Website security is one of the common concerns all the site owners have and surely a crucial thing to care for. You cannot afford to watch over your site being hacked for not taking just a few simple precautions. Malware/ spams can destruct the whole thing on your site, indeed years of your hard work – anyone is sure to lose a sound sleep for months or years.
Website security has been a widely discussed topic for WordPress users as WordPress has been one of the high targets of the hackers. It seems quite natural as WordPress is the king of all CMS technologies – the most popular platform in use that powers over 25% of all websites online. Along with the ever-growing popularity, WordPress security check has become an issue of major concern among the WordPress people.
You may find some people arguing that WordPress is vulnerable as it free and open-source platform but that is not true anyway. WordPress takes security seriously and a team of experts at WordPress is on standby to inspect and fix the issues anytime. Do not trust me but can you ignore them – celebrity websites, big brand website, top news and magazine site, popular websites you probably follow are created using WordPress.
While discussing WordPress security, there is no hard and fast rule or a formula to keep your site There are some misleading rumors as WordPress being vulnerable secure but taking some simple precautions can protect your site from spams and attacks. Installing WordPress from the official WordPress website wordpress.org only and using themes and plugins from trustworthy sources can save your site from being hit by spammers.
Some of the main reasons to WordPress website vulnerabilities are insecure WordPress installations, using easy to crack passwords and default usernames. Besides these, your WordPress website can be hacked when you use insecure WordPress hosting, themes, and plugins, have a virus on the computer, approve non-relevant comments.
So, I have tried to put together some simple yet actionable WordPress security tips that can help you to protect your site from being hacked.
Let’s explore them:
1. Keep WordPress software, themes, and plugins updated
A basic and vital rule to keep your WordPress website safe and secure is to keep it updated with the latest of WordPress. Every new WordPress version is updated with security fixes that were reported in the previous version. So, keeping it up-to-date helps to prevent your WordPress site from being hacked in a great deal.
While using your WordPress dashboard, you might have seen a small rectangular box with ‘An updated version of WordPress is available’ written in it. Update it as soon as possible and avoid possible attacks. Similarly, you should upgrade your WordPress themes and plugins to the latest updates available. Sometimes the theme and plugins used in your website may not be compatible with the latest version of WordPress as they are not updated. In such case, you must immediately replace them with a quality theme and plugins from a secure source.
2. Create a new user profile
Creating a new user profile helps greatly in keeping your WordPress site safe and secure as the hackers mostly attempt attacking your site using the default username ‘admin’. That is why you must delete the default username ‘admin’ and set a new custom username of your own as the administrator to the site.
You can easily create a new user by going to the ‘Users’ and then ‘Add new’. As you create it you can sign out from the default user account and sign in as the new user which will ensure your website’s security in a certain level.
3. Use strong and complex passwords
Hackers target the websites with weak passwords and TechCrunch is the latest victim. Many website owners simply use easy to remember passwords, but it is really a vulnerable act to do. If you use a commonly used password, it means that you are making it easy for the hackers to guess and break it.
To make your passwords strong, you can create a long password at least of 8 characters. You can make it more complex by using uppercase and lowercase characters, numbers and symbols. Besides, not using a complete word, your company name, real name etc. also makes it hard for the hackers to guess your password.
Using a plugin like Force Strong Passwords can help the site owners in a great deal to set stronger passwords.
4. Select a secure hosting company
The cost of hosting companies is ranging from minimum amount to a bundle, i.e. there are hosting services available at the very cheap price too. If you are just using any hosting provider for the low cost it charges, that can be a great mistake causing more harm to your website security.
WordPress.com is one of the most secure hosting providers for WordPress platform. In addition, WP Engine and some other companies provide managed WordPress hosting specifically designed for WordPress platform only. Before selecting a WordPress hosting company, you must go for research and find out a secure hosting company in consideration with some major security measures.
5. Activate a security plugin
WordPress updates often fix all the vulnerabilities reported however, there could remain some more vulnerabilities caused by the use of third party themes and plugins. Using WordPress security plugins, you can fix such vulnerabilities.
There are a plenty of WordPress security plugins available to help you to keep your site secure. Some of the popular free WordPress security plugins are All In One WP Security & Firewall, Wordfence Security, iThemes Security etc. You can find also the premium version of these security plugins for more features.
6. Limit login attempts
It is also a good idea to limit failed login attempts because hackers or a bot might be trying to guess your password. If you limit such login attempts, you protect your site from a brute-force attack. To add this functionality, you can easily activate a WordPress plugin. Some of the best free WordPress plugins to limit the failed login attempts are Login Lockdown, Limit Login Attempts etc.
Login LockDown plugin records the number of failed login attempts and the IP address with which it blocks all the login requests from the same IP range if it detects a certain number failed attempts within a short period of time. It prevents the hackers from discovering your password by trying random passwords infinite times.
7. Adopt Two-Step Authentication
Two-step authentication means adding an extra layer of security to your website, making the users verify their identity using a secret code or piece of information in addition to the regular username and password. Two-step authentication also called Two Factor Authentication (2FA), is a very useful measure to secure your website from hackers as it demands extra information beside the standard login details. It can be set as users must know a secret code, secret question or pass the verification step through social network accounts, cell phones etc.
8. Hide your WordPress version
If you display the WordPress version on your website, the hackers will find it easy to attack as they know the drawbacks of the version of WordPress you are using. So, it is very necessary to remove the generator meta for WordPress which shows the version of your WordPress website.
It is very easy to do so, however, it can be a great precaution in securing your WordPress site.
9. Change your site login page URL
By default, we can access login page of a WordPress site simply by adding ‘wp-admin’ or ‘wp-login.php’ to the site URL. An easy access to the login page of your website means allowing the hackers to attempt brute force attacks, by guessing the username and password. So, changing the site login page URL to a custom URL of your own can prevent a great number of hacking attempts.
iThemes Security plugin can help you to change the URL of your site’s login page and protect the most sensitive login area. Along with this feature, it offers you multiple ways to keep your WP website secure – Two Factor Authentication, password security, Google reCAPTCHA etc.
10. Back up your site regularly
Despite all the measures to protect your site from being hacked, you never know what part is the target of the hackers. So, keeping a regular backup is an act of wisdom, which enables you to restore the site immediately even if something goes wrong. Though it is not a direct solution to protect your site from hackers but surely a way to save a lot of your time and effort.
11. Reduce overall number of plugins
WordPress plugins are cool as they come up with almost every functionality you want to add to your site while they can be fatal to your website. So, you must be very careful while installing plugins to your site – download them only from the known/ secure sources only, research well on their features and usability. Besides, you must try to pick a plugin with advanced functionality so that you don’t require two or three extra plugins for each particular function.
For instance, using Jetpack plugin alone can provide you multiple features such as site traffic stats, speed, and security, contact forms, image galleries etc. Similarly, WP Ultimate Social can be an all in one social media solution for your WordPress site.
12. Protect your wp-config.php File
You must protect your wp-config.php file because it contains all the confidential details and information about your WordPress site. So securing this file means protecting the core of your WordPress site by making it difficult for the hackers to learn about your site’s important details.
To protect your wp-config.php file, you just have to move it to the directory above your WordPress install i.e. above your root directory.
If your server has .htaccess file, you can simply place the following code at the top of the of it and protect the wp-config.php file.
13. Use SFTP encryption
SFTP stands for SSH File Transfer Protocol or Secure File Transfer Protocol which is a secure alternative to FTP with an SSH connection. FTP is popular for transferring files between two remote systems but it lacks the security measures. On that point, SFTP is a cool thing to start with as it ensures that all the files are securely transferred. SFTP encrypts your password and other data while transferring between your computer and your website so that can’t learn about your password anyway.
Most of the web hosting companies these days include SFTP encryption in their service package, however, it’s your responsibility to make sure if they offer it or not. Even if they don’t provide such a service, you can do it on your own.
14. Manage and change file permissions
Allowing write access to the web server is not safe, mostly when your site uses a shared hosting. So, it is essential to lock down the certain file permissions. The root WordPress directory (/), The WordPress Administration area (/wp-admin/), The bulk of WordPress application login (/wp-includes/) should be writable only by the user account while you can allow writing access to the web server in User-supplied content (/wp-content/) that includes theme and plugins.
Besides, changing the directory permissions to “755” and files to “644” is a smart deal which protects your site data in a great deal.
15. Securing your own device
Last but not the least, securing the device that you use to access the website is very important. There are actually various kinds of viruses and bots ready to harm you anytime or mess up with your whole site data. Using a good antivirus software, updating the OS time to time and monitoring the computer malware all the time can help you reduce the vulnerabilities that can be caused by the viruses on your machine.
Website security really does matter because a hacker may spoil your complete project, investment of time and money. You must ensure that you are in the safe hands to keep your site healthy, stand out of the crowd and make a profit for you. So taking some precautions to stay safe can be a wise idea for any smart website owner.
In addition to these in my list, there can be more ideas for keeping a WordPress site secure. If you have anything more to share on this topic, feel free to write your view in the comment box below. I will kindly appreciate your suggestions.