WordPress powers a very large share of the websites online around the world. This makes it an attractive target for attackers: a single vulnerability in WordPress core or in a widely used plugin can be exploited against many websites at once, and automated scanners look for exactly that. Namecheap prepared this guide to help you understand the risks and threats and to explain how you can defend against them. We are reposting it for the readers of our blog.
Choose a custom username and strong password
The default WordPress username is “admin”, and every attacker knows it, so brute-force scripts try that name first. A username cannot be changed from the WordPress admin area once the account exists: you would have to edit the users table in the database (for example via phpMyAdmin) or create a new administrator account and delete the old one. It is therefore important to choose an uncommon username when installing WordPress. If you are using Softaculous to install WordPress, you can specify the username on the installation setup screen.
A strong password is equally important for the basic security of your WordPress site. Choose a long password that mixes letters, numbers and symbols and is not based on a dictionary word; appending a year or swapping letters for look-alike digits does not turn a dictionary word into a strong password. Worried about how you might remember it? We suggest using RoboForm or LastPass to securely store all your passwords, which also lets you use a different random password for every site.
Do not use the same username and password as your hosting account or any other installed web application: a password reused across services is only as safe as the weakest of them.
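As an added illustration (not part of Namecheap's original guide), the following Python script applies the password rules above: a minimum length, several character classes, no dictionary word even after the usual letter-for-digit substitutions, and no username inside the password. It also generates a random password from the operating system's secure random source. The word list and the sample passwords are constructed for the example; a real check would load a large dictionary and a list of leaked passwords. The General Security Tips at the end of this guide repeat the same rules, and this example covers them too.

```python
import math
import re
import secrets
import string

# Constructed word list for the example; a real check loads a large dictionary
# (e.g. /usr/share/dict/words) plus a list of leaked passwords.
DICTIONARY = {"password", "admin", "wordpress", "welcome", "letmein",
              "qwerty", "summer", "monkey", "dragon"}

# Letter-for-symbol substitutions people use to dress up a dictionary word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Characters the generator draws from: 52 letters, 10 digits, 12 symbols.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"

MIN_LENGTH = 12


def normalise(password: str) -> str:
    """Undo leet-speak and drop digits/symbols, so 'P@ssw0rd2013!' becomes 'passwordoiei'."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def check_password(password: str, username: str = "", dictionary=DICTIONARY) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password))
    if sum(classes) < 3:
        problems.append("uses fewer than 3 character classes")
    core = normalise(password)
    # Exact match catches short words; the substring test catches 'password' inside 'passwordoiei'.
    if core in dictionary or any(w in core for w in dictionary if len(w) >= 5):
        problems.append("based on a dictionary word")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Bits of entropy of a uniformly random password of this length over the alphabet."""
    return length * math.log2(len(alphabet))


def generate_password(length: int = 20) -> str:
    """Draw a random password from the OS CSPRNG, retrying until it satisfies check_password()."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample passwords for the demonstration.
    for pw in ("P@ssw0rd2013!", "jsmith-Rocks-2014", "Abc123!"):
        print(pw, "->", check_password(pw, username="jsmith") or "ok")
    new = generate_password()
    print("generated:", new, "(about %.0f bits)" % entropy_bits(len(new)))
```

A 20-character password drawn from this 74-character alphabet carries roughly 124 bits of entropy, far beyond what any online or offline guessing attack can cover; the point of the leet-speak normalisation is that “P@ssw0rd2013!” ticks every character-class box and still fails, because it is the word “password” with decorations.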
Perform updates regularly
Update your WordPress installation regularly. We suggest that you check for updates at least once a week, as WordPress developers frequently release new versions and patches to close security holes, often ones that attackers are already exploiting. Plugins and themes need the same treatment, since they are the most common way into a WordPress site. You can update WordPress from the admin area, or directly from within Softaculous. Please find a step-by-step tutorial here.
Back up regularly
Back up your WordPress blog regularly. If your site is hacked, you can then quickly and easily roll back to a known-good copy. Keep several generations of backups and store them somewhere other than the web server itself: a backup taken after the compromise may already contain the attacker's changes, and one stored on the hacked server can be deleted along with the site. At Namecheap, we have two backup options available for you.
Recommended backups – CodeGuard
Our partnership with CodeGuard gives you an easy point-and-click way of backing up WordPress. CodeGuard backs up your entire account, monitors it for changes and alerts you if it notices anything untoward, which also tells you when files were modified and which backup still predates the change. Namecheap customers get a significant discount on CodeGuard subscription services. To help you get acquainted with this service, we have created the guide How to backup WordPress site Using CodeGuard.
Alternative method – Softaculous backup
Softaculous also has a backup option. See the “Backup or Delete WordPress with Softaculous” section of our How to Install WordPress using Softaculous article to learn how to use it.
Use themes and plugins developed by officially recommended suppliers
Many themes and plugins are available for WordPress offering a variety of options and opportunities for your website. Here are our recommendations on which themes and plugins you should choose.
Free Themes – important note
If you wish to use free themes, we suggest you install only those you can find through your WordPress admin area at Appearance >> Install Themes. These are reviewed by the WordPress.org theme review team before they are listed, which weeds out obviously malicious code; it does not guarantee that a theme is free of vulnerabilities, so keep themes updated like everything else. We do not recommend downloading free themes from third-party, unverified websites: “nulled” copies of commercial themes and themes from download mirrors frequently ship with hidden spam links, backdoors or obfuscated code, and you cannot be 100% sure a theme is “clean” without reading all of its code.
Free Plugins – important note
We strongly recommend that you only use free plugins that are rated highly and have been recently released or updated. WordPress shows the star rating and the date of the last update for any plugin in the WP Admin area when you open the plugin's details. A high number of downloads and an excellent star rating mean the plugin is used and liked by many other WordPress users, and recent updates show that the developers are committed to maintaining it; neither proves the code is free of vulnerabilities, so install only the plugins you actually need. Delete plugins you no longer use rather than merely deactivating them: a deactivated plugin's files stay on the server and can still be requested directly by an attacker.
Paid Themes and Plugins
The following sites offer paid themes and plugins and are reputable:
We recommend that you download and enable the following security plugins. They help keep your WordPress website secure:
This WordPress plugin inspects incoming web requests with simple, WordPress-specific heuristics to identify and stop the most obvious attacks, such as directory traversal or SQL injection strings in a URL.
1. You can choose which kinds of request the firewall blocks.
2. Here, an email address can be specified to receive warnings and notifications from the plugin.
3. With this option, you can whitelist trusted IP addresses, such as the address you administer the site from, so that your own work is never blocked.
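To make concrete what “WordPress-specific heuristics” look like, here is an added example (our own illustration, not the plugin's code) that runs a few such rules over sample web-server log lines in Apache combined format: direct requests for wp-config.php or .htaccess, PHP files executed from the uploads directory, SQL injection and directory traversal strings in the URL, and repeated POSTs to wp-login.php or xmlrpc.php from one address. Trusted addresses are skipped, as with the whitelist option above. The log lines and IP addresses are constructed for the example and use documentation address ranges.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" log format: ip ident user [time] "METHOD target HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Files no ordinary visitor requests: a direct hit is a probe or an attempt to read secrets.
PROTECTED_PATHS = ("/wp-config.php", "/.htaccess", "/wp-content/debug.log")

# Payload patterns matched against the URL-decoded request target.
INJECTION_PATTERNS = (
    ("sql injection", re.compile(r"union\s+select|sleep\s*\(|benchmark\s*\(|'\s*or\s+\d+\s*=\s*\d+", re.I)),
    ("cross-site scripting", re.compile(r"<script|javascript:|onerror\s*=", re.I)),
    ("directory traversal", re.compile(r"\.\./|\.\.\\")),
)

# Endpoints that attackers hammer with password guesses.
LOGIN_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")


def classify(target: str):
    """Return the name of the rule a single request trips, or None if it looks harmless."""
    decoded = unquote_plus(unquote_plus(target))  # decode twice to catch %252e%252e tricks
    path = decoded.split("?", 1)[0]
    if path in PROTECTED_PATHS:
        return "protected file access"
    # WordPress never needs to run PHP out of the uploads directory; a .php there is a web shell.
    if path.startswith("/wp-content/uploads/") and path.lower().endswith(".php"):
        return "php execution in uploads"
    for name, pattern in INJECTION_PATTERNS:
        if pattern.search(decoded):
            return name
    return None


def analyse(log_lines, trusted_ips=(), login_threshold=5):
    """Run the heuristics over log lines and return a list of (ip, rule, detail) alerts."""
    alerts = []
    login_posts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        ip, method, target = m["ip"], m["method"], m["target"]
        if ip in trusted_ips:
            continue  # whitelisted administrator address: never block, never count
        rule = classify(target)
        if rule:
            alerts.append((ip, rule, target))
        path = target.split("?", 1)[0]
        if method == "POST" and path in LOGIN_ENDPOINTS:
            login_posts[(ip, path)] += 1
    # Repeated login POSTs from one address are a brute-force run. A real firewall would
    # also bound the count by a time window; this example counts over the whole input.
    for (ip, path), count in login_posts.items():
        if count >= login_threshold:
            alerts.append((ip, "brute force", "%d POSTs to %s" % (count, path)))
    return alerts


def ips_to_block(alerts):
    """Distinct offending addresses: the list a firewall would deny."""
    return sorted({ip for ip, _, _ in alerts})


# Constructed log lines for the example (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "curl/7.30"
203.0.113.7 - - [10/Oct/2013:13:55:37 +0000] "GET /?s=%27%20or%201%3D1--%20 HTTP/1.1" 200 5120 "-" "curl/7.30"
198.51.100.4 - - [10/Oct/2013:13:56:01 +0000] "GET /index.php?p=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 200 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2013:13:56:02 +0000] "GET /wp-content/uploads/2013/10/shell.php?cmd=id HTTP/1.1" 200 41 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2013:13:57:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2013:13:57:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2013:13:57:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2013:13:57:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2013:13:57:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2013:13:57:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2013:13:58:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2013:13:58:09 +0000] "GET /wp-content/uploads/2013/10/photo.jpg HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    alerts = analyse(SAMPLE_LOG.splitlines(), trusted_ips={"10.0.0.5"})
    for alert in alerts:
        print(alert)
    print("block:", ips_to_block(alerts))
```

Note the double URL-decoding in classify(): a plugin that decodes only once misses `%252e%252e%252f`, which the web server or PHP may decode a second time before the path is used. The whitelist matters for the same reason the brute-force rule does: an administrator who mistypes a password a few times looks exactly like a guessing script.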
BulletProof Security uses .htaccess files, which are specific to the Apache web server: they only take effect if the host allows overrides, and a server such as nginx ignores them entirely, so check what your hosting runs before relying on them. The BulletProof Security WordPress plugin is designed to be a fast, simple, one-click way to add .htaccess protection to your WordPress website.
There are many options available in the BulletProof Security plugin; you can find details under its “Read Me” option. The main one we are going to use is .htaccess protection, which is enabled with the “BulletProof Mode” radio button for each .htaccess file the plugin manages.
As most WordPress attacks result from plugin vulnerabilities, weak passwords and outdated software, Better WP Security hides the places where those weaknesses show (for example, the WordPress version your pages advertise), preventing an attacker from learning too much about your site and keeping them away from sensitive areas such as the login and admin pages.
Many different security options are available in this plugin, but you can simply enable basic protection using “Secure My Site From Basic Attacks” (1) or enable each option you need individually (2).
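To see what an attacker can learn from an unhardened site, here is an added example (not part of the original guide or of the plugin) that scans a constructed WordPress front page for the usual fingerprinting leaks: the generator meta tag, the ?ver= parameters WordPress appends to scripts and stylesheets, theme and plugin slugs in asset paths, the advertised xmlrpc.php endpoint, and ?author= links that reveal user IDs. The HTML is constructed for the example, and the plugin slug “example-slider” is a placeholder, not a real plugin.

```python
import re

# Constructed front page of an unhardened WordPress site; "example-slider" is a placeholder slug.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 3.5.1" />
<link rel="stylesheet" href="http://example.com/wp-content/themes/twentytwelve/style.css?ver=3.5.1" type="text/css" />
<link rel="stylesheet" href="http://example.com/wp-content/plugins/example-slider/css/slider.css?ver=2.1.0" type="text/css" />
<script type="text/javascript" src="http://example.com/wp-includes/js/jquery/jquery.js?ver=1.8.3"></script>
<link rel="EditURI" type="application/rsd+xml" href="http://example.com/xmlrpc.php?rsd" />
</head><body>
<a href="http://example.com/?author=1">admin</a>
<a href="http://example.com/wp-login.php">Log in</a>
</body></html>
"""


def fingerprint(html: str) -> dict:
    """Collect what a page reveals about the WordPress installation behind it."""
    info = {}
    m = re.search(r'<meta name="generator" content="WordPress ([\d.]+)"', html)
    info["version"] = m.group(1) if m else None
    # WordPress appends its own version as ?ver= to theme assets that declare none,
    # so the number survives even when the generator tag is removed.
    info["asset_versions"] = sorted(set(re.findall(r'\?ver=([\d.]+)', html)))
    m = re.search(r'/wp-content/themes/([^/"\'?]+)/', html)
    info["theme"] = m.group(1) if m else None
    # Plugin slugs let an attacker look up known vulnerabilities for exactly what you run.
    info["plugins"] = sorted(set(re.findall(r'/wp-content/plugins/([^/"\'?]+)/', html)))
    info["xmlrpc_advertised"] = "xmlrpc.php" in html
    info["login_url_exposed"] = "wp-login.php" in html
    # ?author=N links map numeric IDs to usernames, the first half of a password-guessing run.
    info["author_ids"] = sorted(set(re.findall(r'[?&]author=(\d+)', html)))
    return info


def exposure_score(info: dict) -> int:
    """Count the independent ways the page helps an attacker target the site (0 to 5)."""
    return sum([
        info["version"] is not None,
        bool(info["asset_versions"]),
        bool(info["plugins"]),
        info["xmlrpc_advertised"],
        bool(info["author_ids"]),
    ])


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_HTML)
    for key, value in fp.items():
        print("%-18s %s" % (key, value))
    print("exposure score:", exposure_score(fp), "of 5")
```

Hiding these signals makes automated targeting harder, but it does not remove the vulnerability in an outdated plugin; the scanner simply has to try the exploit blind. Treat this kind of hardening as a complement to the updates section above, not a substitute for it.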
We also recommend the following top-rated cache plugins to optimize the performance of your blog. Serving cached pages also helps a site stay up under a traffic surge or a crude denial-of-service attempt, because each request no longer runs PHP and queries the database.
W3 Total Cache improves the user experience of your site by improving your server performance, caching every aspect of your site, reducing the download times and providing transparent content delivery network (CDN) integration.
This plugin generates static HTML files from your dynamic WordPress blog. Once an HTML file has been generated, your web server serves that file instead of processing the comparatively heavier and more expensive WordPress PHP scripts.
General Security Tips
Always connect securely to your website. When logging in from your web browser, use an https:// connection, so that your password and session cookie are not sent in the clear over whatever network you happen to be on. You can easily install one of our SSL certificates to encrypt data between your PC/Mac and your website. Some hosting accounts include a free SSL certificate, or you can purchase one separately on our SSL Products Page. Prices start at $7.95 per year.
Use FTP securely too. Use FTPS (or SFTP, if your hosting account offers it) instead of plain FTP when uploading: plain FTP sends your login and everything you upload unencrypted. Our FTP-related articles show how to set up secure and non-secure connections in the most popular FTP clients.
Enable CloudFlare. CloudFlare is a CDN (Content Delivery Network) that improves the performance of your blog by serving it from CDN nodes around the world. CloudFlare also filters known-bad traffic before it reaches your server as part of the service. Note that once your site is behind CloudFlare, your server sees CloudFlare's addresses as the connecting IP, so any IP-based whitelisting or blocking on your server (such as in the firewall plugin above) must use the visitor address that CloudFlare forwards in its request headers.
Namecheap customers can use CloudFlare’s entry level service free of charge. Paid upgrades are available for CloudFlare’s larger service plans. Click the CloudFlare icon in cPanel for more details.
Change your passwords regularly and keep them secure. Never use a dictionary word, and always use a combination of capital letters, lower-case letters, numbers and symbols.
The tips above do not guarantee that your WordPress website is 100% secure, but they drastically reduce the chances of your installation being defaced, hacked or abused.