WordPress Security Checklist
for your website
WordPress Security Checklist – We are often asked what basic things you can do to protect a WordPress website from hackers and malicious code, so we have created a basic checklist that everyone can implement. Please note that nothing can guarantee your website will not be hacked, but implementing these items will make it harder for the hackers than it is on sites that do not implement the checklist.
Simple tasks that can be done by any WordPress user to enhance WordPress Security
Let’s get started!
Do not use ‘admin’ as your username
Probably the single most important item on our checklist is to ensure your username is not ‘admin’. ‘admin’ is the default username when creating a WordPress installation, which means the hackers already know that the username is ‘admin’; you have given them a head start. Change it now!
To change your username, create a new administrator user with an unusual username and a strong password, then delete the old unwanted user and assign that user’s posts to the new one.
It’s just amazing how many WordPress websites we have managed that had passwords such as ‘12345678’ and, can you believe it, ‘password’!
With a username of ‘admin’ and password of ‘password’ it takes a hacker literally seconds to get in and wreck your site.
Go to your backend dashboard > Users, select your username and scroll down to Password; in the latest WordPress installations you can generate a strong password there. We know what you are thinking: how will I remember that? Well, if you are a regular web user you will no doubt have many passwords to remember, and here are a few free applications to help you.
Limit login attempts
Brute force attacks are when an automated hacker bot makes multiple attempts to access your site through the login process. If you set your allowed login attempts to a low figure (after all, you should know your password) this will lock them out and they will most likely move on. No technical knowledge is needed here; there are many plugins, such as Limit Login Attempts, to help you out.
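As an added illustration of what such a plugin does (this is not code from the original post, nor from the Limit Login Attempts plugin), the following must-use plugin implements the lockout with plain WordPress hooks; the thresholds of 5 failed attempts and a 15-minute lockout are assumptions you can change.

```php
<?php
/*
 * Plugin Name: Simple Login Limiter (added example, not a WordPress core or plugin file)
 * Description: Locks an IP address out for 15 minutes after 5 failed logins. Drop into wp-content/mu-plugins/.
 */

// Assumed thresholds: 5 failed attempts, then a 15-minute (900 second) lockout.
const SLL_MAX_ATTEMPTS    = 5;
const SLL_LOCKOUT_SECONDS = 15 * 60;

// Transient key derived from the client address. REMOTE_ADDR is only reliable
// when WordPress is not behind a reverse proxy or CDN (see the note below).
function sll_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'sll_fail_' . md5($ip);
}

// Count each failed login. The transient expires on its own, so the counter
// resets after the lockout window. Note that a blocked attempt (see the
// authenticate filter below) also fires this action, which extends the window.
add_action('wp_login_failed', function ($username) {
    $key      = sll_key();
    $failures = (int) get_transient($key) + 1;
    set_transient($key, $failures, SLL_LOCKOUT_SECONDS);
});

// A successful login clears the counter for that address.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(sll_key());
}, 10, 2);

// Priority 999 runs after WordPress has checked the password (priority 20),
// so a locked-out address is refused even if it finally guesses the right
// credentials. Returning a WP_Error makes the login form show the message.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(sll_key()) >= SLL_MAX_ATTEMPTS) {
        return new WP_Error(
            'sll_locked_out',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 999, 3);
```

If your site sits behind a reverse proxy or CDN, every visitor shares the proxy's address, so you must derive the client IP from the proxy's forwarded header before this counter is meaningful.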
Double layer of authentication (optional)
Using a double layer of authentication is a smart move and easy to do.
This can be done in many ways and can need some technical help; however, there is a very cool plugin called Clef that does it all for you, and for the first 10,000 logins it’s free, which would normally be enough for the average user. Try it and let us know what you think.
WordPress Core Files
Easy to do: every time you log in to the WordPress backend and there is a WordPress update available, it tells you to update to the latest version. Do it every time you see this. When a new WordPress update is released, WordPress publishes a log of the security bugs that have been fixed. This can be a simple guide for hackers to use against old installations, so ensure you are always using the latest WordPress version.
You will also be warned about plugins that need updating. This again is an easy route for hackers, so keep these updated at all costs.
Note: Always update WordPress and plugins manually and after you have updated each one check your site. Using yet another plugin to automatically update WordPress and plugins can cause your site to go down if your theme conflicts with the updates.
Backup your website
This is another area that amazes us when we are commissioned to manage WordPress security on people’s websites: they do not have a backup. Imagine being hacked and, for some reason, not being able to recover! Your server host may not have a backup of your site, and if they do, can you rely on them to restore it straight away? WordPress does not back up your website by default, so in reality most WordPress websites are not backed up.
It’s a simple job: install one of the many plugins, such as BackupBuddy, and you are done.
Remove unused WordPress Themes
So you have finally found a theme you like after trying a few out. Do you have a whole bunch of different themes stored in Appearances on your dashboard?
If so, remove all of them apart from the active theme. This is another backdoor used by hackers that can easily be closed.
Let’s close a few more entry points. You have most likely been testing, developing and messing around with things on your server. For example, you may have a subdirectory with another WordPress installation that you used to develop or test a website; this would be open to abuse.
Go to your file manager on your server and tidy up a bit. Go through your root directory and make sure you don’t have any folders or subdomains set up that you no longer use, especially other WordPress installs.
Your hosting company
Where you host your WordPress site is important. Does your hosting company specialise in WordPress hosting? If not, move your website to one that does. Hosting WordPress websites needs some specialist knowledge from a server security point of view, and this is out of the realms of your ability if you are reading this.
An example of a specialist WordPress hosting company is WPEngine but there are others.
Remove malware from your computer
Finally, or maybe it should be step 1, make sure your computer, including your browser, is free from viruses and malware. There is no point in logging into your WordPress website if your computer is infected.
You may like to read our article Removing malware from your computer in 5 steps.
We hope that these 10 items will have helped you harden your WordPress website. Remember, there is no 100% protection against hackers; however, if you have used the checklist above and checked off each item, it is likely that before you completed it you had one of the easiest websites to hack on the web.
The above items are basic; there are many more processes and items that should be employed, but they lie outside the realms of the general user.
If you think we have missed something in our top 10 that is easily implemented by a newbie or general user, then shout out below.
If you think this is all too much for you and you would like your WordPress site managed and monitored by us 24/7, 365 days a year, then we would of course be delighted to help you, and at £99 per year our WordPress Security Pro service is amazing value for peace of mind.
If you think this checklist is useful, please share it with other WordPress users; they will thank you.