Hardening means firming up your site’s security. WordPress is a fairly secure CMS which is perhaps why it has held on to the number one position globally for several years now. Nevertheless, the default security settings aren’t sufficient to keep your website secure.
There are general well-known principles of ensuring a site’s security such as strong passwords, disabling default admin accounts and using 2-factor authentication. The following is a look at the security measures that aren’t covered as much when people think about WordPress security.
Minimize the Use of Plugins
Plugins and themes can greatly expand the functionality of your website and give visitors a much more sophisticated experience. Nevertheless, there’s such a thing as too many plugins. Once your core WordPress site is done and as you consider the themes and plugins you’ll need, take a step back. Think about what you must have and what you can do without.
Plugins may grow your site’s capabilities but they also introduce new vulnerabilities. In addition, too many plugins will have a negative effect on your site’s speed and overall performance. Where possible, look for plugins that provide multiple must-have features so you don’t have to download as many.
Don’t Cut Corners On Premium Plugins
Thankfully, a lot of highly useful WordPress plugins are available for free. Nevertheless, you are unlikely to create a functional, navigable and high quality site without purchasing at least one premium plugin. If you are on a tight budget, it’s tempting to look for shortcuts in order to get that premium plugin you long for. That can be a catastrophic error of judgement.
There are numerous sites where you can download pirated premium plugins. But such plugins are rarely truly free. Before they are made available on the illegal download sites, they are likely to have been infected with malware. As opposed to getting a high quality plugin, you may be giving a hacker unfettered access to your website’s backend.
Regularly patching your WordPress version is one of the most important pillars of securing your site. It’s a well-known principle of security but it can never be overemphasized which is why it bears repeating here. You won’t always immediately know when a new update is available and even when you do, you may postpone applying it.
To avoid falling into this quandary, turn on automatic updates for your WordPress. Remember that updates are supposed to fix security flaws. Often this knowledge is public by the time this update is available meaning hackers have the information too.
Get Rid of PHP Error Reporting
When a theme or plugin doesn’t work as expected (especially after a WordPress update), it will create errors. The errors are meant to make it easy to zero in on the problem. However, they can also be a source of vulnerability.
Default error pages will include server paths. This information may not seem much to the ordinary person but for a hacker, the server path gives them useful information on how they can navigate your site. Irrespective of how valuable error messages might be, the risks outweigh the benefits. It’s best to disable them completely.
It would be more prudent to, for instance, send PHP logs to Loggly for offline analysis away from the prying eyes of criminals.
Hide Author Names
Under WordPress default settings, it’s relatively easy for someone to establish the name of every blog and article author on the site. This can be a problem since the main author is often simultaneously the site administrator. Someone may be able to figure out the administrator’s username by for instance inserting ?author=1 after the main URL.
Such information is invaluable for hackers and increases the odds of your site being compromised. Hiding author usernames will make a hacker’s work more difficult. You need only add some code to the functions.php file of your website.
Securing your WordPress website will take more than just installing an off-the-shelf plugin and calling it done. A more complete strategy involves taking care of all the subtle nuances outlined above.