3 WordPress Security Tips You Need to Know
Find out how to keep your website protected from hackers with these three essential WordPress security tips.
Published: 29 May 2015
We use HubSpot's COS for an increasing number of projects - it's simply the best option for companies that want to make their B2B website the centre of an inbound marketing strategy that can also be managed through HubSpot. However, WordPress is still the CMS that many of our clients are most familiar with. And, dare we say it, WordPress remains hard to beat in some areas.
A common reason we encounter for building a new site in WordPress is the need to incorporate a specific function, such as an online store or booking/reservation service. The vast range of plugins makes WordPress the obvious choice in these scenarios. But conversely, the large number of available plugins is also one reason that the security of WordPress is sometimes called into question.
Here are three simple WordPress security measures we use with all the sites we design, build and maintain. You can apply them to keep your own sites protected.
1. Only install trusted plugins
We rely on a handful of tried and tested plugins from trusted developers. In addition, we delete the plugins that ship with a standard installation but that we don't use, so that nothing can be hidden in those folders should an exploit be found in them before a patch can be applied. The same goes for any plugin we have previously installed but no longer use.
All our in-house development follows the coding rules and uses the input and output functions documented in the WordPress Codex, so that nothing we've written should inadvertently create access to the site. We sanitise all input in this way to avoid SQL injection attacks, which could either bring the site down or hide pages on the server for link-building purposes.
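The following is an added example, not code from the article or from the agency's own sites: a booking lookup written the careless way beside the same lookup written with WordPress's own sanitisation, escaping and `$wpdb->prepare()` functions. It assumes it runs inside WordPress (so `$wpdb`, `sanitize_text_field()`, `wp_unslash()`, `esc_html()` and `wp_die()` are available); the `bookings` table and the `ref` query parameter are constructed for the illustration.

```php
<?php
/**
 * Added example (not from the original article): a vulnerable lookup beside
 * its hardened form. Assumes it runs inside WordPress. The hypothetical table
 * `{$wpdb->prefix}bookings` and the `ref` parameter are constructed here.
 */

// VULNERABLE: request data is interpolated straight into SQL and echoed
// unescaped. A crafted `ref` value alters the query (SQL injection), and a
// stored value can inject markup into the page (XSS).
function example_booking_lookup_vulnerable() {
    global $wpdb;
    $ref = $_GET['ref'];
    $row = $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}bookings WHERE ref = '$ref'" );
    echo '<p>Booking for ' . $row->customer . '</p>';
}

// HARDENED: sanitise on input, bind the value through prepare() so WordPress
// quotes and escapes it rather than splicing it into the query, and escape on
// output for the HTML context.
function example_booking_lookup_hardened() {
    global $wpdb;

    // Only accept the shape we expect: a booking reference is a short
    // alphanumeric code, so reject anything else before touching the database.
    $ref = isset( $_GET['ref'] ) ? sanitize_text_field( wp_unslash( $_GET['ref'] ) ) : '';
    if ( ! preg_match( '/^[A-Z0-9]{6,12}$/', $ref ) ) {
        wp_die( esc_html__( 'Invalid booking reference.', 'example' ), '', array( 'response' => 400 ) );
    }

    // Use the configured table prefix rather than hard-coding 'wp_', so the
    // code keeps working on sites that have changed the prefix.
    $table = $wpdb->prefix . 'bookings';

    // %s is a placeholder; prepare() handles the quoting and escaping.
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT customer, status FROM {$table} WHERE ref = %s", $ref )
    );

    if ( null === $row ) {
        echo '<p>' . esc_html__( 'No booking found.', 'example' ) . '</p>';
        return;
    }

    // Escape at the point of output, for the context the value lands in.
    printf(
        '<p>Booking for %s (status: %s)</p>',
        esc_html( $row->customer ),
        esc_html( $row->status )
    );
}
```

The hardened version also reads the table prefix from `$wpdb->prefix`, which matters once you follow tip 3 below and move away from the default `wp_`.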
2. Create watertight passwords and login details
In 2013 there was a wave of attacks on WordPress sites via users' login details. This was largely due to a historical weakness: before the release of WordPress 3.0 in 2010, the only administrator username you could choose when first setting up a site was 'admin'. This meant any hacker already had 50% of the required login and could try random passwords in combination with that username. Any weak password would thereby allow access via an administration account, which is basically like handing someone the keys to the entire site.
To protect against this sort of breach, we never use 'admin'; instead we create much longer and more varied usernames. We also use passwords that are 18 characters long and incorporate upper and lower case letters, numbers and punctuation characters. There isn't a supercomputer on the planet that can spin through that many different combinations in a short period of time.
WordPress protects all stored passwords using a one-way method called hashing, whereby extra data - or 'salt' - is added to change the password beyond recognition before it is stored in the database. This effectively renders the data useless to the naked eye (and is the reason you cannot retrieve a password, only reset it, as the journey is one-way).
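To make the salting point concrete, here is an added stand-alone script (not from the article, and not WordPress's own hasher, which is `wp_hash_password()` / `wp_check_password()`). It uses PHP's built-in `password_hash()`, which draws a fresh random salt on every call and stores it inside the returned string, and contrasts it with an unsalted digest. The sample password is constructed.

```php
<?php
// Added example, not from the article: why a salt matters, illustrated with
// PHP's built-in password_hash(). WordPress has its own hashing functions;
// this script only demonstrates the principle described in the text.

$password = 'correct horse battery staple'; // constructed sample password

// Unsalted: the same input always gives the same digest, so two users with
// the same password share a stored value, and a precomputed table of common
// passwords maps straight back to them.
$plain_a = hash( 'sha256', $password );
$plain_b = hash( 'sha256', $password );
echo 'unsalted digests identical: ' . var_export( $plain_a === $plain_b, true ) . "\n";

// Salted: the stored strings differ even though the password is identical...
$salted_a = password_hash( $password, PASSWORD_DEFAULT );
$salted_b = password_hash( $password, PASSWORD_DEFAULT );
echo 'salted hashes identical:    ' . var_export( $salted_a === $salted_b, true ) . "\n";

// ...yet each still verifies, because password_verify() reads the salt back
// out of the stored string and hashes the candidate password the same way.
echo 'first verifies:  ' . var_export( password_verify( $password, $salted_a ), true ) . "\n";
echo 'second verifies: ' . var_export( password_verify( $password, $salted_b ), true ) . "\n";
echo 'wrong password:  ' . var_export( password_verify( 'wrong password', $salted_a ), true ) . "\n";

// Nothing above can turn $salted_a back into $password: the function is
// one-way, which is why a forgotten password can be reset but never retrieved.
```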
We make it even harder for would-be hackers with a lockout mechanism: the number of unsuccessful login attempts a user has made is counted, and once a certain number has been reached they are denied access for a set period of time.
Finally, there is one more layer of WordPress security we apply to passwords. Whenever a user tries to change their password, the strength of the proposed password is automatically reviewed by an additional plugin. If the new password isn't strong enough, it is rejected.
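The lockout counter and the password-strength check described in the two paragraphs above can both be built on WordPress core hooks. The plugin below is an added example, not the article's plugin and not a published one; it uses only core hooks (`wp_login_failed`, `authenticate`, `wp_login`, `user_profile_update_errors`, `validate_password_reset`) and the transients API. The 18-character minimum is the article's figure; the attempt threshold of 5, the 15-minute lockout and the `example_` prefix are assumptions.

```php
<?php
/**
 * Plugin Name: Example Login Hardening
 * Description: Added example (not the article's own plugin). Counts failed
 * logins per username and source address, refuses logins once a threshold is
 * reached, and rejects weak passwords on change. Thresholds other than the
 * 18-character minimum are assumed values.
 */

define( 'EXAMPLE_MAX_ATTEMPTS', 5 );                      // failed logins before lockout (assumed)
define( 'EXAMPLE_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS ); // lockout duration (assumed)
define( 'EXAMPLE_MIN_LENGTH', 18 );                       // the article's password length

// One counter per username + client address, so many guesses at one account
// and many guesses from one address are both counted.
function example_attempt_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_failed_' . md5( strtolower( $username ) . '|' . $ip );
}

// Fires on every failed login (wrong password or unknown user). Attempts made
// while locked out still count, which keeps extending the lockout window.
function example_record_failed_login( $username ) {
    $key      = example_attempt_key( $username );
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, EXAMPLE_LOCKOUT_SECONDS );
    if ( $attempts === EXAMPLE_MAX_ATTEMPTS ) {
        // Leave a trail for the administrators who review the logs.
        $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( sprintf( 'Login lockout for user "%s" from %s after %d failures', $username, $ip, $attempts ) );
    }
}
add_action( 'wp_login_failed', 'example_record_failed_login' );

// Runs after core's own authenticate handlers (priority 20), so a WP_User
// they produced is replaced with an error while the counter is at or above
// the threshold. Core overrides an early WP_Error, hence the late priority.
function example_block_locked_out( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user;
    }
    $attempts = (int) get_transient( example_attempt_key( $username ) );
    if ( $attempts >= EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'example_locked_out',
            __( 'Too many failed login attempts. Please try again later.', 'example' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_block_locked_out', 100, 3 );

// Clear the counter on success so legitimate users are not penalised for old typos.
function example_clear_attempts( $user_login ) {
    delete_transient( example_attempt_key( $user_login ) );
}
add_action( 'wp_login', 'example_clear_attempts' );

// The article's policy: 18+ characters mixing upper case, lower case, digits
// and punctuation. Returns a message describing the problem, or null if OK.
function example_password_problem( $password ) {
    if ( strlen( $password ) < EXAMPLE_MIN_LENGTH ) {
        return sprintf( __( 'Passwords must be at least %d characters long.', 'example' ), EXAMPLE_MIN_LENGTH );
    }
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
        if ( ! preg_match( $re, $password ) ) {
            return __( 'Passwords must mix upper and lower case letters, numbers and punctuation.', 'example' );
        }
    }
    return null;
}

// Both the profile screen and the reset form post the new password as
// 'pass1' and pass a WP_Error collector as the first hook argument, so one
// function serves both hooks: adding an error makes WordPress reject the change.
function example_enforce_policy( $errors ) {
    if ( ! empty( $_POST['pass1'] ) ) {
        $problem = example_password_problem( wp_unslash( $_POST['pass1'] ) );
        if ( null !== $problem ) {
            $errors->add( 'example_weak_password', $problem );
        }
    }
}
add_action( 'user_profile_update_errors', 'example_enforce_policy', 10, 1 );
add_action( 'validate_password_reset', 'example_enforce_policy', 10, 1 );
```

Keying the counter on the client address means a site behind a reverse proxy needs `REMOTE_ADDR` to carry the real client address, otherwise every visitor shares one counter; that is a deployment detail this example does not handle.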
3. Stay up to date and vigilant
Keeping a close eye on your WordPress sites is really the best way to keep them secure. We employ a monitoring plugin that constantly sweeps the files on a WordPress site, looking for any changes in the code since the last time it read the files. Anything suspicious prompts an immediate alert to the administrators, so they can decide whether the change is a result of their own activities or something unauthorised.
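As an added illustration of the sweep described above (this is not the monitoring plugin the article refers to, and not a WordPress plugin at all), the stand-alone command-line script below records a SHA-256 digest of every file under the site root and, on later runs, reports files that were added, removed or modified. The site root, the baseline path and the ignored directories are assumptions; the baseline belongs outside the web root and ideally off the host, since anyone who can alter the site files could otherwise alter the baseline too.

```php
<?php
// Added example (not the article's plugin): a minimal file-change sweep.
// Usage:  php monitor.php /var/www/html baseline   (record current state)
//         php monitor.php /var/www/html check      (report changes since then)
// Paths and ignore list below are assumptions for the example.

$root     = isset( $argv[1] ) ? rtrim( $argv[1], '/' ) : '/var/www/html';   // site root (assumed)
$mode     = isset( $argv[2] ) ? $argv[2] : 'check';
$baseline = '/var/lib/example-monitor/baseline.json';                        // outside the web root (assumed)

// Directories that change legitimately all the time and would only cause noise.
$ignore = array( 'wp-content/cache', 'wp-content/uploads' );

// Walk the tree and hash every regular file, keyed by path relative to $root.
function example_snapshot( $root, array $ignore ) {
    $hashes = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $rel = substr( $file->getPathname(), strlen( $root ) + 1 );
        foreach ( $ignore as $prefix ) {
            if ( 0 === strpos( $rel, $prefix ) ) {
                continue 2; // skip this file, carry on with the next one
            }
        }
        $hashes[ $rel ] = hash_file( 'sha256', $file->getPathname() );
    }
    ksort( $hashes );
    return $hashes;
}

// Compare two snapshots and return the added, removed and modified paths.
function example_diff( array $old, array $new ) {
    $added = $removed = $modified = array();
    foreach ( $new as $path => $hash ) {
        if ( ! isset( $old[ $path ] ) ) {
            $added[] = $path;
        } elseif ( $old[ $path ] !== $hash ) {
            $modified[] = $path;
        }
    }
    foreach ( $old as $path => $hash ) {
        if ( ! isset( $new[ $path ] ) ) {
            $removed[] = $path;
        }
    }
    return array( 'added' => $added, 'removed' => $removed, 'modified' => $modified );
}

$current = example_snapshot( $root, $ignore );

if ( 'baseline' === $mode ) {
    if ( ! is_dir( dirname( $baseline ) ) ) {
        mkdir( dirname( $baseline ), 0700, true );
    }
    file_put_contents( $baseline, json_encode( $current ) );
    echo count( $current ) . " files recorded in baseline\n";
    exit( 0 );
}

if ( ! is_file( $baseline ) ) {
    fwrite( STDERR, "No baseline found; run with 'baseline' first.\n" );
    exit( 2 );
}

$diff    = example_diff( json_decode( file_get_contents( $baseline ), true ), $current );
$changes = 0;
foreach ( $diff as $kind => $paths ) {
    foreach ( $paths as $path ) {
        echo strtoupper( $kind ) . "\t" . $path . "\n";
        $changes++;
    }
}

// A non-zero exit lets cron or a monitoring job raise the alert to the administrators,
// who then decide whether the change was theirs (an update) or something unauthorised.
exit( $changes > 0 ? 1 : 0 );
```

After a legitimate core or plugin update, rerun the script in `baseline` mode so the new state becomes the reference.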
Sometimes users forget to make simple changes that can greatly improve WordPress security. For example, one default setting that has been exploited is the naming convention of the tables in the database. A default installation gives them all the prefix 'wp_', but a simple and often overlooked option is to change it to something unique. This renders most attackers' scripts useless, because they cannot write code that affects the database tables without knowing the prefix.
We believe these three measures are the key to WordPress security. Along with our hosting company, we take regular snapshot backups of all the WordPress sites we work on. This is a precautionary measure should the worst happen and we have to restore a site, but that is yet to happen and I strongly believe it is due to our focus on working with trusted plugins, strong password procedures and overall vigilance.