The Ultimate WordPress Security Checklist
The topic of online security is sometimes hard to approach without sounding like a doomsayer crying that no one’s safe and everyone’s out to get you. While it might be true that the vast majority of people who use the internet are just going about their day and doing perfectly legal things online, there’s still plenty of people who are using it to do bad things. Some of them will try to hack into your website, too.
If you have a WordPress website, you have a responsibility to keep it reasonably safe. The more data you have on your visitors – especially if they shop at your website – the bigger your responsibility is. You have to learn about all kinds of attacks – brute force, cross-site scripting, backdoors, DDoS, and good-old phishing – and then find effective ways to protect your website, yourself as its owner, and the people who use it.
We’re here to help with the last part – finding effective ways to protect your website. We’ll share with you the ultimate WordPress security checklist, a list of the most important steps you can take to secure your website.
The very first thing you should always do is make sure that the hosting provider you use has decent security measures. Security is, after all, one of the things you should check when choosing a hosting provider. The things you should look for include:
- A firewall and DDoS protection
- Options for IP banning and geolocation-based blocking
- Preference for encrypted connections
- Regular backups
- Regular software updates
On your part, you should understand that different hosting packages come with different levels of security, with VPS and dedicated hosting being the two more secure options.
There are many steps you can take to make sure that your passwords and login procedure are not your website’s weak spot. Starting with passwords, you can:
- Make sure that anyone using the website creates strong passwords
- Encourage the use of good password managers
- Encourage good password-keeping and security practices
With passwords, you’re working against human nature: people tend to keep passwords short and simple, reuse them, and share them. When securing the login procedure, you’ll want to:
- Change the default login URL
- Enable two-factor authentication
- Set up Captcha for the login page
- Set a limit to login attempts
Following these steps will go a long way in making your website more secure, even if it makes logging in more tedious. Find a middle ground between convenience and security while making the website as secure as possible.
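The last item on that list, limiting login attempts, can be done without a plugin. The following must-use plugin is an added example written for this checklist, not code from WordPress or from any plugin; the threshold of 5 attempts and the 15-minute lockout are assumed values, and the counter is keyed on the client address as seen by PHP.

```php
<?php
/**
 * Plugin Name: Limit Login Attempts (added example)
 * Save as wp-content/mu-plugins/limit-login-attempts.php so it loads
 * before regular plugins. Threshold and window are assumptions.
 */
const LLA_MAX_ATTEMPTS    = 5;   // failed attempts allowed per window
const LLA_LOCKOUT_SECONDS = 900; // 15-minute lockout

// One counter per client address. REMOTE_ADDR is the safe choice unless a
// trusted proxy sets X-Forwarded-For and you validate it yourself.
function lla_transient_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lla_fail_' . md5($ip);
}

// Count each failed login; the transient expires by itself after the window.
add_action('wp_login_failed', function ($username) {
    $key   = lla_transient_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, LLA_LOCKOUT_SECONDS);
});

// Refuse authentication once the threshold is reached. Priority 30 runs after
// WordPress's own checks, so the lockout error replaces their messages.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(lla_transient_key()) >= LLA_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed logins. Please try again later.')
        );
    }
    return $user;
}, 30, 3);

// Clear the counter after a successful login.
add_action('wp_login', function () {
    delete_transient(lla_transient_key());
});
```

Transients live in the options table (or the object cache if you have one), so the lockout is shared across all PHP workers, but it is per address: a shared office IP will lock out everyone behind it once the threshold is hit.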
Even if your website host offers free backups of your website, you should still set up your own backups. It’s better to have redundancies in place than risk losing your data. Plus, backing up gives you some leeway to perform certain security measures knowing there’s a way to fix things if something goes wrong.
There are plenty of ways you can back up your website. For example, you can perform a manual backup. You can also use a plugin like UpdraftPlus, or one of many other backup plugins for WordPress. You can perform targeted backups and manually back up files or even the database.
WordPress just keeps getting better with every update. Still, many people decide to skip regular updates, often thinking that an update might cause some trouble. In truth – it could. Using an old version of WordPress, however, might do even more damage.
Out-of-date WordPress is a security concern. There are several ways to update WordPress, and you might as well choose one of them and just get it over with. Just make sure to back up your website first, just in case.
Plugins might be one of the best things about WordPress, right there with themes. For all the good they can do, it’s also easy for them to turn into potential security concerns. That’s the reason you should always follow the best security practices regarding plugins, which include:
- Try to limit the number of plugins you have installed at any time
- Make sure your plugins are updated
- Remove any plugins you don’t want to use anymore or that are terribly out of date
- Find alternatives for plugins that are old or unsupported by their developer
These practices shouldn’t be hard to follow, and they’ll keep you reasonably safe from any plugin-related security issues. You might also keep your ear to the ground regarding plugin vulnerabilities, just in case.
WordPress themes might not pose as many potential risks as plugins, but that doesn’t mean that nothing bad can come from them. Anything that you install on your website is a possible risk. For themes, you want to make sure that you:
- Only install themes from verified, trusted theme developers
- Steer clear of nulled themes
- Make sure your theme is always up-to-date
- Uninstall any themes you don’t plan to use
It might seem like this list is pushing you towards premium themes. However, it’s much more important to stick with good developers. For example, you can try out our Qi Theme and get many of the advantages of a premium theme – for free.
Just like your computer needs an antivirus, antimalware, or any similar kind of security app, your WordPress website needs a security plugin. These plugins can have a tremendous impact on your website’s security, so you better make sure you pick a good one.
What to look for in a security plugin? Activity auditing, file integrity monitoring, blacklist checks, and general security hardening are just the start. You should also look for a plugin that comes with a firewall, traffic-trend tracking, and spam filters. Keep in mind that you might not find all the features in one plugin and that you might need to opt for a paid version of a plugin to get the most protection.
If you have a security plugin that’s capable of scanning your website, you should make sure that you do the scanning. Scanning your website can be a part of your regular website maintenance.
Keep in mind that you can expand your toolbelt with online security scanners. These tools are specifically designed to poke and prod your website’s security and look for vulnerabilities.
Any eCommerce website or any other website where people leave their information – even if it’s just an email address – should ensure an encrypted connection between itself and the browser. With WordPress, doing this is as easy as adding an SSL certificate.
Granted, moving to HTTPS is something that would require a bit of work. Then again, there might be SSL plugins that could help you out – whatever way you do it is okay, as long as you end up with a website that encrypts information it exchanges with its visitors.
Even though SSH is easily confused with SSL, the two aren’t the same. They both, however, improve your website’s safety. SSL encrypts the connection between a visitor’s browser and your website, and SSH encrypts the connection you use to transfer files to and from your website (SFTP runs over SSH), replacing plain FTP.
When choosing your hosting provider, you should make sure to pick one that supports SFTP – that’s short for Secure File Transfer Protocol. That “S” makes a lot of difference, so better make sure you can use it.
More often than not, security and safety come down to the people who have access to your website. All the software and apps in the world can’t save you from malice, bad faith, or just plain laziness. One way to counter that is to practice user management. You can, for example:
- Log the activity of your users, at the very least monitor their login dates
- Limit user permissions
- Delete the default admin account and replace it with another one with the same permissions
- Avoid obvious usernames like admin or user
- Set up automatic logging out for idle users
There are plenty of user management plugins that can help you with some if not all of the items on this user management list.
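Two of the items above, recording login dates and logging out idle users, take only a few lines of PHP. This must-use plugin is an added example written for this checklist, not code from WordPress or from any user management plugin; the 20-minute idle limit and the `last_login` / `last_activity` meta keys are assumed names.

```php
<?php
/**
 * Plugin Name: Idle Logout and Login Dates (added example)
 * Save as wp-content/mu-plugins/idle-logout.php. The idle limit is an assumption.
 */
const IDLE_LIMIT_SECONDS = 20 * 60;

// Record the time of each successful login so administrators can review it.
add_action('wp_login', function ($user_login, $user) {
    update_user_meta($user->ID, 'last_login', time());
}, 10, 2);

// On every request by a logged-in user, compare the time of their previous
// request with now; end the session if the gap exceeds the idle limit.
add_action('init', function () {
    if (!is_user_logged_in()) {
        return;
    }
    $user_id = get_current_user_id();
    $last    = (int) get_user_meta($user_id, 'last_activity', true);
    $now     = time();

    if ($last && ($now - $last) > IDLE_LIMIT_SECONDS) {
        wp_logout();
        wp_safe_redirect(wp_login_url());
        exit;
    }
    // The admin Heartbeat polls over AJAX even when nobody is at the keyboard;
    // ignore those requests so they do not count as activity.
    if (!wp_doing_ajax()) {
        update_user_meta($user_id, 'last_activity', $now);
    }
});

// Show the recorded login date as a column on the Users screen.
add_filter('manage_users_columns', function ($columns) {
    $columns['last_login'] = __('Last login');
    return $columns;
});
add_filter('manage_users_custom_column', function ($value, $column, $user_id) {
    if ($column !== 'last_login') {
        return $value;
    }
    $ts = (int) get_user_meta($user_id, 'last_login', true);
    return $ts ? date_i18n(get_option('date_format') . ' H:i', $ts) : __('Never');
}, 10, 3);
```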
Managing users and roles is one thing. Making sure that some parts of your website can’t be accessed, or that some functions can’t be performed, is a completely different thing. Managing access is something you should be doing when fighting against brute force attacks, for example. You should:
- Password-protect the folder /wp-admin
- Disable PHP file execution in /wp-includes, /wp-content/uploads, /wp-content
- Disable directory indexing and browsing
- Change the database prefix
- Disable theme and plugin editors
- Protect the wp-config.php file
There are a couple of things you’ll need to manage access. Most notably, you’ll need a way to find the .htaccess file, but you might also want to make a couple of new ones. You’ll also want to understand at least the basics of database management. Learning how to edit the wp-config file wouldn’t hurt, either.
WordPress has plenty of files that you don’t need, don’t use regularly, or are simply too risky to leave running in the background. These files and functionalities are best disabled or blocked. They include:
- The xmlrpc.php file, which you should disable via a plugin or .htaccess
- The REST API, which you should disable if not using, or ensure only authenticated users can access
- license.txt, wp-config-sample.php, and readme.html, which can be prevented from third-party access with .htaccess
After you’ve disabled or blocked these files or functions, your website will have fewer attack points for hackers to try and exploit.
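The first two items above (and the theme and plugin editors from the access management list) can be switched off from PHP; the .htaccess rules for license.txt, readme.html and wp-config-sample.php are a separate step not shown here. This must-use plugin is an added example written for this checklist, not code from WordPress or from any plugin, and it uses only hooks and constants WordPress ships with.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC and Restrict REST API (added example)
 * Save as wp-content/mu-plugins/lock-down-endpoints.php.
 */

// Turn off XML-RPC entirely (pingbacks and remote publishing included).
add_filter('xmlrpc_enabled', '__return_false');

// Also drop the X-Pingback header that advertises the endpoint.
add_filter('wp_headers', function ($headers) {
    unset($headers['X-Pingback']);
    return $headers;
});

// Require a logged-in user for every REST request. Anonymous requests get
// a 401; the block editor and admin screens keep working because their
// requests carry the login cookie and a nonce.
add_filter('rest_authentication_errors', function ($result) {
    // Another filter already decided (true = authenticated, WP_Error = denied).
    if (true === $result || is_wp_error($result)) {
        return $result;
    }
    if (!is_user_logged_in()) {
        return new WP_Error(
            'rest_not_logged_in',
            __('You must be logged in to use the REST API.'),
            array('status' => 401)
        );
    }
    return $result;
});

// Remove the theme and plugin code editors from the dashboard. This constant
// normally lives in wp-config.php; defining it here works because must-use
// plugins load before the admin menus are built.
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}
```

Some front-end plugins (contact forms, for example) call the REST API without a logged-in user; test them after enabling this, and exempt their routes in the filter if they break.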
Let’s Wrap It Up!
For website owners or administrators, security is one of the few things they should never skimp on. The possible consequences of taking security threats lightly can be devastating for the owners and users alike.
If you have a WordPress website, this checklist should help you cover a lot of issues that WordPress website owners face. Keep in mind, however, that there’s no such thing as a definitive list of security issues. While following this checklist is something you should do, it won’t save you from having to keep an eye out for possible threats in the future.