The WP Wednesday Podcast

WordPress Admin Security

The most obvious security issue with WordPress is your administrator account login information. By locking that down you can protect your website content and your installation.

But there are other security measures you should implement if you really want your site to be secure. We’ll talk about those on this episode 113 of the BeBizzy Break Podcast.

Protecting Your WordPress Sites With Good Passwords

by BeBizzy Consulting | BeBizzy Break Podcast

Your WordPress Admin Account

There are several ways for a hacker to gain control of your website or server. I’m going to start with the most obvious, then give you some tips on protecting the rest of your site and closing off social engineering opportunities.

  • Admin Accounts

    • Admin Passwords – choose a good password. I assigned a tough, 16-character admin password today, which was promptly changed by the user to a weak password. The client didn’t want the weak-password check enforced, so now an admin has an easy password, which would allow total access to the site and its data.
    • Delete unused accounts – I recently killed a few accounts on a site that hadn’t technically been active in over five years. However, if that person had really wanted to cause an issue, it would have taken no time to change that password, log in to the site and start causing all kinds of damage. And technically, it wouldn’t have to be the person who “owned” that account; it could be hacked by virtually anyone, especially someone with access to that account’s email (see below).
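The weak-password problem above is a policy gap, not a WordPress bug: core only asks the user to confirm a weak password, it does not refuse it. As an added example (not code from the podcast or from WordPress itself), here is a small must-use plugin that rejects short passwords on the profile, new-user and password-reset screens. The 16-character minimum, the `bebizzy_example_` prefix and the error wording are assumptions chosen for this example.

```php
<?php
/**
 * Plugin Name: Minimum Password Policy (added example)
 * Place this file in wp-content/mu-plugins/ so it loads on every request
 * and cannot be deactivated from the dashboard.
 */

// Return an error message for an unacceptable password, or '' if it passes.
function bebizzy_example_password_error( $password, $user_login = '' ) {
    $min_length = 16; // assumed policy threshold, not a WordPress default
    if ( strlen( $password ) < $min_length ) {
        return sprintf( 'Passwords must be at least %d characters long.', $min_length );
    }
    // A password containing the login name is a common weak choice; reject it.
    if ( $user_login !== '' && stripos( $password, $user_login ) !== false ) {
        return 'Passwords must not contain the user name.';
    }
    return '';
}

// Profile edit and "Add New User" screens submit the new password as $_POST['pass1'].
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // no password change was submitted
    }
    $login = isset( $user->user_login ) ? $user->user_login : '';
    $msg   = bebizzy_example_password_error( wp_unslash( $_POST['pass1'] ), $login );
    if ( $msg !== '' ) {
        $errors->add( 'weak_password', $msg ); // blocks the save and shows the message
    }
}, 10, 3 );

// Password reset form (wp-login.php?action=rp) uses the same field name.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( is_wp_error( $user ) || empty( $_POST['pass1'] ) ) {
        return; // invalid reset key, or the form has not been submitted yet
    }
    $msg = bebizzy_example_password_error( wp_unslash( $_POST['pass1'] ), $user->user_login );
    if ( $msg !== '' ) {
        $errors->add( 'weak_password', $msg );
    }
}, 10, 2 );
```

This does not cover passwords set over XML-RPC, the REST API or WP-CLI, so pair it with 2FA and periodic account audits rather than relying on it alone.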

Other Website Security Concerns

So once you have a handle on the admin accounts in WordPress, it’s time to take a quick audit of the other weak links.

  • Your email password – This is 100% the most important password you will ever use. Almost every password recovery, confirmation, and communication from other systems comes through your email. If someone gets your email password, they can get almost anything else, including your bank, your credit cards, your mobile phone records, Office accounts, business files… everything.

    Make your email password as secure as humanly possible, set up two-factor authentication (2FA) where possible, and guard this password with your life.

  • Password Managers – Now that I’ve made it clear your email is THE weakest link, a good password manager like LastPass is essential for managing strong, unique passwords for all of your sites. And most modern browsers make it easy to auto-fill or copy/paste passwords into your web apps and pages.
  • Server login – Having access to a WordPress site is good, but getting direct access to a server control panel such as WHM or cPanel is even better. From there you could point the site at a different location, change up some of the settings, or even just delete everything. Lock that down with a good password.
  • Registrar – Hijacking a domain name isn’t new, but it is relatively easy with access to the registrar. From here DNS records can be changed, contact emails can be changed, and domains can even be cancelled/deleted. Turn on 2FA and set a good password.
  • Other technical sources for the site – Make sure logins to your CDN, WooCommerce account, plugin sources and more are all protected with great passwords and 2FA.

Passwords will usually scare off the casual hacker, but to secure your site against those with a little more skill you may have to take some additional measures. Set good passwords, use 2FA when possible, and change the passwords on a regular basis.

Update on WordPress 5.4, which was released on March 31, 2020. Some issues are emerging with the editor going full screen, and with favicons disappearing or affecting load time. So at this time I would advise you not to update until an incremental update is released to address some of these concerns.

Have horror stories or tips on securing your WordPress or other website? Send them to me @BeBizzy on Twitter!
