WordPress is arguably the most popular CMS (Content Management System) in the world, with over sixty percent market share. That’s more than all other CMS platforms combined! WordPress powers something like thirty-five percent of all active websites online today. With something like 1.4 billion websites online, that means close to five hundred million websites are running on WordPress!
That’s a massive number of potential targets for hackers to try and exploit, whether through weaknesses in the WordPress core or in any of the millions of plugins available for the platform.
There is an unfortunately popular belief that WordPress isn’t a secure platform. While there is an element of truth in that, given the nature of the platform’s basic installation, there are steps you can take to make sure your install is secured against opportunistic hackers looking to exploit anything you’ve left open.
First of all, please, please, please, don’t use Admin as a username. That’s asking for trouble and is one of the vulnerabilities WordPress naysayers usually point to when citing security issues. If you are using “Admin,” well, sorry, but you’re asking for trouble.
While your birthday might be an easy password for you to remember, it’s also an easy password for a hacker to crack. Use something complex and made up of a combination of upper and lower-case letters, numbers, and special characters.
All WordPress user accounts have what is called a nicename. This isn’t to be confused with the user Nickname. The Nickname is set in the User dialogue and can be pretty much anything you want it to be. You change that in the User Settings, as shown in the image below.
That changes the display name of your authors, for example. However, you can still see the actual username if you hover over the Author Name in a post, so even if you set a Nickname, hackers can still see the real login username for that particular author.
That happens because WordPress uses something called a “nicename.” You can’t change it inside your WordPress admin panel. You can install a plugin that does it, but the fix is so simple that adding an extra plugin just for that is not something I’d recommend.
The “nicename” is set in the database of your install, so to change it, you have to go to your hosting control panel, open phpMyAdmin, and find the users table. You’ll see the nicename for each user you have, so all you need to do is change it to something else, usually the same name you used for the user nickname. Simple, and no need for any extra plugins just for that.
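The same change done as SQL from phpMyAdmin’s SQL tab, as an added example that is not part of the original post. It assumes the default `wp_` table prefix and constructed account names (`sitemaster`, `site-editor`); the lookup step first shows which accounts still expose their login name through the author slug.

```sql
-- Added example (not from the original post); assumes the default wp_ table
-- prefix and constructed account names. Run from phpMyAdmin's SQL tab.

-- 1. Find accounts whose public author slug (user_nicename) still equals the
--    login name: these are the ones that leak the username in author URLs.
SELECT ID, user_login, user_nicename, display_name
FROM wp_users
WHERE user_nicename = LOWER(user_login);

-- 2. Make sure the new slug is not already taken. The nicename must be unique
--    because WordPress uses it in /author/<nicename>/ URLs.
SELECT COUNT(*) AS taken
FROM wp_users
WHERE user_nicename = 'site-editor';   -- expect 0 before proceeding

-- 3. Change the slug for the one account (constructed login 'sitemaster').
--    Use lowercase letters, digits and hyphens only; the column holds at most
--    50 characters.
UPDATE wp_users
SET user_nicename = 'site-editor'
WHERE user_login = 'sitemaster'
LIMIT 1;

-- 4. Confirm the change for that account.
SELECT user_login, user_nicename
FROM wp_users
WHERE user_login = 'sitemaster';
```

Changing the slug also changes the author archive URL, so any existing links to /author/sitemaster/ stop resolving; WordPress does not redirect the old slug.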
Some plugins and themes can be expensive. There’s no getting around that. Unfortunately, that has given rise to sites that sell premium plugins and themes under the GPL license for a fraction of the full product’s cost. While that might seem like a low-cost way to get these premium plugins and themes, you could end up paying a far higher price than you save.
For a start, while these plugins do fall under the GPL license, the updates don’t. For that, you have to rely on these sites releasing updates and installing them manually, or installing a management plugin that takes care of the updates. That’s really not something I’d recommend doing. If you want a premium plugin, buy it. If the price is too high, get something else, but steer clear of nulled plugins. In the long run, the cost simply isn’t worth the trouble.
Simple steps go a long way with regard to WordPress security. Keep your plugins and themes up to date and delete any you don’t use. Apart from slowing your site down, outdated plugins and themes are some of the key culprits when it comes to hacks. Stay up to date and get rid of any plugin bloat. Your site speed will thank you for it as well!
Hardening WordPress against attacks is a significant part of the platform ecosystem, and there are some excellent services and plugins available that do fantastic jobs of securing your WordPress sites.
Probably the most widespread is Wordfence. For a start, Wordfence adds 2FA (Two Factor Authentication) to all your logins. That makes user-level hacks exponentially more difficult as potential hackers have to get your login credentials and access to the mobile device you use for 2FA.
Wordfence comes with a Web Application Firewall (WAF) to identify and block any malicious traffic. The integrated malware scanner stops any requests that include malicious code or content. Wordfence hardens your WordPress site against brute force attacks through rules for limiting login attempts, making sure you are using strong passwords, and other security measures.
You can limit access to your login panel through blocking rules with the country and IP settings. With the IP setting, only whitelisted IPs can log in. If you have a static IP, this is a great security measure. The integrated WordPress Security Scanner checks your install for any malware and any changes to files you might not have made. Wordfence runs a central database of bad IPs (IPs known to be used by hackers) and automatically blocks these from accessing your sites.
Site security is a vast topic, and sometimes, things are best left to the experts to deal with. Wordfence has something like one hundred and fifty million downloads, so they know what they’re doing when it comes to hardening WordPress. If you value your sites’ security, then this is undoubtedly an option you should keep an eye on!