Secure your WordPress Website Before the Weekend – 5 Simple Steps in 30 Minutes
How to get a more secure WordPress website in just 30 minutes.
I'm embarrassed to admit that I once had three WordPress websites hacked. Three of them. And all on the same day.
My mother-in-law called to let me know.
“Why is our granddaughter’s photo site not working?” she asked, “There’s a strange message there.”
The strange message she saw was in support of a free Saharan republic.
Source: A customer's hacked website from a few years ago
Neither their method of publicity-seeking nor their interruption of my customer's businesses endeared me to their cause. So I took down the message and cleaned up the sites.
“Cleaned up the sites” makes it sound simple.
It took me days to get things back to normal, even with backups.
Two of the sites belonged to customers of mine. These were customers who had done nothing to secure their websites.
And, I’m ashamed to admit, there was also my site. I had also done nothing to secure my own website. I thought “no-one’s looking at this site so it doesn’t matter!”
A Pipe Dream
I used to dream of a day when I could wake up secure in the knowledge that all my customers’ WordPress websites were completely hacker-proof, impervious to all but the most determined attack by a ruthless organisation, perhaps one that Anonymous wish they might be.
Years of experience tell me that such a state is impossible in today’s world. This is in part due to the very nature of WordPress and websites in general:
- the code is visible to anyone who wants to look (right-click in your browser and select view source or similar)
- most of the software used is free, which is a good thing, so …
- the problems in the software are public knowledge, which is not such a good thing, because people will NOT always do the work they should to keep things safe, such as updating regularly. This is definitely a bad thing.
But it’s human nature to take the easy path after all.
Well, here’s an easy routine to make you feel instantly safer. How do I know this is what you need? Because most hacked sites are either outdated or otherwise making it really easy for the hackers.
This routine is easy because:
- Anyone can do it
- Each step takes about 5 minutes or less
- Everything you need is FREE, as in beer, software or however Mr. Stallman wants to sing it.
So, want a more secure WP website 30 minutes from now? Read on ...
A Warning - Be Among the 3%
97% of people will just read this information and do nothing else.
Information is only “potential” power. It must be put to use.
Be one of the 3% who take action on each step of this guide and reap the benefits of experience.
The 5 steps to a more secure WordPress website
I don’t in any way want to trivialise the whole complex topic of website security but you really can drastically improve your own site security just by following this step-by-step guide.*
You can’t be too secure, right?
For this article let’s assume your WordPress website is at http://justforthispost.com
Step 1. Back Up
Do I really need to spell this one out?
Before you ever do anything to your website back up your site files and your database. If anything goes wrong you can simply restore instead of pulling your hair out.
I would love to leave it there for backups but of course some of you won’t have this step covered.
Most hosting providers will have a feature allowing you to back up and/or download your WordPress website files and database. Unfortunately you cannot rely on these alone, and hosting providers will deny all responsibility when it comes to providing backups for you.
If you’ve already got my free WordPress website maintenance email course then you have all the info you need about how to do backups.
If you don’t have the free course, you can get it here now.
OR just use a plugin like the free version of UpdraftPlus:
The 5-minute steps
- Install the plugin as you would any other. (If you don’t know how to install a plugin then see this article from WPBeginner.)
- Once the plugin is activated, select the Settings menu, then UpdraftPlus Backups
- Select the schedule for your backups.
Files refers to the actual files of your WordPress installation. These files contain all the code needed to run your website and includes your theme and plugins.
Database refers to the underlying database being used for this installation and is where all your site’s posts, pages, users etc. are stored.
- Select where you want to save the backups.
As you can see there is a wide choice here, from Dropbox, Google Drive or an FTP server to something as simple as having it emailed to you; the latter should only be used if your site isn't very big. Note that some of these options, like UpdraftPlus Vault, will require payment.
- Scroll to the foot of the page and click Save Changes.
And that’s it for backups.
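For readers who would rather script the same two backups (files plus database) from a shell or a cron job instead of a plugin, here is an added example. It is not code from the original post or from UpdraftPlus. It assumes the WordPress directory path and a writable backup directory are passed as arguments, that `mysqldump` is installed for the database part, and that DB_HOST in wp-config.php is a plain host or host:port (not a socket path). The script reads the database credentials from wp-config.php itself, so nothing has to be copied into the script:

```shell
#!/bin/sh
# Added example (not from the original post): file + database backup for a
# WordPress install, the command-line equivalent of the UpdraftPlus steps.
# Assumptions: $1 is the WordPress root, $2 a writable backup directory,
# mysqldump is installed, and DB_HOST is "host" or "host:port".
set -eu

# Read a define('KEY', 'value') constant out of wp-config.php. Accepts
# either quote style and optional spaces; a value containing a quote or
# ')' is outside what this simple pattern handles.
wp_config_value() {
    # $1 = path to wp-config.php, $2 = constant name
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Archive the site files (wp-config.php, themes, plugins, uploads).
backup_files() {
    # $1 = WordPress root, $2 = backup directory, $3 = timestamp label
    tar -czf "$2/files-$3.tar.gz" -C "$(dirname "$1")" "$(basename "$1")"
    printf '%s\n' "$2/files-$3.tar.gz"
}

# Dump the database using the credentials WordPress itself uses.
backup_db() {
    # $1 = WordPress root, $2 = backup directory, $3 = timestamp label
    cfg="$1/wp-config.php"
    db_name=$(wp_config_value "$cfg" DB_NAME)
    db_user=$(wp_config_value "$cfg" DB_USER)
    db_pass=$(wp_config_value "$cfg" DB_PASSWORD)
    db_host=$(wp_config_value "$cfg" DB_HOST)
    host=${db_host%%:*}
    port=${db_host#*:}
    [ "$port" = "$db_host" ] && port=3306      # no ":port" suffix given
    # MYSQL_PWD keeps the password out of the process list that --password= would expose.
    MYSQL_PWD="$db_pass" mysqldump --single-transaction -h "$host" -P "$port" -u "$db_user" "$db_name" \
        | gzip > "$2/db-$3.sql.gz"
    printf '%s\n' "$2/db-$3.sql.gz"
}

# A backup you have never listed is a backup you cannot trust: succeed only
# if wp-config.php actually made it into the archive.
verify_files_backup() {
    # $1 = archive path
    tar -tzf "$1" | grep -q '/wp-config\.php$'
}

# Usage: ./wp-backup.sh /var/www/justforthispost.com /backups
main() {
    wp_root=$1; backup_dir=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$backup_dir"
    archive=$(backup_files "$wp_root" "$backup_dir" "$stamp")
    verify_files_backup "$archive"
    backup_db "$wp_root" "$backup_dir" "$stamp"
}

if [ $# -eq 2 ]; then
    main "$@"
fi
```

Keep the backup directory outside the web root (a backup served from `/wp-content/` hands your database to anyone who guesses the file name), and copy the archives off the server afterwards, exactly as the plugin's remote-storage choice does.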
(Note that our service here at WPStrands includes various backup schedules as well as automatic WordPress updates, security scans and much more. Take a look at our offerings and costs here.)
Step 2. Update
The next step is to make sure your WordPress installation has all the latest software updates. This helps to plug any security problems found since the last release and makes sure your site has all the latest and greatest features.
The 5-minute Steps
- Log on to your website via http://justforthispost.com/wp-admin
- To check all available updates at once click the Update menu item.
You'll be taken to a page where all WordPress, Plugin and Theme updates are listed. Click Update buttons wherever you see them on this Updates page and you’re done!
- If you want to check around for the updates yourself, there will be a notice at the top of the page saying something like “WordPress version 4.6.1 is available. Update now”
- Click Update Now and the WordPress files will be updated. If you've been regularly updating then the process will usually be smooth and pain-free.
- If there are updates for any of your Plugins you’ll see a small red circle beside Plugins in the menu on the left. This tells you how many plugins have updates available.
- Again, click through to see what will be updated, or just click Update All.
Step 3. Make it hard work for the bad robots
This is where you'll set your site apart from the majority of the WordPress installations out there.
Change your Administrator username
WordPress hackers know the inner workings of WordPress very well and they know the default administrator username is admin. Thus they automatically have half of your username/password combination.
Unless they don’t! By being sneaky and changing the administrator username to something non-standard you’ll make it much harder for the bad guys to guess your login by brute force.
This advice from WordPress founder Matt Mullenweg from several years ago is still sound today.
Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password … and of course make sure you’re up-to-date on the latest version of WordPress.
Do this and you’ll be ahead of 99% of sites out there and probably never have a problem.
The 5-minute Steps
- Click on Users in your Dashboard menu
- Make a new administrator user: click Add New and enter a new administrator username that’s not easily guessed, something like “altadmin”. But you’ll pick a much better name, right?
You’ll need to provide an email address (one that’s not used for this site already – can be changed later) and a password (can also be changed later)
- Make sure you select Role: Administrator for this new user.
- Now hover your mouse over the default administrator account and select Delete.
Before being deleted WordPress will ask what to do with Posts and Pages created by this user, if any.
Usually you’ll want to keep them so select “Attribute all content to:” and select the new administrator user you’ve just created (or another user if you prefer)
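The same replace-the-admin-account procedure can be done from the command line with WP-CLI, which is handy when you look after several sites. The following is an added example, not code from the original post or from the WP-CLI project. It assumes `wp` is installed and run from the WordPress root, that the new password is supplied in the `WP_NEW_PASS` environment variable, and it adds one check the dashboard does not do for you: it refuses replacement names that brute-force tools try first (a constructed denylist plus the site's own domain label, since "justforthispost" is the next guess after "admin").

```shell
#!/bin/sh
# Added example (not from the original post): the "replace the admin user"
# step done with WP-CLI, with a check that the new name is not a common guess.
# Assumptions: "wp" is installed and run from the WordPress root; the new
# user's password is in $WP_NEW_PASS (keeps it out of shell history).
set -eu

# Return 0 (weak) for names attackers guess by default: "admin"-style names,
# the site's own domain label, and anything too short. $1 = candidate
# username, $2 = site host name (e.g. justforthispost.com).
is_weak_admin_name() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    label=$(printf '%s' "${2%%.*}" | tr 'A-Z' 'a-z')   # "justforthispost"
    case "$name" in
        admin|administrator|root|test|user|wordpress|wp|wpadmin|webmaster|"$label"|"$label"admin)
            return 0 ;;                                 # constructed denylist hit
    esac
    [ ${#name} -lt 6 ] && return 0                      # too short to resist guessing
    return 1                                            # acceptable
}

# Create the replacement administrator, then delete "admin" and hand its
# content to the new account (the dashboard's "Attribute all content to").
# $1 = new username, $2 = email, $3 = site host name
replace_admin_user() {
    if is_weak_admin_name "$1" "$3"; then
        echo "refusing: '$1' is an easily guessed username" >&2
        return 1
    fi
    # --porcelain prints only the new user's ID, which --reassign needs below
    new_id=$(wp user create "$1" "$2" --role=administrator --user_pass="$WP_NEW_PASS" --porcelain)
    wp user delete admin --reassign="$new_id" --yes
    # Confirm that no account is still called "admin"
    if wp user list --field=user_login | grep -qx admin; then
        echo "an account named admin still exists" >&2
        return 1
    fi
    return 0
}

# Usage: WP_NEW_PASS='...' ./replace-admin.sh altadmin you@example.com justforthispost.com
if [ $# -eq 3 ]; then
    replace_admin_user "$@"
fi
```

If you do it through the dashboard instead, log out and back in as the new administrator before deleting the old one: WordPress will not let you delete the account you are currently logged in with.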
Hide the login form
You can also assume that those knowledgeable WordPress hackers also know where to go to login to your WordPress website – http://justforthispost.com/wp-admin right?
So, again, you can get sneaky and change the address of this page to further thwart the hackers and robots that will try to log on automatically. The simplest way to do this is with a little unobtrusive plugin called WPS Hide Login. Install according to the instructions and in the settings enter whatever you want to name the new login page, e.g. "newlogin". But again, pick a better name.
Now to log on to your site you'll go to http://justforthispost.com/newlogin instead of http://justforthispost.com/wp-admin and the bad guys won't even be able to find your site's front door.
Step 3. Run a scan
Now you’re up to date and safe from most automated hacker attacks. We’re getting there and we’re just 10 minutes in!
In this step we’ll scan all the files in your website to check if there are any known viruses or other malicious code in them.
The 1-minute step
Go to https://sitecheck.sucuri.net and enter your website URL, http://justforthispost.com for our example.
Sucuri will scan all of your website files against many different databases including those from Google, McAfee and Norton, to name a few.
Of course, there are other ways to scan your site but Sucuri is extremely well-respected in the security field and on top of the WordPress security landscape.
So, assuming your site gets the green light it’s time to move on to the last stretch.
(If you didn’t get the all-clear during this scan then you will most likely need the services of a professional to clean up your website. You can send us a message including your site URL and we'll take a look for you.)
Step 4. Install Intrusion Detection
This is where we’ll get really serious but don’t worry, it’s all very non-technical – just follow the steps below and all will be well.
Hackers will frequently use programs called bots to repeatedly attempt a login to your website. Usually these attempts will fail many times because the program guesses a bad password or username. This is called a brute force attack – much more common than you might presume – and so it’s best to automatically block those login attempts for a defined period of time.
In this step we'll install a plugin which will alert you whenever someone tries to log in to your website and fails multiple times.
Again, there are many plugins to choose from but I'll recommend Wordfence because of its nice balance of features and ease-of-use, its maturity and its widespread adoption by the WordPress community. After you use it for this step you can also further configure its many features to add even more security to your WordPress website, such as installing a website firewall!
It’s also free, of course.
The 5-minute steps
Install the plugin according to the developers’ instructions.
- Install the Wordfence plugin as you would any plugin. You know how to do this by now.
- Go to the Wordfence options page. Click the Wordfence menu, then Options.
- Under Basic Options, make sure the checkbox at Enable Login Security is ticked.
- Scroll down to the Login Security Options section. Set the Lock out after how many login failures number to block login attempts after a certain number of failures. The default of 20 should be fine.
Now, whenever someone tries unsuccessfully to log in to your site over and over again they will be blocked from accessing the login page after 20 attempts.
Coupled with hiding the login page in Step 3 above, this will hugely reduce the problems you have with repeated login attempts from hackers.
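To see what the lockout setting is reacting to, here is an added example (not code from the original post or from Wordfence) that counts failed login attempts per client address in an ordinary web-server access log. It assumes the log is in the common "combined" format and uses a heuristic: a failed WordPress login re-renders the form with HTTP 200, while a successful one redirects (302) into wp-admin. The sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): count POSTs to wp-login.php
# per client IP, the brute-force pattern Wordfence's "lock out after N
# failures" setting blocks. Heuristic assumption: a failed login answers
# with 200 (form shown again), a successful one with 302 (redirect).
set -eu

# Constructed sample in Apache/Nginx "combined" log format (not a real log).
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2016:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3945 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3945 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3945 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2016:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3945 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2016:09:00:06 +0000] "GET /wp-admin/ HTTP/1.1" 200 12034 "-" "Mozilla/5.0"'

# Print "count ip" for every client whose failed login POSTs reach the
# threshold, busiest first. $1 = threshold (Wordfence's default is 20),
# access log on stdin. Field 6 is the method, 7 the path, 9 the status.
failed_logins_over() {
    awk -v limit="$1" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }
    ' | sort -rn
}

# Usage: ./login-fails.sh 20 < /var/log/nginx/access.log
if [ $# -eq 1 ]; then
    failed_logins_over "$1"
else
    # Demo on the constructed sample with a low threshold
    printf '%s\n' "$SAMPLE_LOG" | failed_logins_over 3
fi
```

On the sample, the address 203.0.113.7 is reported with four failures and the one successful login from 198.51.100.4 is not. Treat the output as a list to investigate rather than block blindly: an office or mobile carrier behind one NAT address can produce the same pattern from several real users, which is also why Wordfence's default of 20 is reasonable rather than 3.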
Step 5. Put your Feet up
Thought you had more work to do? Nope, take a break and apply a grin – you’re now more secure than the vaaassst majority of WordPress websites out there.
Congratulate yourself for taking action!
If you actually took action on each of these steps you now have a website that is much safer than it was 30 minutes ago.
You can feel safe instead of afraid, confident instead of doubtful, calm instead of panicked.
You can go further by configuring a robust security plugin like Wordfence, but of course that would take more than 30 minutes and make the title of this post inaccurate!
Do you have any tips of your own to share? Have you tried ours? Tell us more in the comments.
No website can be guaranteed 100% secure. Your website host, software and bad luck are all elements of your setup and the best plan is to have regular updates and backups and to plan for when you might need them.
This guide is just that - a guide - and WPStrands cannot be held responsible for any problems you have with your website as a result of following the advice in this guide.
But if you do encounter problems, we will certainly try to help - just contact us.