WordPress Security


WordPress is a popular blogging platform and, according to a recent survey, around 26% of sites on the Internet are powered by WordPress.

But, as the saying goes, "with great power comes great responsibility": that popularity has made WordPress a major target for attackers.

Another survey reveals that, of all the blogging platforms whose sites were hacked, WordPress was at the top. See the chart below.

[Chart: number of WordPress websites hacked]

Does that mean WordPress isn't secure? No. When a site gets hacked, the cause is almost always the way it was set up and maintained (weak credentials, outdated plugins, pirated themes) rather than a flaw in WordPress itself.

WordPress is open source, and open-source code is visible to attackers as well as defenders; combined with its huge market share, that makes it a favourite target.

But it can be secured, to a great extent, which will give a hard time to attackers trying to get past your defences.

And whose job is it to add those extra levels of security? You guessed it: yours.

You put a lot of time and effort into establishing your WordPress site and making it popular within your niche.

So it's always recommended to take care of security and make securing your site the first priority.

In this article, I’ll discuss some common, uncommon, and creative ways to secure your WordPress site.

But first, you need to know what types of attack WordPress is vulnerable to:

Types of Attacks WordPress May Face

  • Backdoors: injected code in files or plugins on your server that lets the attacker back in even after the original hole is fixed. The most common source is nulled (pirated) plugins and themes, which frequently ship with a backdoor built in.
  • Pharma Hacks: SEO spam that injects rogue code and hidden links (typically for pharmaceutical products) by exploiting an outdated version of a plugin, theme or WordPress itself.
  • Brute Force: automated scripts that guess weak passwords against your WordPress login until they get into the dashboard.
  • Malicious Redirects: a backdoor planted through FTP, SFTP, wp-admin or another entry point that sends your visitors on to spam or malware sites.
  • Denial of Service (DoS): among the most damaging attacks. It exhausts the server's memory, CPU or bandwidth, sometimes by exploiting bugs in the code and sometimes by sheer volume of requests, so that the site stops responding. A distributed DoS attack against the DNS provider Dyn on October 21st, 2016 made many major sites unreachable for hours.

So now let's get started and look at ways to improve WordPress security the way top bloggers do.

11 WordPress Security Tips To Secure a WordPress Website

Move to a Secure WordPress Hosting Provider

I have always urged my clients to choose a secure web host that understands website security and takes the necessary steps to keep your site safe.

If you're using a low-quality hosting service from a host with a bad reputation, migrate your website to one of our recommended WordPress hosting providers as soon as you can.

Use a clever username and complex password

The next important security check is to set a unique username with a complex password. This is underestimated by a lot of site owners, who simply keep the username admin and set the password to 123456.

I understand you're in a hurry during installation, but do change it to something more secure afterwards. You can try this password generator to get a strong password.

Below are the results of a security survey listing the most common passwords found on hacked websites.

  • 123456
  • password
  • 12345
  • 12345678
  • qwerty
  • 123456789
  • 1234
  • baseball
  • dragon
  • football

As you can see, people still use passwords this weak. Brute-force scripts try exactly these lists first, so a password on it is as good as none.
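The policy check below is an added example, not code from the article: it turns the advice in this section (no list passwords, no username admin, something long and mixed) into a function you could run on new accounts. The deny-list is the ten passwords above plus a handful of default usernames, both constructed here; a real deployment would use a far larger list, and the thresholds are assumptions.

```python
"""Password and username policy check for WordPress accounts (added example)."""
import re

# Constructed deny-list: the ten passwords from the survey above. Real
# deployments should use a much larger list (e.g. a leaked-password corpus).
COMMON_PASSWORDS = {
    "123456", "password", "12345", "12345678", "qwerty",
    "123456789", "1234", "baseball", "dragon", "football",
}
# Usernames that brute-force scripts try first (constructed, not from the page).
PREDICTABLE_USERNAMES = {"admin", "administrator", "root", "test", "user"}
MIN_LENGTH = 12  # assumption; pick what your threat model needs

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def password_problems(username: str, password: str) -> list:
    """Return the reasons a password is unacceptable; an empty list means it passes.

    Rules: not on the common list (compared case-insensitively and with a
    trailing run of digits/symbols stripped, so 'Password123!' is still caught),
    at least MIN_LENGTH characters, not containing the username, and drawn
    from at least three of the four character classes.
    """
    problems = []
    lowered = password.lower()
    stripped = re.sub(r"[\d!@#$%^&*]+$", "", lowered) or lowered
    if lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    classes = sum(bool(re.search(p, password)) for p in CHARACTER_CLASSES)
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


def username_problems(username: str) -> list:
    """Flag the predictable usernames that every login-guessing script starts with."""
    if username.lower() in PREDICTABLE_USERNAMES:
        return ["predictable username, the first one brute-force scripts try"]
    return []


if __name__ == "__main__":
    for user, pw in (("admin", "123456"), ("admin", "Password123!"),
                     ("editor", "correct-Horse7battery")):
        print(user, repr(pw), username_problems(user) + password_problems(user, pw))
```

Note the stripped comparison: attackers' wordlists mutate the base words with suffixes like "123" or "!", so a check that only compares the exact string would pass "Password1!" while every cracking tool tries it within seconds.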

Always Update to Latest Version

Updates are for your own good. Every software update brings improvements, and most of the time updates are rolled out to fix security issues.

Outdated plugins or themes on your WordPress site are the usual entry point for pharma hacks and similar code injections.

You can download the latest WordPress version from here.

Change WordPress Login URL

It is a clever tactic used by top bloggers to secure their WordPress sites.

By default, the login URL of your WordPress site looks like http://www.yoursite.com/wp-admin/ (which redirects to wp-login.php).

And the first thing attackers' scripts do is visit this page and try random login credentials.

Changing the WordPress login URL keeps automated scanners and unskilled attackers off your login form. It is obscurity rather than a real barrier, though: a determined attacker can still find the page, and unless you also disable XML-RPC, xmlrpc.php keeps accepting password guesses. Combine it with the login limits and two-factor authentication below.

Use the free WPS Hide Login plugin to change the default login URL.

Limit Login Attempts

Another simple yet effective way to secure your site is to limit the login attempts allowed per user.

Hacking scripts are usually automated and keep trying different credentials until one works. By limiting login attempts, WordPress will lock out the user account or the IP address used after a set number of failures.

The free Cerber Limit Login Attempts plugin will handle this job for you.
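The detector below is an added example, not code from the article or from the plugin, showing what "limiting login attempts" has to observe: it reads web-server access-log lines in the common combined format and flags any IP that sends more than a threshold of POSTs to wp-login.php or xmlrpc.php inside a sliding window (both endpoints accept credentials, which is why changing the login URL alone is not enough). The log lines, IPs, threshold and window are all constructed assumptions; on a real server you would feed it the live access log and hand the result to your firewall or the plugin's block list.

```python
"""Spot login brute-forcing in an access log (added example, constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; we only need the fields named here.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Every endpoint that accepts a username/password; xmlrpc.php is the one people forget.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample: one IP hammering wp-login.php eight times in eight seconds,
# one IP poking xmlrpc.php three times, and one real visitor who logs in once
# (a 200 on POST /wp-login.php is a re-rendered form, i.e. a failed login;
# a 302 is the redirect to the dashboard after success).
SAMPLE_LOG = (
    [f'203.0.113.7 - - [21/Oct/2016:10:00:{s:02d} +0000] '
     f'"POST /wp-login.php HTTP/1.1" 200 3456 "-" "python-requests/2.9"' for s in range(8)]
    + [f'198.51.100.9 - - [21/Oct/2016:10:05:{s:02d} +0000] '
       f'"POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"' for s in range(3)]
    + ['192.0.2.4 - - [21/Oct/2016:10:06:00 +0000] '
       '"GET /wp-login.php HTTP/1.1" 200 3456 "https://example.com/" "Mozilla/5.0"',
       '192.0.2.4 - - [21/Oct/2016:10:06:05 +0000] '
       '"POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"']
)


def parse(line):
    """Return (ip, timestamp, method, path-without-query, status) or None if unparsable."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


def find_bruteforcers(lines, limit=5, window=timedelta(minutes=10)):
    """Map each offending IP to the largest number of login POSTs it made inside
    any `window`-long sliding interval, keeping only IPs that exceeded `limit`."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still inside the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or path not in LOGIN_PATHS:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop attempts that fell out of the window
            q.popleft()
        if len(q) > limit:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, n in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {n} login attempts in the window, block it")
```

Two practical notes: the threshold belongs per IP and per account (a distributed attack spreads guesses over many IPs, so also count failures per username), and if the site sits behind CloudFlare or another proxy the `ip` field will be the proxy's address unless the server is configured to log the forwarded client IP.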

Enable Two-Factor Authentication

Two-factor authentication is probably the best single way to secure your website, as it adds an extra level of security that a stolen or guessed password alone cannot get past.

It involves a two-step process in which you need a second method alongside your usual login credentials. The second factor is generally a text message (SMS), a phone call, or a time-based one-time password (TOTP) from an authenticator app. TOTP is preferable: SMS codes can be intercepted or redirected through SIM swapping.

You can use the Authy plugin to add two-step authentication to your website, which allows up to 100 authorizations per month.

Another recommended plugin is Google Authenticator, which is entirely free and makes use of secret keys or QR codes.
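To show what those secret keys and QR codes actually carry, here is an added example (mine, not code from the article or from either plugin) implementing the TOTP algorithm from RFC 6238 that authenticator apps use: the site and the app share a secret, each derives a six-digit code from the current 30-second time step, and the site accepts a code only if it matches, tolerating one step of clock drift and comparing in constant time. The check uses the published RFC test secret; the issuer and account names in the provisioning URL are assumptions.

```python
"""RFC 6238 TOTP (the mechanism behind Google Authenticator-style apps). Added example."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC the big-endian counter, dynamic-truncate, keep `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter = Unix time divided into `step`-second slots."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """Accept the current code or one `step` either side (clock drift between phone
    and server). compare_digest keeps the comparison constant-time."""
    if at is None:
        at = int(time.time())
    return any(
        hmac.compare_digest(hotp(secret, at // step + delta, digits), code)
        for delta in range(-skew, skew + 1)
    )


def secret_from_base32(s: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32 (what the QR code holds)."""
    s = s.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI an app scans from the QR code (Google Key URI format)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits=6&period=30")


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret; generate your own at random
    print(provisioning_uri(secret, "editor@example.com", "Example Blog"))  # assumed names
    print("current code:", totp(secret))
```

Two things the page's plugins handle that this leaves to you: the secret must be generated with a cryptographic random source per user and stored as carefully as a password, and a verified code should be remembered for its time step so it cannot be replayed within the skew window.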

Install HTTPS – SSL Certificate

An SSL/TLS certificate lets your site serve HTTPS, which encrypts the traffic between the browser and your server so that login credentials, session cookies and your users' information cannot be read or altered in transit.

Sites with an active certificate have an added S in the scheme: the address starts with https:// instead of http://.

Also, there will be a padlock icon in the address bar (green, in older browsers) which signifies that the connection is secure.

You can use CloudFlare or Let's Encrypt to add a free SSL certificate to your website, or you can buy an SSL certificate from GoDaddy. If you go the CloudFlare route, pick the Full (strict) SSL mode: the Flexible mode only encrypts the leg between the browser and CloudFlare and leaves traffic to your own server in plain HTTP. Once the certificate works, redirect all HTTP requests to HTTPS so that nobody lands on the unencrypted version.

Disable File Editing in WordPress Dashboard

WordPress sites often have many users, and administrators frequently give several of them full access.

Due to the nature of the work, granting full access may be unavoidable, which can turn into a nightmare for the original site owner: any account with that access can edit PHP files from the dashboard, and so can an attacker who compromises one.

For security, you should disable the Appearance Editor (and the Plugin Editor), which let users edit the code of your WordPress site from the dashboard.

Also, there's no need for other users to see the code, as they aren't going to use it for any contribution.

To disable the editors for all users, simply add the line below to your wp-config.php file, above the /* That's all, stop editing! */ comment.

define('DISALLOW_FILE_EDIT', true);

It removes the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities from all users, including administrators. If you also want to block installing and updating plugins and themes from the dashboard, the related DISALLOW_FILE_MODS constant does that, but then updates have to be applied by other means.

Use WordPress Security Plugin

The next big step to secure your WordPress website is to install a WordPress security plugin which would take care of most of the work.

There are a lot of developers and services which provide WordPress hardening, and some of these are:

I personally use the Wordfence security plugin on my site and it does a great job of handling basic security issues such as, but not limited to:

  • Generating and enforcing complex passwords when adding new users
  • Malware scanning
  • WordPress security firewall (WAF)
  • Two-factor authentication
  • reCAPTCHA on login forms
  • IP whitelisting and blacklisting
  • Monitoring DNS changes

Enable DDoS Protection

DDoS (distributed denial of service) is a type of DoS attack launched from many machines at once, and it is getting more common every day.

Unlike other attacks, a DDoS attack is not used to break in and steal data from your site; it takes your website down for hours or even days.

To protect yourself from these attacks, use a third-party security service such as CloudFlare.

CloudFlare runs one of the biggest DDoS protection networks and uses it to keep your site up even when it is the target of a DDoS attack. It only helps if attackers cannot reach your server directly, so restrict your origin server to accept web traffic from CloudFlare's IP ranges only.

Most importantly, they offer a free service which makes it worth giving a shot.

You can also consider moving to a DDoS protected dedicated server if your website receives heavy traffic.

Take Daily WordPress Backups

By applying the security tips above, the chances of your site being hacked are much lower, but you should always be prepared for the worst.

If your site does get hacked and you lose your data, a recent, clean backup is the only way to recover and get your site up and running again. Keep copies off the server as well: an attacker with write access to the site can delete or corrupt backups stored beside it.

Most quality web hosts, SiteGround included, take daily backups of your site and will help you restore from them.

You can also take daily backups yourself with the free UpdraftPlus WordPress plugin, which lets you schedule periodic backups to remote storage.

Refer to this guide to learn how you can set up UpdraftPlus on your WordPress website.

Signing Off

WordPress security is your responsibility and you shouldn't take it lightly. An attack can cause you a big loss, and all your hard work of months or years can be wasted.

Securing a site is easy with WordPress and you hardly need any technical knowledge.

Implement as many of these security tips as you can and make your website much harder to break into. It will help you in the long run.

What's your take on WordPress security? How do you make sure that your blog is protected and free from attacks? Share your thoughts below.

Do you use any other security technique that is missing from this list? Add a comment and help other readers.

Also, do share this post with your friends and followers on social media and help them secure their blogs and sites.