6 Ways to Improve Your WordPress Security

January 13, 2016

WordPress is the most powerful and most widely used content management system (CMS) in the world today. It currently has roughly 67% of the market share for all CMSs and is used to power nearly 20% of all websites on the internet.

That’s billions of sites using WordPress, so it definitely pays to keep your website secure, and it’s even more important if you have an eCommerce site. My name’s Seb, and I’m a WordPress developer here at Fhoke, so I deal with WordPress and website security every day. Part of my responsibilities includes ensuring all our client sites are kept up to date, perform well, and, most importantly, are secure.

It’s hard knowing where to start regarding security, especially if you’re not that involved in the tech industry. So over the next few months, I’ll be putting together a five-part series of articles around WordPress security. In my first instalment, I’ll take you through some basic tips you can use right now to help keep your WordPress site safe. If you’re an existing client and you’re reading this, we’ve got you covered but feel free to call, we love a chat, and we’d be happy to answer any of your questions.

Don’t Use Plugins with Low Ratings


There are a huge number of plugins available from the WordPress plugins directory. However there’s a small problem, most of them are free. “So why is that a problem?” you might be asking. Well, not everything that comes free will have the same level of care and attention that a good, paid for product gets. The passion the WordPress development community shows in everything it does is fantastic, but sometimes a few bad apples get through.

We’re not suggesting all free plugins will be of poor quality; after all, we use many for our own client sites. The best tip we can offer before you even download one is to take your time to look at the reviews and be dubious about newer plugins that are yet to be rated. It definitely pays to be cautious in the long run rather than losing your entire site because you didn’t want to spend five minutes looking at what others had to say.

Don’t Use Admin as Your Username


The default username for WordPress is “admin”, which is an easy target for hackers trying to gain access. If you take into account that around 20% of all websites on the internet (that’s billions!) are hosted on WordPress, it’s not hard to imagine people will be trying to hack the one account that the majority of sites will have.

We make sure to do this on all our website builds and something you should always do when setting up a new WordPress site. However, some plugins can help you do this after your site is already set up.

One of those plugins is Username Changer, and it does exactly what it says on the box.

Use Secure Hosting


Hosting is something that plays a huge role in the security of your website. In fact, a study found that 40% of hacked WordPress sites were down to the hosting company, not WordPress itself.

It doesn’t have to cost you an arm and a leg either, as you can get a very good web hosting at reasonable prices. Investing in your hosting should always be a top priority, no matter what.

When it comes to finding a good host, try to stick with reputable, well-known companies as they have a higher level of expectation around their services. We like to suggest Flywheel and can say without a doubt their support team is always around and more than happy to help with any questions you might have.

Avoid Using Free Themes


You can download free themes from most places these days, but don’t be sucked in by every offer. Please make sure you look into the site you’re getting it from and make sure they are reputable. Free themes can come back and bite you in the ass if you don’t.

Firstly, free themes tend to be slapped together quickly and generally lack the good, well-tested code you need for a CMS powered site. This can lead to security issues, styles not looking right or just generally not working properly and breaking your site.

Lastly, these “free” themes can, on occasion, be free versions of paid themes and are usually a way for hackers to gain access to your site. The idea is that they get a paid theme, inject malicious code into it and give it away for free. The problem here is that people who don’t understand code will grab these free themes as they’re not willing to pay for them. You’re essentially uploading a backdoor so the hacker can access your server.

Use a Strong Password


We’ve lost count at the number of times we’ve been asked to look into the security or functionality of a WordPress site, only to be told the password is barely more secure than “123”. If you’re getting serious about security, updating your password, and especially the passwords of others who have access to your site, are where you should start.

A good password will usually contain a mixture of numbers, letters and symbols. This makes it much harder for anyone trying to guess your password and eventually leads to them giving up. Whereas if your password is easy, like the “123” example above, then a few tries, and they’ll be logged in to your account.

Rubbish at remembering strange passwords? We definitely recommend you look at 1Password. It’s perfect for storing all your site logins and website hosting details. We use it here at Fhoke, and it’s an invaluable tool for our day-to-day work.

Delete Unused Themes and Plugins


When you first install WordPress, it comes with a bunch of pre-made themes and plugins for you to use right off the bat. This is great when you first set up your site, but it can be an issue on some web hosts when there are another 5 or 6 pre-made themes/plugins.

If you don’t keep on top of those themes and plugins, it can lead to security holes. This isn’t such a problem when you’re only using one or two and don’t activate the others, but if your site gets hacked and one of those themes or plugins is infected, it’s going to stay infected without you knowing.

If you are hacked, you can clean up the ones you’re using, and your site will be fine, but you’ll likely forget those 10 or more pre-added themes and those 1 or 2 pre-added plugins that are just sitting there. Fast-forward six months when you switch themes or activate a different plugin, and your entire site can be completely broken, or worse.

While it’s not an immediate security problem by keeping pre-added themes and plugins on your server, it can cause big problems in the long run. In the end, it’s all about minimising risk to prevent problems before they happen.

What Next?

After implementing the above tips and techniques, your site should be in a much better place than before. There’s more to it than that, though; you can secure your files from being searched by hackers, disable file editing, hide your WordPress version number and more, which we’ll be covering in future articles in this series.

If you’d like help with anything from this article or advice on going further with your security, please don’t hesitate to get in touch with us!