WordPress is used by more than 25% of the top 10 million websites. As of this post, WordPress 4.3 has been downloaded 28,642,109 times — and growing by the second!
If you are using WordPress, you are in good company alongside The New York Times, Wall Street Journal’s Speakeasy, Ford, New York University Library, CNN, Harvard Law School, Ben & Jerry’s, People Magazine, NASA, General Electric (GE), Gigaom, CNN Political Tracker, Time Magazine, NFL, Honda, Nikon Pressroom, Lexus, TED, Pepsi, National Geographic, Forbes, Her Royal Majesty (Paris-based literary arts magazine), United Nations University, Foursquare, CBS New York, and of course, millions more!
With millions of large profile users, and the common knowledge that the vast majority of users do not keep their sites updated, it’s not surprising that hackers continuously mount attacks on WordPress sites – all day, every day. Unfortunately, there’s no way to ABSOLUTELY protect and secure your website from being hacked.
WordPress core developers work hard to keep the platform as safe as possible; however, you also need to be proactive and do all that you can on your end to keep your site from being compromised.
The top 5 ways to help harden your WordPress security:
1. Who you host your site with matters. Ideally, you do not want to host your WordPress site on a shared server. Granted, your monthly hosting fees will cost more on a dedicated server, but if you’re running a large / important business site, the extra few dollars spent each month are well worth the cost of admission. Hackers will target every site on a server, and there are often hundreds (or thousands) of sites on a shared server. This is not to say that you should stay away from shared hosting; it’s how the vast majority of people start out. However, getting “cheap hosting” does come with its drawbacks. (Note: I do NOT recommend you use GoDaddy for your hosting – even if it was free hosting.)
2. ALWAYS make sure your installation has the latest updates: the core WordPress files, your theme, and your plugins. Use only the plugins that you absolutely need and delete the ones that you’re not using. It may come as a surprise that inactive plugins and themes can still be used to compromise a site. And choose your plugins wisely! Be sure to only install plugins offered through your admin panel or under the plugin directory. Vet your plugin source and never install plugins that are not being properly maintained and updated.
Also: NEVER use “admin” as your username. If it’s still in your users list, get rid of it, and choose passwords that are difficult to crack.
3. Protecting your site using .htaccess. Editing the .htaccess file is serious business, and you should not make any modifications to this file unless you have at least basic coding knowledge. Ways to use .htaccess to protect your WordPress site include, but are not limited to:
- Protecting your admin area by limiting access to it to selected IP addresses, such as your own IP address and the IP address of the person(s) maintaining your site.
- Protecting your wp-config.php file by adding this code to your .htaccess file:

```apache
# Refuse every direct web request for wp-config.php (Apache 2.2 syntax)
<Files wp-config.php>
  Order allow,deny
  Deny from all
</Files>
```

On Apache 2.4, the two `Order`/`Deny` lines are replaced by the single directive `Require all denied`; the `<Files>` wrapper stays the same.

WordPress.org has a long list of security measures you can take to help protect your website.
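The first item above, restricting the admin area to chosen IP addresses, as an added example that is not code from the original post. It assumes the site runs on Apache with .htaccess overrides enabled (nginx ignores .htaccess entirely) and uses placeholder addresses from the documentation ranges; replace them with your own and your maintainer's.

```apache
# Added example, not from the original post: goes in the site's root .htaccess.
# 203.0.113.10 and 198.51.100.0/24 are placeholders (RFC 5737 documentation
# ranges), standing in for your own IP and your maintainer's network.
#
# The login page is the front door to the admin area. Only the listed
# addresses may reach it; everyone else receives 403 Forbidden.
<Files wp-login.php>
  # Apache 2.4: mod_authz_core provides "Require"
  <IfModule mod_authz_core.c>
    Require ip 203.0.113.10 198.51.100.0/24
  </IfModule>
  # Apache 2.2: legacy Order/Deny/Allow directives
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10 198.51.100.0/24
  </IfModule>
</Files>
```

To cover the dashboard itself, put the same `Require ip` / `Allow from` rules, without the `<Files>` wrapper, in a separate .htaccess inside wp-admin/, but exempt admin-ajax.php with `Require all granted` (or `Allow from all`) because themes and plugins call it from the public front end. If your own address changes (home broadband, mobile), you will lock yourself out, so keep FTP/SFTP access to the file as a way back in.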
4. Delete unused plugins and themes. There’s no good reason to leave unused plugins and themes in your WordPress installation. From a security standpoint, they should be removed. Other good reasons to remove them: it reduces confusion when other people work on your site, and it reduces the size of your backups.
5. Run regular scans to check for exploits. To monitor your site, I strongly recommend you install the Wordfence plugin. Wordfence will block any IP address that tries to flood or spam your website. You can also limit the number of login attempts and monitor all live traffic (though using the Live Traffic feature tends to slow down your site).