Learning Objectives
Level: beginners
Target: anyone using WordPress as the CMS for their websites
In this How to Create A Website: Building A Secure WordPress Website tutorial, you will learn all the essential action steps to make your website secure after the WordPress website software has been installed on your web hosting account with the 1-click WordPress installation wizard.
If you don’t currently have a website, you are advised to take a look at the How to Create A Website Guide and follow its steps to create your first ever website within one hour. Don’t worry: if you know how to use a browser (e.g. Internet Explorer, Chrome, Firefox or Safari) to browse a website, as you are doing right now, you will be able to create your own website by following this guide, because the How to Create A Website Guide is written in everyday English and is jargon free.
How to Create A Website With Security in Mind
What is Website Security and Why is Security Essential?
Website security is concerned with allowing only authorized access to your website while identifying and blocking unauthorized access that might bring about harmful changes or leakage of information. In short, website security allows you, as the website owner / developer, to ensure that the website stays under your control.
Website security should be a top priority for you as a website owner/developer because:
- You don’t want others to gain access to your sensitive data or information;
- You don’t want your website deleted or altered all of a sudden;
- You don’t want your website to spread viruses to your visitors without their knowledge;
- You don’t want search engines to blacklist your website as compromised and stop sending visitors to you;
- You don’t want hackers to control your server to carry out cybercrime.
But as is often said, the only 100% secure website is one that is offline. Once you have created your website and made it available online, you will be exposed to security hazards. Read on to learn the tips and tricks to make your WordPress website as secure as possible.
Why isn’t WordPress Secure Out-of-the-box?
- As WordPress is open source and can be downloaded by anyone and installed on any compatible server, the security of the installation environment cannot be guaranteed.
- The security knowledge of the web developers and/or the website owners is also not guaranteed, as WordPress is easy to learn but difficult to master, especially where security is concerned. One wrong setting may jeopardize the website.
- Another reason has to do with flexibility. WordPress, being the most popular content management system (CMS, also called website software by newbies), needs to keep flexibility in mind in its code. Owing to this flexibility, developers have tweaked WordPress into Q&A applications, customer management systems, calendar applications, event management systems, you name it. Otherwise, WordPress could only have limited use.
- The popularity of WordPress is also a culprit. Similar to Windows, which as the most popular OS in the world attracts the most viruses and attacks, WordPress attracts a large number of hackers owing to economy of scale. Once a vulnerability in WordPress is identified, hackers can make use of this knowledge to attack hundreds of thousands of websites around the world.
- Many WordPress installations also keep the default settings, like the database table prefix wp_ or admin as the username. These eliminate much of the guesswork on the hacker’s side.
WordPress Website Security Concepts
Website security covers three major themes: protection, monitoring and recovery.
Protection
Protection is mainly about limiting the access of malicious persons to the website, in particular to the admin area and the files of your WordPress website, where the greatest damage can be done. It is also about granting authorized persons only the privileges they need. If done correctly, the risk of hacker activity on your website will be very low.
Monitoring
Monitoring is about keeping a close eye on the status of your website and on whether it is the target of an attack. It will also give you hints about possible vulnerabilities of your website. If done properly, you will be notified of the tell-tale signs of a possible attack and can make timely changes to block the hacking action.
Recovery
In case your website security is compromised, you will want to revert it to its previous state with all the code and information intact. If done properly, you can minimize the downtime of your website even though it has been tampered with.
How to Secure Your WordPress Website?
Protection
- Use very strong passwords for WordPress and your email accounts that include a random combination of uppercase and lowercase letters, numbers and symbols. Do not use common dictionary words, as such passwords can be guessed in no time with today’s technology. The password strength indicator of WordPress will give you a hint on whether your password is strong enough. Also, change your password regularly. Strong passwords are also difficult to remember, so you might need the help of a password manager like LastPass to remember them for you automatically.
- Do not use the default “admin” as the username for the WordPress website admin. Many website owners adopt admin as the username out of convenience; however, this also benefits hackers, as they then don’t need to guess both the username and the password.
- Always update WordPress, themes and plugins to the latest version, as the updates may be security updates (meaning that vulnerabilities have been identified and fixed by the software coders). Many hackers target websites without these updates applied, knowing the vulnerabilities. For websites running WordPress 3.8 or above, all the security patches and fixes are installed automatically to improve the website security.
- Free WordPress themes should be used with caution. Whenever possible, use a trustworthy source for paid WordPress themes instead of downloading free themes from less-known sources.
- Install only trusted plugins from the WordPress plugin directory. Choose only those plugins with lots of positive reviews and downloads. The number of resolved support threads in the “Support” section of the plugin will also give an indication of how well the plugin is being maintained. You need to think seriously before installing a plugin that has had no resolved support threads during the past two months.
- Limit the privileges of other users. You should grant the least privileges that allow them to perform their tasks. For example, grant only ‘amend’ and ‘publish’ rights to an editor but not ‘delete’. The same should be done for database access privileges.
- Move wp-config.php out of the website root directory so that hackers cannot amend your WordPress configuration by attacking the website. However, if the FTP security is breached, hackers will still be able to amend this file.
- Use SFTP instead of FTP so as not to expose your FTP credentials. FTP is not secure, as your password is transferred without any encryption; should a hacker be able to look into your FTP traffic, they can extract your username and password in no time. See Bluehost’s instructions for using SFTP.
- Only access your WordPress admin area from a computer you know to be clean and secure (i.e. free of malware or viruses). Also, don’t connect your computer to open Wi-Fi networks while accessing the admin area, as data transmitted over open Wi-Fi networks can be seen by anyone.
- Be sure to install anti-virus software on your computer.
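Several of the steps above (change the default table prefix, replace the placeholder secret keys, keep wp-config.php private and out of the web root) can be checked mechanically. The following shell script is an added example, not code from the tutorial or from WordPress: it audits a wp-config.php for those defaults. It assumes a POSIX shell with grep and find, relies on the fact that WordPress will also read wp-config.php from the directory directly above the install (wp-load.php marks the install root), and the two config files it examines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the tutorial: audit a wp-config.php for the
# default settings this tutorial warns about. Assumes POSIX sh, grep, find.
# The sample site under $demo is constructed for this demo.

# audit_wp_config FILE
# Prints one "finding:" line per problem found in a wp-config.php.
audit_wp_config() {
    file=$1

    # 1. Default table prefix. Every site that keeps "wp_" shares the same
    #    table names, so attack tooling works unchanged against it.
    if grep -Eq "^[[:space:]]*[\$]table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$file"; then
        echo "finding: default table prefix wp_"
    fi

    # 2. Placeholder secret keys. wp-config-sample.php ships with
    #    'put your unique phrase here'; leaving them makes login cookies forgeable.
    if grep -q "put your unique phrase here" "$file"; then
        echo "finding: placeholder AUTH_KEY/SALT values still present"
    fi

    # 3. World-readable file: other accounts on a shared host can read the
    #    database password.
    if [ -n "$(find "$file" -perm -o+r)" ]; then
        echo "finding: $file is readable by other users"
    fi

    # 4. Still inside the web root. WordPress also looks one directory above
    #    the install for wp-config.php; wp-load.php marks the install root.
    if [ -f "$(dirname "$file")/wp-load.php" ]; then
        echo "finding: wp-config.php is inside the web root"
    fi
}

# count_findings FILE -> prints the number of findings (0 means clean)
count_findings() {
    audit_wp_config "$1" | wc -l | tr -d ' '
}

# --- demo with a constructed, deliberately weak config ----------------------
demo=$(mktemp -d)
mkdir -p "$demo/public_html"
touch "$demo/public_html/wp-load.php"
cat > "$demo/public_html/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
define( 'AUTH_KEY', 'put your unique phrase here' );
$table_prefix = 'wp_';
EOF
chmod 644 "$demo/public_html/wp-config.php"
audit_wp_config "$demo/public_html/wp-config.php"
echo "findings: $(count_findings "$demo/public_html/wp-config.php")"   # 4

# A hardened copy: moved one level up, private permissions, custom prefix,
# and a non-placeholder key (constructed value, not for real use).
cat > "$demo/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
define( 'AUTH_KEY', 'constructed-random-value-not-for-real-use' );
$table_prefix = 'xq7_';
EOF
chmod 600 "$demo/wp-config.php"
echo "findings: $(count_findings "$demo/wp-config.php")"   # 0
```

Run it against your own file with `audit_wp_config /path/to/wp-config.php`; an empty output means none of the four defaults were found. Note that check 4 only fires when wp-load.php sits next to the config, so it is silent on a file that has already been moved above the install directory.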
Monitoring
- Install security plugins:
  - Better WP Security – once installed, this plugin allows you to configure many automatic protection and monitoring activities
  - All-in-one WP Security and Firewall – in addition to the normal security protection, this plugin also installs a software firewall for your website
  - Exploit Scanner – this plugin will scan the database for any suspicious code
- Keep an eye on whether your files and database have been changed without your knowledge by checking the last-modified dates. This tedious, manual task can be assisted by WP security plugins (e.g. Better WP Security).
- Check your website server log periodically to detect any unusual access traffic or patterns.
- Install the plugin Limit Login Attempts to allow WordPress to detect password-guessing activity and block an IP after repeated failed login attempts.
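The last three monitoring items can be done by hand from the server shell as well. The script below is an added example, not code from the tutorial or from any of the plugins it names: it keeps a checksum baseline of the WordPress files and reports anything added, changed or removed since the last run (more reliable than eyeballing last-modified dates), and it counts failed login attempts per IP in a web-server access log. It assumes a POSIX shell with find, awk and sha256sum, and it relies on the observation that WordPress answers a wrong password by re-rendering wp-login.php with HTTP 200 while a successful login is a 302 redirect (an assumption about server behaviour, stated here rather than taken from the tutorial). The site tree and log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the tutorial: a checksum baseline that reports
# changed, added or removed files, and a count of failed wp-login.php
# attempts per IP from a web-server access log. Assumes POSIX sh, find, awk
# and sha256sum; the site tree and log lines below are constructed.

# make_baseline DIR OUT -> writes "<sha256>  <path>" for every file in DIR
make_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} +) > "$2"
}

# check_baseline DIR BASELINE -> prints one line per added/changed/removed file
check_baseline() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    awk 'NR == FNR { old[$2] = $1; next }          # first file: the baseline
         { seen[$2] = 1
           if (!($2 in old))        print "added: " $2
           else if (old[$2] != $1)  print "changed: " $2 }
         END { for (p in old) if (!(p in seen)) print "removed: " p }' \
        "$2" "$current"
    rm -f "$current"
}

# failed_logins LOG -> "<count> <ip>" lines, highest count first.
# Assumption: a wrong password makes WordPress re-render wp-login.php with
# HTTP 200, a correct one redirects with 302, so POST + 200 = failed attempt.
failed_logins() {
    awk '$6 == "\"POST" && $7 ~ /wp-login\.php/ && $9 == "200" { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# --- demo on a constructed site tree ---------------------------------------
site=$(mktemp -d)
mkdir -p "$site/wp-content/plugins"
echo '<?php // original' > "$site/index.php"
echo '<?php // plugin'   > "$site/wp-content/plugins/hello.php"
baseline=$(mktemp)
make_baseline "$site" "$baseline"        # take this right after a clean install

# Simulate what a later monitoring run should catch: an edited core file
# and an unknown file dropped into wp-content.
echo '<?php // tampered' > "$site/index.php"
echo 'x' > "$site/wp-content/uploads.php"
check_baseline "$site" "$baseline"
# prints: changed: ./index.php  and  added: ./wp-content/uploads.php

# --- demo on constructed access-log lines (Apache/nginx common format) -----
log=$(mktemp)
cat > "$log" <<'EOF'
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [01/Jan/2024:10:01:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 8801
EOF
failed_logins "$log"
# prints: 3 203.0.113.5
```

On a real host, store the baseline file outside the web root (an attacker who can edit your files can edit a baseline kept next to them) and refresh it only after you apply an update yourself; any other change reported is worth investigating. The log check complements Limit Login Attempts: it shows you which addresses the plugin would have blocked, and it still works if the plugin has been disabled.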
Recovery
- Perform regular backups of your WordPress website, including copies of the WordPress files as well as the database. You might also check with your website hosting company whether they provide automatic scheduled backups for added protection.
- Perform regular off-site backups, copying the backup files to other servers so that hackers will not be able to delete them. The WordPress Backup to Dropbox plugin will help you back up selected files from your WordPress website to your Dropbox account automatically (you can register for a free Dropbox account with 2 GB of storage space if you don’t have one).
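For sites where you have shell access, the same two steps (files plus database into one dated archive, then a verified copy off the web server) can be scripted. The script below is an added example, not code from the tutorial or from the Backup to Dropbox plugin. It assumes a POSIX shell with tar, gzip and sha256sum, a `DUMP_CMD` that writes the database as SQL to standard output (mysqldump on a real host; the demo substitutes a constructed one-line dump), and an off-site destination reachable by scp when given as `user@host:/path` (the demo uses a local directory standing in for the remote server). The site tree is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the tutorial: back up the WordPress files and a
# database dump into one dated archive, copy it off the web server with a
# checksum check, and prove the archive restores. Assumes POSIX sh, tar,
# gzip, sha256sum and a DUMP_CMD that writes SQL to stdout (mysqldump on a
# real host; the demo substitutes a constructed dump).
DUMP_CMD=${DUMP_CMD:-"mysqldump --single-transaction wordpress_db"}

# backup_site SITE_DIR BACKUP_DIR -> prints the path of the archive it wrote
backup_site() {
    dest=$(mkdir -p "$2" && cd "$2" && pwd)
    work=$(mktemp -d)
    mkdir "$work/files"
    cp -R "$1/." "$work/files/"              # wp-config.php, wp-content, uploads...
    sh -c "$DUMP_CMD" > "$work/database.sql"  # one dump = one consistent DB snapshot
    archive="$dest/wp-backup-$(date +%Y%m%d-%H%M%S).tar.gz"
    (cd "$work" && tar -czf "$archive" files database.sql)
    rm -rf "$work"
    echo "$archive"
}

# offsite_copy ARCHIVE DEST -> copies the archive and verifies its checksum.
# DEST is user@host:/path on another machine (scp/ssh, assumed available) or,
# as in the demo, a local directory standing in for the remote server.
offsite_copy() {
    name=$(basename "$1")
    case $2 in
        *:*) scp -q "$1" "$2/" && remote_sum=$(ssh "${2%%:*}" sha256sum "${2#*:}/$name") ;;
        *)   mkdir -p "$2" && cp "$1" "$2/" && remote_sum=$(sha256sum "$2/$name") ;;
    esac
    [ "${remote_sum%% *}" = "$(sha256sum "$1" | cut -d' ' -f1)" ]
}

# restore_site ARCHIVE TARGET_DIR -> unpacks the files into TARGET_DIR and
# prints the path of the SQL dump to load (e.g. mysql wordpress_db < that file)
restore_site() {
    work=$(mktemp -d)
    tar -xzf "$1" -C "$work"
    mkdir -p "$2"
    cp -R "$work/files/." "$2/"
    echo "$work/database.sql"
}

# --- demo on a constructed site -------------------------------------------
site=$(mktemp -d)
mkdir -p "$site/wp-content/uploads"
echo '<?php // constructed wp-config' > "$site/wp-config.php"
echo 'photo bytes' > "$site/wp-content/uploads/photo.jpg"
DUMP_CMD="printf 'CREATE TABLE xq7_posts (id INT);\n'"   # stand-in for mysqldump

backups=$(mktemp -d)
archive=$(backup_site "$site" "$backups/local")
offsite_copy "$archive" "$backups/offsite" && echo "off-site copy verified"

# Test the restore now, not after a breach: restore into a scratch directory
# and compare it with the live site.
restored=$(mktemp -d)
sql=$(restore_site "$archive" "$restored")
diff -r "$site" "$restored" && echo "restore matches live files"
```

Schedule `backup_site` from cron and keep the off-site copies on an account whose credentials are not stored on the web server, so that someone who takes over the site cannot also wipe the backups. The restore test at the end is the part most people skip; an archive that has never been unpacked is not yet a backup.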
Others
- Only download WordPress from wordpress.org or use the installation wizard of your web host (1-click installation); never download WordPress from other sources, as they might already have been tampered with by hackers.
- Refer to the WordPress Codex – Hardening WordPress for additional suggestions.
Conclusion – How to Create A Secure WordPress Website
After you have implemented most of the security enhancement suggestions listed above, your newly created WordPress website should be immune to attacks from most hackers, as almost all the vulnerabilities of WordPress have been addressed. You will now have created a website that is as secure as those built by professional web developers.
This post is part of a series of articles addressing various aspects of website building in the Advanced Guides on How to Create A Website. You are highly advised to read the articles, learn the tricks and apply them to turn your amateur website into a truly professional one!