
How to secure your school’s WordPress website

WordPress is great for school websites, but is your installation secure?

WordPress is a great platform – used as a content management system (CMS) for many school websites around the world – but, like other CMS platforms including Joomla and Drupal, left unsecured it can present an inviting target for a speculative hacker. A secured WordPress site is just as safe as any other platform, and there are a number of simple and free steps which can be taken to ensure your school’s website, blog or extranet doesn’t become compromised.

Check what your web designer has included as standard

Unscrupulous web designers often don’t include website security as part of the build, or they charge for it as an expensive add-on. Surprisingly, most commissioned website builds don’t include anything other than the site itself – SEO, backups, security, image optimisation and even caching are often left out, unbeknownst to the school. If you are considering a new CMS school website, ensure all of these features are included in the quote for the initial build.

Shared or dedicated hosting?

Try to ascertain how your developer intends to host the website (in other words, where they are going to put it). The cheapest form of hosting is ‘shared hosting’, whereby your website occupies just part of the storage space on one server, alongside other customers’ sites. If your site is on a shared server – e.g. GoDaddy – lazy ‘brute force’ hackers, also known as ‘script kiddies’, will search out vulnerable sites in order to gain access to a particular website which they have targeted on that shared server – and it might not be yours. If one client’s website has a vulnerability which a hacker can exploit, then the entire server – including your hosting and website – can become compromised. On any given shared server there might be hundreds of sites, so securing your site’s access and database configuration is very important for shared hosting.

A better solution is to ensure your web designer uses ‘dedicated hosting’ – whereby your website is the only one operating on that server. It’s more expensive, but it dramatically reduces the possibility of an opportunistic hacking attempt.

Controlling the number of login attempts is crucial

Many WordPress hacking attempts are very low tech. Hackers simply bombard your login page with thousands of login attempts – a ‘brute force’ attack – trying to guess your password. Assuming they know a username for your website – for example ‘admin’ – this type of attack can be successful. Two measures will counteract this.

Firstly, don’t make it easy for the hacker to guess the username. Avoid using ‘admin’, ‘manager’ or similar usernames. Also, don’t advertise the usernames on every page or post or author archive – set ‘author’ tags to display real names, rather than usernames. If the hacker doesn’t know any administrative usernames, a brute force attack is impossible.

Secondly, limit the number of unsuccessful logins allowed from any particular location. The WordPress default is unlimited; changing this to two, for example, means the hacker would only be able to attempt two logins before having to change their IP address (location), rendering a brute force attack virtually impossible.
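As an added example (not code from this post or from any of the plugins it names), here are both measures as a small WordPress must-use plugin: it stops the `?author=N` redirect and the REST user listing from revealing login names, and it locks an address out after two failed logins using WordPress transients. It assumes the site is served directly by its web server, so that `REMOTE_ADDR` is the visitor’s real address; behind a reverse proxy or CDN the proxy must be configured to set that value.

```php
<?php
/**
 * Plugin Name: School login hardening (example)
 * Place this file in wp-content/mu-plugins/ and WordPress loads it automatically.
 */
// --- Measure 1: don't reveal usernames -----------------------------------
// /?author=1 normally redirects to /author/<user_login>/, exposing the login
// name, so send such requests to the home page instead (admin screens excluded).
add_action('init', function () {
    if (!is_admin() && isset($_GET['author'])) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});

// The REST API lists users (with login-based slugs) to anyone at
// /wp-json/wp/v2/users, so drop those routes for visitors who are not logged in.
add_filter('rest_endpoints', function (array $endpoints) {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});

// --- Measure 2: limit failed logins per IP address ------------------------
define('SCHOOL_MAX_FAILED_LOGINS', 2);                     // attempts before lockout
define('SCHOOL_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS);  // how long the lockout lasts

// Transient key for the calling address. REMOTE_ADDR is set by the web server,
// not by the client, so it cannot be forged the way X-Forwarded-For can.
function school_lockout_key(): string {
    return 'school_failed_login_' . md5($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
}

// Count each failed attempt; the counter expires on its own after the lockout period.
add_action('wp_login_failed', function () {
    $key = school_lockout_key();
    set_transient($key, (int) get_transient($key) + 1, SCHOOL_LOCKOUT_SECONDS);
});

// Refuse to authenticate at all while the address is locked out, even with the
// right password, so guessing cannot continue from the same location.
add_filter('authenticate', function ($user) {
    if ((int) get_transient(school_lockout_key()) >= SCHOOL_MAX_FAILED_LOGINS) {
        return new WP_Error('school_locked_out', 'Too many failed logins from your address. Please try again later.');
    }
    return $user;
}, 30, 1);

// A successful login clears the counter for that address.
add_action('wp_login', function () { delete_transient(school_lockout_key()); });
```

Because the lockout is keyed on the visitor’s address, a whole school behind one NAT gateway shares a single counter, which is why the example uses a timed lockout rather than a permanent ban. The `authenticate` filter also covers XML-RPC and REST logins, so those routes are limited as well.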

Invaluable security plugins for your WordPress site

  • Bullet Proof Security – this is by far the best option to secure access, hosting and databases for WordPress installations. Even if another website on the shared hosting is compromised, BPS will ensure your site remains secure. It also works well with WP Super Cache and W3 Total Cache, and it won’t slow down your site or cause plugin issues. BPS secures your .htaccess file and database.
  • Wordfence – this plugin can control the number of logins allowed, it will ban access attempts using an incorrect username, and best of all, it will scan your site, find any malicious or suspect code and show you how to remove it.
  • Hide login – this is a very simple and effective way to secure your site. Brute force hacking requires the hacker to know the login page for your website. Typically that is http://www.yoursite.com/wp-login.php. ‘Hide login’ simply hides that page, giving it an address the hacker won’t know. If they don’t know the login page, they can’t hack the site.
  • Better WordPress Security – this is a great all-round security plugin. It removes the information and meta tags which a hacker typically looks for when targeting a vulnerable site. It also renames any ‘admin’ users to prevent speculative brute force attacks. It enforces password policies and it will scan your site looking for vulnerabilities and any unauthorised changes to the code or plugins.

Hacking is akin to cyberbullying – if there are no vulnerabilities to latch on to, the hacker will get bored and select a new target. If there is a clear vulnerability, the hacker will return again and again.

If you believe there are potential hackers amongst the student body, try to turn the threat on its head. Place a copy of your website on the internal school network, or a test server, and invite the students to test the site and try to spot, and rectify, any security vulnerabilities. Useful suggestions and modifications can be credited on the live website, and the successful real-world IT security experience can form part of the pupils’ CVs.

Tom Tolkien is a qualified teacher with senior leadership experience, including Head of ICT positions in two schools. If you require an appraisal of your school’s website security, please contact him via this website or on LinkedIn.
