Prop up your site with better security settings

Jun 4, 2015 12:28 GMT  ·  By
[Image: Easy Updates Manager sets up an automatic update policy for the site]

Keeping WordPress security locked down tight is a must for any professional Web developer. Since WordPress doesn't include many security-enhancing features out of the box, a series of tips and tricks is needed to help less technically skilled users bolster their site's protection level.

Below is a list of recommendations on how to improve your WordPress site's security, along with the names of various plugins, where applicable, that can help you implement each one.

We won't provide links to the plugins' homepages since it would be an SEO catastrophe, but you can easily type their names into WordPress's built-in plugin installer and have them added to your own sites.

1. Keeping the WordPress core, themes, and plugins up to date

There are quite a few plugins that can do this. First off, there's Easy Updates Manager, then there's WP Automatic Updates, and Advanced Automatic Updates.

Besides these, there are also plugins dedicated specifically to automatic updates of the site's plugins, themes, or core separately, like Background Updates for Major Releases, Auto Update Themes, or Automatic Plugin Updates.

2. Downloading themes & plugins from well-known sources

Themes and plugins should always be downloaded from well-known, trusted, and established sources.

This includes the WordPress theme and plugin repositories, where insecure content is regularly exposed by WordPress employees or the community, or online marketplaces like ThemeForest, CodeCanyon, Mojo Themes, YOOthemes, WooThemes, Themezilla, and such, where content is provided by well-known developers or tested by someone with expertise.

Sure, you'll find developers offering themes and plugins on their personal sites, and most of the time the code will be harmless and quite useful, but try to avoid any such "free" offerings if you can't read PHP and can't tell what that particular tool actually does.

3. Backups! Backups! Backups!

Having the site automatically back itself up at regular intervals allows you to roll back to a point in time before any "malfunction" or attack.

I don't think you need help or recommendations finding a plugin for WordPress backups. Just type "backup" into the CMS's built-in plugin search field and you'll get more than 25 pages of results. From local backups to automatic backups, to Amazon S3 backups, to Dropbox backups, all the niche cases are covered by a plethora of tools.

[Image: Admin renamer extended lets admins change their username]

4. Change your default admin username

For a long time, WordPress automatically created the "admin" username during the installation and generated a random password to use with it. A few versions back, there was a shift in policy and Automattic allowed users to set up custom usernames for the main admin user.

Just in case you were uninspired during the installation and continued to use "admin" for the admin username, the Admin renamer extended plugin can help you change it later on, even after the site has been installed. Of course, if you like over-complicating things, you can do it the hard way by editing the wp_users table in your MySQL database.

5. Force users to register with stronger passwords

For a few consecutive years now, security researchers have been finding that people still tend to use weak passphrases like their username, the word "password," "123456," or other similar terms.

We cannot fully express in written words what a bad idea it is to have such a weak password. Not just for a WordPress site username, but for any online account.

As a site admin, you can install WP Password Policy Manager or Force Strong Passwords to make users set up accounts with stronger passwords, whether they like it or not.
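For readers who would rather not add two more plugins, items 1 and 5 can also be covered with a short must-use plugin dropped into wp-content/mu-plugins/. This is an added example, not code from the article or from any of the plugins it names; it uses WordPress core's own update filters and password hooks, and the password thresholds (12 characters, three character classes) are my assumptions, not WordPress defaults.

```php
<?php
/*
Plugin Name: Hardening helper (constructed example)
*/
// --- Item 1: automatic updates through core's own filters. Minor core releases already
// auto-update; this also allows major ones (same as WP_AUTO_UPDATE_CORE in wp-config.php).
add_filter( 'allow_major_auto_core_updates', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
// --- Item 5: reject weak passwords. Thresholds are assumptions, not WordPress defaults. ---
function hh_password_is_strong( $password, $login ) {
    if ( strlen( $password ) < 12 ) {
        return false;
    }
    // The article's examples of weak choices: the username, "password", "123456".
    if ( '' !== $login && false !== stripos( $password, $login ) ) {
        return false;
    }
    if ( in_array( strtolower( $password ), array( 'password', '123456' ), true ) ) {
        return false;
    }
    // Require at least three of: lowercase, uppercase, digit, other.
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
        if ( preg_match( $re, $password ) ) {
            $classes++;
        }
    }
    return $classes >= 3;
}
function hh_reject_weak( $errors, $password, $login ) {
    if ( ! hh_password_is_strong( $password, $login ) ) {
        $errors->add( 'weak_password', 'Error: use at least 12 characters mixing letter cases, digits and symbols, and do not include your username.' );
    }
}
// Profile edits and admin-side user creation: $user->user_pass is only set when a new password was submitted.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $user->user_pass ) ) {
        hh_reject_weak( $errors, $user->user_pass, isset( $user->user_login ) ? $user->user_login : '' );
    }
}, 10, 3 );
// Password resets, which is also how a newly self-registered user sets a first password.
// The hook also fires when the form is merely displayed, hence the isset() check.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( isset( $_POST['pass1'] ) ) {
        hh_reject_weak( $errors, wp_unslash( $_POST['pass1'] ), $user->user_login );
    }
}, 10, 2 );
```

Adding an error to the WP_Error object in either hook is what makes WordPress refuse the submitted password and show the message on the form.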

6. Prevent access to the administration panel

This can be done via a series of plugins that change the login page URL; some of the tools that can do this are WP Admin Block, HC Custom WP-Admin URL, Protect Your Admin, Custom Login URL, and WPS Hide Login.

[Image: Protect Your Admin lets webmasters change the admin panel's login URL]

7. Use CAPTCHA fields for forms

CAPTCHA fields can help you keep spam bots away from your comment fields, but a CAPTCHA field on the registration and login pages can also be useful to prevent brute-force attacks that might expose your backend.

As with site backups, just type "captcha" into the WordPress plugin installer and you'll end up with over 15 pages of results. Most of them work fine, and the style of CAPTCHA you implement is mostly a matter of personal preference.

Sure, more advice can be given on this topic, and we could actually go on for pages and pages, but these are the basic steps you need to take, even if you're running WordPress as a personal blog or for a mere three-page site.
