Wordpress Security Plugins and Best PracticesJan92017

Wordpress Security Plugins and Best Practices

Digital security is probably one of the most important aspects of running a website. As a business, your website is capable of collecting massive amounts of information. Some of this information is crucial and very sensitive.

A breach in your security can bring about countless hours of headaches and migraines. If the damage is severe enough, you might even end up dealing with lawsuits. Nothing is more important than a secure website.

WordPress is one of the most used open source website creation tools out there. Although being open source means we get a ton of plug-ins and modifications created by all sorts of genius minds across the world, it can also mean increased vulnerability. This is exactly why observing some common security measurements can take you a long way when it comes to creating a secure website. Let’s take a look at what you can do to bulletproof your WordPress website.

  1. “Admin” is Not to Be Used
    No, we don’t mean that you don’t need administrative privileges to run your website. We mean that your administrative account’s username should never, under any circumstances, be named Admin. If someone is trying to brute force their way in, they can still get the right administrative username. But why make this easier for them? It’s easy as pie to create a new username, give it administrative privileges, and then delete the default Admin account.

  2. Thou Shalt Not Use “Password” as a Password
    One of the 25 most commonly used passwords is actually “password”. The others are:

    • 123456
    • 12345678
    • Qwerty
    • 12345
    • 12345678
    • Football
    • 1234
    • 1234567
    • Baseball
    • Welcome
    • 1234567890
    • abc123
    • 111111
    • 1qaz2wsx
    • Dragon
    • Master
    • Monkey
    • Letmein
    • Login
    • Princess
    • Qwertyuiop
    • Solo
    • passw0rd
    • starwars

      Hopefully, your administrator password isn’t listed amongst them. If it is, then we strongly suggest you go and change it ASAP. 
  1. Use an Authenticator
    It might sound like a huge pain, but its benefits are beyond worth it. Taking an extra 15 seconds entering a few random letters and numbers is far better that getting stuck in a multi-thousand-dollar lawsuit because a hacker stole all of your customers’ credit card information. Secure yourself and everyone who uses your website. Get an authenticator. There is a great plugin available called “Google Authenticator” that can make this step very easy to perform.

  2. Revoke Privileges
    Deciding who needs administrative privileges should be easy to determine. Figure out who needs the admin rights, when they need them, and how long they need them for. Don’t just hand out admin rights left and right and then forget about it. You are quite possibly inviting a security breach every time you do this. Make sure to revoke admin rights from those who don’t need them after they have completed their tasks.

  3. Limit Login Attempts
    No user should have unlimited attempts at entering passwords and usernames. We strongly suggest limiting the amount of login attempts per IP address for every login form. There is a wonderful plugin for this named “WP Limit Login Attempts”.

There are a few other things you can do to strengthen the security of your WordPress site, like hiding wp-config.php and .htaccess files or disabling file editing, but without implementing the above 5 suggestions the other security countermeasures won’t do much for you. Make sure your webmaster or designer has these 5 basics under control, and then talk to them about what else you can do to ensure your WordPress site is as secure as possible.