How to secure WordPress? This is an issue that inherently affects everyone who runs a website with this content management system. It is not only about the security of the owners of the website, but also of the visitors (and customers) who are on the website. For example, access data to accounts, user information, or control over the website are at stake. Security is therefore worth paying due attention to.

First, let’s look at the top three reasons not to underestimate security. Next, we’ll give you 12 tips for WordPress security. With their help, you can effectively improve WordPress security right now. You will avoid unnecessary troubles related to lax site security.

(WordPress) safety first!

  • One of the big threats is malware – websites with poor security are usually targeted by hackers who can spread malicious programs through them.
  • A security breach can slow down a site – from there it’s just a step to losing visitors or customers, because no one wants to spend time on a slow site.
  • There is also the threat of complete damage to a website’s reputation – from a poorly secured site, hackers can steal user information and passwords, take control of the website, etc.

12 tips to effectively increase WordPress security

1) Check for WordPress vulnerabilities

A basic step you can take right now is to test for WordPress vulnerabilities. The WordPress Security Scanner online tool is designed to do just that. The basic test is free. For the more advanced version, you must become a subscriber. Among other things, it checks the security of the WordPress version and template currently in use. Attention is also focused on the environment of your web hosting provider, including the server on which the website is stored. As a result, you get a basic overview of whether your website is generally OK. Ideally, it will receive a rating of “PASSED”, i.e. it will pass this test successfully. Another online tool, Sucuri SiteCheck Scanner, will also serve you well in this respect.

2) Update WordPress regularly

It may sound like a cliché, but regularly updating WordPress, its plugins and templates is the alpha and omega of your website’s security. So keep it in mind and update to the latest version as soon as you can. The idea is really simple. Each update “patches” security vulnerabilities and other flaws in previous versions. This will better protect you from potential attacks targeting your website. WordPress will always alert you to the presence of new updates directly in the administration. We also recommend that you use as few plugins as possible (the same applies to unused templates). If you do use plugins, only install those from trusted vendors and with positive reviews. This will help protect you from bringing “uninvited guests” to your website with plugins.

3) Strong passwords and unusual usernames = the foundation of WordPress security

The more unusual your username, the less likely it is to be “guessed”. The least secure option is its default form, i.e. “Admin”. Try to be more creative in this regard. Use a less obvious username – for example, WebMakerMichael etc. And what to do with your password? For example, choose an easy to remember, but very strong password (e.g. “Hey,SaYH3llOt0M3!” aka Hey, Say Hello To Me! etc.). Make sure your password is sufficiently complex. Ideally, it should contain a combination of upper and lower case letters, numbers and special characters such as an exclamation mark. We also recommend changing your password regularly, ideally every three months. Similar rules apply, of course, to FTP accounts, user accounts with a web hosting provider, databases, email accounts, etc. Also think carefully about who you give access to your website. If you work in a team, you should be clear about who has admin rights to WordPress and who does not (i.e. user roles). In short: security first!

4) Limit the number of login attempts

It may happen that someone tries to get into your WordPress account by guessing your password. We discussed how to prevent this in the previous point (#3). However, there is more you can do to support site security: limit the number of login attempts. There are various plugins for this, for example Limit Login Attempts Reloaded. One of its main capabilities is to limit the number of login retries for each IP address. It will also let you know about unusual behavior on the site via email. You can also find various more complex alternatives to this plugin, including All-In-One Security (AIOS). Everyone can choose according to their own preferences and support the security of their own websites and of their visitors.
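
To see the kind of activity a per-IP limit acts on, the following added example (not part of the original article and not code from any plugin named here) counts failed login POSTs per client IP in a web server access log. It assumes the Apache/nginx "combined" log format and that a failed WordPress login is answered with HTTP 200 while a successful one gets a 302 redirect; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: count failed WordPress logins per client IP.
# Assumes the Apache/nginx "combined" access log format.

# flag_login_bursts LOGFILE THRESHOLD
# Prints "IP COUNT" for each IP with at least THRESHOLD failed logins.
flag_login_bursts() {
    awk -v limit="$2" '
        # $1 = client IP, $6 = "METHOD, $7 = path, $9 = HTTP status.
        # A failed login re-renders the form (200); a successful one
        # redirects (302), so POST + 200 on wp-login.php is a failure.
        $6 == "\"POST" && $9 == 200 &&
        ($7 == "/wp-login.php" || index($7, "/wp-login.php?") == 1) {
            fails[$1]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= limit) print ip, fails[ip]
        }
    ' "$1" | sort
}

# Constructed sample log (documentation IP ranges), not real traffic.
make_sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/May/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.20 - - [10/May/2024:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.20 - - [10/May/2024:10:01:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/May/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
EOF
}

# Demo: with a threshold of 3 only the first address is reported.
log=$(mktemp)
make_sample_log > "$log"
flag_login_bursts "$log" 3
rm -f "$log"
```

The single mistyped password from the second address stays below the threshold, which is the behaviour you want from a limit: it should catch repeated guessing without locking out a legitimate user after one typo.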

5) Do not underestimate the role of a quality web hosting provider, as well as the necessity of the HTTPS protocol

A quality web hosting provider is an essential element in building a secure website free of malware and intruders. So it really depends on which one you choose. High-quality providers, such as Wedos or other hosting providers, take important measures to protect their servers from the common risks of the online world. However, you may encounter related risks with shared hosting (so-called multihosting). Since the space on the server is shared with other users, if one site is infected, it is easier for “neighboring” sites to be compromised. The ideal option therefore seems to be the use of managed hosting specialized in the WordPress editorial system. Such providers usually offer regular updates of WordPress, backups, more advanced security configuration, etc. Quality hosting service providers also offer SSL certificates, i.e. the operation of sites under the HTTPS protocol. You probably know it from your web browser. If a website is protected by this protocol, a green lock will usually appear in the address bar. Basically, it protects the connection between the server and site visitors. This minimizes the risk of eavesdropping, forged content, etc.

6) Backup WordPress regularly

Backup or restoring from a backup is “first aid” in case of any attack or even damage to the site. This way you are sure that in case of problems you will be able to restore your site quickly. There are a number of free and paid WordPress backup solutions. We can personally recommend the All-in-One WP Migration plugin, which is also intended for users without deep technical knowledge. The advantage is, for example, that it allows you to save backups to remote storage, such as Dropbox, FTP, Box, etc. This is important precisely with regard to the certainty that you can really access the backed-up content in the event of an attack on the website or server. More experienced users can also try the Duplicator plugin, which is also widely used and proven in WordPress backup.

7) Install a quality WordPress security plugin

Choosing a suitable security plugin plays a key role in WordPress security. It will help you monitor and protect your websites, and it will reduce the likelihood that your WordPress site will be hacked or that you will lose your valuable and long-form content. There are a number of plugins and it’s up to you which one you choose. We will introduce you to at least two of the very best. The first is All-In-One Security (AIOS), a comprehensive, easy-to-use and long-proven security plugin. It will help you permanently reduce the risk of attacks, thanks to the implementation of the latest security methods just for WordPress. Another plugin is Sucuri Security. Sucuri is the global authority on website security, and not only for WordPress. The plugin is free for all users. For you, it is a valuable helper in the effective protection of websites through the latest trends in security.

8) Don’t forget your computer’s anti-virus protection

In order to be really sure that you are doing your best for the security of WordPress, in addition to a high-quality security plugin (see previous point 7), you also need a high-quality antivirus program that continuously protects your computer. If malicious programs get onto your PC, you can very easily hand attackers the login credentials to your WordPress (and more). Likewise, other valuable data that should belong only to you is at risk. There are many antivirus programs on the market, starting with ESET and ending with Avast. It is entirely up to your preferences which one you choose. However, as a general rule, it is better to have at least some anti-virus program than none at all.

9) Change the default WordPress prefix in the database

More advanced users know that before installing WordPress it is possible to choose a specific prefix that individual database tables related to WordPress will have. The default form of this prefix is “wp_”. Leaving it that way makes the table names easier for potential hackers to guess. Therefore, we highly recommend changing it at the very beginning, i.e. during the WordPress installation process. At the same time, we point out that this step should be done exclusively by those who consider themselves to be more experienced users.

10) Disable indexing and directory browsing

Directory browsing can be used by potential attackers, for example, to see if files with known vulnerabilities are available on your website. Through them, they can more easily take control of the site. But it is not only hackers who may be interested in the contents of directories. It is also the competition or various curious people from the online world. Thanks to free access to directories, they can easily copy images, find out the structure of directories, their contents, or perhaps “fish out” a lot of interesting information. Many web hosting providers have directory access disabled by default. However, if yours does not and you are a more experienced user, you can take these steps:

  • Connect to your site via FTP.
  • Find the .htaccess file in the root directory.
  • Download it to your computer and insert a line with the phrase “Options -Indexes” at the end of it.
  • Don’t forget to save the changes and upload the file back to the directory via FTP.
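
The steps above, as an added example (not from the original article): a shell function to run on the downloaded copy of .htaccess before uploading it back. It keeps a backup, skips the edit if an active “Options -Indexes” line is already present, and makes sure the directive lands on its own line; the function name harden_htaccess and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: apply the "Options -Indexes" step to a downloaded .htaccess.

# harden_htaccess FILE
#   returns 0  directive appended (original kept as FILE.bak)
#   returns 1  an active -Indexes directive was already present
#   returns 2  FILE does not exist
harden_htaccess() {
    f=$1
    [ -f "$f" ] || return 2
    # Only an uncommented Options line counts; "# Options -Indexes" does not.
    if grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$f"; then
        return 1
    fi
    cp -p "$f" "$f.bak"
    # If the file does not end in a newline, add one first; otherwise the
    # directive would be glued onto the last existing line.
    if [ -s "$f" ] && [ -n "$(tail -c 1 "$f")" ]; then
        printf '\n' >> "$f"
    fi
    printf 'Options -Indexes\n' >> "$f"
}

# Constructed sample: a minimal .htaccess without a trailing newline.
demo_dir=$(mktemp -d)
printf '# BEGIN WordPress\nRewriteEngine On\n# END WordPress' > "$demo_dir/.htaccess"
rc=0; harden_htaccess "$demo_dir/.htaccess" || rc=$?
echo "first run: $rc"
rc=0; harden_htaccess "$demo_dir/.htaccess" || rc=$?
echo "second run: $rc"
cat "$demo_dir/.htaccess"
rm -rf "$demo_dir"
```

If the host does not allow Options to be overridden in .htaccess, Apache answers with a 500 error after the upload; restoring the .bak copy undoes the change.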

11) Have all inactive users log out automatically

Logged-in users can be a potential target of malicious intent. Hackers sometimes deliberately attack logged-in accounts that are inactive. If they succeed, it is no longer a problem to change the password or make various changes within the editorial system, whether visible or invisible. Another fact is that many users leave their accounts logged in and leave the computer for various periods of time. This is less of a risk in the home environment. But in public, the risk is very high. You will surely remember, for example, the function of internet banking, where the user is automatically logged out after a long period of inactivity. The reason is simple: SAFETY. WordPress also offers this option, in the form of dedicated plugins. One of them is the easy-to-use Inactive Logout plugin, in which you can easily configure this functionality (plugin configuration is available under the “Settings” item in the left-hand menu of the WordPress administration). Of course, there are a number of other plugins that perform this function well and you can try them out.

12) Add security questions to the WordPress login screen

If you add security questions to the login screen of your WordPress administration, you will “seal” all the security steps mentioned above. Again, there are appropriate plugins for this purpose. One of these is, for example, All-In-One Security (AIOS). After installing the plugin, you can enter specific security questions through the “Settings” item located in the left-hand menu of the WordPress administration. That is where the plugin’s configuration is located.