“Security isn’t a dirty word, Blackadder. Crevice is a dirty word, but security isn’t.” – General Melchett, Blackadder Goes Forth
Why should you care about security?
If you rely on your blog for income, whether as a full-time blogger, to earn a bit of extra income on the side, or because you are looking to start building an income from your blog, then security isn’t something that can be ignored. Imagine the scenario where your website is hacked and ransomware is installed on it: you could lose revenue, potentially be blacklisted by Google and lose the trust of your audience.
So I have pulled together a list of 11 quick things you can do today to improve the security of your WordPress blog.
Before we get started: I always recommend that if you’re going to make ANY changes to your site you should take a backup and be familiar with the process for restoring – should something go wrong. Let’s look at this further in my first tip:
This is just plain good practice!
I always recommend that if you’re going to make ANY changes to your site you should take a backup and be familiar with the process for restoring it, should something go wrong. Not all sites, hosts and combinations are made the same, so being in control of this yourself is a must for me. I recommend using a backup plugin like UpdraftPlus for this. You can read all of our other recommended plugins here.
Also, I always keep at least one backup of our site away from our server (in case something happens to the server itself). I have my daily backups scheduled to upload automatically to Dropbox, which is really simple to set up using UpdraftPlus.
This way, if anything does happen to your site you can get back to your previous backup, and you can make changes to your site safe in the knowledge that you can roll back if needed.
All good protection starts at home, so the PC/Mac you are using to create content for your site should be protected. That means having good firewall and antivirus software in place, making sure regular scans are set up, and keeping your operating system updated to close any security holes.
I would also, when editing your site on public Wi-Fi hotspots (cafés, hotels, etc.), use a VPN such as NordVPN (this is the one we use). A VPN (virtual private network) encrypts all of the traffic between your laptop and the VPN server, stopping people on the same hotspot from snooping on or hijacking your connection.
Keeping WordPress and plugins up-to-date
The guys over at WordPress are continually developing updates. Some of those updates include fixes for security holes or other weaknesses that someone could exploit, so keeping your WordPress installation up-to-date is an essential part of the process. I have written a guide on how we keep our WordPress installations up-to-date.
Also, plugins can have security holes, so make sure you are using trusted plugins that are regularly maintained, and keep them up-to-date too. Remember to always take a backup before updating (I can’t stress this enough).
Use good usernames
Don’t use the default ‘admin’ username, and better still, once you have set yourself up with another admin account, delete or rename the default ‘admin’ user.
I would also suggest not using a simple name like your first name or email address, or anything else that can be easily found or guessed.
Use strong passwords
I know it sounds simple, but having a stronger password reduces the likelihood of someone getting into your account.
If you struggle to remember all of your passwords then why not use a password manager like Keeper. That way you can access all of your passwords on any device. Keeper also suggests strong passwords so that you don’t end up using the cat’s name.
Wordfence can also help here by enforcing strong passwords for admin accounts; more on Wordfence as you keep reading.
Implement a firewall
Having a firewall is an essential component in blocking attacks.
Wordfence is the solution we use for this. There is a free version that gives you a firewall and a malware scanner that checks core files, themes and plugins for malware, bad URLs, backdoors, malicious redirects and code injections.
On the whole, Wordfence is a really good package for this. Sucuri is another popular choice, but I haven’t used it so can’t comment much about it.
Reduce login attempts
By default, WordPress allows users to enter passwords as many times as they want. A malicious person or bot may try to exploit this by trying combination after combination of username and password until your website falls over under the load or until they get in.
To help mitigate this you can limit the number of failed login attempts before a user or address is locked out.
If you are using Wordfence then you can do this within its settings.
If you are not using Wordfence then you can use a plugin for this, Limit Login Attempts is a popular choice with over a million installs and it appears to be regularly updated (although I can’t vouch for it personally as we use Wordfence for this).
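As an added illustration of the idea behind these plugins (this is example code, not code from the original post, Wordfence or Limit Login Attempts), the following must-use plugin counts failed logins per client address with WordPress’s own hooks and refuses further attempts once a limit is reached. The policy (5 failures within 15 minutes) and the function names are assumptions made for the example.

```php
<?php
/**
 * Plugin Name: Failed Login Limiter (illustrative example)
 * Description: Locks out a client address after too many failed login attempts.
 * Place this file in wp-content/mu-plugins/ and WordPress loads it automatically.
 */

// Assumed policy: 5 failed attempts within 15 minutes locks the address out
// until the 15-minute window expires.
const FLL_MAX_ATTEMPTS   = 5;
const FLL_WINDOW_SECONDS = 15 * MINUTE_IN_SECONDS;

// One transient per client address. REMOTE_ADDR is only meaningful if the web
// server sees the real client: behind a CDN/proxy such as Cloudflare you must
// restore the visitor IP first, otherwise every visitor shares one counter.
function fll_transient_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'fll_' . md5( $ip );
}

// Count each failed login for this address; the counter expires with the window.
// Note that a rejected attempt during a lockout also counts, which keeps the
// window open for as long as the attacker keeps trying.
function fll_record_failure( $username ) {
    $key      = fll_transient_key();
    $failures = (int) get_transient( $key );
    set_transient( $key, $failures + 1, FLL_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'fll_record_failure' );

// Runs after WordPress's own username/password checks (priority 20) and
// replaces whatever they returned with an error while the address is locked.
function fll_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( fll_transient_key() ) >= FLL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'fll_locked_out',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'fll_check_lockout', 100, 3 );

// A successful login clears the counter for that address.
function fll_clear_on_success( $user_login, $user ) {
    delete_transient( fll_transient_key() );
}
add_action( 'wp_login', 'fll_clear_on_success', 10, 2 );
```

Transients live in the database (or the object cache if one is configured), so the counter survives across requests without any extra storage.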
Implement 2-factor authentication
Having 2-factor authentication (2FA) means that you need a second step of authentication before logging into your WordPress admin console. To log in you need the username, the password (which we have discussed securing above) AND an additional confirmation from your mobile phone before gaining access to your WP-Admin page.
There are a few 2FA plugins out there, such as Google Authenticator and Authy. If you are using Wordfence for your firewall you can set up 2FA within that plugin without the need for an extra one.
That being said, we use Duo for our 2FA. It has a free service, is easy to set up and sends a push notification to your device (usually your mobile phone) at login for you to approve.
Disable file editing and directory browsing
OK, so this is technically two things, but they are there for the same reason: you want to limit malicious editing of the site and exposure of its structure.
Having file editing enabled (the WordPress default) allows theme and plugin code to be edited from the web browser. In the wrong hands this could be catastrophic for your site. WP Beginner have a great article on how to disable it: http://www.wpbeginner.com/wordpress-security/#disablefileedits
Directory browsing can be used by people to view your files and folder structure, copy images, and gather other information about your site. This is why it is recommended that you turn directory browsing off. Again, WP Beginner have a great article on how to disable it: http://www.wpbeginner.com/wp-tutorials/disable-directory-browsing-wordpress/.
Use a content delivery network (CDN)
A CDN gives you an additional layer of protection in the form of a cloud firewall and can help protect you against denial of service (DoS) attacks, malicious bots, and data breaches.
If you have a global audience then using a CDN is not only going to help with security, it can also dramatically reduce the load on your host and deliver your content to users around the globe a lot quicker (i.e. faster page loading for the reader).
We use Cloudflare because it’s one of the industry leaders in CDN technology and it’s free with unlimited bandwidth.
And if you use WP Rocket for your caching (read more about it in our top plugins post) then it’s easy to set up too.
Sucuri reported that a number of brute force attacks and denial of service (DoS) attacks were abusing XML-RPC in WordPress, so disabling it closes down that potential threat.
You can do this either through a plugin or by adding a small piece of code to your .htaccess file. WP Beginner have a great article on how to do this, and it also explains a bit more about what XML-RPC is.
Because XML-RPC offers a login route that can bypass 2-factor authentication, the Duo plugin we use for 2FA includes a nice little check box to disable it.
Security is an ever-evolving area that you need to keep a focus on. Wordfence is a great starting point, and you can implement 4 out of my 11 tips using Wordfence alone, which is part of the reason we also use the paid version of it.
Even if you do all of this (and more), the risk of being hacked or your site going down is not completely removed. But it does make your site harder, and less likely, to be attacked.
“So it’s maximum security, is that clear, Blackadder?”
What else would you recommend to your fellow bloggers to implement to secure their site even further?
And I make no apologies for the Blackadder references 🙂
Other helpful resources:
How we moved our site to HTTPS/SSL
Our Favourite WordPress Plugins (updated for 2019)
www.blackadderquotes.com (it’s one of my favourite EVER TV shows 🙂)