Author’s Note: Secure WordPress is the third chapter of my free ebook, “Create Your Business Website With WordPress.” Each day I will release a chapter from the book onto my site.
With the domain name, web hosting, and SSL certificate in hand, now it’s time to secure WordPress from bad actors like hackers. Unfortunately, it’s too easy for beginners to install WordPress using its default settings, which can leave it vulnerable to a security breach. In this section I will explain how to avoid using the default settings, and the available options to secure the WordPress installation.
Security Starts At The Web Hosting Company
The first place everyone should start when it comes to protecting their website is securing their web hosting account. If hackers are able to get control over it, they can do all types of damage:
- Delete the website.
- Hold the website for ransom.
- Use the account to make additional purchases.
- Send spam mail.
- Use the server to attack other websites.
So how can users protect their web hosting account? Here are a few options:
- Use an original password.
- Enable Two-Factor Authentication (2FA).
- Keep the number of admins to a minimum.
An original password is one a person hasn’t used on any other website. The reason reusing a password lowers security is that hackers have access to password lists from previous security breaches. They try these credentials at other websites hoping to get access to the accounts there. Unfortunately, this often works because too many people reuse the same username and password.
A great way to develop an original password is to use a password manager. I use 1Password, which not only saves and manages my passwords, but also generates an original password at the click of a button. While I highly recommend 1Password I understand that some people may not have the money to purchase it. In that case I suggest using Bitwarden as it’s free.
The web hosting company should have the ability to enable two-factor authentication (2FA) on the account. This adds another layer of protection because if a hacker happens to steal the user’s credentials, that hacker still wouldn’t be able to log into the account, because 2FA requires a code. And that code changes constantly. There are several types of 2FA methods, such as SMS text messages, authenticator apps, and security keys.
Let’s review the pros and cons of each 2FA method.
SMS text message is commonly used by many companies because it works on both dumb and smart phones. Plus, SMS doesn’t require a data plan, which helps individuals with limited income who may only have a text-and-talk cell phone plan. Unfortunately, SMS text message is a basic form of 2FA protection and SIM swapping can defeat it.
SIM swapping is when a fraudster contacts a mobile phone company pretending to be the customer. The criminal hopes to trick the phone representative into activating a SIM card the fraudster has. If that happens then the bad actor has access to the customer’s phone number, and all phone calls and texts come to the fraudster’s phone, including any 2FA SMS text messages.
With that information the bad actor can successfully log into the customer’s account on a particular website. A good way to protect against SIM swapping is to place a PIN code on file with the mobile phone provider. If any major changes must happen to the account, the representative will need the PIN code to proceed.
I recommend only using SMS text message as a 2FA method if there is no other option available.
A better option than text messages is an authenticator app like Authy or Google Authenticator. Both are free apps for iOS and Android. Once a person enables and configures the app on their account, that person will have to provide the code displayed in the app to successfully log in. That code changes constantly, so bad actors can’t look over someone’s shoulder and reuse the code later.
While I do use authenticator apps myself, they are vulnerable to SIM swapping just like SMS text messages. Yet, I recommend people use them because Authy and Google Authenticator work well.
The best 2FA protection is a security key. Two popular brands are YubiKey and Titan Security Key. Usually large corporations invest in security keys because they offer the best protection. However, they aren’t so expensive that regular people or small business owners can’t afford them. The YubiKey starts at $25 and the Titan Security Key starts at $30. While some people say you can’t put a price on security, it’s also true that money is finite. So it’s always best to choose the best return on investment. And a security key does just that.
The only downside to these, however, is that some web hosting companies may not offer the ability for their customers to register a security key to their account. It’s best to check before purchasing one.
The final security move to protect the web hosting account is to keep the number of admins to a minimum. Administrators have full access to the hosting account, which allows them to make additional purchases or delete websites. That’s why bad actors seek to hack those accounts. Yet, when I provided web hosting technical support I would see business owners create admin accounts for their web developer all the time.
Instead of creating additional admin accounts business owners should create the least privileged account needed for a person to accomplish their task. To determine what role to give to that account I suggest also checking with technical support. Those representatives will help determine the proper role given the requirements, while helping to keep the web hosting account secure.
Lastly, never allow multiple people to use one account. This doesn’t allow for accountability, which can become an issue if there is a security breach in the future.
Security on the website’s WordPress installation requires additional steps outside of securing the web hosting account. Users should complete some of these steps while installing WordPress onto their website, while others can be done after installation. However, I suggest not delaying the additional security features. Here are the actions to take:
- Avoid use of the default admin credentials.
- Install a Web Application Firewall (WAF) and enable 2FA.
- Change the default WordPress login website address.
- Enable admin account login email notifications.
This step to secure WordPress must be done while installing WordPress onto the website because that is the only opportunity to avoid using the default admin username.
Like many software applications, WordPress provides users with a default username for easy login access. That default username is “admin.” While this improves the ease of use, it also creates a security issue because hackers already know many users choose the “admin” username.
Instead of using “admin” the user should delete it from the text box and type in a new username. Do not use one of the following:
These are well known to hackers too. So what username can an individual use instead? Here are some options I recommend:
- A combination of the person’s first and last name.
- The person’s nickname.
- A person’s name and title.
This step to secure WordPress can be done after installing WordPress, or during the installation process. The latter is possible because some automated installation scripts allow plugins to be installed during setup.
A Web Application Firewall (WAF) is software that protects a website from malicious traffic by filtering those requests. One I use and recommend is Wordfence. The plugin has a Free and a Premium version. The major difference between the two is the Premium version provides priority technical support and the latest malware protection updates. The Free version receives those updates after 30 days. Yet, that delay shouldn’t keep users from installing the plugin. However, if the website handles sensitive data I recommend purchasing Wordfence Premium.
Now Wordfence isn’t just a WAF. It provides a malware scanner and login brute force protection to name a couple of features. Finally, the plugin provides 2FA. And users should enable that feature immediately.
This step to secure WordPress should be done after installing WordPress. Just like the default “admin” username, the software has a default login website address: wp-login.php. One can also use the “/wp-admin/” address to log in.
The reason I suggest not using these addresses is that hackers know about them and will try to hack into the site via brute force. I use a plugin (Change wp-admin login) to change the login address to one only I know. The plugin also has a setting to choose what happens when a person accesses the default login address. I configured the setting to send the visitor to my website’s homepage.
This step to secure WordPress can be done after installing WordPress and Wordfence. There is a setting in the Wordfence plugin that allows for email notifications when certain users log into WordPress. By default it does so for the Admin role. The email notifications will contain the following information:
- The website’s name.
- Date and time of the login.
- The account’s username.
- IP address of the user.
- The user’s ISP hostname.
- The user’s location.
If any of the information in the email appears suspicious the owner can take action immediately. For added security one can enable a setting in Wordfence to receive email notifications whenever someone unsuccessfully logs in. If the site’s owner receives many notifications about unsuccessful logins in a short period of time, that means a bad actor is currently attacking the site. From there the owner can take decisive action.
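The “many failed logins in a short period” signal above can be checked mechanically rather than by eyeballing an inbox. The following is an added example (not code from the chapter or from Wordfence): it takes failed-login events with the time, username and IP fields the notification emails contain, and flags any source IP that reaches a threshold of failures inside a sliding time window. The event list is a constructed sample, and the threshold and window are assumed values the site owner would tune.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed-login events (time, username, source IP), modelled on
# the fields in Wordfence's login-notification emails. Addresses are documentation
# ranges, not real attackers.
SAMPLE_EVENTS = [
    ("2024-05-01 10:00:01", "admin", "203.0.113.7"),
    ("2024-05-01 10:00:03", "admin", "203.0.113.7"),
    ("2024-05-01 10:00:05", "administrator", "203.0.113.7"),
    ("2024-05-01 10:00:08", "editor", "203.0.113.7"),
    ("2024-05-01 10:00:11", "admin", "203.0.113.7"),
    ("2024-05-01 10:30:00", "jane.doe", "198.51.100.20"),  # one typo by a real user
    ("2024-05-01 11:15:00", "jane.doe", "198.51.100.20"),  # another, 45 minutes later
]


def find_bruteforce_sources(events, threshold=5, window_seconds=60):
    """Return {ip: time_threshold_was_first_reached} for every source IP with at
    least `threshold` failed logins inside any `window_seconds` span.
    Uses a sliding window per IP; events must be in chronological order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for ts_text, _username, ip in events:
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def usernames_tried(events, ip):
    """Distinct usernames attempted from one IP. Seeing 'admin' here is exactly why
    the chapter tells you not to keep the default username."""
    return sorted({user for _ts, user, src in events if src == ip})


if __name__ == "__main__":
    for ip, when in find_bruteforce_sources(SAMPLE_EVENTS).items():
        print(f"{ip} reached the failure threshold at {when}; usernames tried: "
              f"{', '.join(usernames_tried(SAMPLE_EVENTS, ip))}")
```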