WordPress Security – it’s something we’re all afraid of and never want to talk about. 33% of the world’s websites run on WordPress, which makes it a massive target for attackers. We’re going to discuss a few steps to harden your WordPress installation.

Disable the Plugin and Theme Editor

All too often, people use the included theme and plugin editor to make on-the-fly changes to their websites. While it is convenient, it’s not a good practice. Using the built-in editor means no version control, and it risks website-breaking changes or losing data from a page refresh.

But let’s take a look at the security aspect. Attackers usually attempt to brute-force your admin page to gain initial access. Let’s say they’re successful and now have access to your admin panel. Typically, the attacker will use the Plugin & Theme Editor to distribute malicious code everywhere they can fit it. This ensures they have access when they want to come back, and makes it a nightmare for you to fix.

How can you prevent it? You can make a change to your wp-config.php that disables the Plugin and Theme Editor:

define( 'DISALLOW_FILE_EDIT', true );

Add this line of code to the bottom of your wp-config.php file to enable the change.

More information on WordPress.org

2 Factor Authentication

There is one change that every login provider should make: implement 2 Factor Authentication (2FA). Each time you log in to your WordPress website, you won’t be able to access it until you enter the code that is sent via text message, a smartphone application, email or even a phone call. Unfortunately, there is no native solution for 2 Factor Authentication, so here’s one I suggest:

Google Authenticator by Mini Orange

This plugin allows you to set up two-factor authentication in multiple mediums (such as Google Authenticator, Authy, SMS, Email, and more!)

One downside to Google Authenticator by Mini Orange is that there is a free and a premium version. The free version allows you to set up 2FA for one user; the paid version allows you to set it up for all users.

Install WordFence – Seriously, just do it.

WordFence is a web application firewall which proactively identifies and blocks malicious traffic. It also implements things like brute force protection, gives traffic analytics and gives you an easy to understand dashboard. WordFence also allows you to build IP blacklists based on IP Range, Hostname, User Agent and Referrer.

Why is a web application firewall important? Just like on your machine, you have a firewall which allows or disallows traffic to your network. A web application firewall allows you to control who can visit your website based on IP address, geolocation or referral.

There are also some premium features, which are always good but optional. The premium version gives you access to their Threat Defense Feed to automatically blacklist attackers who have attempted to intrude on others’ WordPress installations. Also, it enables 2 Factor Authentication and allows you to block traffic from countries you define.

WordFence Security – Firewall & Malware Scan by WordFence


SSL (Secure Sockets Layer) provides a layer of encryption from the client to the server side, to ensure the communications haven’t been tampered with in transit. What does this mean? The weird guy in Starbucks isn’t going to be spying on your traffic. Also, search engines tend to rank websites without SSL lower, which could impact traffic to your website.

In 2019, there’s no excuse for not setting up SSL. Most domain name registrars have partnered with SSL companies to easily provide an SSL certificate with minimal work on your part.

Let’s Encrypt

Let’s Encrypt is a certificate authority that gives you free SSL certificates to help build a more secure world wide web.

But Scott, how do I force SSL? Easy! It’s a config change in wp-config.php. Add the below line to the bottom of the file and all traffic submitted from the client side and server side of your WordPress installation will be forced to use SSL.

define( 'FORCE_SSL_ADMIN', true );

More information on WordPress.org
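
A check for both wp-config.php settings on this page (DISALLOW_FILE_EDIT and FORCE_SSL_ADMIN), added as an example and not part of the original article. It reports whether each constant is defined as true and whether the define comes before the line that loads wp-settings.php, since WordPress assigns FORCE_SSL_ADMIN its default while that file loads. The function names and the two sample files are constructed for illustration.

```python
import re

# define( 'NAME', value ); with the name in single or double quotes
DEFINE_RE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*([^)]+?)\s*\)\s*;""", re.I)
# The statement that boots WordPress core
BOOT_RE = re.compile(r"require(?:_once)?\b[^;]*wp-settings\.php", re.I)
HARDENING = ("DISALLOW_FILE_EDIT", "FORCE_SSL_ADMIN")

def strip_comments(php):
    """Drop /* */ blocks and whole-line // or # comments so disabled defines are ignored."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"^[ \t]*(?://|#).*$", "", php, flags=re.M)

def audit_wp_config(php):
    """Return {constant: 'ok' | 'missing' | 'not-true' | 'too-late'}."""
    code = strip_comments(php)
    boot = BOOT_RE.search(code)
    boot_pos = boot.start() if boot else len(code)
    status = {name: "missing" for name in HARDENING}
    for m in DEFINE_RE.finditer(code):
        name, value = m.group(1), m.group(2).strip().lower()
        if status.get(name) != "missing":
            continue  # not a hardening constant, or already seen (PHP keeps the first define)
        if m.start() > boot_pos:
            status[name] = "too-late"   # defined after wp-settings.php was loaded
        elif value not in ("true", "1"):
            status[name] = "not-true"
        else:
            status[name] = "ok"
    return status

# Constructed sample files, not taken from a real site
SAMPLE_GOOD = """<?php
define( 'DB_NAME', 'example_db' );
define( 'DISALLOW_FILE_EDIT', true );
define( 'FORCE_SSL_ADMIN', true );
/* That's all, stop editing! */
require_once ABSPATH . 'wp-settings.php';
"""
SAMPLE_BAD = """<?php
// define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_EDIT', false );
require_once ABSPATH . 'wp-settings.php';
define( 'FORCE_SSL_ADMIN', true );
"""

if __name__ == "__main__":
    for label, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, audit_wp_config(text))
```

To audit a real installation, pass the contents of its wp-config.php to `audit_wp_config` and treat anything other than `ok` as a finding.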

I hope this article helps you build a stronger WordPress installation, and feel more comfortable when it comes to talking about security. Remember, security starts with the end user; the small steps below are good suggestions on any platform.

Small Steps

  1. Use a secure password and password manager, like LastPass or Dashlane
  2. Change the Admin username
  3. Take frequent backups
  4. Use a strong and secure password for your database
  5. Set appropriate file permissions
  6. Don’t use shared hosting

If you have any suggestions, comments, or concerns, please feel free to drop a comment below!