What I’ll Cover
- What your hosting company should do for security
- Making secure passwords for any web site (and why what you’ve been doing probably isn’t good enough)
- Password Keepers
- Limiting Login Attempts, and Keeping your User Name hidden
- Why you should Always do Automatic Updates and what you risk if you don’t
- Block hacker files from executing, in the most common folders
- WordPress Security Plugins you Must use
Hosting Company Should Provide Security (but most Do Not)
There is a lot that your host should do, to make your hosting account and your WordPress sites secure. (And by far, most hosting companies are negligent.) You should ask the technical support people lots of tough questions about security, and talk to your technical friends, and other WordPress users, about security.
If your host isn’t giving good answers to security questions, and doesn’t improve Fast, then move to another host as soon as you can. (Though there are things that you have to do, there are far more that only your host should do.) Security is too important and too technical for most people to be able to do properly themselves, and it isn’t your job, it is your hosts’ job.
The best hosting companies have top-quality security hardware, and special software, to block hackers, and have someone putting about 20 hours a week into researching the global security discussion boards for the latest threats, and putting security rules in place to block them. You can’t do that yourself, unless you can put those 20-30 hours per week into learning and implementing it.
Ask the best anti-hacker security companies, and at your local WordPress Meetup or WordCamp, for hosts they are satisfied with for excellent technical support and excellent security. There are a few web hosting companies I recommend.
There are, however, many things that affect security that only you can do, and things that you can do if your host isn’t doing their job.
Use Password Keepers and Very Strong Passwords
The first of those is picking good passwords. Strong Passwords for WordPress and your Password Manager. This is essential. The ways we’ve been taught for decades, how to make passwords, as known to hackers, and using those rules makes passwords that are far to easy for hackers to guess.
The “substitute a 3 for the first e” type of rule makes passwords that are hard for you to remember and hard to type, but easy for computers to guess. I teach you how to make passwords that are easy to remember, easy to type, and very hard for computers to guess (for your password keeper software and the few passwords you type often), and how to use computer-generated passwords stored in your password keeper for all other passwords.
Using strong passwords is essential for Every site you log into. And each site should have a unique password, to reduce damage if a site’s data is stolen.
Limit Login Attempts
Given enough computers and time, hackers can guess any passwords that are not long strings of computer-generated random characters. So you should limit how many attempts they can make.
There are WordPress plugins that limit the number of attempts at logging in, usually by IP address, within a short amount of time. These plugins also limit attempts at guessing passwords for the same user name. Violations result in being completely locked out of WordPress for a long time (60 minute lock-out for 5 attempts might be a good setting).
Instead of being able to try the WordPress login form perhaps 100 to 1000 times every second, limit login attempts to 4 times every 5 minutes, and lock them out for an hour. (Hey, if you’re a lousy typist, with your long secure password, slow way down your third try and get it right!)
I have seen over 100,000 attempts in a single night, on a small site where I deliberately left this open for a week. (With a WordPress Administrator user name that is not obvious, and a very strong password, you can test this. But block bad guys every way you can.)
Suggested plugin: iThemes Security and/or WordFence are my overall favorite plugins for security. Some options you have to test if it works on your hosting account, or if it blocks something you need; and one of the options that will work on every WordPress site is the limit login attempts.
WordFence is a direct competitor with iThemes Security and also excellent (if I were starting newly, I’d probably pick WordFence, it’s the most popular among technical people at WordPress Meetups). I haven’t used it yet (simply because I know iThemes Security so well).
Sucuri WP Plugin also has limiting logins as an option, excellent. (Works well with either iThemes Security or WordFence.) Among other features, has single-click run Sucuri Site Check on the current site.
(Only use one plugin to limit logins, these plugins have this feature as an option.)
Do Not Use (: Limit Login Attempts plugin, only compatible up to WordPress version 3.3.2. Even though it “seems to run” it still doesn’t check as many things as the plugins I mentioned. Any software that old is likely to stop working as WordPress changes.
Periodically check for plugins that haven’t been updated in a long time. If they are actively being supported (check the support page for the plugin) and “keep working fine” that’s okay; but most often if a plugin isn’t being updated, the plugin author isn’t paying attention any more, and hackers can find holes that aren’t being filled.
If you have a smart phone or tablet, definitely look into “2-Factor Authentication”, where you type a password and a short 2nd password delivered to your other device. Clef Two-Factor Authentication and Google Authenticator are excellent.
Keep Your Administrator Login Name Secure
Password Crackers expect your login name to be the WordPress default, “admin”. Some will look at pages and posts on your site, find who the author is, and try that for the login name. They also know that many “one button install” programs will take your hosting account name or domain name and put that in as your WordPress login. Don’t Do It!
You should have one login for everyday editing pages (with Editor privileges), and a different login for administrative tasks such as updating and installing themes (with Administrator or Network Administrator privileges). I have the Profile, Admin Color Scheme set to Sunrise for the administrator user, so I can tell at a glance and remember to log out.
It is easy for anyone to find the name for each users, for example https://molten-salt-reactor.glerner.com/?author=1 shows the posts for the 1st author (?author=2, =3, etc.) The “display name” is shown on the top of the page. So, in the Profile screen, specify a Nickname, and for “Display name publicly as…”, select the nickname. Now the Author page, and themes that display the author of a page or post, aren’t giving away your login name.
To change the administrator login name, use iThemes Security, which has a single-button way to do this; or you can log in as administrator, and create another user with administrator permissions. Then log in with that new user, and delete the user with the default login name.
Block Logins at the Server Level
Loading WordPress 100,000 extra times in a night is work for your server, taking up page loads and bandwidth that your hosting account might charge extra for.
That many page loads at maximum speed slows your entire site down, for your actual visitors.
You can put a server password on the WordPress login page. Minimal work for the server, easy to implement. Ask your technical person to put it in your .htaccess file. This doesn’t need to be a secure password, as these are bots not people trying 100,000 times; a simple riddle will work. Prompt “say hello there” with user name hello and password there. This adds security simply through being an extra step that is used on few sites.
This double login is an extra step for you, but blocks a lot of nonsense. However, you wouldn’t want this for a membership site, where every member has to log in (unless of course you are teaching your members about security, right?)
I advise always doing WordPress theme and plugin updates quickly, at least every week. Then, after the theme and plugin updates, do any WordPress core updates.
There are sometimes problems with a WordPress or a plugin update. Extremely rarely, that could take your site down. Less rarely, an important feature of a plugin would not work, especially if the plugin was written with out-dated programming practices.
If there are important security fixes, WordPress will release the fix as soon as it is ready and passes their testing, but before all plugin authors have had several days to make sure their plugin works with the “pre-release” version of the security update.
If you have someone on staff whose job includes doing all updates promptly after they are released but after testing on your important site (every day, no vacations, someone does this), you can keep doing WordPress and plugin and theme updates that way.
For everyone else, keep automatic updates on. Even if there is a problem with a plugin, getting the update for the plugin in a few days (or replacing the plugin) is much less work than removing a hack from your site; much less damage to your reputation; much less inconvenience for your customers.
Security first, then “backwards compatibility”.
To minimize the chance of problems, I recommend updating your plugins and themes, and then update WordPress. Many of those plugin and theme updates will be to correct any problems with the new version of WordPress.
Hackers love sites where updates were “forgotten about”, and still haven’t been done months or years after they were released. That means you have to update all of those “temporary” or “test” installations you have in your hosting account, too…
Prevent Execution of PHP in WP-Content/Uploads
Many hackers target plugins that have an “upload file” feature. (For example, upload images for a slider; or upload settings from the same plugin on another site, to make this site have the same settings.) Very useful in the plugin, but many plugin authors can’t check their work for security holes nearly as well as the hackers can. Once uploaded as a PHP file, or renamed to be one, the hackers know what location the plugin puts uploaded files in, and can execute it directly by the URL (bypassing loading WordPress, and any security in WordPress).
This requires edits to your main .htaccess file and/or a .htaccess file in the wp-content/uploads folder. Most security plugins that have this feature will tell you what to paste in, if your .htaccess file is write protected (a very good idea). Keep your .htaccess files with permission 444, except 644 for the few minutes you are making a change.
Sucuri WP Plugin has many WordPress “hardening” features, including blocking execution of files in vulnerable folders.
Block Access to Critical Files
Your .htaccess file, wp-config.php, and your site backups are files that should never be able to be accessed from the browser.
Sucuri plugin (among others) blocks .htaccess and wp-config.php.
Your backup software should create a .htaccess file in the backups folder (if you save it on the server, for example to FTP it to your computer; many backup programs will save the backup on other sites, e.g. DropBox or Amazon S3).
FTP and XMLRPC Security
Disable “anonymous FTP”. There was a use for it in 1980, not today. But many hosts have it enabled. Turn It Off.
FTP doesn’t have a “limit logins” feature. Use the longest random password your host allows. If the host only allows 8 characters, throw a “lousy security tantrum”.
XMLRPC attacks are fairly new. You can log in and post via XMLRPC. It reports back if your login was successful. Until 2014, this article says, none of the login limit plugins were checking this. Make sure yours does, if you truly need XMLRPC (I don’t). Of course, also make sure you have your password for XMLRPC is very strong (it is probably the same as your administrator password, but you can assign which users can use XMLRPC).
WordPress Security Plugins
iThemes Security is excellent.
WordFence also excellent. You must install and configure either iThemes Security or WordFence or both.
Block Bad Queries Pro (or free version, which has the same security rules but less nice user interface). If you don’t have the technical skill to edit .htaccess to paste in the suggested text, and don’t have a friend who does, this plugin is absolutely simple. It takes the hacker-phrases most often used, and blocks them. If you have .htaccess skills, or if you want to understand what Block Bad Queries does, read Building the 5G Blacklist and the 6G Blacklist is coming out soon.
No conflicts with iThemes Security or Sucuri (5G Blacklist and iThemes and Sucuri do their security before WordPress loads, and if you have several of these loaded, the first one with a block for a specific “baddie” stops it completely).
Get clean with Sucuri — this company is the expert at removing malware from WordPress sites, and has a firewall to block getting malware. They also have a free Sucuri Security Plugin – Auditing, Malware Scanner and Security Hardening. Also, frequently run their free quick scan of your site.
Please leave questions and comments. I’ll update this post as I can; I’ll also do some step-by-step instructions for pieces of this puzzle.