After giving advice online to someone else earlier today about WordPress security, I thought it might be helpful to write a post offering basic tips for how to secure a self-hosted WordPress install. While more advanced/“geeky” users will probably already know this (or want to find more thorough instructions elsewhere online), I hope the list below covers the basics.
Use a secure password
Yes, a secure password is highly important. It’s best to create a password at least 12 characters long (though I prefer at least 16 characters). The password should have a mix of letters, upper- and lower-case, numbers, and punctuation. And, of course, don’t use the same password from elsewhere online.
Some have suggested using passphrases (like in this xkcd strip). While I’ve not tried this, some suggest it’s an easier way to remember passwords.
I’d also recommend a password manager, which removes the main reason people end up with weak and reused passwords. There are frankly too many sites the average person uses to create a unique, lengthy, hard-to-crack password for each of them. While Facebook/Google+ logins on some sites help cut down on the number of passwords to remember, a password manager can still help. LastPass is a pretty excellent online password manager. If you prefer a password manager that stores everything locally, a good one is KeePass.
Keep everything updated
Promptly install all WordPress updates when indicated, including those for any plugins, themes, etc. Make sure themes and plugins are installed only through WordPress’s own directories (Plugins > Add New or Appearance > Themes > Install Themes tab). Do not install plugins/themes found on third-party websites, via Google searches, etc.
It might also help to uninstall any unused plugins or themes.
Remove “admin” user name
By default, WordPress installations use “admin” as the administrative account’s user name. This, however, makes it an easy target for brute-force attempts by hackers to break into one’s WordPress site: with the user name already known, they merely have to guess at the password.
Thus, create a new administrative account user name (preferably not just your first name), then delete the “admin” name. To make sure the new user name isn’t displayed on your site, go to Users > Your Profile, scroll down to “Display name publicly as,” and select another option (your first name, full name, etc.).
Some might also opt to create a second user account without full account permissions (at the “editor” level) and just use that for writing posts. They’d then switch back to the administrator account as needed for maintenance issues.
There are also various plugins that, along with the above tips, will help keep things secured or make up for WordPress’ default shortcomings. Some plugins offer a full host of security options, covering a wide range of functions. If that is considered overkill (or risks conflicting with other plugins), there are also various other plugins that each do one particular function.
Here are some WordPress plugins I’d recommend. I also have a more general list of suggested WordPress plugins available. All are available through WordPress’ plugin installer:
- Akismet: Akismet comes with WordPress installs by default, and does an excellent job of managing/preventing spam in blog comments (as well as trackbacks/pingbacks spam).
- Antispam Bee: An alternative to Akismet is Antispam Bee, a plugin that performs similar functions, but is completely free. Akismet is only free for personal sites; commercial sites are required to pay a fee for Akismet usage.
- iThemes Security: An all-purpose security plugin, iThemes Security covers a wide range of security issues, including replicating some of the functions of plugins I list below.
- WordFence: Another security plugin, this one performs functions similar to iThemes Security. Thus, WordFence isn’t needed if iThemes is already installed. Either one will block brute force login attempts, provide suggestions to improve security, and more.
- BackWPup: A plugin that automatically creates backups of one’s WordPress site, since, of course, backing up is important. BackWPup will even email backups (if below a certain file size).
For more security tips, here’s WordPress’ own article on the subject: http://codex.wordpress.org/Hardening_WordPress