WordPress without a doubt is an extensive content management system that powers over 25% of websites across the globe. Business leaders are developing their businesses by creating well-designed websites on WordPress. One can customise the design as well as the functionality of their websites, without embedding any code, thanks to its broad range of themes and plugins. But it doesn’t mean you ignore the key aspects of your website.
Security is one of the most important areas you must consider spending some time on, especially if you are on WordPress. Most users overlook this aspect, believing that WordPress is a secure platform. Of course, WordPress is secure but you need to keep your WordPress core, installed themes, and plugins updated to the latest versions, and you need to use robust login details. By taking these things into consideration you’re already on your way to having a more secure WordPress website than most.
Improving your website’s security further will help strengthen the reputation of your business and its brand; by avoiding a future hack that could take your website down and steal your customer’s data. Thankfully, it’s not that challenging to do. You can follow some easy-to-do security tips and tricks within this post, without needing the assistance of a professional web developer, to help make your website safe and secure for you and your visitors.
1. Use Unique Usernames and Passwords
It’s harder for a hacker to gain access to your website when your user account details (both the username and password) are unique. Therefore, it is recommended to delete the default “admin” username and create a unique one. This is the most important thing that you need to keep in mind while setting up a new website. It is because the default usernames are soft targets for hackers so they should be tweaked with a new username.
Create a new user by visiting the “Users” section then select “Add New” in your WordPress admin dashboard. Now log out from your default “admin” account and log in again with the new user details. In “Users” delete the old (default) username and ensure that you choose the option to transfer your old posts to your new username whilst deleting the “admin” account.
Another simple way is to use a Username Changer plugin. With this plugin, an administrator of a website can change the username in a matter of a few seconds.
Most hackers gain access to websites by cracking a simple password associated with your WordPress account. That is why it is important to use a strong and secure password. Instead of using “ABC” “123” or your name as a password, you must create a robust one.
Also, try to create a lengthy password – it should contain at least eight characters. You can also add numbers, uppercase and lowercase letters, and special characters within your password to make it a complex one. A reliable password management tool will help you create, store and use unique and complex passwords.
2. Limit Log-in Attempts
Brute force attacks are one of the many ways hackers use to gain access to your WordPress admin area. Aside from using a unique username and password, you can also strengthen your log-in form by installing plug-ins such as Login LockDown to limit the number of login attempts from a given IP range. The All in One WP Security & Firewall plugin also has an option that will simply change the default URL (/wp-admin/) for the login form.
3. Use Two-Factor Authentication
WordPress, by default, does not yet have two-factor authentication built into it. Installing authentication plugins such as Google Authenticator will make it more difficult for hackers to gain access to your website through brute force attack. This method is the recognised standard today for enhanced security at your access points.
4. Choose a Reliable Hosting Company
Research conducted by WP White Security reported that 41% of websites were hacked through a security vulnerability on their hosting platform. Having said that, choosing a reliable hosting company to host your website is one of key factors to keep those hackers at bay. According to wpmudev, a good hosting company gives emphasis on security and has:
- Support for the latest versions of PHP and MySQL.
- Is optimised for running WordPress.
- Includes a WordPress optimised firewall.
- Malware scanning and intrusive file detection.
- Trains their staff on important WordPress security options.
5. Hide Your Log-in Page
You can login to a default installation of WordPress at yourwebsite/wp-admin and yourwebsite/wp-login.php. Make it harder for hackers to perform brute force attacks to your website by moving the location of your login files. You can do this by installing plugins which will allow you to conceal and change the name of your login page, admin area, logout page and forgotten password page. Some of the plugin solutions available are: Rename wp-login.php, Hide Login+, and Lockdown WP admin.
6. Disable File Editing
The WordPress plugin and theme editor allows authorised users to modify your theme and your installed plugins. This feature itself is one that hackers use to crash your website by simply injecting malicious code into your theme to give them access to your site. Luckily, you can disable this feature by adding this line of code to your wp-config.php file:
define('DISALLOW_FILE_EDIT', true);
Doing this will make it impossible to modify your themes and plugins without FTP access.
7. Hide Your WordPress Version
Some versions of WordPress are known to possess more vulnerabilities than others. Having said that, WordPress by default also places a meta tag within your source code that displays your WordPress version number. This bit of information is useful to hackers, especially if your version number states that you are not keeping up with the latest updates. To solve this, you can add the following code to the top of your themes functions.php file:
remove_action('wp_head', 'wp_generator');
In addition to this, you also need to delete the readme.html file located in the root of your WordPress Install because this also contains the version number of your WordPress installation.
8. Use Security Plug-ins
If you are not that knowledgeable on how to tweak the code within WordPress, you can strengthen your website using plugins that offer all-in-one security solutions. Some of the great all-in-one WordPress security plugins are:
- Sucuri– Scans your website and detects PHP mailers, injections, malicious redirects, phishing attempts, and also includes one-click hardening options such as protecting your uploads directory, removing the WordPress version number, disabling theme and plugin editors, and restricting access to wp-content and wp-include directories
- iThemes – Monitors core files for any changes, hiding both the login and admin pages, two factor identification, limits login failed attempts, forces use of secure passwords for specific roles and file permissions
- Wordfence– Scanning for file changes, Blocking IP addresses, two factor authentication, country blocking redirects, and custom alerts
- Malcare – Detects malicious files that could put your website at risk. Read this interview we conducted with its founder to better understand what the plugin is about.
9. Use Correct File Permissions
On computer filesystems, different files and directories have permissions that specify who and what can read, write, modify and access them. Ensuring that you are using the right file permissions and ownerships will not only allow you to keep your WordPress website updated, it also prevents hackers from exploiting poor file security and taking control of your website. Make sure that your WordPress folder permissions are set to 755 or 775; file permissions are set to 664; and the wp-config.php permission is set to 600 or 664. You can check out the Changing File Permissions guide on WordPress.org for more information on how to change file permissions.
10. Stay up to Date
According to a study by Sucuri, 56% of WordPress installations were running out of date core versions. In addition to this, the same study shows that a very large percentage of the website hacks came from out-of-date versions of plugins. Having said that, always make sure to keep your WordPress core up to date as well as your plugins. You can always download the latest version of WordPress from WordPress.org. An updated version will lessen your website’s vulnerability to hackers.
Since WordPress 3.7, WordPress core upgrades are now automated – this means that minor security and feature releases are automatically applied. However you’ll still need to update when it comes to the major releases.
11. Choose a Managed Hosting Plan
If you want to run a safe and secure website, make sure that you choose a hosting provider that can offer you a well-supported, secure, and reliable hosting service. Instead of opting for a shared hosting plan, you can go for a managed host. It is more secure compared to a shared hosting plan.
There are various companies, offering Managed WordPress hosting services, such as SiteGround and WP Engine. If choosing from these two I recommend the former for starter websites and the latter for a website that’s more substantial. However, you can choose the most suitable one that meets your requirements.
Managed hosting providers can automatically update your WordPress installation and installed plugins; they can also be on hand for support and disable any plugins that are causing security and speed issues.
Plus, they offer hardware-based firewalls and configurations to eliminate the risk of Distributed Denial of Service (DDoS) attacks from your website.
12. Carefully Choose your Theme & Plugins
Always choose your themes and plugins from a reliable source, they should be actively maintained and updated on a regular basis. This ensures that the developers are actively patching security vulnerabilities, which can be updated instantly via your WordPress dashboard.
Don’t forget to check the detailed descriptions of plugins because some of them might be audited by third parties.
These practices will give you a sense of relief when it comes to the security of your website.
13. Blacklist IP Addresses from Logging into your Admin Panel
You can also strengthen the security of your website by blacklisting everyone except you from logging into your admin account. For this, you need to go to the /wp-admin/folder of your WordPress installation and access the .htaccess file (if one doesn’t already exist then you’ll need to create it). You can embed this code within the file, but don’t forget to add your IP address where it says YOURIPADDRESS
:
order deny,allow
deny from all
# whitelist home IP address
allow from YOURIPADDRESS
# whitelist work IP address
allow from YOURIPADDRESS
# whitelist holiday IP address
allow from YOURIPADDRESS
When someone tries to open your login page, the screen will flash with this message:
Forbidden. You don’t have permission to access/wp-admin on this server.
Although it is a better and stronger solution, sometimes it can create problems if you change your IP address. In this situation, you need to access your .htaccess file via FTP and update the document with your new IP address. If your IP address changes frequently then this could become a boring and time-consuming process, but it helps protect your website from hackers, so you need to weigh up how it fits within your business.
10 WordPress Security Tips to Defend Your Site from Hackers Infographic
These simple WordPress security tips and tricks will help you run a safer and more secure website. So, make sure you execute all of these steps in a fair and effective manner in order to give hackers and spammers a tough time when trying to hack your website.
Now that you’ve read through our article, check out our infographic below where we revisit 10 of the most important WordPress security tips that you can quickly run through and apply to your website today, to help protect yourself from malicious hackers and the nefarious things they can do to damage your reputation and brand.