin iThemes Security. This should be done before there is any content on your new site.
- Stop brute force attacks locally and network-wide using the plugin iThemes Security.
- Hide your login and admin page so people that aren’t supposed to find it can’t using the plugin iThemes Security.
- Automatically block users snooping around for pages to exploit using the plugin iThemes Security.
- Make sure your site directories and files have the correct permissions using the plugin iThemes Security.
- Disable directory browsing using the plugin iThemes Security.
- Monitor the site for unexpected file changes using the plugin iThemes Security.
- Enable a Web Application Firewall, like Sucuri’s premium WAF or Wordfence‘s free WAF.
- Activate two-factor authentication (2fa) for all WordPress user accounts using the plugin Wordfence.
- Disable XML-RPC in the Firewall Options in plugin Anti-Malware Security and Brute-Force Firewall.
- Log out idle users automatically using the plugin Inactive Logout.
- Disable file editing by placing the following code in your wp-config.php file:
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
- Disable PHP file execution in uploads folder by creating a .htaccess file to place in /uploads directory that includes this code:
deny from all
Free Security Plugins
If you haven’t already by this point, make sure to install my personal favorite (and free!) WordPress security plugins, which were referenced above:
- Anti-Malware Security and Brute-Force Firewall
- Inactive Logout
- iThemes Security (formerly Better WP Security)
- Sucuri Security – Auditing, Malware Scanner and Security Hardening
- Wordfence Security – Firewall & Malware Scan
After your website is set up using the guidelines discussed in this article, you will need to regularly maintain it so it is secure. I will publish an article outlining the necessary steps to do that in the near future.
Please contact me if you need assistance securing your WordPress website. I’d be happy to offer you a complimentary security audit and provide you with a quote.