The most common misconception about website security is that the average WordPress user can’t take a stand against hackers. Millionaires who hide their wealth were exposed due to a WordPress vulnerability. It’s what journalists called the Panama Papers. If people who hide billions of dollars have been hacked, how can a standard user be protected?
The reality is that the most gifted hackers go after big sites. A personal blog or a small-to-medium-sized company is a target only for run-of-the-mill hackers. The chances are that a few proactive measures will considerably reduce the possibility of getting hacked. So your site's security deserves your focus, because you can genuinely win the fight against hackers.
It’s a rough approximation, but I firmly believe that if you apply the following security tips, 80% of hackers won’t be able to break into your site. Read the following lines carefully, implement the suggestions, and you will have an 80% hackerproof WordPress site.
Choose a Reliable Host
Choosing a reliable host is a complicated equation made up of multiple factors. The host is responsible for uptime, speed, and security, and your success heavily relies on these three things. Hackers attack servers to maximize the effects. That means that even though you did a great job regarding your site’s security, hackers can gain control of the server and, consequently, your site.
On average, the more secure a hosting provider is, the higher the pricing plans will be. If you have almost zero budget, go for the cheapest hosting platform, but you will be risking a lot. Fortunately, you can find tons of professional hosting reviews on the internet to get a complete idea of each hosting provider.
Update the WordPress Version, Themes, and Plugins
This no-brainer tip is featured on many similar lists on other blogs because users underestimate the importance of updates. The updated versions usually improve functionality, but they also fix security bugs.
A hacker only needs to find out that you are using an outdated WordPress core, theme, or plugin. Once they know the version, they can look up its known vulnerabilities and break into your site. Even if you buy premium themes and plugins, don't expect them to be invulnerable. Check the WP White Security list of vulnerabilities identified in January 2017 to see how many vulnerabilities there are.
Back Up Regularly
Is making a backup a task related to website maintenance or security? It depends on your perspective, but everyone unanimously agrees that it’s a must. A backup helps you regain control of your site if it was hacked or taken down for various reasons.
You can back up your site manually, but using a plugin is the most efficient method. Head to the WordPress repository to find tons of solid backup plugins.
Use a Security Plugin
If you have already been to the WordPress repository, consider installing and activating a security plugin. It strengthens your site, and you don't have to do anything. Some of them are extensively used and have satisfied billions of people.
Wordfence is a freemium plugin that scans your files, protects against brute-force attacks, and alerts you when your site is attacked.
Security Ninja is a unique security plugin that performs 50+ tests to determine your level of security. The free version (available in the WordPress repository) isn’t enough to protect your site, but it’s perfect for a security audit.
All in One WP Security and Firewall is a strong competitor for Wordfence. It’s a complex security plugin that creates a firewall preventing malicious attacks, makes database backups, disables files editing, bans IPs or IP ranges, and monitors the user activity. Of course, it has many other features, including a good-looking strength meter that gives a strategic security rating.
iThemes Security (formerly Better WP Security) is another remarkable plugin that strengthens site security. It does almost the same things as Wordfence and All in One WP Security and Firewall.
In short, you can't blame developers for not writing robust security plugins: there are plenty of free and premium options in this respect.
Pay Attention to Passwords
I believe that the simpler a method to secure a site is, the more users will disregard it. Strengthening a password is the simplest method of securing a site. Don’t fall into this trap but take action—make your passwords unhackable by using a password meter.
Even if you use only a moderately strong password, you can complicate the job of a hacker by changing the default admin username. If you still use “admin” as the administrator username, take a break from reading and go to change it!
On top of that, don't strengthen only the WordPress login password; also check the password you use to access your site's files on your hosting platform.
Switch to HTTPS
Sooner or later, HTTP will be history. You had better switch to HTTPS because there are two significant advantages. First, it offers secure encryption of the data transmitted between your site and a client’s browser. Second, the general perception of HTTPS can affect your site; people won’t buy from you unless they see the green padlock in the address bar.
Switching to HTTPS isn't cheap or straightforward, but I expect that by the end of 2018 it will be simpler and cheaper.
Limit Unsuccessful Login Attempts
Let’s suppose that you still use the standard “admin” username. Half of a hacker’s job is done, and cracking the password is the next step. They use automated software to try all potential passwords. This is the mechanism behind a brute-force attack.
You can protect your site against these attacks by using a sophisticated security plugin (see tip 4) or by using a plugin dedicated to limiting unsuccessful login attempts. Login LockDown is a plugin aimed at restricting login attempts, and it has satisfied hundreds of thousands of users.
Protect the Sensitive Files
This step requires more involvement from you, plus minimal coding skills. You can strengthen a site's security by adding a few lines of code.
- wp-config.php file
This file is located in the root folder of your site. Add the following lines of code:
// Disallow file edit from the WordPress admin area
define( 'DISALLOW_FILE_EDIT', true );
The result: nobody will be able to edit the theme and plugin files from the WordPress admin area.
- .htaccess file
Make sure that this file exists. If it doesn't, go to Settings > Permalinks and save your permalink settings; WordPress generates the .htaccess file for you. Once you have it, add the following snippet:
<files wp-config.php>
order allow,deny
deny from all
</files>
It will block direct web requests for your wp-config.php file, so nobody can read it through the browser.
Add the following snippet, and you will also protect the .htaccess file from unauthorized access.
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
</files>
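The two tips above (limiting login attempts and protecting sensitive files) both describe things you can verify from your web server's access log. The following script is an added example, not code from the original post or from any of the plugins mentioned: it parses Apache-style access log lines (the sample lines are constructed, not real traffic), flags IP addresses that POST to wp-login.php repeatedly within a short window (the brute-force pattern described in tip 7), and flags requests for wp-config.php or .htaccess that were served with a 200 status instead of being refused (which means the .htaccess protection above is not in effect). The thresholds, window length and log format are assumptions you may need to adjust for your server.

```python
"""Added example (not part of the original post): scan an Apache-style access
log for two WordPress problems, brute-force login attempts and sensitive
files that the server is still serving. Sample log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined log format, e.g.
# 203.0.113.5 - - [10/Mar/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# Files the .htaccess rules in the post are meant to hide: wp-config.php and .hta* files
SENSITIVE_RE = re.compile(r'/(wp-config\.php|\.hta\w*)(\?|$)', re.IGNORECASE)

# Constructed sample: one IP hammering the login form, one normal user,
# one request for wp-config.php that was (wrongly) served, one that was refused.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.5 - - [10/Mar/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.5 - - [10/Mar/2017:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.5 - - [10/Mar/2017:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.5 - - [10/Mar/2017:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.5 - - [10/Mar/2017:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [10/Mar/2017:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3412
198.51.100.7 - - [10/Mar/2017:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.5 - - [10/Mar/2017:10:02:00 +0000] "GET /wp-config.php HTTP/1.1" 200 2981
198.51.100.7 - - [10/Mar/2017:10:02:30 +0000] "GET /.htaccess HTTP/1.1" 403 199
"""


def parse_line(line):
    """Return a dict with ip, ts (datetime), method, path, status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: total POSTs} for IPs with >= threshold POSTs to wp-login.php
    inside any sliding window of the given length (assumed thresholds)."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0].endswith("/wp-login.php"):
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1          # shrink window from the left
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


def find_exposed_files(lines):
    """Return (ip, path, status) for sensitive-file requests the server answered
    with 200 instead of refusing; any hit means the deny rules are not working."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and SENSITIVE_RE.search(rec["path"]) and rec["status"] == 200:
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, n in find_bruteforce(lines).items():
        print(f"possible brute force: {ip} made {n} login POSTs")
    for ip, path, status in find_exposed_files(lines):
        print(f"sensitive file served: {path} to {ip} (HTTP {status})")
```

Run it against your real log with `find_bruteforce(open("access.log").read().splitlines())`; if `find_exposed_files` returns anything, the deny rules are not in effect and the file should be fixed before anything else. Note that a failed WordPress login normally answers 200 (the form again) while a successful one answers 302, which is why the script counts all POSTs rather than relying on the status code.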
Use Two-Factor Authentication
Nobody wants to waste time on routine things such as logging in to their own site, but if you want security, you have to spend more time on everything, including logins. One of the most efficient methods of adding an extra layer of protection is two-factor authentication. For example, you can opt to receive an SMS code that you type in to log in to your site. WPMU Dev did a complete analysis of the two-factor authentication solutions. Check it out and choose the best option for you.
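To show what a second factor actually does on the server side, here is an added example that is not part of the original post and not the code of any plugin it mentions. It implements time-based one-time codes (TOTP, RFC 6238, the scheme used by authenticator apps) rather than the SMS codes the post mentions; the verification logic (short-lived code, tolerance for clock drift, constant-time comparison, no replay of a used code) is the same idea either way. The secret and timestamps are the published RFC test values, not anything from this site.

```python
"""Added example (not part of the original post): generate and verify a
time-based one-time code as a second login factor. Pure standard library."""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), used only for the demo.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter = unix time // step (30 s by default)."""
    return hotp(secret, for_time // step, digits)


def verify_totp(secret: bytes, submitted: str, now: int, last_used: int = -1,
                step: int = 30, digits: int = 6, drift: int = 1):
    """Return the accepted time-step counter, or None if the code is wrong or reused.

    - accepts one step either side of `now` so a slightly skewed phone clock works
    - refuses any counter <= last_used, so a code seen once cannot be replayed
    - compares in constant time so timing does not leak how many digits matched
    """
    base = now // step
    for counter in range(base - drift, base + drift + 1):
        if counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(DEMO_SECRET, now))
    accepted = verify_totp(DEMO_SECRET, totp(DEMO_SECRET, now), now)
    print("accepted at counter:", accepted)
    # Presenting the same code again must fail once its counter has been recorded.
    print("replay accepted?", verify_totp(DEMO_SECRET, totp(DEMO_SECRET, now), now, last_used=accepted))
```

In a real plugin the per-user secret would be generated with `secrets.token_bytes(20)`, shared with the authenticator app as base32 (`base64.b32encode`), stored server-side, and the counter returned by `verify_totp` saved as `last_used` after every successful login; that stored counter is what stops an intercepted SMS or app code from being used twice.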
Read about Security
Reading alone isn’t worth too much. Reading and applying the information learned is the golden solution. Subscribe to our newsletter, and we will send you actionable tips to protect your site better. You can also visit other blogs for WordPress lovers and check out the Security category. If you want more insightful data, visit the Wordfence blog, WP White Security blog, or Sucuri Guides.
These are our suggestions to strengthen your site’s security. Have you applied any of them? Do you have any extra tips to add?