We’re often asked what kinds of security measures we prefer with respect to WordPress installations, so we thought we’d share some of our ideas and resources for approaching security issues on the WordPress CMS.
Whether you’re new to WordPress or a seasoned admin, it’s important to remember that there are all kinds of traffic from across the globe that will try to access the admin portions of your site and server. That’s obviously not something you want to see happen. Jeff Chandler over at WP Tavern wrote an excellent short piece the other day about the latest distributed attack against WordPress sites, and it offers some great advice that we continue to follow at GovDesign.
There are several things you can do to help harden your installation against unwanted intrusion attempts and to tighten lax security policies. First, use strong passwords. Attacks target all systems, and the first line of defense is a strong password. We also recommend not using admin, administrator or other common user names for the administrative users.
Second, take a look at your installed plugins and find a good security suite that includes the ability to address issues with .htaccess files on your server. These plugins work to secure not just the core WordPress files themselves, but also let you harden your server’s configuration from your WordPress dashboard.
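To make “addressing issues with .htaccess files” concrete, here is an added example of the kind of hardening rules a security suite writes into a site’s root .htaccess. It is not taken from the original post or from any particular plugin. It assumes Apache 2.4 with mod_authz_core and mod_rewrite enabled, that the host allows these overrides in .htaccess (AllowOverride), and the address 203.0.113.0/24 is a placeholder for the admin’s own network.

```apache
# Added example: hardening rules of the kind a WordPress security plugin
# writes into the site's root .htaccess (Apache 2.4 syntax).

# wp-config.php holds database credentials; it must never be served.
<Files "wp-config.php">
    Require all denied
</Files>

# Other files that reveal version or configuration details.
<FilesMatch "^(\.htaccess|readme\.html|license\.txt|error_log|php\.ini)$">
    Require all denied
</FilesMatch>

# Only the admin's own network (placeholder range) may reach the login page,
# so brute-force traffic is refused by Apache before WordPress runs at all.
<Files "wp-login.php">
    Require ip 203.0.113.0/24
</Files>

# Refuse to execute PHP from the uploads directory, where a compromised
# account could otherwise place a script.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^wp-content/uploads/.*\.php$ - [F,L]
</IfModule>

# No directory listings.
Options -Indexes
```

After adding rules like these, test the site from an address outside the allowed range and confirm that wp-login.php returns 403 while the public pages still load; a mistyped Require line locks out the admin too, so keep SFTP or hosting-panel access at hand to revert it.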
We’ve been big proponents of Limit Login Attempts – it’s an excellent plugin dedicated to flagging and stopping repeated access attempts. If someone tries to log in with your username, Limit Logins will flag the IP and block it from your site after too many attempts. You can also permaban IPs if they try and fail to log in too many times. This is especially useful if you’re getting a lot of traffic from unexpected places. The downside to this plugin is that it hasn’t been updated in some time, and there are new plugins that do the same thing as part of larger suites. If you need a targeted solution, Limit Logins may be for you, but there are newer and more robust plugins out there, like Login Security Solution.
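The lockout behaviour described above (flag an IP after too many failed logins, then ban it outright if it keeps getting locked out) is easy to misread, so here is an added example of that policy written as plain PHP functions. It is not code from the original post or from the Limit Login Attempts plugin; it keeps state in an in-memory array and uses constructed timestamps and a constructed attacker address so it runs from the command line. A real plugin would hook WordPress’s `wp_login_failed` action and `authenticate` filter and store the counters in transients or the database (those are assumptions about how one would wire it in, not part of this example). Requires PHP 7.4 or later for the arrow function.

```php
<?php
// Added example: a Limit-Login-Attempts-style lockout policy as plain functions.
// Thresholds are illustrative choices, not the plugin's defaults.
const MAX_FAILURES    = 4;            // failed logins before a temporary lockout
const LOCKOUT_SECONDS = 20 * 60;      // length of a temporary lockout
const MAX_LOCKOUTS    = 4;            // lockouts before a permanent ban
const FAILURE_WINDOW  = 12 * 60 * 60; // failures older than this are forgotten

// Store layout per IP: failures (timestamps), locked_until, lockouts, banned.
function empty_record(): array {
    return ['failures' => [], 'locked_until' => 0, 'lockouts' => 0, 'banned' => false];
}

// Check this BEFORE verifying the password, so a locked-out client cannot
// keep guessing while it waits.
function is_blocked(array &$store, string $ip, int $now): bool {
    if (!isset($store[$ip])) {
        return false;
    }
    return $store[$ip]['banned'] || $store[$ip]['locked_until'] > $now;
}

// Record one failed login and return 'allowed', 'locked' or 'banned'.
function record_failure(array &$store, string $ip, int $now): string {
    $rec = $store[$ip] ?? empty_record();
    // Drop failures outside the window, then add this one.
    $rec['failures'] = array_values(array_filter(
        $rec['failures'], fn(int $t) => $t > $now - FAILURE_WINDOW
    ));
    $rec['failures'][] = $now;
    $status = 'allowed';
    if (count($rec['failures']) >= MAX_FAILURES) {
        $rec['lockouts']++;
        $rec['failures'] = [];          // counter restarts after each lockout
        if ($rec['lockouts'] >= MAX_LOCKOUTS) {
            $rec['banned'] = true;      // the "permaban" case
            $status = 'banned';
        } else {
            $rec['locked_until'] = $now + LOCKOUT_SECONDS;
            $status = 'locked';
        }
    }
    $store[$ip] = $rec;
    return $status;
}

// A successful login clears the failure counter but never lifts a ban.
function record_success(array &$store, string $ip): void {
    if (isset($store[$ip]) && !$store[$ip]['banned']) {
        $store[$ip]['failures']     = [];
        $store[$ip]['locked_until'] = 0;
    }
}

// Constructed scenario: one address fails repeatedly, waiting out each lockout.
$store = [];
$attacker = '203.0.113.7';   // constructed, documentation-range address
$now = 1000000;              // constructed epoch timestamp
for ($round = 1; $round <= MAX_LOCKOUTS; $round++) {
    $result = 'allowed';
    for ($i = 0; $i < MAX_FAILURES; $i++) {
        $result = record_failure($store, $attacker, $now);
        $now += 5;
    }
    printf("round %d: %s, blocked now: %s\n",
        $round, $result, is_blocked($store, $attacker, $now) ? 'yes' : 'no');
    $now += LOCKOUT_SECONDS + 1;   // lockout expires, attacker returns
}
// After MAX_LOCKOUTS rounds the address stays blocked regardless of time.
printf("still blocked a day later: %s\n",
    is_blocked($store, $attacker, $now + 86400) ? 'yes' : 'no');
// An unrelated address is unaffected.
printf("admin address blocked: %s\n",
    is_blocked($store, '198.51.100.4', $now) ? 'yes' : 'no');
```

Rounds one to three end in a temporary lockout and round four in a ban. One caveat worth keeping in mind: this is purely per-IP, which is exactly what the distributed attack mentioned earlier is designed to sidestep, since each bot makes only a few attempts from its own address. Per-IP limiting still removes the noisy single-source guessing, but it is a complement to strong, unique passwords, not a substitute.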
Better WP Security is a good example of a robust security suite. It includes the same IP logging and blacklisting capabilities of Limit Logins, but also prompts admins to address a host of common and potential vulnerabilities. We routinely install Better WP Security and make full use of its prevention/protection features as well as its backup features.
Subscription services can also play an important role in your security solution, but the bigger factors here are how exposed your site is, how much traffic you’re getting, and balancing your traffic loads against your security risk. Some WordPress specific services, like Wordfence and BruteProtect, filter known bot traffic and help to prevent attacks from getting to your site in the first place. Other services, like Cloudflare, can be a good option for some users even though they’re not WordPress specific solutions.
In general, it’s important to remember that your web security is a combination of prevention measures that stop attacks before they reach you (or handle them when they do), and personal practices that prevent vulnerabilities from cropping up. Making sure you and your users use strong passwords, practice regular password rotation, and avoid reusing passwords across sites can also go a long way towards keeping your website secure, whether you’re on WordPress or not.