WordPress is a complex system that has developed over time. As such, there are a lot of nooks and crannies in the code where potential vulnerabilities can hide. To their credit, the WordPress core developers are very good at ferreting these out and patching them. Still, no software is bug-proof.
Because no software is bug-proof, it is incumbent upon us, the site owners, to do all that we can to make our WordPress sites secure. Thankfully, there are three easy things that every site owner can do, usually without the help of a developer, to make their site harder to break into.
1. Change the Admin Username
This one is a no-brainer. If you are still using admin, administrator, or anything equally easy to guess as your administrator’s username, STOP! To log in to your site, an attacker needs two things: a username and a password. If you use the default admin username, you’ve handed them half of what they need, and “admin” is the first name every password-guessing bot tries. Let’s make it a little harder, shall we?
To change the admin name, you can do it manually or install a plugin. Since every plugin you install is more code to keep updated (and a little more for your server to load), and you only need to do this once, let’s do it manually.
- Log in using your existing Admin account.
- Under “Users” click “Add New”.
- Create a new user account and give it the Administrator role. Make the username anything you want EXCEPT admin, administrator, or your own name (yeah, attackers probably know your name, since your company’s Facebook page is linked from the homepage). The display name can stay friendly; it is the login name that matters here.
- Log out of WordPress and log back in using your new Admin account.
- Click on Users to list the users, hover over your original admin account and click “Delete”. On the confirmation screen, choose “Attribute all content to” and select your new admin account, so you don’t lose any posts or pages.
There, now you have a new admin account with a name that isn’t “admin”. Your site is already a little harder to attack. Two caveats, though. First, WordPress still reveals the author slug (which defaults to the login name) of any account that has published posts, through author archives (/?author=1 redirects to it) and the REST API’s users endpoint, so treat the rename as one extra hurdle rather than a secret, and avoid publishing under the admin account. Second, to really upgrade the security of your site login, enable two-factor authentication on your WordPress site, so that a guessed or leaked password alone is not enough to get in.
2. Enforce Strong Passwords
Yes, everybody loves using their birthday as their password. You know who likes it most of all? Attackers. See, weak passwords are easy to guess.
“ZOMG, My Little Pony II is my FAVORITE MOVIE! Going to see it tomorrow for my birthday!”
Anything you’ve posted on social media gives attackers a little more information to work with. HINT: l33tsp34k (leet speak), replacing letters with look-alike numbers and symbols, doesn’t fool attackers either. Password-cracking tools apply those substitutions automatically; they figured that one out before you did.
So what works? Strong passwords. Long, random strings of letters, numbers and symbols are great. The problem is that we tend to write them down because they are hard to remember, and if you lose the book you wrote them in (physical OR electronic), an attacker has the keys to the kingdom. Other times we generate strong passwords but reuse them on site after site, so sooner or later one of those sites is breached and the password ends up in a public dump. If you are in the habit of doing that, I’d strongly advise you to check this article on securing passwords with Have I Been Pwned.
WordPress now generates strong passwords for you and shows a strength meter, but it doesn’t require them: a user can tick “Confirm use of weak password” and carry on. There are plugins, however, that will enforce this for you. I’m not in the habit of recommending WordPress security plugins, but if you go to wordpress.org/plugins and search for Strong Passwords, you’ll find several to choose from.
Install one of these plugins.
If you have regular users as well as admins, editors, authors, etc., you may want to enforce strong passwords only on the higher-level accounts (administrators and editors, at the very least) to reduce the friction your users have in registering and logging in to your site.
Oh, if you are wondering how to deal with strong passwords without writing them down, invest in a password manager. Most modern ones work on both desktop and mobile and will sync your data across all your devices.
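As an added example (not SiteGround’s, WordPress core’s or any plugin’s code), the must-use plugin below does in code what sections 1 and 2 describe: it uses the core `illegal_user_logins` filter so the guessable logins can never be recreated once you have renamed the admin, and it hooks the two places a user sets a password through the dashboard or wp-login.php to enforce a policy on privileged roles only, leaving ordinary subscribers alone. The role list, the 16-character minimum, the word list and the file name are assumptions; adjust them to your site.

```php
<?php
/**
 * Plugin Name: Account hygiene (added example)
 * Description: Refuses guessable admin logins and enforces a password policy on
 *              privileged roles. Save as wp-content/mu-plugins/account-hygiene.php
 */
// Added example for this article; not SiteGround's, WordPress core's or any
// plugin's code. The role list and the 16-character minimum are assumptions.

const AH_PRIVILEGED_ROLES = array( 'administrator', 'editor' );
const AH_MIN_LENGTH       = 16;

// Section 1: after renaming the admin, make sure nobody can recreate it. Core
// checks this list in wp_insert_user() and on the registration form.
add_filter( 'illegal_user_logins', function ( $logins ) {
    return array_merge( (array) $logins, array( 'admin', 'administrator', 'root', 'test', 'user' ) );
} );

/**
 * Section 2: list the policy violations for $password; empty array = accepted.
 * Length beats "complexity": a long random string or passphrase passes,
 * "P@ssw0rd!" with digits swapped for letters does not.
 */
function ah_password_violations( $password, $user_login = '', $email = '' ) {
    $violations = array();

    if ( strlen( $password ) < AH_MIN_LENGTH ) {
        $violations[] = sprintf( 'Password must be at least %d characters long.', AH_MIN_LENGTH );
    }

    // Identifiers an attacker already has: login, e-mail local part, site host.
    $known = array( $user_login, (string) strstr( $email, '@', true ), (string) wp_parse_url( home_url(), PHP_URL_HOST ) );
    foreach ( $known as $token ) {
        if ( strlen( $token ) >= 4 && false !== stripos( $password, $token ) ) {
            $violations[] = 'Password must not contain your username, e-mail or the site name.';
            break;
        }
    }

    // Crude entropy floor: "aaaaaaaaaaaaaaaa" is long but still weak.
    if ( count( array_unique( str_split( $password ) ) ) < 6 ) {
        $violations[] = 'Password uses too few distinct characters.';
    }

    // Undo the usual l33tsp34k substitutions and look for the obvious words.
    $plain = strtr( strtolower( $password ), array( '@' => 'a', '4' => 'a', '3' => 'e', '1' => 'i', '!' => 'i', '0' => 'o', '$' => 's', '5' => 's' ) );
    foreach ( array( 'password', 'wordpress', 'letmein', 'qwerty', 'welcome' ) as $word ) {
        if ( false !== strpos( $plain, $word ) ) {
            $violations[] = 'Password is based on a common word; swapping digits for letters does not help.';
            break;
        }
    }
    return $violations;
}

// Only privileged roles get the policy, so subscribers keep a frictionless signup.
function ah_is_privileged( $roles ) {
    return (bool) array_intersect( (array) $roles, AH_PRIVILEGED_ROLES );
}

function ah_add_errors( WP_Error $errors, array $violations ) {
    foreach ( $violations as $msg ) {
        $errors->add( 'weak_password', '<strong>Error:</strong> ' . esc_html( $msg ) );
    }
}

// Dashboard: Users > Add New and profile edits. Core sets $user->user_pass only
// when a new password was typed, so unrelated profile saves pass straight through.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return;
    }
    if ( ! empty( $user->role ) ) {
        $roles = array( $user->role );                    // role picked in the form
    } elseif ( $update && ( $existing = get_userdata( $user->ID ) ) ) {
        $roles = $existing->roles;                        // keeping the current role
    } else {
        $roles = array( get_option( 'default_role' ) );   // new user, no role field shown
    }
    if ( ah_is_privileged( $roles ) ) {
        $email = isset( $user->user_email ) ? $user->user_email : '';
        ah_add_errors( $errors, ah_password_violations( wp_unslash( $user->user_pass ), $user->user_login, $email ) );
    }
}, 10, 3 );

// wp-login.php "set new password" form: covers password resets and the link
// e-mailed to users who were created without a password. $user is a WP_Error
// when the reset key is invalid, so check the type first.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( ! ( $user instanceof WP_User ) || empty( $_POST['pass1'] ) || ! ah_is_privileged( $user->roles ) ) {
        return;
    }
    ah_add_errors( $errors, ah_password_violations( wp_unslash( $_POST['pass1'] ), $user->user_login, $user->user_email ) );
}, 10, 2 );
```

Drop the file into wp-content/mu-plugins/ (create the folder if it doesn’t exist). Must-use plugins cannot be deactivated from the dashboard, so an attacker who does get an editor session cannot simply switch the policy off. To check it works, edit an administrator’s profile and try a short password, or one containing the username: the save should fail with the policy message, while a subscriber can still pick whatever they like. The hooks only see passwords set through those two forms; a password set by WP-CLI or by another plugin calling wp_set_password() directly bypasses them.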
3. Enforce HTTPS
Honestly, this one you should already be doing. If you’ve been living under a rock, though: back in 2014 Google announced that HTTPS is a ranking signal, so a site served over plain HTTP ranks behind an equivalent site served over HTTPS. SEO aside, HTTPS encrypts and authenticates all traffic between your visitors and your server, and it’s an essential part of any WordPress security strategy. Without it, every login, session cookie and form submission crosses the network in clear text, and any user sitting in a coffee shop is broadcasting all of it to anyone who cares to watch (technically, “sniff the Wi-Fi”); a captured session cookie is enough to hijack that logged-in account without ever learning the password.
If you do not use SiteGround, this involves working with your hosting provider to obtain and install a certificate (many hosts now offer free Let’s Encrypt certificates too). Then you need to tell WordPress to use HTTPS: change both the WordPress Address and the Site Address under Settings > General to https://, redirect every plain-HTTP request to its HTTPS equivalent, and fix any hard-coded http:// links to images or scripts in your content, or browsers will flag the pages as “mixed content”.
If SiteGround is your hosting partner, all you need to do is use the SSL Manager to get a free Let’s Encrypt certificate. Once SiteGround’s control panel obtains and installs the certificate for you, click “Enforce HTTPS” and voilà, every request to your site is redirected to HTTPS and served encrypted.
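For sites not on SiteGround, the wp-config.php additions below are an added example (not SiteGround’s or WordPress core’s code) of the “tell WordPress to use HTTPS” step done in code: they pin the site URLs to https, make WordPress recognise TLS terminated by a proxy or CDN, force the dashboard onto TLS, redirect leftover plain-HTTP requests, and set an HSTS header so browsers stop trying plain HTTP. The domain example.com is an assumption; use your own.

```php
<?php
// Added example for this article (not SiteGround's or WordPress core's code).
// Lines to add to wp-config.php ABOVE "/* That's all, stop editing! */" so they
// run before wp-settings.php. "example.com" is an assumption; use your domain.

// 1. Pin the canonical URLs to https. These constants override the two URL
//    fields under Settings > General, so a typo there cannot lock you out.
define( 'WP_HOME',    'https://example.com' );
define( 'WP_SITEURL', 'https://example.com' );

// 2. If TLS is terminated by a proxy or CDN in front of PHP, the request reaches
//    PHP as plain HTTP and is_ssl() returns false, so step 4 would loop forever.
//    Trust X-Forwarded-Proto ONLY when your proxy sets it on every request;
//    otherwise a client could forge it and be treated as secure over plain HTTP.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) {
    $_SERVER['HTTPS'] = 'on';
}

// 3. Keep wp-login.php and wp-admin on TLS and mark the auth cookies Secure.
//    WordPress sets this itself once siteurl is https; being explicit documents it.
define( 'FORCE_SSL_ADMIN', true );

// 4. Redirect any remaining plain-HTTP request to the same path over https.
//    The target host comes from WP_HOME, never from the client's Host header,
//    so a forged Host header cannot turn this into an open redirect.
$wpcfg_is_https = ! empty( $_SERVER['HTTPS'] ) && 'off' !== strtolower( $_SERVER['HTTPS'] );
if ( 'cli' !== PHP_SAPI && ! $wpcfg_is_https ) {
    $wpcfg_path = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '/';
    // Keep only a plain absolute path; anything odd falls back to the front page.
    if ( ! preg_match( '#\A/[^\r\n\s]*\z#', $wpcfg_path ) ) {
        $wpcfg_path = '/';
    }
    header( 'Location: ' . WP_HOME . $wpcfg_path, true, 301 );
    exit;
}

// 5. Already on https: tell browsers to refuse plain HTTP for this host from now
//    on. Start small (5 minutes); raise it to a year and add includeSubDomains
//    only once every subdomain you serve also works over TLS, because the
//    browser will honour it for that long even if you later break something.
header( 'Strict-Transport-Security: max-age=300' );
```

Requests for static files (images, CSS, uploads) never reach PHP, so add a matching HTTP-to-HTTPS redirect in your web server or .htaccess as well; SiteGround’s “Enforce HTTPS” switch takes care of that for you. If scheduled tasks (WP-Cron) stop running after this change, the server cannot reach itself over HTTPS; fix that loopback, or run wp-cron.php from the system scheduler, rather than weakening the redirect.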
These three easy tasks will help you keep your site a little more secure. The secret about website security is that it’s not one big thing you do, it’s about doing many little things. Each layer of security you add to your site makes it a little harder for attackers to get in. You don’t have to have an absolutely secure WordPress to be safe, you just have to create more work for the attacker than it is worth breaking in. Attackers eventually get tired and move on to easier targets… those sites whose owners haven’t read this article.