When WordPress security comes up, the discussion usually turns to external resources. Hardening WordPress has to start with the install and with the administrator of the website. Websites are no longer like sheets of paper. They are dynamic. And like any software that needs protecting, they must be updated. Here we are looking at 5 simple ways to secure your WordPress website.
Don’t use “Admin” as your username
Hosting platforms that are not “Managed WordPress Hosting” include some defaults, such as a default user called “admin.” With recent versions of WordPress the installation process has improved: the user picks their own username at the start. Still, a new user can end up creating the name “admin” or “administrator.”
No matter the urge you have, don’t do this. When a hacker wants to crack into a website, it’s the first thing they look for. They know that less savvy users will create such an account to log in with.
Pick a strong password
A new installation also comes with WordPress’ password generator. It’s designed to avoid the typical passwords, like your dog’s name or your first crush. Gone are the days of using passwords without numbers, symbols and letters. Passphrases are OK, but with a little extra digging into your Facebook profile the answer can be discovered. The best solution is two-step authentication, or using a password service to manage your passwords, since password generators are completely random on purpose.
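To show why a generated password beats one built from a fact about you, here is an added example (not code from the original post, and not WordPress’ own generator) that uses PHP’s CSPRNG-backed random_int() to build a random password and a word-based passphrase, and reports how many bits of entropy each one carries. The eight-entry word list is a constructed stand-in; a real list such as the EFF long list has 7776 entries, and the 10,000-name pet-name pool is an assumed figure for the comparison.

```php
<?php
// Added example (not from the original post): random password and passphrase
// generation with entropy estimates. random_int() draws from the OS CSPRNG.

const SYMBOLS = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+[]{};:,.?';

// Constructed stand-in word list; a real one (e.g. EFF long list) has 7776 words.
const WORDS = array( 'amber', 'basalt', 'cobalt', 'dune', 'ember', 'fjord', 'granite', 'harbor' );

/** Bits of entropy for $length independent uniform draws from a pool of $poolSize. */
function entropy_bits( int $poolSize, int $length ): float {
    return $length * log( $poolSize, 2 );
}

/** Random character password: each position is an independent uniform draw. */
function random_password( int $length = 20 ): string {
    $pool = SYMBOLS;
    $max  = strlen( $pool ) - 1;
    $out  = '';
    for ( $i = 0; $i < $length; $i++ ) {
        $out .= $pool[ random_int( 0, $max ) ];
    }
    return $out;
}

/** Diceware-style passphrase: $count random words joined with $sep. */
function random_passphrase( array $words, int $count = 5, string $sep = '-' ): string {
    $picked = array();
    for ( $i = 0; $i < $count; $i++ ) {
        $picked[] = $words[ random_int( 0, count( $words ) - 1 ) ];
    }
    return implode( $sep, $picked );
}

printf( "%s  (%.1f bits)\n", random_password( 20 ), entropy_bits( strlen( SYMBOLS ), 20 ) );

printf(
    "%s  (%.1f bits with this %d-word list; %.1f bits with a 7776-word list)\n",
    random_passphrase( WORDS, 5 ),
    entropy_bits( count( WORDS ), 5 ),
    count( WORDS ),
    entropy_bits( 7776, 5 )
);

// Contrast: a "favourite thing" is one draw from a guessable pool (assumed
// 10,000 pet names here), so even with a digit tacked on it stays under 17 bits.
printf( "pet name + digit: %.1f bits\n", entropy_bits( 10000, 1 ) + entropy_bits( 10, 1 ) );
```

Run it with `php generate.php`. The point is the middle line: a five-word passphrase is only strong when the words are chosen at random from a large list, not when they are things a stranger could read off your profile.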
Don’t set the default role for new users to anything but “subscriber”
I’ve actually debated whether to include this one, until we started migrating a few sites this year. I found several of the websites with the default setting set to “administrator,” not the “subscriber” user level. When creating users to log in to your website, you have 5 access levels by default. Here they are in order of authority, along with what they do:
Administrator: Nothing is off limits. A user with this level of access is granted to all the sensitive places on a WordPress website.
Editor: A user can create, edit, publish, and delete any post or page. As well as moderate comments and manage categories, tags, and links.
Author: Can create, edit, publish, and delete only their own posts, as well as upload files and images. Authors cannot change or create pages and can edit comments made on their posts.
Contributor: A Contributor can create and edit only their own posts, but cannot publish them.
Subscriber: These users have zero editing ability. They are people who have signed up to receive updates each time you publish a new post.
So you can see from the list above that the default should always be “subscriber.” And if you are managing a team at your business, don’t assign everyone as “administrator.”
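Both of the points above (no “admin” account, and “subscriber” as the default role) can be enforced in code rather than left to whoever fills in the form next. The following is an added example, not code from the original post or from WordPress itself; it is a small must-use plugin that relies on three real WordPress hooks: the illegal_user_logins filter that wp_insert_user() consults, the pre_option_default_role filter that short-circuits the “New User Default Role” setting, and the admin_notices action. The list of blocked names is my own choice.

```php
<?php
/**
 * Plugin Name: Hardening: login names and default role
 * Description: Added example (not from the original post). Save as
 *              wp-content/mu-plugins/hardening-users.php; mu-plugins load automatically.
 */

// Reject the well-known account names the post warns against. WordPress core
// checks this filter inside wp_insert_user(), so the dashboard "Add New User"
// form, open registration, and WP-CLI all get the same refusal.
add_filter( 'illegal_user_logins', function ( array $logins ) {
    return array_merge( $logins, array( 'admin', 'administrator', 'root' ) ); // chosen list
} );

// Pin the "New User Default Role" setting to subscriber. A pre_option_* filter
// that returns a non-false value short-circuits the option read, so a changed
// row in wp_options or a mis-set dropdown under Settings > General cannot win.
add_filter( 'pre_option_default_role', function () {
    return 'subscriber';
} );

// Surface any pre-existing "admin" account to administrators so it can be
// replaced: create a uniquely named administrator, log in as that user,
// delete the old account and attribute its content to the new one.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    foreach ( array( 'admin', 'administrator' ) as $login ) {
        if ( username_exists( $login ) ) {
            printf(
                '<div class="notice notice-warning"><p>%s</p></div>',
                esc_html( sprintf( 'A user account named "%s" exists; replace it with a uniquely named administrator.', $login ) )
            );
        }
    }
} );
```

Note that WordPress does not let you rename a username from the profile screen, which is why the notice describes replacing the account rather than editing it. The default-role filter only affects accounts created from now on; existing users keep whatever role they were given, so a quick look at Users > All Users filtered by Administrator is still worth doing after installing this.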
Keep your plugins and WordPress version updated
The biggest security issue caused by website owners is neglecting to keep WordPress updated. We cannot stress enough how important this is. It’s a must for maintaining the stability and reliability of your website. I’ve written a ton of articles about why and how to do this if you’d like to read further:
Delete any plugins and themes you are not using
When consulting about WordPress, what usually comes up is maintenance and plugins. I’m thrilled to see users inquire about this. It gives me an opportunity to clear up misunderstandings and myths about plugins.
Plugins are what extend the functionality of WordPress. If you would like to read more, I’ve written about them in another article. For this section I plan to focus on plugins and why you shouldn’t install every plugin or theme you come across.
There are approximately 49,242 plugins totaling 1,594,416,640 downloads, so it can be daunting to find a good one. WordPress does a few things to help users decide which plugin is best, right on each plugin’s detail page: it shows you download counts, star rating, user reviews and the author. These matter when deciding, just as they would on Amazon when you’re working out the best buy.
But after you install the plugin (or theme) and find that you don’t need it, you should delete it. Old plugins that you’re not keeping updated, though inactive, can still be a problem. Inactive plugins make it hard to troubleshoot conflicts, and they pose a security risk if they’re not updated.
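The two maintenance points from this section and the previous one, keeping everything updated and getting rid of what you don’t use, can also be backed up in code. Here is an added example, not code from the original post or from WordPress; it is a must-use plugin that opts every plugin and theme into WordPress’ background updater through the real auto_update_plugin and auto_update_theme filters, and adds a notice on the Plugins screen listing whatever is installed but inactive, using get_plugins() and is_plugin_active() from wp-admin. The file name and the wording of the notice are my own.

```php
<?php
/**
 * Plugin Name: Hardening: keep code current, flag dead weight
 * Description: Added example (not from the original post). Save as
 *              wp-content/mu-plugins/hardening-updates.php.
 */

// Opt every installed plugin and theme into the background updater. Core already
// applies minor and security releases on its own; the WP_AUTO_UPDATE_CORE
// constant in wp-config.php controls whether major core releases are included.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// On the Plugins screen, list plugins that are installed but inactive so they
// get deleted instead of sitting on disk unpatched.
add_action( 'admin_notices', function () {
    $screen = get_current_screen();
    if ( ! $screen || 'plugins' !== $screen->id || ! current_user_can( 'delete_plugins' ) ) {
        return;
    }
    // get_plugins() and is_plugin_active() are defined in wp-admin, not wp-includes.
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }

    $inactive = array();
    foreach ( get_plugins() as $plugin_file => $data ) {
        if ( ! is_plugin_active( $plugin_file ) ) {
            $inactive[] = $data['Name'];
        }
    }

    if ( $inactive ) {
        printf(
            '<div class="notice notice-warning"><p>%s</p></div>',
            esc_html( 'Inactive plugins still on disk (delete what you do not use): ' . implode( ', ', $inactive ) )
        );
    }
} );
```

Automatic updates reduce the window between a plugin fix being published and your site running it, but they do not replace reading the changelog for the handful of plugins your site depends on, so keep a backup and check the site after an update lands. The same housekeeping applies to themes: anything returned by wp_get_themes() other than the active theme and its parent is a candidate for deletion.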
You can check out housekeeping tips on WordPress.org at: