Making WordPress Super-Secure

This was the topic for the September meetup. You may like to read my blog post on the most recent bot attacks on WordPress sites, in April this year.

A few years back, site security was a relatively minor issue.

Today it’s a major, growing problem for site owners and their host providers. Most intrusions come via automated malware-type bots that attack sites on a regular basis. It’s worse if you’ve done good work around SEO to get more traffic and sales, which will bring in both good and bad traffic. Sadly you can’t have one without the other… Below is an example from one of our client sites showing a tenfold increase in bot traffic over several days. Any weakness on your or your host’s part will have dire consequences.

So, what are these bots trying to do?

According to the 2013 DBIR report, most security attacks required no special resources to perform – in fact only 1 out of 621 confirmed breach cases used sophisticated hacking methods. Most attacks were opportunistic in nature, i.e. there was never a specific target, just an easy one. Here are some stats from those who study how WordPress sites are hacked.

  • 41% were hacked through a security vulnerability on their hosting platform
  • 29% were hacked via a security issue in the WordPress Theme they were using
  • 22% were hacked via a security issue in the WordPress Plugins they were using
  • 8% were hacked because they had a weak password (Yet many WordPress ‘experts’ say weak passwords are the major worry and reason sites get hacked. They aren’t).

Note that the WordPress software itself isn’t mentioned here; it would be under 0.1%. It’s the things around it (server) or added to it (themes, plugins) that cause all the problems. WordPress itself has few security problems. As long as you’re on WordPress v3.7 or later, you’ll be fine since this has a slick auto-update facility, meaning any security issues with WordPress coding are taken care of automatically. Sadly, the same isn’t true for web hosts, themes, plugins or users.

So, what’s required to ensure your site is not an easy target?


Use a local host provider running the latest software and hardware

Hosting vulnerabilities are the main reason WordPress sites get hacked. They account for a huge 41% of WordPress sites being hacked. When choosing a web hosting provider, don’t simply go for the cheapest you can find. That seems to be the trend today, as everyone assumes every host offers the same technology and services and that the costly ones are just being greedy. Although NZ hosting is more costly than the US, you still get what you are prepared to pay for. Those cheap $10-30/mth host accounts are always prime targets for most hackers and bot attacks.

Cheap shared hosts have a large number of domains using them (up to 1,000 for the cheapest providers). Because of this, they provide very erratic performance as the demands from each domain vary from minute to minute. It’s a bit like having a long queue of people all wanting to use the same computer. One $1/mth host in the US we tested was the slowest we’ve ever seen, with page response times of 10-30 seconds instead of the 0-2 seconds needed today. So, treat any ‘amazing hosting deals’ with suspicion. A slow host will kill your search rankings too. Users and Google prefer fast websites.

I often think the overloaded Indian train (above) is a good analogy for shared hosting plans. Yet the sales pitch is always inviting. Unlimited this and that, cloud hosting etc. Even girly photos to attract new clients, as done by the likes of GoDaddy and Crazy Domains.

Latest software and hardware essential

But pretty girls and great deals have little to do with running hosting or keeping it fast and secure. A good, modern host server should use the latest hardware loaded up with the latest software, just like your home PC should. For hosting, the software is Apache (2.2), MySQL (5.5) and PHP (5.4) or later versions. The version of PHP you are given (and unless you run your own VPS, you’ll seldom get a choice) is particularly important. For hardware, check they use fast processors (dual/quad 2GHz or more) and SSD (solid state) disk drives as standard.

Many shared hosts still use PHP v5.2 software, which is an old, end-of-life product having nil security updates since 2011. Even PHP v5.3, which most shared hosts use, is not the latest version; it was released in 2009, when most of us were still using Windows XP or Vista.

Typical of most are the major providers like Hostgator, who still run v5.2. V5.3 is an option, but not 5.4 or later. For WordPress sites, use at least v5.3.27 or preferably v5.4.20 or later, which are well supported, provide higher performance and are more secure. From 2016, PHP version 5.6 should really be the new default.

Yet most budget hosting companies like Hostgator, Net24 and Openhost tend to be conservative, avoiding updates due to the support overhead it often generates and the fact some client apps don’t run on the latest server software. It’s exactly the same issue you see with PCs. Some apps don’t yet run on say Windows 10.

But the security and performance benefits of utilising the latest web server software (and hardware) are obvious. WordPress 3.9 or later is industry-leading software that runs best on the latest technology. Issues will only arise if you have a badly coded theme or plugins, or are running an old version of WordPress, which are all things you do need to know about and fix asap…


1. Strengthen up those passwords

According to this infographic, around 8% of hacked WordPress websites are down to weak passwords. (Yet if you read many WordPress support blogs, they give the impression that poor passwords are the major worry). If your WordPress administrator password is anything like ‘letmein’, ‘abc123’, or ‘password’ (all way more common than you might think!), you need to change it to something secure as soon as possible.

2. Never ever use “admin” as your username

..or administrator or your domain name. In April 2013 there was a spate of brute-force attacks launched at WordPress websites across the web, consisting of repeated login attempts using the username ‘admin’, combined with a bunch of common passwords. If you use “admin” as your username, and your password isn’t strong enough, then your site is very vulnerable to a malicious attack.

It’s strongly recommended that you change your username to something less obvious. Fixing this is simply a case of creating a new administrator account for yourself using a different username, logging in as that new user and deleting the original “admin” account. If you have posts published by the “admin” account, when you delete it, you can assign all the existing posts to your new user account.

4. Don’t use an admin level for day to day site editing

When establishing a new site, most people naturally use admin-level access, but then continue to use this same login for day-to-day editing too. After the site is set up and the design finalised, it’s better to have a separate editor-level login for day-to-day editing and site updates. Admin level should only be used for site maintenance purposes. Make sure all articles or posts are set as written by this editor user.

5. Have a secure home / business PC

Seldom mentioned, but one of the other avenues for getting your website logins is from your own PC. Nastier viruses can look at your browser or PC files to gather up your credentials, giving them admin access to your site and/or hosting account. This happened to me a couple of years back, accessing a key password file, ultimately destroying a dozen client sites. It took me days to sort out. And I was running the [free] AVG antivirus program thinking it would protect me. I now use a professional paid-for version. e.g.

6. Keep a backup

I can’t overemphasize the importance of making regular backups of your website. Don’t just rely upon your host company for this. Many people put off backups until it’s too late. Even with the best security measures at your disposal, you never know when something unexpected could happen that might leave your site open to an attack and corruption of data. If that happens you want to make sure all of your content is safely backed up. There are many good backup tools available. Updraft is a free one, with files sent to my free Dropbox account. However, if you want a bulletproof set-and-forget solution, go with VaultPress, not free but probably the best WP backup system out there.


1. Update all the things

Running updated software is important at the host server and the WordPress application. Every new release of WordPress will contain patches and fixes that address real or potential vulnerabilities. If you don’t keep your website updated with the latest version of WordPress, you may be leaving yourself open to attacks, though the risk of WordPress itself having a security issue is small these days, especially if you’re running v 3.7 or later. Updating WordPress is a very quick and simple process.

Many hackers will intentionally target really old (2.6-3.5) versions of WordPress with known security issues as well as bad plugins, so keep an eye on your Dashboard notification area. The same applies to themes and plugins. Update to the latest versions every few months and immediately when there is talk of security-related issues. But do a backup of your site first. Updates occasionally break things. (Quite rare compared with other systems, but can occur)

2. Add in Security plugin(s)

In the case of a hacker or a bot attempting a brute-force attack to crack your password, it can be useful to limit the number of failed login attempts from a single IP address. Limit Login Attempts does just that, allowing you to specify how many retries will be allowed, and how long an IP will be locked out for after too many failed login attempts. But there are ways around this, as most attackers now use a large number of different IP addresses.
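An added example, not part of the original post: a log check that separates what a per-IP lockout catches from the many-IP pattern described above. The log lines are constructed (Apache combined format) and the thresholds are assumptions; it also assumes stock WordPress behaviour, where a failed login returns 200 and a successful one redirects with 302.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/Nginx "combined" log format; only the fields needed are captured.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def failed_logins(lines):
    """Yield (ip, epoch_seconds) for each failed wp-login.php POST.
    Assumption: stock WordPress re-renders the form (200) on failure and
    redirects (302) on success; adjust if a plugin changes this."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?")[0].endswith("/wp-login.php"):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], int(ts.timestamp())

def analyse(lines, per_ip_limit=5, site_limit=20, window=300):
    """Return (noisy_ips, distributed): IPs a per-IP lockout would catch, and
    (window_start, attempts, distinct_ips) for windows where the remaining
    low-volume IPs together still exceed site_limit failures."""
    events = list(failed_logins(lines))
    per_ip = Counter(ip for ip, _ in events)
    noisy = {ip for ip, n in per_ip.items() if n > per_ip_limit}
    buckets = defaultdict(list)
    for ip, t in events:
        if ip not in noisy:
            buckets[t - t % window].append(ip)
    distributed = [(start, len(ips), len(set(ips)))
                   for start, ips in sorted(buckets.items())
                   if len(ips) > site_limit]
    return noisy, distributed

def sample_log():
    """Constructed sample: one noisy IP, 30 one-shot IPs, one real login."""
    fmt = '{ip} - - [10/Sep/2016:10:{mm:02d}:{ss:02d} +0000] "{req} HTTP/1.1" {st} 512 "-" "-"'
    post = "POST /wp-login.php"
    rows = [fmt.format(ip="203.0.113.7", mm=0, ss=s, req=post, st=200) for s in range(8)]
    rows += [fmt.format(ip=f"198.51.100.{i}", mm=1, ss=i - 1, req=post, st=200)
             for i in range(1, 31)]
    rows.append(fmt.format(ip="192.0.2.10", mm=2, ss=0, req="GET /wp-login.php", st=200))
    rows.append(fmt.format(ip="192.0.2.10", mm=2, ss=5, req=post, st=302))
    return rows

if __name__ == "__main__":
    print(analyse(sample_log()))
```

On the sample, the per-IP limit flags only one address, while the site-wide count shows 30 failures from 30 different addresses in the same five-minute window.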

Other more powerful security and firewall plugins like Wordfence work well here, doing everything Limit Login Attempts does and much more. Better WP Security (iThemes Security) is probably the best I think, but the options presented can confuse.

Be well aware that WordPress security plugins, although recommended, are NEVER enough to resolve all security issues or stop a nastier bot attack from taking down your website. A side effect is that they can also slow your site down from the monitoring alone. The value of security plugins is often ‘oversold’ with many believing it’s all they need. Sorry, if you’re told this, the person is either lying or ignorant of the facts. If there are still old, insecure WordPress versions running, with insecure plugins or themes, then simply adding a fancy security plugin is not going to fix much or prevent the site being hacked.

Some host companies specialising in WordPress, seeing the proliferation of security and backup plugins and the problems they can generate, have started banning many of them. There are in fact more ways to harden WordPress installations than just relying upon plugins. We need protection at the level below WordPress or plugins, being the host server software, config and network layers. Talk to your host company or developer about this.

3. Add third party filtering

Use of a DNS filtering/security service like Cloudflare, Sitelock, Incapsula and a dozen others can also help filter out the nastier traffic before it hits your server. All these features are handy add-ons, but seldom the total solution they make out to be. And the free ones don’t work as well as the premium versions. You get what you pay for…

4. Try to avoid free themes

But, beyond the host server, bad themes and plugins are the major worry. As a general rule, it’s better to avoid using free themes, if possible, especially if they aren’t built by a reputable developer. Bad themes are the second most common way (29%) of a site being hacked. Even some premium themes are suspect.

Here’s my preferred list. The main reason for this is that free themes can often contain things like base64 encoding, which may be used to sneakily insert spam links into your site, or other malicious code that can cause all sorts of problems. 8 out of 10 sites reviewed on one WordPress theme directory site pushing free themes contained base64 encoding. If you really need to use a free theme, you should only use those developed by trusted theme companies, or those available on the official theme repository.

Note: The same logic applies to plugins. Only use plugins that are listed on, or built by a well-established developer.
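An added example, not from the original post: a scanner that walks a theme or plugin folder, flags PHP lines that decode and execute base64, and shows what a long base64 string hides. The sample theme, its file contents and the pattern list are constructed for illustration; a hit means the file needs reading, not that it is malicious.

```python
import base64, binascii, re, tempfile
from pathlib import Path

LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{60,}={0,2})['\"]")
# Most specific check first; a hit means "read this file", not proof of malice.
CHECKS = [
    ("decode-and-execute", re.compile(
        r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("base64_decode call", re.compile(r"\bbase64_decode\s*\(", re.I)),
    ("long base64 literal", LITERAL),
]

def preview(line, limit=60):
    """Decode the first long base64 literal on the line, if it decodes cleanly."""
    m = LITERAL.search(line)
    if not m:
        return ""
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return ""
    return raw.decode("utf-8", errors="replace")[:limit]

def scan_theme(root):
    """Return sorted (relative_path, line_no, reason, decoded_preview) tuples."""
    findings = []
    for path in Path(root).rglob("*.php"):
        text = path.read_text(encoding="utf-8", errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            for reason, rx in CHECKS:
                if rx.search(line):
                    rel = path.relative_to(root).as_posix()
                    findings.append((rel, no, reason, preview(line)))
                    break
    return sorted(findings)

def build_sample_theme(root):
    """Constructed sample theme: one clean file, one with a hidden footer link."""
    hidden = "echo '<a href=\"https://example.invalid/\">sponsored link</a>';"
    blob = base64.b64encode(hidden.encode()).decode()
    Path(root, "functions.php").write_text("<?php\nadd_theme_support('title-tag');\n")
    Path(root, "footer.php").write_text(
        "<footer>&copy; Example</footer>\n<?php eval(base64_decode('%s')); ?>\n" % blob)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_theme(tmp)
        for finding in scan_theme(tmp):
            print(finding)
```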

6. Captcha, SSL Certificates. (Update Sept 2016)

More recently, we see more hackers using network spying tools to monitor people logging in to WordPress sites and stealing their passwords. You can change the login URLs and add in captcha systems, which is good.

But having the network traffic to the site and login area encrypted is the ultimate in best practices. The quickest way is to have your host add an SSL certificate (usually a setup plus annual fee applies), so the website URL has an https at the front. You also get your own host IP address, which is another security bonus. Google also says it will help your site ranking a bit too.

p.s. Contrary to popular belief, an SSL certificate doesn’t magically ‘secure’ your entire website and make it hacker-proof. It just makes the traffic to and from the site encrypted, which is why it’s important for eCommerce sites, to prevent hackers gaining buyer data. You still need to do all the other things mentioned in this article.

Repairing Hacked sites

Putting these things in place can save a lot of time and expense. Repairing a hacked site is not always easy or that cheap. Sometimes it is only an hour’s work, other times a day to sort, especially if no backup files are available. At worst you have to start again.

Let the Geeks Sort it out….

Sometimes, when none of the above works, some of the issues can really only be addressed by the host company and a good sysadmin person that knows their way around Apache, Unix command lines etc. Setting up host servers, DNS filters and similar is often beyond the amateur user and not even done much in local developer circles. Yet these low level tools are good options to further reduce the number of nasty bots and website attacks.

Start by upgrading to a better host platform. This is always a good first step, since the host is the most common security hole. My favorite host provider is Inmotion who provide some amazing value VPS accounts for web designers or businesses demanding higher security and performance than shared or cloud hosting can provide. Their VPS systems have far higher technical specifications and performance, for under half the cost of local alternatives.

For assistance with security, hosting, fill in the form below.
