WordPress is the world’s most popular software for building websites and for publishing on the internet. This fact makes it the number one target for hackers. Every self-hosted WordPress admin, even if only running a simple blog, should take security seriously because an unsecured WordPress site can be taken over by hackers pretty quickly. Francesca Marano gave a talk at WordCamp Singapore where she presented the basic security settings for WordPress sites.
We monitor our sites, and have noticed that a frequent attack target for hackers is the WordPress login. Specifically, they are trying to log in as the admin. The first steps to protect a site are:
- Use long passwords for WordPress logins.
- Passwords must be unique.
- Never share your password with anyone, not even with your mother.
- Advise users about password manager apps, like Password Safe. 1Password and other password managers that are cloud services are useful as well, but the risk is that they can be hacked – it has happened.
Another common avenue for hackers to sneak into a WordPress system is via plugins that have vulnerable code.
- Update WordPress core software whenever a new version is released.
- Update plugins and themes.
- Ensure that your WordPress database and other data customized for your site is regularly backed up. Many web hosting companies provide this service.
Other tips for better security:
- Install two-factor authentication (2FA) for WordPress logins. Here is an article that explains what 2FA is and how to activate it. It requires a plugin for WordPress, and an app for every phone whose owner wants to log in to WordPress.
- In WordPress Settings – General Settings – Membership, turn off Anyone can register.
- Don’t answer quizzes or questions on the internet that request your personal information, like your pet’s name, mother’s maiden name, your high school, or similar. Someone may be fishing for your password recovery hints.
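The update and registration items in the lists above can be checked from the command line. The following is an added example, not taken from the talk or the original post; it assumes WP-CLI is installed as `wp` and is called from the WordPress root directory, and the function names `audit_wp` and `report` are made up for this illustration.

```shell
#!/bin/sh
# Added example: read-only audit of the checklist above using WP-CLI.
# Assumption: WP-CLI is installed as `wp` and audit_wp is called from the
# WordPress root directory. Nothing on the site is changed.

# report LABEL COUNT: print one line per check and count failed checks.
report() {
    if [ "$2" -gt 0 ]; then
        echo "FAIL  $1: $2"
        findings=$((findings + 1))
    else
        echo "ok    $1: 0"
    fi
}

audit_wp() {
    # Without WP-CLI every check would silently read as "ok", so stop early.
    command -v wp >/dev/null 2>&1 || { echo "wp (WP-CLI) not found" >&2; return 2; }
    findings=0

    # Core: a version number per line when a newer release exists; any
    # "already up to date" status message does not start with a digit.
    n=$(wp core check-update --field=version 2>/dev/null | grep -c '^[0-9]' || true)
    report "core updates pending" "$n"

    # Plugins and themes with an update available, one name per line.
    n=$(wp plugin list --update=available --field=name 2>/dev/null | grep -c . || true)
    report "plugin updates pending" "$n"
    n=$(wp theme list --update=available --field=name 2>/dev/null | grep -c . || true)
    report "theme updates pending" "$n"

    # Settings > General > Membership: 1 means "Anyone can register" is on.
    reg=$(wp option get users_can_register 2>/dev/null)
    [ "$reg" = "1" ] && n=1 || n=0
    report "open registration enabled" "$n"

    # Non-zero status when anything needs attention, so cron can alert on it.
    [ "$findings" -eq 0 ]
}
```

Source the file and run `audit_wp` from a scheduled job; it returns 1 when any check fails and 2 when WP-CLI is missing.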
View Francesca Marano’s beginner-friendly talk at WordCamp Singapore 2019 below:
Video by WordPress.tv.
For detailed technical tips for securing a WordPress site, the developers of the software provide plenty of information.