A Guide to WordPress Security

With a robust ecosystem of thousands upon thousands of plugins and millions of users, WordPress is immensely popular. In fact, nearly 40 percent of all websites on the internet run on some form of WordPress.
But popularity has its downsides: WordPress is one of the most targeted website platforms for hackers and crackers. Whether you’re using it in its simplest form as a blog or as an e-commerce website that’s your business’s bread and butter, security should be at the fore of your concerns.
Out of the box, WordPress is fairly secure, but it’s not bulletproof. Taking some time to familiarize yourself with WordPress security can save you a lot of headache later down the road.
If you run your business through WordPress, you’ll probably want to consider more advanced security measures to ensure your website’s integrity. This post will walk you through the ways you can secure your website from within WordPress.
WordPress Updates
Hackers and software developers are in constant battle with each other: The former continuously look for exploits in software to gain access to systems, while the latter must provide updates to fix the exploits in their software identified by hackers.
Consequently, the single most important thing you can do to maintain WordPress security is to make sure your core installation and all of your plugins and themes are regularly updated.
This can be a chore. Depending on how complex your WordPress website is, you could have dozens of plugins. These plugins are developed and maintained by different developers—updates don’t arrive from only one source. It’s immensely important to keep track of your updates within WordPress. It only takes one exploit on one plugin or theme to cause big problems for your website.
Login and Authentication
Your WordPress website’s login portal is the area that many bad actors target first. They’ll look for back doors into your website or try to brute force your admin password using software. Thankfully, there are a few practices and plugins that can help you tighten up your authentication.
Use Strong Passwords
The most secure way to prevent someone from guessing your password is by having a strong one. This may sound obvious on the surface, but it’s quite common for people to use words or phrases they’re familiar with to help them remember their password. This is exactly how hackers break into websites.
Your WordPress website’s user passwords should be made up of random letters and symbols. If you’re worried about remembering your password, consider using one of the many great password managers out there. All modern web browsers come with them preinstalled, so there’s really no reason to not have a secure password.
Limit Login Attempts
One common way for hackers to gain access to a website is by using software that runs through thousands of password attempts. You can help prevent this by limiting the number of times a user can attempt to log in.
To accomplish this, you’ll need to install the Limit Login Attempts Reloaded plugin. Once installed, you can access the plugin’s settings page, which is pretty straightforward:
- Allowed Retries determines how many times a user can attempt to log in.
- Minutes Lockout is how long a user will be locked out once the max login retries are reached.
- Retry Time Reset is the time window within which failed login attempts are counted towards the retry limit; once it elapses, the count starts over.
You can modify the settings according to your preferences, but the plugin’s default settings are just fine.
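To make the interaction of the three settings concrete, here is an added example (not the plugin's own code) that models a per-client lockout counter in Python: failures are counted within the retry window, the counter resets when the window elapses, and reaching the allowed retries locks the client out for the lockout period, during which even a correct password is refused. The setting values, client addresses and event sequence below are constructed for the example, not the plugin's documented defaults.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ClientState:
    """Per-client counters; timestamps are plain seconds from any clock."""
    failures: int = 0
    first_failure_at: float = 0.0
    locked_until: float = 0.0


class LoginLimiter:
    """Model of the three settings described above: Allowed Retries,
    Minutes Lockout and Retry Time Reset (values assumed for this example)."""

    def __init__(self, allowed_retries: int = 4, minutes_lockout: int = 20,
                 retry_time_reset_minutes: int = 12 * 60) -> None:
        self.allowed_retries = allowed_retries
        self.lockout_seconds = minutes_lockout * 60
        self.reset_seconds = retry_time_reset_minutes * 60
        self.clients: Dict[str, ClientState] = {}

    def is_locked(self, client: str, now: float) -> bool:
        st = self.clients.get(client)
        return st is not None and now < st.locked_until

    def attempt(self, client: str, password_ok: bool, now: float) -> str:
        """Record one login attempt; returns 'ok', 'failed' or 'locked'."""
        st = self.clients.setdefault(client, ClientState())
        if now < st.locked_until:
            return "locked"            # a correct password is refused while locked
        # Retry Time Reset: failures older than the window no longer count
        if st.failures and now - st.first_failure_at >= self.reset_seconds:
            st.failures = 0
        if password_ok:
            del self.clients[client]   # a successful login clears the history
            return "ok"
        if st.failures == 0:
            st.first_failure_at = now  # first failure opens a new window
        st.failures += 1
        if st.failures >= self.allowed_retries:
            # Minutes Lockout: refuse all attempts for the configured period
            st.locked_until = now + self.lockout_seconds
            st.failures = 0
            return "locked"
        return "failed"


def replay(events: List[Tuple[str, bool, float]],
           limiter: Optional[LoginLimiter] = None) -> List[str]:
    """Feed (client, password_ok, timestamp) events through a limiter in order."""
    limiter = limiter or LoginLimiter()
    return [limiter.attempt(client, ok, t) for client, ok, t in events]


# Constructed sample: one client guessing passwords, another logging in normally.
SAMPLE_EVENTS = [
    ("198.51.100.7", False, 0),
    ("198.51.100.7", False, 5),
    ("198.51.100.7", False, 9),
    ("198.51.100.7", False, 14),          # fourth failure -> locked for 20 minutes
    ("198.51.100.7", True, 60),           # right password, still locked
    ("203.0.113.20", True, 61),           # unrelated client is unaffected
    ("198.51.100.7", True, 14 + 20 * 60), # lockout has expired
]

if __name__ == "__main__":
    for (client, ok, t), result in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"t={t:>5}s {client:<14} password_ok={ok!s:<5} -> {result}")
```

Note that the counter is keyed per client: one attacker being locked out does not affect a legitimate user logging in from elsewhere, which is also why a plugin like this is no substitute for strong passwords against an attacker who spreads attempts across many addresses.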
Log Out Idle Users
People who have wandered away from their computer and left their account logged into your site are a big security risk. In most businesses and offices, users are logged out after a certain amount of idle time. You can do the same with WordPress using the Inactive Logout plugin.
Once installed, you simply set the duration and logout message in the plugin’s settings. It’s a good idea to set it to 10 or 15 minutes.
User Permissions
Understanding WordPress user groups and permissions is a big part of securing your website. The idea here is to give a user only the abilities they need on your site and to reserve higher privileges for those who absolutely need them. Before understanding the groups, though, you need to understand what kind of things can be done by a user in WordPress.
Generally speaking, there are two types of tasks that can be performed. The first—which we’ll call administration—includes installing themes and plugins, modifying core settings, and making changes to user accounts.
The other is the management of your website’s content, including writing and publishing posts, writing and approving comments, managing post categories, and generally doing anything on your website that doesn’t have to do with administration.
By default, WordPress comes with five user roles:
- Subscriber
- Contributor
- Author
- Editor
- Administrator
1. Subscriber
A subscriber is a basic user group with limited abilities. Members of this group can log in, change their user profile, and write comments. Most people who have registered on your site should be in this group.
2. Contributor
Moving up, the contributor has the rights of a subscriber, and they also gain the ability to write posts. Note the distinction between writing and publishing here: Contributors can write and submit posts to your site, but before they’re posted, they need to be approved by an editor or administrator.
The contributor group is good for people who occasionally write posts for your website but whose posts you want to sign off on before publishing.
3. Author
Authors gain the ability to write and publish their own posts. They can also delete their own posts, but they can't modify other users' posts in any way.
If you have writers that contribute regularly to your site and you want them to have the ability to publish posts without your approval, this is the level you want for them.
4. Editor
The editor has full access to the content portion of your WordPress website. They can add, change, and delete all posts and comments. They also gain the ability to create new post categories.
Editors can be thought of as, well, editors. This is the group that edits and manages all of your website’s content.
5. Administrator
Administrators have full and complete access to your entire WordPress website. They can modify all posts and content, add, remove, and change all users, and can add, remove, and update plugins and themes.
This role shouldn’t be assigned lightly—you’ll want to have as few admin accounts as possible. If you don’t have a company managing your WordPress website for you, it’s best to have a single admin account.
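The role descriptions above, as an added example in Python (not WordPress code): each of the five roles is modelled as a capability set that grows from subscriber to administrator, a `minimal_role()` helper picks the lowest role that covers what a person actually needs to do, and `audit_users()` flags both administrator sprawl and users whose role exceeds their stated needs. The capability names used ("edit_posts", "publish_posts", "manage_categories", "install_plugins" and so on) are WordPress's own, but the exact sets are a simplified model for this example, not a dump of a live site's role table, and the user list is constructed.

```python
from typing import Dict, FrozenSet, Iterable, List

# Simplified capability sets following the page's description of each role.
SUBSCRIBER: FrozenSet[str] = frozenset({"read"})                      # log in, edit own profile, comment
CONTRIBUTOR = SUBSCRIBER | {"edit_posts", "delete_posts"}             # write but not publish
AUTHOR = CONTRIBUTOR | {"publish_posts", "upload_files",
                        "edit_published_posts", "delete_published_posts"}
EDITOR = AUTHOR | {"edit_others_posts", "delete_others_posts", "edit_pages",
                   "manage_categories", "moderate_comments"}
ADMINISTRATOR = EDITOR | {"install_plugins", "activate_plugins", "update_plugins",
                          "switch_themes", "update_core", "manage_options",
                          "create_users", "edit_users", "delete_users"}

# Ordered lowest to highest so the first match is the least-privileged fit.
ROLES: Dict[str, FrozenSet[str]] = {
    "subscriber": SUBSCRIBER,
    "contributor": CONTRIBUTOR,
    "author": AUTHOR,
    "editor": EDITOR,
    "administrator": ADMINISTRATOR,
}


def can(role: str, capability: str) -> bool:
    """True if the given role is allowed the given capability."""
    return capability in ROLES[role]


def minimal_role(needed: Iterable[str]) -> str:
    """Lowest role whose capability set covers everything in `needed`."""
    needed_set = frozenset(needed)
    for name, caps in ROLES.items():
        if needed_set <= caps:
            return name
    raise ValueError(f"no role grants all of {sorted(needed_set)}")


def audit_users(users: List[Dict], max_admins: int = 1) -> List[str]:
    """Flag admin sprawl and users holding more privilege than their job needs.

    Each user dict has 'login', 'role' and 'needs' (capabilities they really use).
    """
    findings: List[str] = []
    admins = [u["login"] for u in users if u["role"] == "administrator"]
    if len(admins) > max_admins:
        findings.append(f"{len(admins)} administrator accounts ({', '.join(admins)}); "
                        f"keep as few as possible, ideally {max_admins}")
    for u in users:
        least = minimal_role(u["needs"])
        if ROLES[u["role"]] > ROLES[least]:   # strict superset: over-privileged
            findings.append(f"{u['login']}: role '{u['role']}' exceeds '{least}', "
                            f"which already covers {sorted(u['needs'])}")
    return findings


# Constructed sample user list (hypothetical logins and needs).
SAMPLE_USERS = [
    {"login": "alice", "role": "administrator", "needs": ["manage_options", "install_plugins"]},
    {"login": "bob",   "role": "administrator", "needs": ["edit_posts", "publish_posts"]},
    {"login": "carol", "role": "editor",        "needs": ["edit_others_posts", "moderate_comments"]},
    {"login": "dave",  "role": "author",        "needs": ["edit_posts"]},
    {"login": "erin",  "role": "subscriber",    "needs": ["read"]},
]

if __name__ == "__main__":
    for finding in audit_users(SAMPLE_USERS):
        print("-", finding)
```

Run against the sample list, the audit reports that there are two administrators, that bob only needs what an author has, and that dave only needs what a contributor has; carol and erin already hold the least role that fits their work.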
Wrapping Up
Plugins, best practices, and a solid understanding of WordPress user groups can take you a long way in making your website more secure—but it’s only the beginning.
Security extends beyond WordPress and into topics such as firewalls and web hosting. If you do considerable business through your website or you have sensitive information that can’t be compromised, consider enlisting a WordPress management company to help secure your website.