4 tips for basic WordPress security

Website security is a complex and scary subject, but there are a handful of simple things you can do to help keep your WordPress site safe from attackers. Just remember these five things: don’t be Neville, think of a better name, plug on in, stay up-to-date, and watch the X-Files.

Confused? That’s OK. It’ll make sense by the end.

1. Don’t keep your passwords lying around
In today’s connected world, there are just too many passwords to keep track of. Not only that, the passwords we have are getting more complex as security concerns become a larger issue for regular users. What to do? Let’s start with what not to do. Don’t be Neville Longbottom. Yes, I just made a Harry Potter reference. If you write your passwords down or save them someplace that isn’t secure, the mean kids from Slytherin will be able to get through the portrait door and access the Gryffindor common room, and nobody wants that. It’s a mess.

So, what can you do to manage your growing list of passwords? You can use tools like Apple’s Keychain and apps like 1Password to store and organize your passwords in an encrypted format. Plus, if you’re crafty you can configure it to manage your passwords across multiple devices.

2. Don’t Call Your WordPress Admin “Admin”
Just like “password” is a comically awful password, “admin” is not an ideal choice for your WordPress admin user name. It would be better to use something more obscure, so evildoers not only have to guess your password, they also have to guess your login name. Conclusion: “admin” is a bad admin name. So, change it.

You might be thinking “but I already set up the site and it’s live; I can’t change the admin now!” Ah, but you can! And it’s easier than you might think. As the “admin” admin, start a new admin user (storing the login information somewhere safe), then log back in as the new user and delete the original admin named “admin.” During that process you can assign posts credited to the original admin to the new one. In five minutes you’ve made your site much more secure. To be safe, though, back up your database before doing this.

3. Use a WordPress Security Plugin – or Two
iThemes Security – At its core, this plugin helps you work through a comprehensive checklist of WordPress security best practices. iThemes can help with everything from checking file permissions to disabling vulnerable protocols, but the neatest feature is that it lets you obfuscate the admin login URL, changing it from the traditional /wp-admin to whatever you want. That makes a brute-force login attack that much harder for the bad guys. A little security-through-obscurity never hurt anyone. Just be sure to keep your real admin login URL someplace safe.

WordFence Security – This plugin focuses on activity on your site, including suspicious traffic and file changes. This can result in a lot of bothersome email notifications, but the extra layer of security is definitely worth it. Fun fact: the WordFence team recently took down a Russian botnet and detailed the experience on their blog. Exciting stuff.

4. Update, Update, Update
Staying up to date isn’t always about this season’s must-have outfit. Security experts say that for a majority of cases when a WordPress site has been hit, it comes down to out-of-date code. WordPress core and plugin updates come out a few times a week, so if you’re not checking for updates regularly, your site can get out of date very quickly. Not all of these updates are security related, but it’s a good policy to update as soon as you can. iThemes Security can notify you when updates are available.

5. Trust No One
I can hear the X-Files theme music now… but rather than a wide-reaching government conspiracy to hide evidence of UFOs, this is about user input. Trust no one’s form fills or URL variables. If you’re writing server-side code for your website, you should never take the user’s word for it. It’s smarter to just assume that the input is coming from an attacker and go from there.

The good news is that PHP has several good functions for sanitizing input, and WordPress has its own function for cleaning and validating $_POST and $_GET values: sanitize_text_field($input).

Here’s my favorite trick. If the input is supposed to be a number, simply multiply the variable by 1. If it’s a string (maybe a string with evil stuff in it) it’ll simply resolve to zero: $this_id = $_GET['my_id_number'] * 1;
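As an added example (not code from the original post), here is the "trust no one" rule applied in plain PHP: a positive-integer ID check and a text cleaner that do roughly what WordPress's absint() and sanitize_text_field() do, run over constructed sample inputs so the script works outside WordPress.

```php
<?php
// Added example, not from the original post. Plain PHP is used so it runs
// standalone; inside WordPress, absint() and sanitize_text_field() cover the
// same ground as read_id() and read_text() below.
declare(strict_types=1);

// Returns a positive integer ID, or null when the value is missing or is not a
// plain decimal integer. Unlike "$x * 1", this rejects "5abc" and "1e3" outright
// instead of silently turning them into 5 and 1000.
function read_id(array $query, string $key): ?int
{
    if (!isset($query[$key]) || !is_string($query[$key])) {
        return null;
    }
    $id = filter_var($query[$key], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Returns a single-line string with tags stripped, control characters removed and
// whitespace collapsed. Escaping for HTML output happens separately, at output time.
function read_text(array $query, string $key, int $max_len = 200): string
{
    $raw = isset($query[$key]) && is_string($query[$key]) ? $query[$key] : '';
    $clean = strip_tags($raw);
    $clean = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $clean);
    $clean = trim(preg_replace('/\s+/', ' ', $clean));
    return mb_substr($clean, 0, $max_len);
}

// Constructed sample inputs standing in for $_GET.
$samples = [
    ['my_id_number' => '42',   'q' => 'hello world'],
    ['my_id_number' => '5abc', 'q' => "<script>alert(1)</script>tea\n"],
    ['my_id_number' => '1e3',  'q' => ''],
    ['q' => 'no id at all'],
];

foreach ($samples as $get) {
    $id = read_id($get, 'my_id_number');
    $q  = read_text($get, 'q');
    // Escape at output time: the cleaned value can still contain quotes or ampersands.
    printf("id=%s q=%s\n", $id === null ? 'rejected' : $id, htmlspecialchars($q, ENT_QUOTES, 'UTF-8'));
}
```

One caveat on the multiply-by-one trick: in PHP 8, arithmetic on a non-numeric string such as "abc" throws a TypeError rather than yielding 0, and a leading-numeric string such as "5abc" still becomes 5, so explicit validation as above is the more predictable habit.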

There’s no such thing as perfect security, but these 5 tips will at least get you started down the right road. Keep your ear to the ground. Just as we’re always learning new techniques to make things safer, there are folks out there working just as hard to unleash chaos. Keep your eyes open for new security best practices and read WordFence’s newsletter for industry news.

-Mark Arenz
