Top 10 WordPress Security Tips
By the Gravity Forms community
Published April 4, 2024
Written by the Editorial team at Melapress…
Keeping your WordPress websites secure is critical for many reasons. Bad actors often target websites indiscriminately, and with WordPress being as popular as it is, it often finds itself in the crosshairs of those who, for one reason or another, are looking to breach websites’ defenses.
The irony, if you can call it that, is that many of the websites that get breached are not the primary targets. Instead, these bad actors will use these compromised systems to launch an attack against the real target. Keeping your WordPress secure can help you avoid falling victim to these crooks.
Taking care of security basics is not as difficult as you might think. With a little bit of effort and the help of a few plugins, you can easily meet security best practices without breaking a sweat.
In this article, we will be sharing our top 10 WordPress security tips that you can easily implement, even if you have little to no technical knowledge.
Let’s get to it.
Mandate Strong Passwords
Passwords are like the keys to your WordPress front door. The right username and password give the holder full access to your WordPress website. As such, you’ll want to make sure they’re as difficult to guess or crack as possible. After all, weak passwords make illegitimate access a fairly easier affair. The easiest way to do this is through a password policy.
Having a strong password policy ensures that all users use passwords that meet best practice criteria. This ensures that passwords are not easily compromised. But what goes into a strong password policy?
- Minimum password length of 12 characters or more
- Inclusion of upper and lower case letters, numbers, and special characters
- Preclusion of old password re-use
- Password expiration
Mandating such passwords can be difficult. After all, given the option, most users would rather choose a password they can easily remember. While this is understandable, passwords that are easy to remember are also easy to crack.
This is where Melapress Login Security comes in. It allows you to set password policies for all users. Policies can be set site-wide or by role. The plugin will also help users meet the policy requirements by telling them what is missing as they are setting the new password.
Encourage users to use a password manager to memorize the new (and secure) password for them, ensuring less user frustration while keeping your website secure.
Use Two-factor Authentication
Strong passwords that follow best practices are great. It’s like having a very secure lock on your front door. However, using this analogy, adding WordPress 2FA to your login process is like adding a second lock to your door.
When using WordPress two-factor authentication, users need to supply an OTP – a One-Time Passcode – in addition to their username and password. OTPs can be delivered to the users through an authenticator app on their phone, SMS, or email. Alternatives such as push notifications and email links are also available.
OTPs are only valid for a limited time, usually 30 seconds, which makes them incredibly secure.
Two-factor authentication greatly reduces the risk of account breaches and is easy to deploy. Industry giants such as Microsoft and Google are making 2FA mandatory for all of their users, and you can, too.
Only Install Reputable Plugins
Plugins are a very useful part of the WordPress ecosystem. They can transform a simple blog into any kind of website, from a full-blown e-commerce solution to membership-based websites and beyond.
Plugins add their own code to your website, which means they need to be as secure as possible to avoid drastically increasing your attack surface. Reputable vendors such as Melapress and Gravity Forms test their plugins before releasing them and provide support should you experience any issues. This greatly reduces the risk of security holes being present in the plugins you install.
They also provide regular updates, ensuring any issues that might be present are ironed out as quickly as possible.
Non-reputable vendors and nulled plugins do not carry the same kind of guarantees, often making them more of a liability than an asset. Sure, it might seem like a great deal to get a premium plugin for free – until there is an issue and no one to turn to for support.
Have a Strategy for Updates
Updates add new features and functionality but also address any security issues that might be present. WordPress, plugins, and themes all receive updates – and these updates are very important in keeping your WordPress secure.
A strategy for updates details how updates are to be installed. Some might choose to install them as soon as they become available. Others may instead opt to test them in a staging environment before rolling them out to their live server – ensuring they do not inadvertently break any design or functionality.
Whichever strategy you choose, it’s important to have one and adhere to it. Keep in mind that bad actors can scan your website for known vulnerabilities very easily. As such, you’ll need to focus on reducing the time from when an update becomes available to when it’s installed on the live WordPress website.
Lock Inactive Users
Inactive users are users who haven’t logged in for some time. There is no official inactivity duration to count a user as inactive, so it really depends on your particular setup and workflow. Either way, inactive users pose a particular security threat.
If a bad actor manages to take over an inactive user account, it is highly likely that it will go unnoticed. If the legitimate owner of the account is not logging in on a regular basis, it’s going to be very hard to notice something is amiss. A compromised account, even if that account has limited access, can be used for harmful purposes through privilege escalation. Locking inactive accounts greatly reduces the risk.
You can lock Inactive users manually or automatically through a plugin such as Melapress Login Security.
Use HTTPS
HTTPS certificates are a basic tenant of website security. They encrypt data as it traverses the internet between your WordPress website and visitors or users. This ensures sensitive data such as passwords is encrypted and safe from attacks such as man-in-the-middle attacks.
SSL certificates (now called TLS) are mandatory when looking to comply with certain standards and legislation, such as PCI DSS and GDPR. You should be able to purchase a TLS certificate from your registrar/hosting provider or even create your own for free through services such as Let’s Encrypt.
Encrypting data in transit also helps with SEO. In 2014, Google moved to add HTTPS as a ranking signal, meaning having a TLS certificate for your WordPress website can help you rank better.
Take Regular Backups
Backups are like an insurance policy should the worst happen. They ensure you can be back up and running in a relatively short time should the worst happen.
The optimal backup frequency will largely depend on your particular circumstances. If your WordPress website is receiving several important updates over the day, you should backup regularly. On the other hand, if you’re only updating your website every so often, you can choose to take less frequent backups.
Testing backups to ensure your website can be restored is just as important as taking backups. The last thing you want is to try to restore your website only to discover the backup contains the wrong files or is corrupted.
Keep an Activity Log
Just like backups, an activity log acts like an insurance policy. It has added benefits such as faster troubleshooting, user ownership, and compliance.
WP Activity Log is the most comprehensive activity log plugin available. It can log user and system activities across WordPress and several third-party plugins, including WooCommerce. There’s a free edition that’s more than enough to get you started. The premium version, however, comes with additional features such as user session management, email and SMS notifications, and much more.
WP Activity Log is also compatible with Gravity Form straight out of the box, logging Gravity Forms-specific changes related to:
- Settings
- Entries
- Notifications
- Confirmations
- Fields
- Forms
Find out more about WP Activity Log.
Monitor file changes
WordPress website files change for all sorts of reasons – from software updates to malware injection and code changes. As such, it’s important to keep an eye on what changes and when – enabling you to take action before it’s too late.
Change monitoring can be automated through plugins such as the free plugin Melapress File Monitor. It uses hashing to ensure that even the slightest changes are detected and can compare your WordPress core files to those in the official repository to ensure that everything is above board.
Reducing spam to improve security
Five years ago, it was very easy to spot spam. Grammatical and formatting issues used to be a dead giveaway. Since then, spammers have wised up, got themselves a dictionary, and learned some CSS – making for more convincing spam. Aside from emails, spammers will also use any form submission they can find to ensnare unsuspecting victims.
CAPTCHA is one way to fight back, stopping spam before it makes it to your or your users’ inboxes. Gravity Forms has CAPTCHA capabilities, which you can access from the Gravity Forms settings. You might also want to install CAPTCHA 4WP – a dedicated CAPTCHA plugin that offers access to:
- Integration with multiple CAPTCHA service providers
- V3 failover to avoid false positives falling through the cracks
- Customization options
and much more!
CAPTCHA 4WP is fully compatible with Gravity Forms and many other plugins, including WooCommerce, straight out of the box. As a dedicated CAPTCHA plugin, it also enables you to set up CAPTCHA tests across your WordPress website – protecting Gravity Forms and all other forms, including contact forms.
Better WordPress security with Melapress and Gravity Forms.
In this article, we looked at several other measures site owners can take to ensure they’re protected from different types of attacks
It is equally important to note that security is always evolving. As such, it requires our attention at all times, and whenever decisions need to be made, security should always be one of the considerations.
You can make the job of securing your WordPress website much easier by partnering with reputable plugin vendors such as MelaPress and Gravity Forms. Both companies are considered leaders in their respective fields, with teams of experienced professionals ready to assist you in making sure your website is as secure as can be.