THE MSHINI BLOG

The ultimate 12 step WordPress security guide

July 16, 2018

There’s no way around it. If you have a web presence, you’re at risk of someone breaking into your website. It might be to steal your customers’ data, it could be to push a political agenda or just because they can. But following these security steps will help your WordPress site weather almost any attack a ne’er-do-well might throw at it.

1. Always keep your WordPress core, theme and plugin versions up to date

According to a scan done by The SSL Store, a full third of all WordPress sites are out of date and vulnerable to hackers using exploits that have been patched.

The five main reasons for keeping every aspect of your WordPress site up to date are:

  • Security
  • Performance
  • Bug fixes
  • Compatibility
  • Features

Keeping WordPress, its themes and plugins up to date is an essential part of managing any WordPress site. This ensures that your site performs as efficiently as possible and guarantees that your site always receives the latest bug fixes and security patches. Keeping your WordPress core, theme and plugin versions up to date is one of the most effective methods of enhancing security and keeping the hackers at bay. Best of all, WordPress makes it easy to do this automatically, so you don’t need to constantly keep an eye out for their update schedule.

 

2. Don’t make changes to the WordPress core files

The moment that you or your developer edit the WordPress core files, you are no longer able to automatically update WordPress to the latest version. This feature is to stop you losing custom changes made to your site, but at the cost of the added security the updates offer.

If you need to change WordPress functionality, you’re far better off creating a plugin which gives you the ability to do whatever you need without compromising WordPress core.

The same logic applies to plugins and themes. The moment you perform any core tweaking of plugins and themes you lose the ability to update to the latest version, thus exposing your site to hackers.

 

3. Deactivate and remove any unused plugins and themes

With every additional plugin and theme installed on your site, the risk of a vulnerability being discovered in one of them increases. If a vulnerability is discovered in one of these plugins or themes, your site becomes a sitting duck.

While most major plugins have crack teams of developers keeping an eye on security, some plugins are made by one person in their spare time. They do not have the resources to deal with every vulnerability proactively. Your WordPress site is still left vulnerable even if the affected plugin or theme is installed but inactive. The safest way to mitigate risk is to deactivate and completely remove any plugins and themes that you are not using.

Security aside, poorly coded and unnecessary WordPress plugins and themes can cause all sorts of other issues like memory leaks, which negatively affects the performance of your WordPress site for your users.

When testing plugins and themes, avoid testing them on your live site. Instead, create a copy of your site on a staging environment and test your plugins and themes with absolutely no risk to your live site.

 

4. Only ever install themes and plugins from their official source

No matter how tough times may be, avoid downloading premium plugins and themes from pirate, torrent and warez sites. Many of these pirated themes and plugins have been maliciously tweaked to contain back doors for hackers to come and go as they please.

Remember, if the service is free, you are usually the product!

WordPress.org is the most common place to find free, reputable plugins and themes for WordPress. Commercial plugins or themes can often be purchased from the developers themselves or through sites like WordPress.com, ThemeForest.net or CodeCanyon.net.

 

5. Choose a secure WordPress hosting service

A great WordPress hosting service goes a long way towards protecting your site from attacks. The allure of free or cheap hosting can be enticing to say the least, but with the wisdom of hindsight, you’ll quickly learn that hosting isn’t an area to skimp on.

The free option on many of these services is usually there to entice you into a premium service. As such, the free option usually doesn’t include active monitoring of services, backups, or customer service that you can reach should the worst happen.

If you value your website, and your customers, it’s worthwhile investing in a specialist managed WordPress hosting company that is able to support both you and your WordPress site.

 

6. Ensure that your site is running on the latest version of PHP

According to Cloudways.com, less than 3% of WordPress sites are using PHP 7.2, and a shocking 32,4% are using versions no longer supported by WordPress itself! Additionally, Sucuri reports that 71% of all compromises had a PHP-based backdoor hidden within the site in 2017.

If you are still using an outdated version of PHP, not only does your site miss out on the performance features released with the latest versions, but newly discovered vulnerabilities will never be fixed. They will remain in the wild, ready for exploitation by anyone with ill will and access to the internet.

Updating your PHP version depends largely on your hosting service. A good hosting service should make the latest PHP versions available for use with your WordPress installation.

 

7. Choose obscure WordPress admin usernames

If your WordPress admin username is currently “admin”, you should immediately create a new administrator user.

Your credentials have two parts, the username and the password. If you use the default “admin” username, hackers already have half of the keys to your whole website!

Choose a username that is less obvious, then delete the “admin” user. This quick and easy WordPress security trick can thwart many simple hacking attempts.
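As an added example that is not part of the original post, the following WP-CLI script turns steps 1, 2, 3, 6 and 7 into a repeatable routine: it checks core file integrity, updates everything, deletes inactive plugins and themes, warns if the PHP release is below a floor, and flags administrator logins that start with “admin”. It assumes WP-CLI is installed, that the script is run from the site root (or with WP_PATH set), and that the MIN_PHP floor and the “starts with admin” rule are local choices.

```shell
#!/bin/sh
# wp-security-audit.sh: hypothetical WP-CLI routine for steps 1, 2, 3, 6 and 7.
# Assumes WP-CLI ("wp") is installed; run from the site root or set WP_PATH.
set -e

WP="wp --path=${WP_PATH:-.}"
MIN_PHP="${MIN_PHP:-7.2}"  # lowest acceptable PHP release (assumed floor)

# php_at_least VERSION MINIMUM: succeed when VERSION >= MINIMUM (major.minor).
php_at_least() {
  maj=${1%%.*}; rest=${1#*.}; min=${rest%%.*}
  want_maj=${2%%.*}; want_min=${2#*.}; want_min=${want_min%%.*}
  [ "$maj" -gt "$want_maj" ] ||
    { [ "$maj" -eq "$want_maj" ] && [ "$min" -ge "$want_min" ]; }
}

# weak_admin_logins: read logins on stdin, print the guessable ones
# (anything starting with "admin": admin, Admin123, ...), step 7.
weak_admin_logins() {
  grep -iE '^admin' || true
}

audit_site() {
  # Step 2: edited core files are lost on update and may be tampering;
  # a checksum mismatch aborts the run (set -e) so it can be inspected first.
  $WP core verify-checksums
  # Step 1: update core, then the database schema, then plugins and themes.
  $WP core update
  $WP core update-db
  $WP plugin update --all
  $WP theme update --all

  # Step 3: inactive code is still reachable, so delete it. The active
  # theme's parent reports status "parent", not "inactive", and is kept.
  $WP plugin list --status=inactive --field=name | xargs -r $WP plugin delete
  $WP theme list --status=inactive --field=name | xargs -r $WP theme delete

  # Step 6: check the PHP release that actually executes the site.
  php_ver=$($WP eval 'echo PHP_VERSION;')
  php_at_least "$php_ver" "$MIN_PHP" ||
    echo "WARNING: PHP $php_ver is older than $MIN_PHP; ask your host to upgrade"

  # Step 7: administrator accounts whose login is trivially guessable.
  $WP user list --role=administrator --field=user_login | weak_admin_logins |
    sed 's/^/WARNING: replace guessable administrator account: /'
}

# Only touch a real site when explicitly asked: RUN_WP_AUDIT=1 sh wp-security-audit.sh
if [ "${RUN_WP_AUDIT:-0}" = "1" ]; then audit_site; fi
```

Run it against a staging copy first (step 3 above), since it deletes code and applies updates without prompting.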

 

8. Always use strong passwords and never reuse passwords

You’ve no doubt heard it before, and you’ll no doubt hear it again…

Don’t choose simple and easy to guess passwords. The simpler your password, the easier it will be for hackers to brute-force it and gain access to your WordPress site. This is especially true if your admin username is something simple like “admin” or “admin123”. Hackers attempting to brute-force your WordPress password will have a list of the most commonly used passwords, which they try over and over again.

An example of a strong password is:

Thi5I5al0ngstr*ngp4zzw0rd$

The longer the password, the longer it will take to brute-force a solution.

Avoid reusing passwords at all costs, regardless of where you use them. If one of your accounts has been compromised, the hacker probably has access to ALL of your accounts that use the same password.

We know that it’s tough, even impossible, to remember different passwords for every account. Luckily there are plenty of password managers out there that will allow you to create different passwords and store them securely.

 

9. Use an SSL certificate to encrypt all data being transmitted

Implement HTTPS on your WordPress site, particularly on your backend, to avoid data being sent in plain-text. We have a guide on our Knowledge Base that will show you how to enable a free Let’s Encrypt SSL certificate within your Mshini control panel. Once your SSL certificate is enabled, check that your site has the coveted Green Padlock icon marking it as “Secure” next to your URL.

 

10. Secure WordPress with a reputable WordPress security plugin

Anyone can list a plugin with WordPress, even those with a vested interest in getting into your site. Just as you wouldn’t give a stranger the keys to your physical office building, make sure that you vet any security plugins carefully before installing them.

Check out reviews from multiple sources before making a decision, as user reviews are easily manipulated by sock-puppet accounts.

 

11. Enable two factor authentication (2FA) for your WordPress site

You can easily add an additional layer of security to your login details by setting up Two-Factor Authentication within your WordPress dashboard. By doing so, any potential hacker now needs access to your Username, your Password and your phone!

 

12. Only ever access your WordPress dashboard from a trusted device

Accessing your dashboard on a public terminal, such as a library computer or an internet cafe, means you do not have control of the software that is installed on that device. Malware such as Trojans and keyloggers can capture passwords and send them to a third party without your knowledge. An easy rule of thumb is: if you wouldn’t trust a device to do your internet banking, don’t trust it with your website.

 

Any questions? Feedback? Give us a shout! We’re friendly! Promise!
