WordPress Security: The Ultimate 32-Step Checklist
Back when I was starting out as a web designer and developer, my biggest problem was getting stuff to work the way I wanted it to.
I was concerned more about getting things (mostly) working as I expected them to be. Getting things to look snazzy was usually one of my primary goals when finishing a website
WordPress security was the least of my concerns. Hacking was something I read about, not something I expected to happen to me. SQL injection, cross-site scripting, elevation of privileges and critical security vulnerabilities were just buzzwords in tech news.
But one day, securing my sites suddenly got very important, very quickly when my Facebook feed told me there was a critical vulnerability in WordPress, which was actively being exploited. When I next tried to log in to my site, my credentials were not accepted.
Most of my sites had been compromised by the vulnerability.
I got lucky, though. I had taken one inadvertent precaution, which saved my sites from being fully exploited – I had renamed my admin username – and despite the fact the vulnerability had been exploited on my site, the hackers could not log in. I was using a complex administrator username rather than the default “admin” username the hackers were expecting.
Today I know different.
WordPress security is fundamental: Every WordPress website needs to be fully secured and hardened.
Why Would a Hacker Be Interested In My Site?
Before actually diving deeply into securing your website and all of the steps you need to take to stop WordPress getting hacked, it’s crucial to understand the logistics and the reasoning behind a website hack.
It’s understandable that you might wonder:
"Why would a hacker be interested in my website? It’s just the website of my local business, seen by a few hundred people at most. What are they going to get out of it?”
There are many reasons why a hacker would be interested in your “small” website.
Although some hacking is done for political reasons (defacing of websites to send particular political messages, for example), these types of hacks are typically very localized and not as popular as the mainstream media would make them out to be.
Most hacking attacks happen for more devious reasons.
These days, hacking is part of a ring of criminality whose ultimate aim is to make money through fraudulent means. Typically, after a website is hacked it becomes a middle-man for the distribution of malicious software. Most times, the website owner is oblivious of all of this.
There are frameworks which are bought and sold in the online black market, making it dead-easy to distribute malware through hacked websites.
In essence, your website could become an involved party in criminal activity!
Besides that, there are other negative implications:
Your site could be used as a spamming proxy
A website that is hacked and defaced would most likely result in tarnishing of a brand’s reputation. That’s besides serious embarrassment
Hacked sites typically overwhelm their hosting server, resulting in the closure of the site. This will typically result in loss of business
The costs of recovering a hacked website can vary from very little (if you have a website backup) to a full redevelopment if your data is deleted/lost with no chance of recovery
Do you think your site is so small nobody will attack it? Think again.
Using the following WordPress security checklist will go a long way towards making your WordPress site hacker-proof.
How Does a Hacker Find My Site?
You might falsely assume that in the millions of websites available online, the likelihood of a hacker finding and targeting your site is extremely remote. After all, your site is only a drop in an ocean of websites, right?
You’re horribly wrong.
Hackers don’t do this work manually. They employ minions to do their dirty work.
Well, not really minions – they’re actually (ro)bots, or programs whose sole purpose is to seek out vulnerable websites.
These programs or scripts are typically run on cloud servers, where they can be setup and destroyed at will leaving little to no traces. The scripts employ means to discover hundreds if not thousands of websites per hour.
The fact that the scripts are bought very cheaply and run on cheap cloud hosting servers make the “investment” worthwhile. These scripts are commonly bought and sold on dodgy marketing forums.
Once a site is found, it is probed for thousands of known vulnerabilities. If your WordPress site has not been fully secured, the likelihood of the site emerging unscathed is absolutely minimal.
Vulnerabilities are continuously being discovered in WordPress and its plugins. That’s why securing WordPress is critical to the health of your website.
Securing WordPress: A 32-Step Checklist
With all of the above scary stuff in mind, I want to make sure that you’re armed with all the knowledge you can get to fully secure your WordPress website.
Here’s a checklist of ALL the things you should be doing to secure your WordPress sites.
This checklist is split into two: The first part includes measures absolutely everybody should be doing – mostly basics stuff, like having strong passwords. The second part goes into advanced measures for WordPress security for those who are really paranoid about security. This is for admins who want to lock the door, put a chain around the door, and put a padlock on it. And then a padlock on the padlock.
Part 1: The Steps Everybody Should Take to Secure Their WordPress Website
ALWAYS Keep Your Version of WordPress Up-To-Date
Don’t Change WordPress Core
Make Sure All Your Plugins Are Updated
Remove Any Inactive or Unused Plugins
Make Sure All Themes Are Kept Updated
Install Themes, Plugins and Scripts ONLY From Their Official Source
Choose a Secure WordPress Hosting Service
Make Sure Your Site is Running the Latest Version of PHP
Change the Admin Username
Always Use Strong Passwords
Don’t Reuse Passwords
Protect Your Password(s) By Avoiding Plain-Text Password Transmission
Only Update Your Site From Trusted Networks
Use a Local Anti-Virus
Enable Google Search Console
Secure WordPress With a Bulletproof WordPress Security Plugin
If All Else Fails, Restore From Backup
Part 2: Securing a WordPress Website for Security Freaks
Well, not really security freaks, per se.
Although these are slightly more advanced WordPress security tips, you typically only need to know how to install a plugin, tweak a few files here and there and in general be ready for the possibility to break stuff. Be ready to revert with backups if that happens.
Limit Login Attempts
Enable Two-Factor Authentication
Ensure File Permissions Are Correct
Change the Default Table Prefix
Ensure You’ve Set WordPress Secret Authentication Keys
Disable PHP Execution
Segregate Your WordPress Databases
Restrict Database User Privileges
Disable File Editing
Secure Your wp-config.php File
Disable XML-RPC (If You Aren’t Using It)
Disable PHP Error Reporting
Install a Firewall
Use a Content Delivery Network Firewall
Monitor Your WordPress Security With Security Logging
READY TO GET STARTED?
Ready to see how funnels can help your business grow? Contact us today!