WordPress is a very powerful and popular Content Management System (CMS), but as such it is also a popular target for those trying to gain unauthorised access to systems or websites. As part of the support services we offer our clients, we check for any out of date WordPress installations. However, that check only encompasses the base WordPress installation itself, not any plugins that may be in use.
Here’s some suggestions to further improve the security of any WordPress sites you may have, including checking for out of date plugins:
- Keep your installation up to date. There are a lot of out of date WordPress installations, and they will have known vulnerabilities. Don’t let your site be one of them.
- Change the name of the WordPress administrator account. By default, it is
adminbut any user can be made an administrator. Create an account for yourself or your administrator and set the role to “Administrator”. Test that it works, then remove the original
- Use Two Factor Authentication (2FA). There are a number of plugins that support 2FA; we like and use Two-Factor by George Stephanis. It’s Open Source (hosted on GitHub), and whilst it takes a little bit of time to set up, we’ve found it to be very reliable.
- Use SSL (aka TLS) to serve your site. In other words, it should only be available via https:// (not http://), which in turn means that the admin username and password will be encrypted when sent from your browser.
- Consider installing the Wordfence plugin. It’s available in both a free and “premium” version, and even the free version is valuable. Amongst other things, it will mail you when any of the plugins used on your site are out of date.
Need a hand?
If you need help implementing any of the above, get in touch.