In Nublue Blog 7 resolutions to improve your WordPress security Posted by Stefan Maintaining your WordPress website’s security, both for your customers and for your business, is just one of those ongoing tasks that’s never really 'done'. Things change, certain security measures can fall out of date, and new platform vulnerabilities can develop or be discovered. The more regularly you can review your site’s security practises, the better. With this in mind we’ve put together seven resolutions that you can carry out or check up on throughout 2016 to make sure that your WordPress site, or sites, stay safe in the coming year. 1. Re-evaluate your online passwords Sometimes the simpler things are the most effective – like making sure that you’re using a strong, unique password for your WordPress site, which you change regularly. Don’t use the same two or three passwords across all your sites, and don’t rely on combinations of words and dates that might be easy to guess! If you don’t already, now’s the time to start using a password manager like KeePass or LastPass to generate strong, random passwords and store them safely. According to Torquemag 47% of people use passwords that are 5 years old, while 21% use passwords that are 10 years old. Lock down your passwords, change them regularly, and don’t be one of those people! 2. Lock admin access to your IP address The default WordPress admin URL is one of the most common locations for hacking attempts, so if only you can access it, you are protecting yourself from a lot of unwanted attention. If you have a static IP you can lock your admin to only be accessible from your IP. 3. Update your WordPress version Just 22% of WordPress sites are up to date, according to Torquemag. Updating your WordPress site to the latest version of the platform will provide patches against previous vulnerabilities, as well as security enhancements and new features. It’s an easy, effective way to keep your site more secure, and WordPress version 3.7 onwards updates automatically for new security features (just keep your WordPress version itself up to date.) Remember too that your plugins, themes and core files will have their own updates too, which you’ll need to apply yourself through your site’s admin panel. Just 22% of WordPress sites are up to date 4. Listen out at online communities With over 46 million downloads of WordPress, there’s a massive community around the platform. Often just keeping your ear to the ground can be one of the best ways of staying secure, so it pays to be involved in community forums to know what’s going on with the platform. You’ll be up to date with any vulnerabilities when they’re found; you’ll find forum discussions on what’s being done about threats and where to find the latest patches… and best of all you can get to know your platform more in-depth, which may even benefit your WordPress site overall. 5. Disable WordPress trackbacks Trackbacks are a WordPress feature that let you know when other webpages have linked to content on your site, and they’ll appear as notifications in your comment moderation panel. Not a threat themselves, but they can also be used by third parties to hack your site – so while they sound handy, it’s probably better in the long run to lock this back door on your WordPress site. To disable trackbacks: Click Settings in your WordPress control panel Go to Discussion Find Default article settings Untick ‘Allow link notifications from other blogs’. Don’t forget to save your new settings! Please note that this will disable trackbacks for your future WordPress posts, but not existing ones. To do this you’ll need to enter the following query in your WordPress site’s SQL, or ask your site’s developer to do this for you: UPDATE wp_posts SET ping_status=’closed’ WHERE post_status = ‘publish’ AND post_type = ‘post’; UPDATE wp_posts SET ping_status=’closed’ WHERE post_status = ‘publish’ AND post_type = ‘page’; 6. Install WordFence – do it now! One of the best WordPress security plugins you can install is Wordfence. It provides your website with protection against both malware and hack attempts, it’s free to download, and with 710,000 sites using it, it’s the most popular WordPress security plugin available (so download it now!). It secures multiple WordPress sites, firewalls your site against third-party scans and false Googlebots, scans your WordPress site/s for a wide range of threats (including the Heartbleed vulnerability) and blocks against whole networks that are found to be malicious. You also have the option to sign in via your mobile phone, giving you an extra layer of security too. 7. Set up two-factor authentication for admins As its name suggests, two-factor authentication doubles up your site’s steps to access. Authentication extensions like the Clef and Duo plugins are an easy way to establish secure access for your WordPress site admins by using email or mobile verification to confirm their identity. You’re bound to have run across similar signup procedures yourself when creating sign-ins for a variety of websites. A little annoying sometimes to have to go to your email inbox just to click a link to confirm you are who you say you are, but at least you know the sites you use are taking your security seriously and add that extra layer to keep you safe. Shouldn’t you do the same when it comes to admins accessing your WordPress site? So there you go – our top resolutions to help keep your WordPress site secure in 2016. Remember that there’s never a 100% guarantee of immunity from attacks online, but the more security measures you implement, the greater your chances of keeping your website safe.