WordPress security: 6 ways to harden your WordPress installation

Crank it up
Archive Product Disclaimer

This content is outdated and currently under review for accuracy. For the latest up-to-date product information please visit godaddy.com

The last year has been a tough one for WordPress security, with the core platform, themes and plugins all being attacked and, in some instances, compromised. It’s simply a matter of popularity. If a hacker is going to deploy scripts or attempt to break into a site, their time is best spent working on the most popular platform.

Puzzle graphic to illustrate different elements of WordPress security

There are six major areas of focus as you look at keeping your WordPress site secure:

  1. Where your domain is hosted and how secure your domain account is.
  2. Where your site is hosted and how secure your hosting platform is.
  3. What version of WordPress you’re operating.
  4. How secure your theme is and whether any updates are necessary.
  5. How secure your plugins are and whether updates are necessary.
  6. How safe your user credentials are and how you’re monitoring access.

Also check out “Keeping Your WordPress Site Secure” and “Securing and Protecting Your WordPress Site” for more information.

Domain security

A simple way for hackers to take over your site is to acquire your domain and point it to servers under their control. This bypasses any hosting or WordPress security features that you’ve enabled.

Enabling two-step authentication is a great way to help enhance your domain security. This requires that you first enter a login and password, and then enter a code sent to your mobile device. In other words, someone who doesn’t have access to your phone cannot log in to your account simply by obtaining your credentials or guessing your password.

Contact your domain registrar about enabling two-step authentication. If you registered your domain through GoDaddy, here’s how to enable two-step authentication on your GoDaddy Account. By default, any GoDaddy domain is locked. This means someone cannot make domain changes or transfer your domain without you being alerted first.

Hosting security

Utilizing a reputable host is important to ensure your hosting company is not at risk. Additionally, reputable hosts ensure that tools for file transfer are secured.

If you have the option to modify ports and use strong passwords, make those passwords as strong as possible: use upper case, lower case, numbers and symbols, and make the password as long as you can.

You may wish to use a desktop password manager to manage your logins and passwords to ensure you use strong passwords. Password managers allow you to use exceptionally strong passwords without needing to remember them. You simply remember your password manager credentials to access any of your saved logins and passwords.

WordPress security

You should feel at ease that there are caring companies and security experts testing WordPress security issues and immediately reporting their findings to the WordPress project’s security team. The WordPress community has been responsive in thoughtfully releasing updates to any WordPress security issues as they have been identified.

However, just because WordPress publishes a release to WordPress core doesn’t mean you know about it. You can monitor WordPress’s security archive for updates, or you can create a profile at WordPress.org and subscribe to WordPress Development News for security updates. (Do note that one of the primary benefits of GoDaddy Managed WordPress is that updates to WordPress core are automatically applied for customers as the patches and updates become available.)

There are also steps you can take to harden WordPress, available through the WordPress site. These steps aren’t often necessary if you’re with a reputable host, but you might wish to double-check them or find a professional who can.

Security plugins can also help you keep WordPress secure.

WordPress theme and plugin security

Themes and plugins are only as secure as the developer who’s written them. It’s imperative that you review the developer’s history and ensure the theme or plugin is actively supported, typically indicated by recent version updates. If you’re purchasing a theme or plugin from a third party, you must ensure it’s reputable. If a plugin is published within the WordPress repository, it’s already been reviewed by the WordPress staff.

Security plugins can also help you keep WordPress themes and plugins safe. Many will alert you or even update automatically depending on the settings applied. (Keep reading for more information about the most popular plugins.)
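The version checks described for WordPress core, themes and plugins can be scripted. The sketch below is an added example, not code from the original article or from the WordPress project: it reads the installed versions from a WordPress directory tree and lists what is behind a reference list. The file layout is that of a standard install; the sample tree, the component names and the reference versions are constructed.

```python
import re, tempfile
from pathlib import Path

CORE_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
HEADER_RE = re.compile(r"^[ \t/*#]*Version:\s*(\S+)", re.M | re.I)

def vkey(version):
    """'6.4.0' -> (6, 4): numeric parts only, trailing '.0' groups dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", re.sub(r"(\.0+)+$", "", version)))

def header_version(path):
    """Version from the comment header WordPress reads (first 8 KiB of the file)."""
    m = HEADER_RE.search(path.read_text(errors="replace")[:8192])
    return m.group(1) if m else None

def inventory(wp_root):
    """Map 'core', 'plugin:<dir>', 'theme:<dir>' to versions (single-file plugins skipped)."""
    root = Path(wp_root)
    m = CORE_RE.search((root / "wp-includes/version.php").read_text())
    found = {"core": m.group(1) if m else None}
    for d in sorted(p for p in (root / "wp-content/plugins").iterdir() if p.is_dir()):
        heads = (header_version(f) for f in sorted(d.glob("*.php")))
        found[f"plugin:{d.name}"] = next((v for v in heads if v), None)
    for css in sorted((root / "wp-content/themes").glob("*/style.css")):
        found[f"theme:{css.parent.name}"] = header_version(css)
    return found

def outdated(found, latest):
    """Components older than the reference version, or with no readable version."""
    return {name: (have, latest[name]) for name, have in found.items()
            if name in latest and (have is None or vkey(have) < vkey(latest[name]))}

def build_sample(root):
    """Constructed sample tree; every name and version here is made up."""
    files = {
        "wp-includes/version.php": "<?php\n$wp_version = '6.1.0';\n",
        "wp-content/plugins/demo-forms/demo-forms.php":
            "<?php\n/*\n * Plugin Name: Demo Forms\n * Version: 2.3.1\n */\n",
        "wp-content/themes/demo/style.css": "/*\nTheme Name: Demo\nVersion: 1.4\n*/\n",
    }
    for rel, text in files.items():
        (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
        (Path(root) / rel).write_text(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        reference = {"core": "6.1.1", "plugin:demo-forms": "2.3.1", "theme:demo": "1.4.2"}
        print(outdated(inventory(tmp), reference))
```

A component that appears in the reference list but has no readable version header is reported as well, since an unreadable version cannot be confirmed as current.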

User security

WordPress offers two-step authentication plugins that let you require it for your users. WordPress also offers plugins that require users to have strong passwords, expire them periodically, or integrate with services like Google Authenticator or social login services.

By adding a third-party integration, you’re depending on the third party to keep your site safe, but keep in mind that many of those third parties have sophisticated resources for security monitoring.

WordPress often loads a default admin login that’s one of the easiest targets for brute-force password attacks. Add a new administrative user and remove the default admin user.
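Brute-force attempts against the login page leave a recognisable trace in the web server access log. The following added example (not from the original article) counts failed posts to wp-login.php per client in a sliding window. It assumes Combined Log Format and the default WordPress behaviour of answering a failed login with 200 and a successful one with a 302 redirect; the threshold, the window and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def failed_logins(lines):
    """Yield (time, ip) for POSTs to wp-login.php that were answered with 200.
    Assumption: a successful login redirects (302), a failed one re-shows the form."""
    for line in lines:
        m = LINE_RE.match(line)
        if (m and m["method"] == "POST" and m["status"] == "200"
                and m["path"].split("?")[0].endswith("/wp-login.php")):
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]

def brute_force_sources(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak} for clients with >= threshold failures inside one window."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for ts, ip in sorted(failed_logins(lines)):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def sample_log():
    """Constructed log lines using documentation IP ranges; not from a real site."""
    fmt = '{ip} - - [10/Mar/2024:09:{m:02d}:{s:02d} +0000] "{req} HTTP/1.1" {st} 512'
    post = "POST /wp-login.php"
    # Eight failures within 14 seconds from one client.
    lines = [fmt.format(ip="203.0.113.7", m=15, s=2 * i, req=post, st=200)
             for i in range(8)]
    # Four mistyped passwords spread over 15 minutes, then a successful login.
    lines += [fmt.format(ip="198.51.100.4", m=5 * i, s=0, req=post, st=200)
              for i in range(4)]
    lines.append(fmt.format(ip="198.51.100.4", m=20, s=0, req=post, st=302))
    # Merely viewing the login form is not a failure.
    lines.append(fmt.format(ip="192.0.2.9", m=16, s=0, req="GET /wp-login.php", st=200))
    return lines

if __name__ == "__main__":
    print(brute_force_sources(sample_log()))
```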

WordPress security plugins

The major security plugin offerings out on the market focus on auditing, hardening, malware scanning, and post-hack repairing:

Auditing provides logging and alerts for any routine or irregular behavior in accessing your site or files.

Hardening provides tips and automated tools to lock down your WordPress instance.

Malware scanning offers the ability to find hacks and vulnerabilities before they do any harm.

Post-hack repairing provides scripts that remove common hacks or reverse the results of a hack.

The four most popular security plugins available for WordPress are:

For a side-by-side feature comparison table of each of these offerings, be sure to read the comprehensive analysis at Research as a Hobby, where each plugin or solution is analyzed based on price, overall protection, monitoring, scanning, post-hack repair, user-friendliness as well as an overall score. The platforms with the highest ratings are often paid solutions — which could be a great investment in the long run!

Image by: Fashismo Mike via Compfight cc

Bryant Tutterow
Bryant brings over 18 years of business acumen to DK New Media focused on strategic marketing and e-commerce. He has more than a decade of P&L responsibility, leading in-house marketing organizations at Fortune 500 companies and building three separate marketing departments from the ground up into world-class teams of as many as 14 people. As the Chief Marketing Officer for DK New Media, he provides overall strategic direction for marketing and e-commerce while leading business development of all strategic advisory and measured marketing services.