WordPress Website Security

In what seems like it should be viral marketing for the next James Bond movie, we’ve seen “Heartbleed” and a “zero day” make the evening news. The past couple of months have delivered some severe reminders that website security in general, and WordPress website security specifically for the more than 19% of websites that run on it, is more important than ever.

Earlier this week, the US Government’s US-CERT issued an alert about a newly discovered vulnerability in Internet Explorer. It was a “zero day,” meaning attackers were already exploiting it before any patch existed. Taking what seemed like the “nuclear option,” the alert went as far as advising users to consider a different browser until a fix was available. It took nearly five days for Microsoft to issue one (delivered through Windows Update: https://windowsupdate.microsoft.com/).

At the beginning of April, “Heartbleed” was national news. It was a bug in OpenSSL, the software library that provides encrypted (HTTPS) connections for a large share of the web: a flaw in its TLS “heartbeat” feature let anyone read chunks of a server’s memory, which could include private keys, session cookies and users’ passwords. It affected some of the web’s most popular sites, like Yahoo!, Pinterest, Reddit, Imgur, Tumblr, GitHub, and many many more. Because whatever was in those servers’ memory may already have been read, the site operator patching OpenSSL and replacing its certificate is only half the fix; once a site you use has done that, you need to change your password there. Every single one of them. Personally, it took me a couple of hours just to find every site where I’ve got an account.

Just a few months ago, WordPress websites were specifically targeted: an attacker abused the XML-RPC pingback feature to force more than 162,000 WordPress sites around the world to participate in a mass DDoS attack against a single target, without the owners of those sites knowing.

It’s almost certain that more vulnerabilities will be exposed in the future, so what can you, as a WordPress user, do to protect your site? In only ten minutes, you can take a few basic precautions. They won’t make you completely safe, but they will stop you from being the “low-hanging fruit” that automated attacks go after first.

1) Get Serious About Your Passwords
This is the simplest and probably also the most ignored step you can take to protect yourself. Many people sacrifice security for convenience when creating a password and make themselves an easy target. Instead of a password that’s easy to remember (and therefore easy to guess), use a long random password that is unique to each site, and a password manager like LastPass to store it for quick reference. I should note that LastPass’s servers were exposed to Heartbleed, but because your vault is encrypted with your master password before it leaves your browser, the server never holds what is needed to read your passwords. Now they have a tool (https://lastpass.com/heartbleed/) specifically for checking whether a site is still vulnerable to Heartbleed.

2) Change Your Name
Delete the “admin” username. After you complete the initial installation and configuration of WordPress, create a new account with the administrator role under a name that isn’t “admin,” log in as that user, and then delete the “admin” account. WordPress will ask which user should take over its posts; choose the new one, or those posts are deleted along with the account. The “admin” account is usually user ID 1, the first account the installer created. Most brute force attacks on WordPress sites begin by hammering the login page with the username “admin,” because older installers created it by default and a great many sites still use it. Once someone guesses that password, they can take over your website. One caveat: WordPress exposes login names in author archive URLs (/?author=1 redirects to /author/your-username/), so an attacker can often still learn the new name. Changing the name removes you from the easy “admin” sweep; the strong password from step 1 is what protects the account itself.

3) Update So Frequently It’s Annoying
When a software update is published, it is accompanied by a list of changes and problems it fixes, including security flaws. Once those flaws are public, attackers know exactly what to look for on sites that haven’t updated, so the window between release and exploitation is short. Update your WordPress core, themes, and plugins as soon as you notice updates are available. But always back up both the database and the site files first, in case something goes wrong during the update process.
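The three steps above, as one runbook built on WP-CLI. This is an added example, not code from the original post or from WordPress itself: it assumes WP-CLI’s `wp` command is installed and run from the site root, the usernames `siteowner` and `admin` and the e-mail `owner@example.com` are placeholders, and it defaults to a dry run that prints each command instead of executing it (set DRY_RUN=0 to make the changes).

```shell
#!/bin/sh
# Added example: a WP-CLI runbook for the three steps above (not from the
# original post). Assumes the `wp` command is installed. Defaults to a dry
# run that only prints each command; run with DRY_RUN=0 to execute them.
DRY_RUN="${DRY_RUN:-1}"
WP_PATH="${WP_PATH:-.}"                                    # WordPress root
OLD_ADMIN="${OLD_ADMIN:-admin}"                            # account to remove
NEW_ADMIN="${NEW_ADMIN:-siteowner}"                        # placeholder name
NEW_ADMIN_EMAIL="${NEW_ADMIN_EMAIL:-owner@example.com}"    # placeholder address

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}
wp_cmd() { run wp --path="$WP_PATH" "$@"; }

# Step 1: a 24-character random password from the kernel CSPRNG.
# Store it in a password manager; never reuse it on another site.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9!#%+=_-' < /dev/urandom | head -c 24
}

# Step 2a: create the replacement administrator under a non-default name.
create_new_admin() {
  pw=$(gen_password)
  # --user_pass puts the password in the argument list, which other local
  # users can read with ps; run this on a host you control.
  wp_cmd user create "$NEW_ADMIN" "$NEW_ADMIN_EMAIL" \
    --role=administrator --user_pass="$pw"
  printf 'New admin "%s" password (save it now): %s\n' "$NEW_ADMIN" "$pw" >&2
}

# Step 2b: hand the old account's posts to the new one, then delete it.
# Without --reassign, WordPress deletes every post the old account owns.
remove_default_admin() {
  if [ "$DRY_RUN" = "1" ]; then
    new_id='<id-of-new-admin>'
  else
    new_id=$(wp --path="$WP_PATH" user get "$NEW_ADMIN" --field=ID) || return 1
  fi
  wp_cmd user delete "$OLD_ADMIN" --reassign="$new_id" --yes
}

# Step 3: back up the database, verify core files against wordpress.org's
# published checksums (a modified core file is a sign of compromise), then
# update core, plugins and themes.
backup_database() {
  wp_cmd db export "backup-$(date +%Y%m%d-%H%M%S).sql"
}
update_everything() {
  wp_cmd core verify-checksums
  wp_cmd core update
  wp_cmd core update-db
  wp_cmd plugin update --all
  wp_cmd theme update --all
}

harden() {
  backup_database
  create_new_admin
  remove_default_admin
  update_everything
}

harden
```

Run it once in the default dry-run mode and read the commands it prints; then run `DRY_RUN=0 sh harden-wp.sh` from the WordPress root. The database export covers the content; copy the `wp-content` directory separately so themes and plugins can be rolled back too.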

If you’re looking for additional security, here are some popular, reliable plugins with positive reviews and widely available technical support from the WordPress community:

If you are looking for an enthusiastic expert to partner with you on your WordPress website and keep it in tip top shape, check out our WordPress maintenance and SEO package.

Work With Us

We've been building websites for over twenty years, and have learned a thing or two about how to make web projects go smoothly.