A Guide To WordPress Security For WordPress Beginners

If you create a new website today, it is more likely to be a WordPress site than any other content management system or platform. WordPress is so popular because it is easy to use; because it includes everything a person with no development experience needs to build a site, plus tens of thousands of plugins to add extra features; because creating a professional-looking WordPress site involves little more than installing and configuring a theme, of which there are also many thousands to choose from; and because it is secure.

Some readers may pause at the last of these reasons for WordPress’s popularity. Aren’t we always hearing about WordPress security vulnerabilities and WordPress sites that have fallen to hackers? Perhaps, but it has little to do with how secure WordPress is and a lot to do with how a small proportion of WordPress’s tens of millions of users configure and manage (or fail to manage) it. If you put tens of millions of sites based on any CMS on the web, and then fail to update them for a couple of years, there will be problems.

WordPress is secure if it is configured and managed correctly — something that isn’t all that hard to get right. In this article, we’re going to explore some of the simple tasks that new WordPress site owners should do to ensure that their site is safe on the web for years to come.

Choose Passwords With Care:

Most people choose passwords that are easy to remember and that they have used before. Both are bad habits that cause security vulnerabilities that lead to WordPress sites being hacked. The ideal password is so long and complicated that only a world memory champion could remember it. It is also unique, and that is only possible if it is long and complicated.

Short, simple passwords are easy to guess. Every year, the media publishes a list of the 25 most popular passwords. It invariably includes old favorites such as “123456”, “password,” and “I love you”. If someone wants to break into a WordPress site, they will try these passwords first.

Criminals aren’t limited to a small number of popular passwords, though. The least sophisticated try brute force attacks. They use a bot — a piece of software programmed for the task — to guess every possible combination of letters and numbers until they find one that works. Short and simple passwords like “doggy” or even “d0ggy” can be guessed in a matter of seconds using this technique.

Most attackers don’t guess randomly. Over many years, hundreds of password databases have been stolen from online services. Hackers have lists of tens of thousands of passwords. However clever you think the password you have chosen is, there’s a strong chance it’s in an attacker’s dictionary, and if it is, it will take a few minutes to breach your WordPress site.

The only way to be sure that an attacker can’t guess your password with a brute force or dictionary attack is to choose one that is so long and complex that it would take too much time to guess. Dashlane, developers of a password management tool, provide a site that demonstrates how long it takes modern techniques to guess a password. The site shows estimates for password cracking, not brute force attacks, but they illustrate how ineffective short passwords are.

“Dog” takes about 400 nanoseconds to guess, that’s 400-thousand millionths of a second, less time than it takes a human to type a single letter. “Govikings” takes two minutes, assuming it isn’t in a password dictionary. A password like “B>6pQw5&J{)e+b8pp”, which I created with this secure password generator, would take a modern system 41 trillion years to guess. The most successful website is unlikely to be around that far in the future.

In summary, use a password generator to create long and random passwords for your WordPress site, especially for accounts with administrator privileges, and store them in a password manager like Dashlane or LastPass.

Use Two-Factor Authentication:

Two-factor authentication is a technique for reinforcing the login system. Instead of entering just a username and password, two-factor authentication asks users to provide another piece of information that only they could know. Typically, it’s a one-time code generated by a TFA authentication service and sent to the user’s mobile device via a message or an application.

Even if an attacker can guess the username and password, it’s unlikely that they have access to the user’s mobile device. TFA makes it impossible for an attacker to breach to WordPress by targeting its authentication mechanisms. They’ll be forced to try more sophisticated techniques, which I’ll discuss in a moment.

To add two-factor authentication to your WordPress site, you will need to register with a TFA provider and install a plugin. Several TFA services can be integrated with WordPress via a plugin, including Google Authenticator and Duo.

Install A Web Application Firewall:

With a decent password and two-factor authentication, the easy route into your WordPress site has been closed. If an attacker wants to get in, they’ll have to find a software vulnerability to exploit.

Software vulnerabilities arise when developers make mistakes. Because WordPress is a web application, users interact with it by sending web requests. If a developer creates a security vulnerability, an attacker may be able to send a request that causes WordPress to carry out an action that it shouldn’t, perhaps saving a file that contains malicious code to the disk or executing a database query that returns information useful to the attacker.

There are two ways to prevent attackers from exploiting vulnerabilities. The first is to make sure, as much as is possible, that there are no vulnerabilities. The second is to stop requests that might exploit vulnerabilities from reaching WordPress.

The best way to fix software vulnerabilities is to update your WordPress site, its plugins, and its theme. When vulnerabilities are discovered, developers fix them by patching the software and releasing an update. When you update your WordPress site, those fixes are applied to its code. That’s why it’s so important to update your WordPress site often. The vast majority of hacked WordPress sites are compromised because of old software vulnerabilities. To keep your site safe, update it whenever WordPress asks to be updated.

To stop malicious requests reaching your site in the first place, install a web application firewall (WAF). A WAF is a firewall designed to stop malicious requests at the application level. Traditional firewalls, which your WordPress host should provide, can’t tell the difference between a genuine request and a malicious request at the application level. A WAF, in contrast, is programmed to recognize patterns in requests that might be malicious, dropping the request before it reaches WordPress.

ModSecurity is one of the most widely used web application firewalls, and the best WordPress hosting providers will have installed it for you. There are also WordPress-specific WAFs that you can install yourself. The best known are developed by Sucuri and WordFence, both of which provide WordPress plugins.

If you follow the guidance in this article, nearly every attack against your site will be ineffective. Most WordPress sites that are hacked are the victim of random automated attacks focusing on one of the areas we have covered. It’s impossible to guarantee that any site on the web is immune, but these simple security precautions will repel all but the most sophisticated and targeted attacks.