Like anything, securing your WordPress site can completely take over your life; however, for most people the reality is that a couple of quick, simple and free steps will eliminate the majority of attacks on your site. As anyone who has experienced a successful attack knows, it can be extremely frustrating and time consuming to clean up an infected site, so it’s worth taking a little time to put some simple security precautions in place.
As mentioned, this is not a complete list; if you search online you’ll literally find hundreds more security steps you can take, but in reality most attacks are based on the ‘low hanging fruit’ concept. If your site is more secure than most, they’ll move on to the next target; in reality many of the hackers have limited technical ability.
So what can you do to secure your site?
First step – never use the default admin user account. Go into your WordPress user settings and create a new administrator account with a new username, and make sure it is completely unrelated to your site. So stay away from generic ‘admin’ type names or those with your site name in the username. Many attacks involve brute forcing the default username, so if it doesn’t exist you’ll already be more secure than the majority of default installation websites. Choose a longish, obscure administrator name and you’ll go a long way to securing your site.
Second step – passwords. Yeah, sure, it’s obvious, but it’s surprising how many people neglect this step. Make it longish, include non-standard characters like hashes or symbols, and throw in a number or two that you can remember easily. The most common attacks on WordPress sites try to brute force the admin account, which means just trying huge combinations of usernames and passwords to ‘guess’ the right ones. The first two steps should make this substantially more difficult.
Third step – keep your WordPress installation up to date. The same goes for any themes and plugins: if security risks are found, the updates will hopefully close them. If you run old versions of software you’re probably running with a built-in security hole.
Fourth step – you should try to minimise the number of plugins you install on your WordPress site, simply because each one introduces a potential security risk. However, there is one free WordPress plugin that is definitely worth using for security purposes. Although there is a paid version too, the free version of Wordfence is pretty good. You can use it to scan your WordPress installation to check for malware or infected files, plus it can automatically monitor and block logins. It works great against brute force attacks because after several failed logins it will automatically block the IP address. This means the attacker would have to keep rotating their IP address to keep the attack going, which requires a huge investment in VPNs and proxies to break the average login credentials. Download Wordfence and run it on all your sites.
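To show what that “block the IP after several failed logins” behaviour looks like in practice, here is a small added example (written for this post, not Wordfence’s own code) that runs a sliding-window lockout over constructed Apache-style access log lines. It assumes a failed wp-login.php POST re-renders the form (HTTP 200) while a successful one redirects (HTTP 302); the threshold and window values are illustrative.

```python
"""Sliding-window login-failure lockout over web server access logs.
Added example modelled on the plugin behaviour described in the post."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (combined log format). Assumption: a failed
# wp-login.php POST returns 200 (form shown again), a success returns 302.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.2 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.2 - - [10/Oct/2023:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2023:14:30:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def lockouts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: time_of_lockout} for every IP that produced at least
    `threshold` failed wp-login.php POSTs within any `window`."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    blocked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].startswith("/wp-login.php") or m["status"] != "200":
            continue  # not a login attempt, or a successful (302) login
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], TS_FMT)
        recent = failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()  # forget failures that fell out of the window
        if len(recent) >= threshold and ip not in blocked:
            blocked[ip] = ts  # first moment this IP crossed the threshold
    return blocked


if __name__ == "__main__":
    for ip, when in lockouts(SAMPLE_LOG).items():
        print(f"block {ip} (threshold reached at {when:%H:%M:%S})")
```

The second address only fails once before logging in successfully, so it is never blocked; the first one crosses the threshold within a few seconds.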
That’s it. Now, I’m not suggesting this is the complete checklist for securing WordPress, but for someone who has run 40 or so sites now for a decade, these simple steps will protect you against the majority of attacks. If you find a site does get targeted or comes under constant attack there are many more steps you can take, but this is a great starting point.