WordPress Security: Best Tips

Improving WordPress security is up to you

WordPress Security experts know two things well:

  • Security is like an onion, with many layers.
  • Total security is never achieved.

Keep reading: beyond understanding these two facts, you will come away with concrete steps that improve the security of your website. Pay attention, because some of the recommendations below are a must for any WordPress project.

WordPress security

Achieving total web security is not possible. Too many factors are involved, among them the human ones, and new software vulnerabilities are discovered and exploited every day. What we can do is fight for as much security as is reasonably achievable, and as the person responsible for a website you should dedicate real effort to it. WordPress is the most used CMS (Content Management System) in the world. Because of that, many attackers have specialised in it: they know its weaknesses, the default settings that make exploitation easier, the published WordPress vulnerabilities and the common weak configurations. Even if you are not a WordPress expert, following the recommendations below will stop most of them.

More than 30% of the world’s websites use WordPress. Source: BuiltWith Trends

Below we show you 7 essential tips to protect WordPress, focused on making access to WordPress in 2019 more secure. Apply them as soon as possible, so that there are no unpleasant surprises later from attacks or security problems on your website.

  • Security updates
  • Using HTTPS
  • Default administrator user
  • Robust password policy
  • Limit registrations and access attempts
  • Change the administration address
  • Two-factor authentication

WordPress Security Tip 1: Security Updates – MUST

This is the fundamental recommendation in WordPress security. Updates, especially those that fix security vulnerabilities, are the best weapon against any web attack, and the principle applies just as much when the goal is secure access to the site. Keep in mind that it is not always wise to jump to a newly released major version on day one (for example WordPress 5.0). Security fixes, however, normally arrive as maintenance releases that only change the third number of the version (WordPress 5.2.1 -> WordPress 5.2.2), and those should be applied without delay.

Security flaws and vulnerabilities are continuously being found in every piece of software in use. On websites such as CVE Details you can find statistics of the security vulnerabilities reported in WordPress. Each CMS update carries the patches for the holes that have been reported and fixed up to that point.

Make sure your version of WordPress is up to date. The simplest check is to go to Dashboard -> Updates and verify that everything is current.

While you are there, check that all your plugins are updated too. Outdated plugins and themes are one of the most common ways of leaving the door open to an attacker. Install only plugins and themes from reliable sources such as wordpress.org, keep them updated, limit how many you install and remove the ones you do not need (a deactivated plugin is still code on disk that can be exploited).

WordPress Security Tip 2: HTTPS – MUST

The fact that Google Chrome, the most used web browser in the world, labels websites served over plain HTTP as "Not secure" is more than significant. Today any professional website is expected to serve its content over HTTPS (Hypertext Transfer Protocol Secure). Simplifying a lot, HTTPS means that the communication between the client (the user's browser) and the web server travels through an encrypted channel. An attacker who can observe that traffic (on an open Wi-Fi network, or from a compromised router) can no longer read sensitive data such as the user's password from it. It is an essential security measure for WordPress or any other website.

Since 2016 the Let's Encrypt initiative has definitively pushed the adoption of HTTPS by issuing X.509 certificates free of charge. Currently almost all WordPress hosting providers include it in their services at no additional cost. Ask your WordPress host and do not hesitate to enable it. As a bonus, it also helps your search ranking.
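The following wp-config.php lines put Tip 1 (security updates) and Tip 2 (HTTPS) into the configuration itself. They are an added example, not code from the original article; the domain is the article's example domain and must be replaced by yours, and the X-Forwarded-Proto handling assumes a reverse proxy or CDN that terminates TLS in front of PHP.

```php
<?php
/*
 * Added example (not from the original article).
 * Place these lines in wp-config.php above the
 * "That's all, stop editing! Happy publishing." line.
 */

/* --- Tip 1: take security releases automatically, decide major ones yourself --- */
// 'minor' installs 5.2.1 -> 5.2.2 style releases unattended but never 5.2 -> 5.3.
// (true would also install major releases, false switches core auto-updates off.)
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

/* --- Tip 2: HTTPS everywhere --- */
// Tell WordPress its canonical address uses https, so generated links,
// canonical redirects and cookies all use the encrypted scheme.
// Assumption: the article's example domain; use your own.
define( 'WP_HOME',    'https://www.wordpress-security.com' );
define( 'WP_SITEURL', 'https://www.wordpress-security.com' );

// Serve the dashboard and the login form only over TLS (plain-HTTP requests
// to wp-admin and wp-login.php are redirected to https).
define( 'FORCE_SSL_ADMIN', true );

// Failure mode to handle: behind a TLS-terminating proxy or CDN, PHP sees a plain
// HTTP connection, is_ssl() returns false, and FORCE_SSL_ADMIN would redirect
// forever. Honour the proxy's header instead. Only do this when the proxy sets or
// overwrites X-Forwarded-Proto on every request; otherwise a client could send
// the header itself and claim an encrypted connection it does not have.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}
```

Automatic plugin and theme updates are switched on from functions.php or a mu-plugin rather than wp-config.php, with `add_filter( 'auto_update_plugin', '__return_true' );` and `add_filter( 'auto_update_theme', '__return_true' );`, which are WordPress's own filters.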

WordPress Security Tip 3: default administrator

The administrator user is the master key holder of your WordPress website, so it deserves the strongest protection. When installing WordPress, use a username other than admin, which is the most common one and the default in older versions of WordPress. In our example we have set adm-seguro as the administrator username.


If the admin user already exists in your installation, there is a solution too. You can rename it directly in the database, usually through phpMyAdmin, by changing the user_login column of the wp_users table (also change user_nicename, otherwise the author URL slug keeps revealing the old name). Or you can create a new user with administrator permissions, reassign admin's content to it and then delete or deactivate the admin account.

Hide user login

Changing the username on its own is not enough, because WordPress gives away usernames in several places. It is important to limit the clues about your users. An attacker who wants to learn a user's login in order to attack the administration can request an address like this: http://www.wordpress-security.com/?author=1. WordPress answers by redirecting to that user's author page, whose URL contains the login (user 1 is normally the administrator created at installation).


To avoid this go to Users -> All users and click on Edit under the administrator user.

In the Name section, set a Nickname (example: administrator-wp-secure) and then choose it in the "Display name publicly as" dropdown.


From now on, wherever the theme prints the author of a post, visitors see the alias, which is not the name used to log in to the WordPress administration. Note that the author page URL still uses the user slug (user_nicename), which is dealt with in the next section.

You can make the same change for the other users registered on your website. Unfortunately, although this reduces the chances of a successful attack, there are other, more direct ways of obtaining the users of a site. Here is how to close them:

Limit user enumeration through author URL

If in Settings -> Permalinks you have chosen URLs based on the post name, the author page address changes automatically, for example from http://www.wordpress-seguro.com/?author=1 to http://www.wordpress-seguro.com/author/adm-seguro/. This setting is common because it favours SEO, but the redirect from ?author=1 to the pretty URL hands the login to anyone who asks.

There are several ways to fix this. One is to add the following at the end of the .htaccess file (Apache with mod_rewrite):

# Put at the end of .htaccess to redirect requests like
# www.wordpress-security.com/?author=1 to the home page
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]

Note that this rule only inspects the query string, so a direct request to /author/adm-seguro/ is not affected by it.

It can also be solved with a specific WordPress plugin, or by adding the following code to functions.php, which redirects every author page request (both the ?author=N form and the pretty /author/slug/ form) to the home page of your website.

function redirect_to_home_if_author_parameter() {
   // The 'author' query var is set for ?author=N and, once WordPress has
   // resolved the slug, for /author/<slug>/ archive requests as well.
   $is_author_set = get_query_var( 'author', '' );
   if ( $is_author_set != '' && ! is_admin() ) {
      wp_redirect( home_url(), 301 );
      exit; // stop WordPress from rendering the author page after sending the redirect
   }
}
// Priority 1: run before redirect_canonical() (priority 10), which would otherwise
// answer ?author=1 with a redirect to /author/<login>/ and leak the login anyway.
add_action( 'template_redirect', 'redirect_to_home_if_author_parameter', 1 );

Limit user enumeration through the WordPress API

Since WordPress 4.7 the REST API is part of core, and the list of users who have published posts can be obtained, without logging in, from an address like this: https://www.wordpress-seguro.com/wp-json/wp/v2/users.

The JSON response contains, for every listed user, the id, the display name and the slug (user_nicename), which in most installations is the login itself. The quickest fix is to disable the REST API for visitors altogether with a WordPress security plugin such as Disable JSON API, but be aware that since WordPress 5.0 the block editor depends on the REST API, so disabling it completely for logged-in users will break the editor. Restricting it to logged-in users, or removing only the user endpoints for anonymous requests, is the safer option.
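One way to remove only the user endpoints for anonymous requests while leaving the rest of the REST API (and the block editor) working. This is an added example, not code from the article or from any plugin; the function name wpsec_hide_user_routes is ours, the route strings are the ones WordPress registers for the users controller, and the snippet goes in functions.php or a mu-plugin.

```php
<?php
/*
 * Added example (not from the original article): hide the users routes of the
 * REST API from visitors who are not logged in. Anonymous requests to
 * /wp-json/wp/v2/users (or /?rest_route=/wp/v2/users) then get the standard
 * 404 "rest_no_route" answer instead of the user list.
 */
function wpsec_hide_user_routes( array $endpoints ) {
    // Editors and administrators keep the normal endpoints: the block editor
    // uses the user list for the author selector and for @mentions.
    // By the time this filter runs, WordPress has already authenticated the
    // request (cookie + REST nonce), so is_user_logged_in() is reliable here.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    // Both the collection and the single-user route expose the slug
    // (user_nicename, usually the login) and the display name.
    $user_routes = array(
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
    );
    foreach ( $user_routes as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'wpsec_hide_user_routes' );
```

To check the result, request the endpoint without cookies (for example with curl) and confirm you get an HTTP 404 with code "rest_no_route", then log in and confirm the block editor still loads the author list. The ?author=N redirect covered above is a separate leak and needs the functions.php or .htaccess fix of its own.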

WordPress Security Tip 4: robust password policy

Attackers routinely use brute force attacks: a program that knows one or more user accounts tries to log in by testing a very long list of candidate passwords, usually taken from password dictionaries. So forget about passwords like 123456 or one that is identical to the login name.

Some requirements for a robust password policy would be the following, taken from the Internet Security Office:

  • At least 10 characters (letters, digits and symbols). Attackers know that corporate security policies usually set a minimum of 8 and that a large share of users stick to exactly that minimum length.
  • The password must include lowercase, uppercase (preferably not just the first letter), numbers and symbols (*,?, $, #, Etc.).
  • Do not use regular words (web), proper names, places, dates of birth, etc.
  • The same passwords should not be used as in other websites.
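WordPress only shows a strength meter; it does not refuse a weak password by itself. The following code enforces the rules above whenever a password is set from the profile screen, the "Add New User" screen or the lost-password reset form. It is an added example and not part of the article; the wpsec_* names are ours, the hooks (user_profile_update_errors, validate_password_reset) are WordPress's own, and the short list of common passwords is a constructed sample that should be replaced by a real breached-password list in production.

```php
<?php
/*
 * Added example (not from the original article): server-side password policy
 * for WordPress. Put it in functions.php or a mu-plugin.
 */

/**
 * Returns the reasons a password is NOT acceptable; an empty array means OK.
 * $user_login is used to reject passwords built from the account name.
 */
function wpsec_password_problems( $password, $user_login = '' ) {
    $problems = array();

    // Length: count characters, not bytes (mb_strlen has a polyfill in WordPress).
    if ( mb_strlen( $password ) < 10 ) {
        $problems[] = 'be at least 10 characters long';
    }

    // Character classes: lowercase, uppercase, digit, symbol.
    if ( ! preg_match( '/[a-z]/', $password ) ) {
        $problems[] = 'contain a lowercase letter';
    }
    if ( ! preg_match( '/[A-Z]/', $password ) ) {
        $problems[] = 'contain an uppercase letter';
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) {
        $problems[] = 'contain a digit';
    }
    if ( ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
        $problems[] = 'contain a symbol (*, ?, $, #, ...)';
    }

    // Not derived from the account itself.
    if ( '' !== $user_login && false !== stripos( $password, $user_login ) ) {
        $problems[] = 'not contain the username';
    }

    // No birth years or similar dates (covers 1900-2099 anywhere in the password).
    if ( preg_match( '/(19|20)[0-9]{2}/', $password ) ) {
        $problems[] = 'not contain a year';
    }

    // Not a common word dressed up with digits and symbols: "Password123!" has
    // every character class but its letters-only core is still "password".
    // Constructed sample list; load a real dictionary in production.
    $common = array( 'password', 'qwerty', 'admin', 'wordpress', 'letmein', 'welcome' );
    $core   = strtolower( preg_replace( '/[^A-Za-z]/', '', $password ) );
    if ( in_array( $core, $common, true ) ) {
        $problems[] = 'not be based on a common password';
    }

    return $problems;
}

/** Adds one error per violated rule to a WP_Error, which blocks the change. */
function wpsec_add_password_errors( WP_Error $errors, $password, $user_login ) {
    foreach ( wpsec_password_problems( $password, $user_login ) as $problem ) {
        $errors->add(
            'wpsec_weak_password',
            sprintf( '<strong>Error</strong>: the password must %s.', esc_html( $problem ) )
        );
    }
}

// Profile screen and "Add New User" in wp-admin: $user->user_pass holds the
// new password only when one was submitted.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $user->user_pass ) ) {
        wpsec_add_password_errors( $errors, $user->user_pass, $user->user_login );
    }
}, 10, 3 );

// "Reset password" form reached from the lost-password e-mail.
// $user is a WP_Error (not a WP_User) when the reset key is invalid.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( $user instanceof WP_User && ! empty( $_POST['pass1'] ) ) {
        wpsec_add_password_errors( $errors, wp_unslash( $_POST['pass1'] ), $user->user_login );
    }
}, 10, 2 );
```

Remember that length does far more for resistance to dictionary attacks than the character-class rules, which mainly stop the "Capital letter, word, digit, symbol" pattern that cracking tools try first; the letters-only core check above is what catches that pattern.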

WordPress Security Tip 5: limit sign-ups and access attempts

First of all, disable self-registration of new users unless it is a feature your website genuinely needs. This greatly limits who can obtain any permissions at all on your site, and adds one more security layer. In Settings -> General, leave the "Anyone can register" box unchecked, and keep the "New User Default Role" at Subscriber in case you ever enable it.


Other measures along the same line are plugins that limit the maximum number of login attempts from the same client, or that require a Google reCAPTCHA every time someone enters the WordPress administration area.
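To show what "limit the maximum number of login attempts" means in practice, here is a minimal lockout implemented with WordPress transients. It is an added example and not code from the article or from any of the plugins it mentions; the wpsec_* names and the limits (5 failures, 15-minute lockout) are ours, and wpsec_client_ip() assumes PHP talks to clients directly, which is not true behind a reverse proxy or CDN.

```php
<?php
/*
 * Added example (not from the original article): per-IP login lockout using
 * transients. functions.php or a mu-plugin.
 */
define( 'WPSEC_MAX_FAILURES', 5 );
define( 'WPSEC_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

/**
 * Client address used as the lockout key.
 * Assumption: no proxy in front of PHP. Behind a reverse proxy or CDN,
 * REMOTE_ADDR is the proxy itself, so every visitor would share one counter
 * and a single attacker could lock everybody out; in that case take the
 * address from the header your proxy sets, and trust it only from the proxy.
 */
function wpsec_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function wpsec_failure_key() {
    // Transient names are limited in length; hash the address to keep it short.
    return 'wpsec_fail_' . md5( wpsec_client_ip() );
}

// Count failures. Each failure renews the window, so an attacker who keeps
// hammering a locked address only extends their own lockout.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = wpsec_failure_key();
    $failures = (int) get_transient( $key ) + 1;
    set_transient( $key, $failures, WPSEC_LOCKOUT_SECONDS );
    error_log( sprintf(
        'wpsec: failed login for "%s" from %s (%d/%d)',
        $username, wpsec_client_ip(), $failures, WPSEC_MAX_FAILURES
    ) );
} );

// Refuse to even check the password once the limit is reached. Priority 5 runs
// before WordPress's own username/password check (priority 20), so a locked
// client learns nothing about whether the credentials were right.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( wpsec_failure_key() ) >= WPSEC_MAX_FAILURES ) {
        return new WP_Error(
            'wpsec_too_many_attempts',
            'Too many failed login attempts from your address. Try again in 15 minutes.'
        );
    }
    return $user;
}, 5, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( wpsec_failure_key() );
} );
```

Note that hiding wp-login.php (Tip 6) does not cover xmlrpc.php, which also accepts username and password; the authenticate filter above runs for XML-RPC logins too, which is one reason to limit attempts at this level rather than only on the login form.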

WordPress Security Tip 6: change the administration URL – MUST

The address of the WordPress administration login is the natural door through which an intruder will try to get in, so it is better if outsiders cannot find where that door is. This is a measure of the kind known as security through obscurity, and it is one more layer of the onion: it does not replace the other measures, but with them already in place, hiding the WordPress login page makes automated attacks against your site considerably less effective. Keep in mind that it hides only the login form; xmlrpc.php and any other authentication path remain where they are.

By default, WordPress accepts logins at the following addresses:

www.wordpress-security.com/wp-login.php
www.wordpress-security.com/wp-admin/ (redirects to wp-login.php when not logged in)

To make brute force tools miss the login form, it is recommended to use a WordPress security plugin that changes the address. The change could also be made by editing PHP files, but that would be overwritten by future WordPress updates.

From among all the available URL change security plugins (iThemes Security, Custom Login URL, etc.), we have selected the WPS Hide Login plugin. It is lightweight, updated and has been validated with the latest versions of WordPress.

Once installed and activated, a section for WPS Hide Login will be enabled on the Settings -> General page. In it we can specify what the new access address will be. By default, this address will be changed to http://www.wordpress-security.com/?login, obviously with your domain.

In addition, you can define a page to which unregistered users who attempt to access the default login page (wp-login.php or wp-admin) will be redirected.

For the access URL, choose a path that is hard for an attacker to guess, such as http://www.wordpress-seguro.com/?admn-77, and keep it somewhere safe (a password manager is ideal). If the WPS Hide Login plugin is deactivated, for example by renaming its folder over FTP, the administration access URL reverts to the WordPress default.

WordPress Security Tip 7: double authentication

Finally, as the icing on the cake of secure access to WordPress, you can enable two-factor authentication, abbreviated 2FA. With it, any user who wants to log in must, in addition to the login and password, prove their identity through a second means, such as a code generated on their mobile phone.

The most common way to add two-factor authentication to WordPress is through a plugin. Among the many available, we show one of the most widely used: Google Authenticator by Henrik Schack. After installing and activating it, go to Users -> Your Profile and generate a new secret and QR code for your website, then scan it with the authenticator app on your phone. Before enabling it on the administrator account, make sure you have another way in (for example SFTP access, which lets you deactivate the plugin by renaming its folder) in case the phone is lost.

