How to Secure WordPress site
WordPress is the most popular Content Management System (CMS) and powers more than 30% of websites. However, as it grows, hackers have taken note and are beginning to specifically target WordPress sites. No matter what types of content your site provides, you are not an exception. If you don’t take certain precautions you could get hacked. Like everything technology related, you need to check your website security.
A hacked WordPress site can cause serious damage to your business revenue and reputation. Hackers can steal user information, and passwords, install malicious software, and can even distribute malware to your users. In this tutorial, we will share our 14 Best Tips to keep your WordPress website secure.
How to Secure WordPress site
1. Back Up Your Website
Before you do anything else, you’ll want to save a backup copy of your website files. That way, you can recover your site should something go wrong in the future.
Check out How to Backup WordPress site?
2. Choose a Quality Host
If you’re not feeling confident in your hosting provider, now would be a good time to switch. Your hosting server must be a superb and secured server. The simplest way to keep your site secure is to go with a hosting provider who provides multiple layers of security. (Ex-: Hotlink protection, Two-Factor Authentication, Virus Scanner, Auto Backup tools, etc…)
Check out What is the Best Hosting Service?
3. Use a Strong Password
Passwords are a very important part of website security and unfortunately often overlooked. If you are using a plain password like 12345, 123abc, or password you need to immediately change your password. And also don’t use dictionary passwords. That password may be easy to remember it is also extremely easy to guess.
An advanced user can easily crack your password and get in without much hassle. It’s important you use a complex password, or better yet, one that is auto-generated with a variety of numbers, nonsensical letter combinations, and special characters like % or ^.
4. Change your WP-login URL
By default, to log in to WordPress the address is “yoursite.com/wp-admin”. By leaving it as default you may be targeted for a brute force attack to crack your username/password combination. If you accept users to register for subscription accounts you may also get a lot of spam registrations. To prevent this, you can change the admin login URL or add a security question to the registration and login page.
Check out How to change wp-login URL – Secure WordPress?
5. Limit Login Attempts
By default, WordPress allows users to try to log in as many times as they want. While this may help if you frequently forget what letters are capitalized, it also opens you to brute force attacks.
By limiting the number of login attempts, users can try a limited number of times until they are temporarily blocked. The limits your chance of a brute force attempt as the hacker gets locked out before they can finish their attack.
6. Update your WordPress version / plugins / Themes / PHP
Keeping your WordPress up to date is a good practice to keep your website secure. With every update, developers make a few changes, often times including updates to security features. By staying updated with the latest version you are helping protect yourself against being a target for pre-identified loopholes and exploits hackers can use to gain access to your site. It is also important to update your plugins and themes for the same reasons.
Check out How to change/update the PHP version?
7. Install SSL Certificate
An SSL certificate acts as third-party verification for a website’s security. It verifies the strength of the Secure Socket Layer encryption used when a user connects to the site and connects that encryption to the organization or individual that owns and maintains the website. SSL certification and validation are necessary pieces of web security for any business that collects information from its users.
Different SSL certificates provide different levels of security, depending on the level of protection and security features your website and its users need. You may be familiar with visual elements such as Site Seals, and the HTTPS:// protocol appearing in the URL, but there are less-visible functions that help protect your website and visitors.
Namecheap offers free SSL. Check out here.
8. Secure cPanel
Use a strong password for your cPanel and Add Two-Factor Authentication for cPanel. Two-factor authentication, also known as 2FA or two-step verification, is an optional feature designed to prevent anyone but you from accessing your hosting account by requiring two identity verification forms: your password and an authentication code. 2FA is ideal for anyone looking to increase their account security because stealing your password isn’t enough for hackers to access your account. They would also need access to your mobile device or email account, depending on how you set it up.
Check out How to Secure cPanel from Hackers?
9. Use Premium DNS
Make sure your business website performs fast and securely every time your visitors look you up. Premium DNS keeps your website running, even when flooded with traffic. It secures the very deepest level of the Domain Name System (DNS), preventing Distributed Denial of Service (DDoS) attacks, and giving you 100% uptime, guaranteed.
10. Connect Cloudflare for Your WordPress Site – if cannot buy Premium DNS
Cloudflare is one of the best WordPress CDN and firewall services available in the market. They offer a free CDN that speeds up your website along with a suite of powerful security features for small business websites.
- Secure your websites, APIs, and Internet applications.
- Protect corporate networks, employees, and devices.
- Write and deploy code that runs on the network edge
Check out How to set up Cloudflare for Your WordPress Site?
11. Don’t Use Nulled Themes / Plugins
WordPress premium themes/plugins look more professional and have more customizable options than a free theme/plugin. But one could argue you get what you pay for. Premium themes/plugins are coded by highly skilled developers and are tested to pass multiple WordPress checks right out of the box. There are no restrictions on customizing your theme, and you will get full support if something does go wrong on your site. Most of all you will get regular theme/plugin updates.
But, there are a few sites that provide nulled or cracked themes/plugins. A nulled or cracked theme/plugin is a hacked version of a premium theme, available via illegal means. They are also very dangerous for your site. Those themes/plugins contain hidden malicious codes, which could destroy your website and database or log your admin credentials.
12. Disable File Editing
When you are setting up your WordPress site there is a code editor function in your dashboard that allows you to edit your theme and plugin. It can be accessed by going to Appearance>Editor. Another way you can find the plugin editor is by going under Plugins>Editor.
Once your site is live we recommend that you disable this feature. If any hackers gain access to your WordPress admin panel, they can inject subtle, malicious code into your theme and plugin. Often times the code will be so subtle you may not notice anything is amiss until it is too late.
To disable the ability to edit plugins and the theme file, simply paste the following code in your wp-config.php file.
define(‘DISALLOW_FILE_EDIT’, true);
Check out: How to Disable File Editing – WordPress?
13. Hide wp-config.php and .htaccess files
While this is an advanced process for improving your site’s security, if you’re serious about your security it’s a good practice to hide your site’s .htaccess and wp-config.php files to prevent hackers from accessing them.
We strongly recommend this option to be implemented by experienced developers, as it’s imperative to first take a backup of your site and then proceed with caution. Any mistake might make your site inaccessible.
To hide the files, after your backup, there are two things you need to do:
First, go to your wp-config.php file and add the following code,
<Files wp-config.php> order allow,deny deny from all </Files>
In a similar method, you will add the following code to your .htaccess file,
<Files .htaccess> order allow,deny deny from all </Files>
Although the process itself is very easy it’s important to ensure you have the backup before beginning in case anything goes wrong in the process.
Check out How to Hide wp-config.php and .htaccess files?
14. Install a WordPress Security Plugin
I’ve got a lot of experience with WordPress security plugins. I want to share some of what I have learned so that you can make sure that your site, visitors, and reputation stay safe. Here are the top WordPress security plugins and a short guide to help you find the right one for your site.
- Wordfence Security – Firewall & Malware Scan
- Defender Security – Malware Scanner, Login Security & Firewall
We already tested the above plugins. They worked well. So choose the security plugin that you want.
Most WordPress users don’t take their site security as seriously as they should. When you follow the tips above, however, you can greatly reduce your risk of encountering a security hack. What steps have you taken so far to secure your WordPress site? What’s the next step you plan to take? Let us know in the comments below!
WordPress security is one of the crucial parts of a website. If you don’t maintain your WordPress security, hackers can easily attack your site. Maintaining your website security isn’t hard and can be done without spending a penny. Some of these solutions are for advanced users but if you have any questions please connect with me on YouTube. We are always here to help you.