WordPress is one of the most widely-used platforms on the planet. It’s used by individual bloggers, solo artists, small companies, and even enterprise-level businesses. With this outstanding platform, you can share ideas, sell products, allow users to subscribe to goods and services, and even use them for internal documentation and policies. There’s very little WordPress can’t do.
But out of the box, WordPress isn’t the most secure platform available. And leaving your deployment open for hacks can lead to serious problems for your business or brand. You don’t want bad actors gaining access to your WordPress platform and posting content that includes hate speech, racist epithets, derogatory language, or holding your site for ransom.
To prevent that, you need to protect WordPress from ne’er do wells.
But how? What can you do to prevent those who would do your site harm from gaining access?
Fortunately, there are plenty of steps you can take. Let’s dive in and get WordPress more secure.
Use strong passwords
This is absolutely the first thing you must do. From your WordPress admin down to your users, everyone should be using strong/unique passwords. If your site doesn’t allow user registration and login, you will only have to concern yourself with those who are administrators for the site. If, however, you do allow user registration, you will want to make use of a third-party addon like miniOrange Password Policy Manager | Password Manager.
With this extension, you can control things like auto password expiration, one-click password reset, strong password on login and user creation, weak password detection, role-based password management, strong password for inactive users, random password generator, inactive user lock, and password history management. This password policy manager should be considered a must-have for any site that allows users to register and log in. Just keep in mind that some of those features are premium only, so be sure to check the plugin’s details.
Keep WordPress updated
This should go without saying, but unfortunately, it needs to be repeated often. The WordPress developers release frequent updates that add new features, but also include bug and security patches. If you don’t keep up on these updates there’s a good chance your version of WordPress will include vulnerabilities that hackers can use against you.
In some cases, you can set WordPress to automatically update to the next version as it arrives, but you might find that out-of-date plugins will prevent this from happening. Because of that, you need to also make sure you always keep every installed plugin up to date.
Don’t fall behind on this. You should do a weekly (or daily) check for updates and apply them as soon as possible.
WP 2FA – Two-factor Authentication for WordPress
Speaking of locking down logins, you should seriously consider adding 2 Factor Authentication (2FA) into the mix. By adding this layer of security, hackers will have a bit more trouble logging in with user credentials. The one caveat to using 2FA with WordPress (especially if you have user registration and login) is that this depends on your users’ understanding of how the technology works.
This, however, is simple to explain: 2FA works by requiring end users to enter a 6-digit pin after they’ve successfully authenticated with your username/password. Those pins are retrieved from an authentication app (such as Google Authenticator or Authy) and are associated with their account.
The best way to add 2FA into the mix is with the WP 2FA – Two-factor Authentication for WordPress addon. With this extension, you can enforce 2FA policies (even with grace periods) to help protect your WordPress site from brute force login attacks.
This plugin is free to install and use.
Stop Spammers | Block Spam Users, Comments, and Emails
Spam is a problem not just for email, but for comment sections on WordPress sites as well. Without protection against spammers, those comment sections will be inundated with spam ranging in all forms (from simple products to less-than-desirable content). If you don’t prevent spam, you’ll find yourself having to hire someone to take care of the problem daily.
Instead, install the Stop Spammers | Block Spam Users, Comments, and Emails addon and be done with it. This addon doesn’t just prevent spam from infesting your comments, but also email, site registration, and even spambots. With the Stop Spammers addon, you can run a diagnostic test, view activity, block suspicious behavior, block specific words, connect third-party spam defense services, blacklist countries/IPs/emails/usernames, and use a members-only mode.
There is a free version of the plugin, as well as a premium edition that adds server-level firewall protection, themed registration, brute force login protection, notification control, export to Excel, default settings restore, Contact Form 7 protection, and a built-in contact form.
Wordfence Security – Firewall & Malware Scan
If you’re looking for more of a one-stop-shop security addon, Wordfence Security – Firewall & Malware Scan might be exactly what you’re looking for. This tool includes 4 different levels of security.
Firewall:
- Web application firewall
- Real-time firewall rule and signature updates (premium version)
- Real-time IP blocklist (premium version)
- Endpoint protection
- Integrated malware scanner
- Protection from brute force attacks
Security Scanner:
- Core file, theme, and plugin scanner
- Real-time malware signature update (premium version)
- File repair
- Known security vulnerability check
- File content, post, and comment check for malicious URLs
- Site IP block check (premium version)
Login security:
- 2FA
- CAPTCHA
- Login blocking
Security tools:
- Live traffic monitor.
- Advance rule-based attack blocking.
- Country blocking
You’ll also find a handy dashboard that gives you easy access to reports and even the means to monitor multiple WordPress sites from one location.
Conclusion
If you use WordPress, it’s in your and your company’s best interest to be mindful of security. This will mean keeping the platform up to date, requiring strong passwords, and adding a few extra extensions to keep everything locked down. But don’t think that once you take care of these things your site will be impervious. Hackers are always looking for newer and better ways to infiltrate sites. Because of that, you should always keep abreast of new technologies to help keep your WordPress sites safe.
If you enjoyed this, be sure to check out our other web development articles.