6 tips for protecting your WordPress website
Even beginners can and should take these steps to protect their WordPress sites from cyber attacks.
WordPress already powers 30% of the Internet, it is the fastest growing content management system (CMS) in the world, and it’s not hard to see why: through the vast amount of custom code and plugins available, top-notch search engine optimization (SEO), and a strong presence in the blogosphere. SEO, and an excellent reputation in the blogosphere, WordPress has gained a lot of popularity.
However, with that popularity comes some not-so-good attention. WordPress is a common target for intruders, malware, and cyber attacks – in fact, WordPress accounts for about 90% of CMSs hacked in 2019.
Whether you’re new to WordPress or an experienced developer, here are some important steps to protect your site. Here are 6 key tips to help you get started.
1. Choose reliable managed hosting
Hosting is the invisible foundation of all websites; without it, you can’t publish your site online. But hosting is much more than simply hosting your website; it is also responsible for its speed, performance, and security.
The first thing to do is to check that the host includes SSL security protocols in its package.
Whether you are running a small blog or a large online shop, the SSL protocol is a necessary security feature for all websites. If you conduct online transactions, you will also need a premium SSL digital certificate, but a basic free SSL certificate will be fine for most websites.
Other security features to look out for include the following.
– Daily automatic offline site backups
– Malware and antivirus scanning and removal
– Distributed denial of service (DDOS) protection against distributed service attacks
– Real-time network monitoring
– Advanced firewall protection
Also, in addition to these digital security features, your hosting provider’s physical security measures are worth considering. These include limiting access to the data center with security guards, closed circuit monitoring, and secondary authentication or biometrics.
2. Use security plugins
One of the most effective and easy ways to secure your website is installing a security plugin such as Sucuri, a GPLv2-licensed open-source software. Security plugins are important because they automate security management, so you can concentrate on running your website rather than wasting time-fighting online threats.
These plugins detect and block malicious attacks and alert you to any issues that need attention. In short, they run continuously in the background to protect your website, so you don’t have to stay awake 24/7, fighting hackers, exploits, and other digital junk.
A good security plugin will give you all the necessary security features for free, but some premium features require a paid subscription. For example, if you want to unlock Sucuri’s web firewall, you must pay for it. Turning on the web application firewall (WAF) blocks common threats and adds an extra layer of security to your website. When choosing a security plugin, looking for one with this feature is a good idea.
3. Choose trustworthy plugins and themes
The joy of WordPress is that it is open source, so anyone and everyone can offer themes and plugins that they have developed. But this also needs to be fixed when choosing high-quality themes and plugins.
When picking a free theme or plugin, some need to be better designed or may hide malicious code.
To avoid this, always get your free themes and plugins from a reliable source, such as the WordPress Theme Library. Review it and research to see if the developer has built other programs.
Outdated or poorly designed themes and plugins can leave “back doors” or errors for attackers to enter your site, so you should be careful when choosing them. However, you should also beware of invalid or cracked themes. These are premium themes that have been hacked and sold illegally. You might buy an invalid theme that looks fine but will corrupt your website through hidden malicious code.
Avoid invalid themes, avoid being lured by discounted prices, and always stick to a reliable theme shop, such as the official WordPress directory. If you look elsewhere, stick to large and trustworthy shops such as Themify, a theme and plugin shop that has been in business since 2010. Themify ensures that all its WordPress themes pass the Google Mobile-Friendly test and are available under the GNU General Public License Open Source.
4. Run regular updates
This is a basic rule of WordPress: always keep your site up to date. However, only some people adhere to this rule, with only 43% of WordPress sites running the latest version.
The problem is that when your site is out of date, it is vulnerable to failures, vulnerabilities, intrusions, and crashes because it needs to catch up on security and performance fixes. Outdated websites cannot fix vulnerabilities as well as newer ones, and attackers can tell which websites are out of date. They can search for the most vulnerable sites and attack them accordingly.
This is why you should always run the latest version of WordPress. To keep your website security in tip-top shape, you must update your plugins, themes, and core WordPress software.
If you choose a managed WordPress hosting package, your provider will check and run updates to see if your host provides software and plugin updates. If not, you can install an open-source plugin manager. For example, the GPLv2 licensed Easy Updates Manager plugin as a replacement.
5. Fortify your logins
As well as creating a secure WordPress site by choosing your theme carefully and installing secure plugins, you must prevent unauthorized login access.
If you’re using easy-to-guess phrases like “123456” or “qwerty,” changing your password is the easiest way to enhance your login security.
Try using a long password rather than a single word so that they are difficult to crack. The best way is to combine them with a series of words that you can easily remember and that are unrelated.
Here are some other tips.
– Never re-use passwords
– Don’t include obvious words like the name of a family member or your favorite team
– Don’t share your login details with anyone
– Your passwords should include case and numbers for added complexity
– Don’t write down or store your login details anywhere
– Use a password manager
Change your login address.
It is a good idea to change the default login URL from the standard format mywebsite.com/wp-admin. Hackers know the default login URL, so not changing it will risk brute-force attacks.
You can change the login URL to a different one to avoid this. Using open-source plugins such as WPS Hide Login, licensed under the GPLv2, makes customizing the login address safer, faster, and easier.
Apply two-factor authentication
You should add two-factor authentication to protect against unauthorized logins and brute-force attacks. This means that even if someone does get your login details, they will need a verification code sent directly to your mobile phone to gain access to your WordPress site administration.
Adding two-factor authentication is very easy; install another plugin, search for “two-factor authentication” in the WordPress plugin directory, and select the plugin you want. One of the options is Two Factor, a popular GPLv2-licensed plugin with over 10,000 installations.
Limit login attempts
WordPress allows you to guess the login details multiple times to help you log in. However, it can also be helpful for hackers trying to gain unauthorized access to WordPress sites and distribute malicious code.
To combat brute force hacking, install a plugin to limit login attempts and set the number of guesses you can make.
Protecting your WordPress website is very important!
6. Disable the file editing function
This is not a step for beginners; unless you are a confident programmer, don’t try it. And always back up your site first.
That said, disabling file editing is an important measure if you want to protect your WordPress site. If you don’t hide your files, anyone from the admin backend can edit your theme and plugin code, which can be dangerous if an intruder gets in.
To deny unauthorized access, go to your .htaccess file and type.
<Files wp-config.php> order allow,deny deny from all </Files>
Alternatively, to remove the edit options for themes and plugins directly from your WordPress admin backend, add an edit to your wp-config.php file at
define( 'DISALLOW_FILE_EDIT', true );
Save and reload this file, and the plugin and theme editor will disappear from your WordPress admin backend menu, preventing anyone from editing your theme or plugin code, including yourself. If you need to restore access to your theme and plugin code, delete the code you added to your wp-config.php file.
Whether you block unauthorized access or disable file editing altogether, it is important to take action to protect your website code. Otherwise, it’s easy for unwanted visitors to edit your files and add new code. This means that an attacker can use the editor to get data from your WordPress site or even use your site to launch an attack on other sites.
An easier way to hide your files is to use a security plugin that works for you, such as Sucuri.
WordPress Security Overview
WordPress is an excellent open-source platform; beginners and developers should enjoy it without fearing attacks. Unfortunately, these threats will not go away soon, so keeping your website secure is vital.
Using the above measures, you can create a more robust and secure level of protection for your WordPress site and give yourself a better experience of using it.
Staying secure is an ongoing task, not a one-off checklist, so revisit these steps regularly and stay vigilant when building and using your CMS.