Security is one of the major concerns when it comes to running a WordPress site. As a WordPress site owner, it is your responsibility to protect your site from hackers and other security attacks. No doubt, WordPress is a power-packed CMS platform that comes with a ton of themes, plugins and out-of-the-box capabilities, but you can’t change the fact that it is one of the most hacked CMS platforms across the web.
Whether you are a WordPress beginner or an experienced webmaster, make sure that you use the best security practices to prevent your site against hackers. You should strengthen the login page, admin page of your site to restrict hacker from gaining access to your site. You can also install the best security tools and plugins offered by WordPress to get the most of it quickly and efficiently.
Apart from this, WordPress offers you some of the best security tips/tricks that will keep your site safe and secure to a great extent. Below are some of the best practices that every WordPress site owner should consider while optimizing their site for higher security. These tips will protect your site from hackers in 2018.
To make your job easier, we have divided our tips into four different categories:
Let’s get started!
(a) Fortifying the WordPress Login Page
Tip 1: Don’t use “admin” as your username
Unfortunately, the login page of a WordPress site is one of the major targets for hackers. They try to gain access to the site by guessing the login details ( username and password) over and over again. So, make sure you don’t use the default username for your WordPress site – this makes it easier for hackers to get into your login page instantly.
If you’ve already installed WordPress using the default username, you can immediately change it by adding an SQL query in PHPMyAdmin. Also, ensure that you use something unique and difficult-to-crack username for your website.
Tip 2: Create a Strong Password
No matter how unique your username is, if your password is weak, a hacker can easily gain access and destroy your site’s online visibility.
To strengthen this particular section, you should use a unique username along with the strong password. Also, make sure your password is a combination of different characters (such as kHiU778@3O) and it should be 10 to 15 characters long. You can also use Strong Password Generator if you are not able to pick the most secure password for your WordPress site.
Also, change your password at regular intervals. This will fortify your WordPress login page to a great extent and keep the hackers away from your site.
Tip: 3 Incorporate Two-factor Authentication
This is one of the best ways to protect your WordPress site from brute force attacks. The brute force is a type of attack where a hacker penetrates the unlimited combinations of usernames and passwords over and over again until he/she gets into the site.
With the integration of two-factor authentication, you can take the security of your login page to the next level. In this method, a password is required along with an authorization code that is sent to your mobile phone to let you log into your site. Without the combination of password and authorization code, you won’t be able to access the login page of your WordPress site.
Quick tip: Install the Google Authenticator to add this functionality to your site, without any heavy lifting.
Tip 4: Customize your login URL
It is better to change the URL address of your login page if you want to protect your site from hackers. By default, the WordPress login page can be browsed through wp-login.php, which anyone can see in the main URL of a site.
This makes it super easy for hackers to access your login page and try to brute force to gain access to the site. Therefore, it becomes necessary for you to customize your login URL and make it more secure and unbreakable. You can create a custom URL such as my_custom_login, Or install the iThemes Security plugin to automatically change your login URLs.
Tip 5: Upgrade to HTTPS
Don’t forget to switch your WordPress site to HTTPS in order to protect it from hackers and other security attacks. HTTPS encrypts the connection between your web browser and your web server, which will keep the attacker away when you are transferring the data from one server to the other.
Plus, it can protect your site from unreliable hidden scripts available on your computer system, and a script that is used to steal data from login forms. Apart from this, WordPress has made it compulsory to have HTTPS in WordPress websites if they want to get better ranking on Google search results – this is a great boost for your brand awareness.
Tip 6: Secure wp-admin directory
Protection of the wp-admin directory is one of the key practices when it comes to WordPress security. Since the admin dashboard is one of the targeted parts of a site for hackers, don’t forget to strengthen its security.
To ensure the security of your admin panel, you can use a password to protect the wp-admin directory. Under this method, a website owner has to submit two different passwords if he/she wants to access their dashboard. One password is dedicated to the login page, while the other is for the WordPress admin area. This is a great way to protect the admin panel of a WordPress site.
(b) Enhancing the Security of WordPress Themes and Plugins
Tip 7: Delete the unused themes and plugins
Delete all the unused themes and plugins from your WordPress admin area. Such themes and plugins not only make your site slow but also make it vulnerable to security attacks.
It is quite obvious that if you are not using any plugin/theme, you stop updating it. This permits a hacker to find a loophole within the outdated element and gain access to your site. To combat this situation, you should deactivate and delete it from your WordPress admin dashboard.
Tip 8: Keep them updated
Update your installed themes and plugins along with your WordPress core on a regular basis to keep hackers away from your site. Since each installed theme and plugin is like an open door to your admin area, make sure you update it with their respective latest versions.
But, sometimes it becomes difficult to maintain the site on regular basis, and this is where automatic updates come into a play. You can configure automatic updates for themes and plugins by inserting a few line of code into wp-config.php.
- Use the following line of code for plugins:
add_filter( ‘auto_update_plugin’, ‘__return_true’ )
- Add this line of coding for installed WP themes:
add_filter( ‘auto_update_theme’, ‘__return_true’ );
This will auto update your WordPress themes and plugins whenever their new version is released.
Tip 9: Never Download Premium Plugins for Free
Instead of downloading a premium plugins for free, make sure you buy it from an official site. Most of the beginners download the premium plugins from unreliable sources because they are free. But this is a wrong approach.
With this trick, a user is taken to the illegal websites which can corrupt their WordPress site with malware. This means hackers are targeting premium plugins to get inside the site’s backend. This all happens because you wanted to save your money.
So, make sure you overlook all the illegal websites, downloads, and torrents while downloading a new premium plugin for your site.
(c) Strengthening the security of database
Tip 10: Tweak your WordPress database table prefix
While the trick is quite complicated, it will definitely enhance the security of your WordPress database. WordPress by default employs a “wp_” table prefix to all database tables of a site, which makes it quite easy for hackers to steal your database via SQL injection attacks.
To prevent such attacks, you should change your default database table prefix to something more reliable. A custom table prefix makes it difficult for hackers to guess it, which in turn, protects your site from getting hacked. To customize it, you will need to access your wp-config.php file to see your default table prefix:
Now, change it to something more unique:
$table-prefix = ‘wp_OH77&K”;
Tip 11: Backup and Update your site regularly
It doesn’t matter how secure your site is, you should always create a backup of your WordPress site. This will keep your site in a safe mode as anything could happen with your site. So, ensure that you keep a regular backup using VaultPress, BackUpWordPress or BackWPUp.
Apart from this, always update your core WordPress on a regular basis. Fortunately, WordPress releases its latest version on a frequent basis to address security flaws and vulnerabilities and modify the existing features to let you enhance your site’s security with ease.
(d) Securing WordPress Hosting Environment
Tip 12: Pick the most reliable hosting provider
It doesn’t matter how latest tricks you are implementing to secure your site if you don’t have a reliable hosting provider, you won’t be able to boost the security of your site.
According to a survey, 41% of WordPress websites were hacked because of a security vulnerability available in the hosting server. This means selection of a right hosting providers matters a lot when it comes to the WordPress security.
If you want to use shared hosting, make sure you choose SiteGround or BlueHost. Both the providers have some of the helpful security-driven features. But if you want a more reliable solution, you can opt for a dedicated hosting provider. They offer you a ton security features, unlimited bandwidth and disk space and other features to let you protect your site with ease.
Tip 13: Secure the wp-config.php file
The wp-config.php file contains all the confidential information related to your WordPress installation. Since it is one of the most vital files of your site, make sure you protect it from hackers and other security attacks.
To protect your wp-config.php file, add the following piece of code in your .htaccess file:
deny from all
Tip 14: Disabling directory listings
Never put your index.html file in the new directory of your WordPress site. As visitors can easily access your full directory listing that is available in that particular directory, it is better to disable your directory listing with the .htaccess file.
For that, you will need to embed the following piece of code in your .htaccess file:
Options All -Indexes
Tip 15: Wisely change the directory permissions
Being a website owner, you can’t afford to set wrong directory permissions, especially if we are securing your shared hosting environment.
It is better to change your directory permissions by setting them to “755”. You should also set your files to “644” – this will protect your filesystem, including directories, subdirectories, and other files.
To change it, you can do it either manually through the File Manager within your hosting control panel, or via the terminal (connected with SSH).
(Tip 15+): Using WordPress Security Plugins
Last but not the least; install WordPress security plugins for protecting your website from security threats. Using WordPress security plugins is a comparatively easier tip yet a very effective one that you won’t want to miss.
Well, there are several WordPress plugins for security purposes each functioning in a different way. Some of the plugins protect login security and brute-force attacks, while some of them prevent spamming and insecure bots. And, you can get both free and paid plugins on the web.
I have mentioned some of the most useful security plugins for WordPress below.
1. Wordfence Security
WordPress Security is the most downloaded free WordPress security plugin. The major features of this plugin are:
- WordPress Firewall: Identifies malicious traffic, blocks the attackers and prevents the site from being hacked.
- Blocking: Blocks the known attackers, entire malicious networks.
- WordPress login security: Two-factor authentication, helps to improve passwords.
- Security scanning: Scans core WordPress files, themes, and plugins.
2. iThemes Security
iThemes Security is yet another popular WordPress security plugin for WordPress. It provides a number of ways to secure your WordPress site. The major features of this plugin are:
- Brute force attack protection: Prevents brute force attacks by banning hosts and users invalid login attempts.
- Detect: Detects bots to search for vulnerabilities, monitors file system, scans for malware.
- Obscure: Hides common WordPress security vulnerabilities including changing URLs for WP dashboard, wp-content path etc.)
- Regular Backups
3. All In One WP Security & Firewall
All In One WP Security & Firewall plugin is a free WordPress plugin useful for protecting WordPress security. It is a good alternative to the above mentioned two security plugins. Major features of this plugin are:
- User login security: Protection against brute force login attack.
- Database security: Maintains automatic backups.
- Blacklist functionality: Bans the users by specifying IP addresses, user agents.
This plugin can be downloaded completely for free from WordPress.org.
These are some of the best tips and tricks that will help you protect your WordPress site from being hacked. You can follow these tips carefully and make your site more secure, without spending a huge amount of money.
Tracey jones is a proficient web developer who has vital skills to convert website to WordPress in less time. She is a prolific writer who constantly tries to create new ways to produce the informative content for the users in a more streamlined way.
(This is a guest post.)