WordPress security is not something to take lightly.
Ignoring it can cause you serious problems. The Internet is full of opportunity and information, but it is also the source of every threat your site will face.
Spam, data theft, brute-force attacks: attackers probe WordPress sites constantly. The threats are many, but that is no reason to ask whether WordPress itself is secure. It is one of the most widely used and best maintained open-source CMSs for digital publishing; most compromises come from how a site is hosted, configured and maintained, not from the core.
So, do you want to improve the security of your WordPress site effectively? If so, here are 10 security tips that will take roughly half a day of work. Trust me, it is a great investment of time. Let's read on!
Table of Contents
- Get Managed WordPress Hosting
- Update Themes, Plugins and Core
- Limit Attempts to Login
- Two-factor Authentication
- Change Login URLs
- Secure Your Password
- Protect wp-admin Folder
- Change Admin Username
- Back up Database and Files
- Scan Your WordPress
1. Get Managed WordPress Hosting
Shopping for hosting should not mean overlooking managed WordPress hosting, which is your first line of defence. A good host blocks many of the attacks aimed at your server or website before they ever reach WordPress.
What makes hosting secure? A web application firewall and malware scanning are the baseline; brute-force protection at the server level is a welcome addition.
Remember that hosting vulnerabilities are among the most common causes of compromise, as highlighted by WP WhiteSecurity: they account for the highest share, followed by vulnerable themes and plugins and weak passwords.
So pay attention to your hosting and make sure it offers daily backups that are kept somewhere other than the web server itself. In the worst case they will come in handy!
2. Update Themes, Plugins and Core
Keep your plugins, themes and WordPress core updated to the latest available version.
Many WordPress users think it is just a matter of clicking the 'Update' button in the dashboard. In reality it is not an operation to be done lightly: always take a backup before updating even a single plugin, so that you can roll back if the update breaks the site.
For plugins, also check that the developer still releases updates. A plugin that has not been updated for a long time may carry unfixed vulnerabilities; replace it with a maintained plugin that offers the same functionality.
Finally, theme updates can be the most delicate part. Many users install a theme and edit its source files directly. This is the wrong approach: when the theme is updated, those changes are overwritten and lost.
You may then find your site with completely different graphics from the ones you built. Without a backup, all you can do is redo every change by hand. The proper way to customise a theme is a child theme, which keeps your changes in a separate directory that updates never touch.
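As an added example (not code from the article), here is the functions.php of a child theme, the standard WordPress way to customise a theme without editing files that the next update will overwrite. The parent theme directory name `mytheme` and the function names are hypothetical:

```php
<?php
// wp-content/themes/mytheme-child/functions.php  (added example, not from the article)
// "mytheme" is a hypothetical parent theme directory. The child theme also needs a
// style.css that begins with this header; the Template line names the parent's folder:
//
//   Theme Name: MyTheme Child
//   Template:   mytheme
//
// Activate "MyTheme Child" under Appearance > Themes. Updates to the parent never
// touch this directory, so your customisations survive every update.

/**
 * Load the parent stylesheet first, then the child's, so child rules win.
 * Using each theme's own version string as the cache-buster means browsers
 * fetch fresh CSS after an update instead of serving a stale copy.
 */
function mytheme_child_enqueue_styles(): void {
    $parent = wp_get_theme( get_template() );
    wp_enqueue_style(
        'mytheme-parent-style',
        get_template_directory_uri() . '/style.css',
        array(),
        $parent->get( 'Version' )
    );
    wp_enqueue_style(
        'mytheme-child-style',
        get_stylesheet_directory_uri() . '/style.css',
        array( 'mytheme-parent-style' ),
        wp_get_theme()->get( 'Version' )
    );
}
add_action( 'wp_enqueue_scripts', 'mytheme_child_enqueue_styles' );

/**
 * Change behaviour through hooks rather than by editing parent files.
 * A template copied into the child directory (header.php, single.php, ...)
 * also takes precedence over the parent's copy without modifying it.
 */
function mytheme_child_excerpt_length( int $length ): int {
    return 30;
}
add_filter( 'excerpt_length', 'mytheme_child_excerpt_length' );
```

With this in place the parent theme can be updated the moment a security release appears, with nothing to redo afterwards.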
3. Limit Attempts to Login
Everyone knows the path to a WordPress login page: /wp-login.php or /wp-admin. Changing these default URLs (covered in tip 5) makes the page harder to find, but you also need to handle what happens when an attacker does reach it.
During a brute-force attack the login page is the target. The attacker takes the easiest route, guessing your password, which requires many attempts before the right one turns up.
That is why you should limit login attempts and block, at least temporarily, the IP address of anyone who fails too many times in a row.
One way to get this protection is to install the Login LockDown plugin.
The plugin records the IP address and time of each failed login attempt and blocks the offending IP (or range of addresses) when failures arrive close together. By default it locks an IP out for one hour after three failed attempts within five minutes. Bear in mind that the login form is not the only way in: xmlrpc.php and the REST API accept credentials too, so the limit should cover every authentication path, not just the form.
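To show how such a limit works under the hood, here is an added example of a must-use plugin (not the Login LockDown plugin's code, and not from the article) that applies the same defaults the article quotes: three failures within five minutes lock the IP for an hour. It hooks WordPress's own `wp_login_failed` action and `authenticate` filter, so it also covers XML-RPC and REST logins, which go through the same filter. Function names prefixed `elt_` are hypothetical:

```php
<?php
/**
 * Plugin Name: Example Login Throttle (added example, not from the article)
 * Description: Locks an IP out for one hour after 3 failed logins within 5 minutes.
 *
 * Save as wp-content/mu-plugins/login-throttle.php; must-use plugins load automatically.
 */

define( 'ELT_MAX_FAILURES', 3 );
define( 'ELT_WINDOW_SECS', 5 * MINUTE_IN_SECONDS );
define( 'ELT_LOCKOUT_SECS', HOUR_IN_SECONDS );

/**
 * REMOTE_ADDR is the only address the web server itself vouches for. Do not
 * read X-Forwarded-For unless a proxy you control sets it: otherwise an
 * attacker supplies a fresh fake IP on every request and never hits the limit.
 */
function elt_client_ip(): string {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Hash the IP so the transient name is short and contains only safe characters. */
function elt_key( string $prefix, string $ip ): string {
    return $prefix . '_' . md5( $ip );
}

/** Count a failure; once the threshold is reached, lock the IP and reset the count. */
function elt_record_failure( string $username ): void {
    $ip       = elt_client_ip();
    $failures = (int) get_transient( elt_key( 'elt_fail', $ip ) ) + 1;

    if ( $failures >= ELT_MAX_FAILURES ) {
        set_transient( elt_key( 'elt_lock', $ip ), time(), ELT_LOCKOUT_SECS );
        delete_transient( elt_key( 'elt_fail', $ip ) );
        error_log( sprintf( 'login lockout: ip=%s last_username=%s', $ip, $username ) );
        return;
    }
    // Re-setting the transient restarts the 5-minute window on every failure.
    set_transient( elt_key( 'elt_fail', $ip ), $failures, ELT_WINDOW_SECS );
}
add_action( 'wp_login_failed', 'elt_record_failure' );

/** Refuse authentication outright while the client IP is locked out. */
function elt_check_lockout( $user, string $username ) {
    if ( '' === $username ) {
        return $user; // bare login page load, not an attempt
    }
    if ( false !== get_transient( elt_key( 'elt_lock', elt_client_ip() ) ) ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed logins. Try again later.' );
    }
    return $user;
}
// Priority 30 runs after WordPress's own password check (priority 20), so a
// locked-out IP is rejected even when it finally guesses the right password.
add_filter( 'authenticate', 'elt_check_lockout', 30, 2 );
```

The lockout state lives in transients, so it is per site and disappears on its own; a distributed brute force from many IPs is not stopped by a per-IP counter, which is where 2FA (next tip) and a host-level firewall take over.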
4. Two-factor Authentication
One of the most effective ways to protect a website is two-factor authentication (2FA).
Even if a password is guessed or leaked, the attacker still needs the second factor, so 2FA greatly tightens your login security.
Various plugins integrate 2FA with WordPress. I usually use the Google Authenticator plugin from miniOrange; in no time you have 2FA running on your website without writing a line of code. Enable it for every account with administrative or publishing rights, not only your own.
5. Change Login URLs
As mentioned earlier, it is a good idea to change the authentication URLs on WordPress. Fortunately, changing the defaults is very simple.
This alone cuts down the automated scans and bots that hit /wp-login.php by default. It is obscurity rather than a security boundary, though: anyone who learns the new URL, or who authenticates through xmlrpc.php or the REST API, is unaffected, so use it alongside login limits and 2FA, not instead of them. The quickest method is a plugin such as Custom Login, which also offers a custom login page, stealth login, login redirects, 2FA and more.
6. Secure Your Password
It may seem trivial advice, but a strong password is crucial for your website. You would not believe how many users choose simple passwords such as their date of birth or their pet's name. Do not make that mistake: such details are easy to find, and they are the first guesses in any dictionary attack.
Use a long, random sequence of upper- and lower-case letters, digits and special characters. Length matters most: only a long, random password is really safe. Never reuse a password from another site, because leaked credential lists are replayed against WordPress logins.
If you lack imagination, rely on the generator built into a password manager. There are many, they are all intuitive and easy to use, and the manager stores the password so you never have to remember it.
7. Protect wp-admin Folder
The wp-admin folder is certainly among the most important on your server, and it deserves a second layer of protection: a password at the web-server level.
You then have two independent authentications for admin access: the normal WordPress login, and HTTP Basic authentication handled by Apache through an .htaccess/.htpasswd pair. Use a different password for the second layer, and serve the site over HTTPS, since Basic auth sends the credentials (merely base64-encoded) on every request. This is a non-trivial operation, better suited to system administrators.
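The Apache side of this, as an added configuration example that is not from the article; the file paths and the user name are hypothetical:

```apache
# wp-admin/.htaccess  (added example; paths and user name are hypothetical)
# Create the password file OUTSIDE the document root first, with bcrypt hashes:
#   htpasswd -B -c /etc/apache2/wp-admin.htpasswd alice
AuthType Basic
AuthName "Restricted area"
AuthUserFile /etc/apache2/wp-admin.htpasswd
Require valid-user

# wp-admin/admin-ajax.php is called by themes and plugins on behalf of anonymous
# visitors (search suggestions, contact forms, front-end AJAX). Without this
# exception the password prompt breaks the public site. Apache 2.4 syntax:
# the Require inside <Files> replaces the outer one for this file only.
<Files admin-ajax.php>
    Require all granted
</Files>
```

Check the public pages of the site after enabling it; if a plugin submits front-end forms through wp-admin/admin-post.php, add the same exception for that file. On nginx the equivalent is an `auth_basic` / `auth_basic_user_file` pair on the `/wp-admin/` location.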
8. Change Admin Username
Many users who log in with the username "admin" are practically inviting attackers in. This happens because older versions of WordPress proposed "admin" as the default username during installation, and many people never changed it.
An attacker will immediately try to log in with "admin" as the username. It is better to avoid this!
To change the username, go to WordPress Dashboard → Users, create a new administrator account with a hard-to-guess username, log in as that user, and delete the old "admin" account, attributing its posts to the new user when WordPress asks. Bear in mind that WordPress also reveals usernames through author archives (/?author=1 redirects to the author's slug) and the REST API users endpoint, so hide those too, or the rename gains you little.
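As an added example (not from the article), here is a small must-use plugin that closes the two enumeration routes mentioned above and stops the login form from telling an attacker which usernames exist. Function names prefixed `hide_authors_` are hypothetical:

```php
<?php
/**
 * Plugin Name: Example Username Hiding (added example, not from the article)
 * Description: Blocks author archives, the REST users routes and verbose login errors
 *              for anonymous visitors, so the renamed admin login is not trivially found.
 *
 * Save as wp-content/mu-plugins/hide-usernames.php.
 */

/**
 * /?author=1 normally redirects to /author/<slug>/, leaking the slug in the Location
 * header. Hook at priority 1 so this runs before WordPress's own redirect_canonical
 * (priority 10) performs that redirect. Logged-in users keep working archives.
 */
function hide_authors_block_author_archive(): void {
    if ( is_author() && ! is_user_logged_in() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}
add_action( 'template_redirect', 'hide_authors_block_author_archive', 1 );

/** Remove /wp-json/wp/v2/users and /wp/v2/users/<id> for anonymous requests. */
function hide_authors_rest_endpoints( array $endpoints ): array {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ) as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'hide_authors_rest_endpoints' );

/**
 * WordPress distinguishes "unknown username" from "incorrect password" on the
 * login form, which confirms valid usernames one guess at a time. Return one
 * generic message for every failure instead.
 */
function hide_authors_generic_login_error( string $error ): string {
    return 'Invalid username or password.';
}
add_filter( 'login_errors', 'hide_authors_generic_login_error' );
```

Verify with a logged-out browser: `/?author=1` should land on the home page and `/wp-json/wp/v2/users` should return a 404 instead of a list of slugs.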
9. Back up Database and Files
Always keep a recent backup of your database and your website's files. Most hosting providers offer a free or paid backup service for your server and websites.
It often happens that a site's administrator drops the backup service to save a little on hosting. Trust me, it is worth it for your website!
If you did not choose the hosted option, you have to perform backups manually. Files can be copied over (S)FTP; the folder that matters most is wp-content (themes, plugins and uploads), together with wp-config.php and any custom .htaccess. Keep the copies somewhere other than the web server, and test a restore at least once.
For the database, export it directly from phpMyAdmin or use the WP-DBManager plugin.
10. Scan Your WordPress
The last tip is to scan your website frequently to make sure there are no malicious files. Many plugins can do this quickly; I personally use Wordfence Security.
Wordfence Security lets you run a quick scan and see the IP address of each visitor. It can run scheduled scans and email you the top 10 IP addresses that have tried to connect to your website.
Now you know several methods to protect your WordPress website. Putting even half of them into practice will make your site markedly harder to compromise. If you know other ways to protect a WordPress website, please share them in the comments; they may help others secure theirs.