Locking Down WordPress

By: Steven J. Vaughan-Nichols

Securing WordPress is a nonstop job, but if you do it right — from the start — and use the right plugins you can make it much easier.

What’s the single most popular Website content management system (CMS) of them all? If you said, WordPress, you’d be right. Today, WordPress runs 27.2% of all Websites. It’s easy to see why. WordPress is easy to install and it’s easier still to deploy Websites on it. Securing it though, that’s another kettle of fish.

WordPress is aware of this and they’re taking steps to make sure that WordPress out-of-the-box is as secure as possible. For example, Matt Mullenweg, WordPress’s founder, recently announced that in 2017 WordPress servers must be running HTTPS.

The easiest and cheapest way to do that is to use Let’s Encrypt. This Linux Foundation project operates as a certificate authority (CA). It provides free digital certificates to enable HTTPS (SSL/TLS) for your Website. For its part, Linode provides easy how-to documentation, so you can lock your site down.

Because it’s so popular, WordPress installations are often attacked. My own site averages several dozen attacks a day. That’s why, more so than most programs, you must update it frequently. It’s best to set your server to automatically update WordPress and your other security-critical programs.

You should also only use themes and plugins from trusted sources. Personally, unless I’m working directly with a developer, I wouldn’t use any theme or plugin that isn’t part of the official WordPress system.

If you get them from other sources, odds are they’ll have malware hidden within them. Never forget that both are programs. Themes are written in PHP, HTML and WordPress template tags, while plugins are written in PHP. In both cases, there’s plenty of room for a malicious programmer to hide nasty traps for the unwary.

That’s also why you must — I repeat, MUST! — update your themes and plugins as well. Again, they’re not simple webpages and functions, they’re code and they can have holes in them like any other program.

You should also harden every WordPress website using tools outside of WordPress proper. For example, you should password protect your directories.

In WordPress’s case, you’ll always want to lock down the /wp-admin/ folder. An easy way to do that, if you’re using Apache, is to use HTTP Authentication. You can use similar methods to protect directories under NGINX.

Another easy way to protect your WordPress installation is to disable PHP execution in your /wp-includes/ folder and /wp-content/uploads/ folders. Hackers love to plant corrupt PHP files in these directories. To prevent such attacks from taking hold, simply place a .htaccess file in each directory, which contains the following code:

<Files *.php> deny from all </Files>

That’s all there is to it.

You should also avoid using WordPress’ default administrator user-name “admin.” That’s because if you do, you’re just making life easier for any would be hacker. That is, they already know the root user-name, now all they need to do is work out your password.

Consequently, you must also use a strong password. There are WordPress brute-force passwords out there that can crack common English word passwords in less time than it takes you to get up and get a cup of coffee.

What makes a good password? Well, it’s not a random combination of numbers and mixed-case letters between 14 and 19 characters and includes a food emoji. You’ll never remember that!

Instead, I’m fond of using nonsense phrases that are human readable, but unlikely to be guessed. For example, “Cubs4theWinter!Cardinals?Lusers!” Or “Volt!Amp!Tesla!Edison?” are easy for me to recall and are unlikely to be broken.

These basic security methods are a good start, but you need to more. That’s where the plugins come in. Many of these duplicate each other’s functionality so you won’t need more than one or two of them. I’ve used all of these at one time or another and I’ve done well by them.

My favorite is the the ever-popular WordFence. This easy-to-use program scans all your core, theme and plugins files for malware and supplies a wide-variety of other security features.

Perhaps the best of these is an application firewall, which automatically updates its rules to address the latest threats. It also includes simple, Distributed Denial of Service (DDoS) attack mediation tools and traffic monitoring tools.

The premium version of WordFence costs, at most, $8.25 per month with significant discounts on multiyear and multilicense purchases. If you wanted to get just one WordPress security program, WordFence is the one.

Similar programs worth checking out include Ithemes Security, This program, formerly WP Security, is another do-it-all WordPress security plugin. Sucuri Security is also excellent and comes backed by a security company, Sucuri, that can help you bring dead websites back to life. It also has excellent log-analysis features. Prices vary, but they’re all in the same ballpark.

Finally, if you allow comments on your site, you must use Akismet. This is the best anti-spam comment program out there. And, since spam can often conceal links to malware, I consider it to be a security must.

So, armed with this information, you should now be ready to set up your WordPress site, or defend your live one, with an excellent chance of keeping it safe from attackers. Good luck!

Please feel free to share below any comments or insights about your experience using WordPress plugins and locking down your webpage. And if you found this blog useful, consider sharing it through social media.