I am often asked which plugins I use to keep WordPress secure. There are a few plugins that add extra layers of security to your WordPress website; however, the question people should be asking is ‘What should I do to keep my WordPress site secure?’ If you’re not doing the basics then no security plugin is going to help, so here’s where to start…
Don’t use the ‘admin’ username
This is quite a common one, and ‘admin’ used to be the default when setting up your WordPress site. WordPress now lets you choose the username during the installation process. It doesn’t matter so much what you pick; however, with ‘admin’ being the most common, it’s the one that hackers try first when attempting to gain access to your website. If you currently have ‘admin’ as your username, here are the steps to follow to change it.
- Set up another user as an ‘Administrator’.
- Delete the ‘admin’ user.
- Important – when deleting it, attribute all of the posts to the new user you created in step one.
Change the standard ‘wp_’ table prefix
Another setting worth changing during installation is the ‘wp_’ table prefix. Leaving this common prefix in place increases the chances of a successful SQL injection attack (inserting rogue data), because an attacker can guess your table names. Not to worry though: there is a plugin that you can temporarily enable to change this, aptly named Change Table Prefix.
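For anyone who would rather see what a prefix change actually involves, here is the equivalent manual MySQL as an added example (not from this post or from the Change Table Prefix plugin). It assumes the WordPress 3.x core table set and uses the constructed new prefix ‘sitex7_’; take a full database backup first.

```sql
-- Run against the WordPress database AFTER a full backup and BEFORE editing
-- wp-config.php. The new prefix 'sitex7_' is a constructed example value.

-- 1. Rename every core table (WordPress 3.x core set). Plugins may have added
--    tables of their own: list them with  SHOW TABLES LIKE 'wp\_%';  and rename
--    those as well, or they will silently stop working.
RENAME TABLE
  wp_commentmeta        TO sitex7_commentmeta,
  wp_comments           TO sitex7_comments,
  wp_links              TO sitex7_links,
  wp_options            TO sitex7_options,
  wp_postmeta           TO sitex7_postmeta,
  wp_posts              TO sitex7_posts,
  wp_terms              TO sitex7_terms,
  wp_term_relationships TO sitex7_term_relationships,
  wp_term_taxonomy      TO sitex7_term_taxonomy,
  wp_usermeta           TO sitex7_usermeta,
  wp_users              TO sitex7_users;

-- 2. Rows whose NAME embeds the prefix. Forgetting these is the classic mistake:
--    the tables rename fine, but every account loses its role and nobody can
--    log in as an Administrator any more.
UPDATE sitex7_options
   SET option_name = 'sitex7_user_roles'
 WHERE option_name = 'wp_user_roles';

UPDATE sitex7_usermeta
   SET meta_key = CONCAT('sitex7_', SUBSTRING(meta_key, 4))   -- strip 'wp_' (3 chars)
 WHERE meta_key IN ('wp_capabilities',
                    'wp_user_level',
                    'wp_user-settings',
                    'wp_user-settings-time',
                    'wp_dashboard_quick_press_last_post_id');

-- 3. Verify before touching wp-config.php: the first query must return one row,
--    the second should list nothing prefix-related that step 2 missed.
SELECT option_name FROM sitex7_options  WHERE option_name = 'sitex7_user_roles';
SELECT DISTINCT meta_key FROM sitex7_usermeta WHERE meta_key LIKE 'wp\_%';

-- 4. Finally set   $table_prefix = 'sitex7_';   in wp-config.php and log in.
```

If the login page reports that you have insufficient permissions afterwards, step 2 is the place to look.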
Use strong passwords
It’s important that anyone with a high level of access to your website (Administrator, Editor) has a strong password. WordPress generates strong default passwords, but users often change them. This is where the Minimum Password Strength plugin is useful: it prevents your users from choosing weak passwords.
This advice also extends to your FTP and database passwords. Test how strong your passwords are, and if they’re weak, change them immediately.
Lock down your login form
Prevent users (or hackers) from making more than 5 attempts at a time at logging into your site. If the login details are entered incorrectly more than 5 times, they will be locked out for a certain period of time. The Limit Login Attempts plugin will do the trick for this.
Keep WordPress up to date
Last, but certainly not least. As I said at the start – if you’re worrying about which security plugin to use while your version of WordPress is out of date, then it’s a pointless exercise. Updating your WordPress website is quick and easy, so there really aren’t any excuses. If you are running an older version of WordPress (older than 3.3) then you might run into compatibility issues with themes and plugins, so you might need to employ a developer to guide you through the process – it’ll be worth it though, as you’ll also get all of WordPress’ new features.
If you have lots of WordPress sites to maintain, then it may be worth signing up to a service such as WP Remote, where you can oversee and update all of your sites and their plugins.
It’s also worth keeping your site ‘clean’ by:
- Removing unused themes
- Removing unused plugins
- Removing unused users (especially those with ‘administrator’ privileges)
- Backing up your site, so that if you are hacked you can restore it to a pre-hack state.
All of the above is simple advice to follow and will play a large part in keeping your site secure. It’s certainly worth being proactive in this respect: if you do get hacked, the clean-up process isn’t pleasant, and it has potential time and cost implications.