Today I will be discussing and providing tips on how to secure a WordPress site. This comprehensive guide outlines simple and quickly implementable steps to secure your site from the bad guys out there.
WordPress, an open-source content Management System (CMS), is the best buddy of a lot of website owners and bloggers out there on the vast World Wide Web. WordPress has helped, is helping, and will continue to help in the easy creation of websites and blog sites.
Nowadays, security is a big problem, especially with online retailers. According to Willem de Groot – a Dutch developer, he has scanned numerous online stores and found out 3501 compromised stores in November 2015. However, this has increased to a whopping 69%, with 5925 online stores now compromised as he scanned again last September 2016.
Who were the usual victims?
- Automotive industry – Car makers (Audi ZA)
- Government industry – Government website (NRSC, Malaysia)
- Fashion industry – Online clothing businesses (Converse, Heels.com)
- Entertainment industry – Pop stars (Bjork)
- Non-Profits – NGOs (Science Museum, Washington Cathedral)
However, this helpful tool is not without risks as there are lots of hackers and malware out there that are targeting WordPress sites. In order to fortify your WordPress site’s defense, we at Ray Creations have come up with a comprehensive guide to WordPress Security.
By following this comprehensive guide, you will be more protected against the security risks out there. We at Ray Creations believe that the confidence that you will gain by knowing that you are protected will help you come up with a better website as compared to when you are afraid that you are at risk.
But First, Why Is WordPress Security Important?
This question is actually a reminder for all website owners who are not particular with their website’s security. Without a high level of security for your site, a lot of chaos can happen to your files, your database, your business, and your image.
By being lax when it comes to security, you are opening the doors for hackers to steal information from your site, your site’s visitors, and if you are engaged in ecommerce, to your customers. You are giving them the chance to take ownership of your site, and cause all sorts of mayhem to it, and to your site’s users and guests.
If you are a running a blog, the worst things that can happen is that your visitors will get malware that will infect your visitors, or when the hackers ruin your image by posting malicious blogs. And websites that do this are often banned. Do you know that Google blacklists more or less 20,000 websites per week because of malware, and more or less 50,000 other for phishing?
Worst things can happen if you are an online business owner, where you will risk losing your sales and exposing your customers to fraud and identity theft.
With all the security hazards out there and the ill effects that can happen because of them, WordPress security should never be taken lightly.
Tips For WordPress Security
Now you know why WordPress security is important. But how do you keep it secure? Here are a few tips from us which will help you keep your WordPress site secure:
Tip # 1: Update WordPress
From time to time, WordPress is updated. Aside from additional plugins and themes, new features, and fixes, updates are also made for the security of WordPress. The makers understand that threats are evolving, so they also make efforts in trying to suppress them.
So when you get a prompt for an update, please do not ignore it. Better yet, proceed with the installation at the earliest possible time.
However, keeping WordPress up-to-date will not eliminate threats 100%. Complement this by doing our other tips below.
Tip # 2: Use Strong Passwords And Only Give It To Designated People
Hacking is primarily done by guessing the password. A lot of people prefer simple passwords that are easy to remember. Its simplicity is also what makes the password very easy to guess. It is recommended that you use passwords that would be hard to crack.
Also, don’t give your password out to anyone. Unless of course, there are multiple users for the WordPress site. If that’s the case, limit the password of the administrator account to those who really need that level of access only.
Furthermore, you should use a password manager plugin. This kind of plugins is especially good for multi-user WordPress sites.
Tip # 3: Ensure Security With Your WordPress Hosting
Your WordPress hosting should take security very seriously because it plays a significant role in keeping your WordPress site protected. Good WordPress hosting providers would employ ways to deter threats, especially considering that it is easier to infiltrate sites that share server resources i.e. those that get the hosting service of one and the same provider.
An ideal WordPress hosting service provider should put its clients on a secured platform. And at the same time, employ a good hosting management service – one that provides automatic backups, automatic updates, and a high level of security.
Also, if your site runs on WordPress as most sites do, then most probably your web server is also Apache. It powers almost 80 million websites on the net today. Therefore, it is imperative that your web host follows the apache security best practices to secure your site further.
Tip # 4: To Ensure Survival, Remember To Backup!
Don’t ever forget to backup and do this regularly. We’ll never know when a hacking genius will wreak havoc and cause mass destruction to WordPress sites. To ensure that your site will survive at the worst case scenario, keep your site backed up so that you can shrug it off and start anew.
In backing your site up, it is smart to do a full-site backup on a remote location, away from the risks of failing to set you up again. It is advisable to store your backup on a cloud service, especially private ones.
Tip # 5: Install Security Plugins
There are a number of security plugins available out there to help in keeping your WordPress site secure.
Some of the best that you should consider are WordFence, Sucuri, and All in One WP Security.
WordFence checks whether your site is already infected, and after which, it conducts a deep scan on of your site’s source code and compares it against that of the official WordPress repository.
MalCare helps with early Malware detection. Also, helps detect hard to find malware. It provides login protection and a web application firewall. And it does all these without slowing down your site.
Sucuri scans for malware, audits security activity, monitors blacklist and file integrity, and enables a website firewall.
All in One WP Security & Firewall checks for your WordPress site’s vulnerabilities and implements security measures to address it. It also has a user-friendly interface that is great for beginners.
Tip# 6: Do Not Retain The Default Admin Username
WordPress used to have “admin” as the default username for WordPress site administrators. This has made it easy for hackers to infiltrate sites. That is why WordPress now requires a customized username upon installation.
However, there are still some 1-click WordPress installers that still set the default admin user as “admin”. If you have made your site through that, change your admin username right now.
There are three ways for you to change your admin username:
- Use the Username changer plugin
- Create a new admin with a customized username and delete the old one
- Update the username from phpMyAdmin.
Tip # 7: Disallow File Editing
It is recommended that you turn off the built-in code editor of WordPress which can edit your theme and plugin files from your WordPress admin area.
To do this, add the following code to your wp-config.php file:
// Disallow file edit define( 'DISALLOW_FILE_EDIT', true );
Tip # 8: Disable File Execution From Certain Directories
PHP file execution should be disabled in directories where it is not needed.
To do this, open a text editor and paste the following code:
<Files *.php> deny from all </Files>
Save the file as .htaccess and upload it to /wp-content/uploads/ folders on your website through an FTP client.
Tip # 9: Limit Login Attempts:
WordPress allows you, by default, to try to log in as much as you need to get the password right. However, this also allows hackers to guess your password until they get it right. It is, therefore, a good idea to limit login attempts.
The Login LockDown plugin can help you with this. But if you have the web application firewall already, then you don’t need to worry about this anymore.
Tip # 10: Change Your Database Prefix
The default prefix for your WordPress database is “wp_”. It is easy for hackers to guess the names of your tables if you don’t change this, so please do.
WARNING: Improper execution of this step may break your site. Proceed with caution. Consider this step only with a coding professional.
Tip # 11: Protect Your WordPress Admin and Login Page With Password
Hackers can request, without restriction, for your wp-admin folder and login page. To counter this, protect them with a password.
Tip # 12: Log Out Idle Users Automatically
A user can leave your WordPress site unattended, and expose the session to hacking opportunities. It is wise to automatically log out idle users to eliminate this risk.
To do this, install and activate the Idle User logout plugin, and set up your preferences.
Tip # 13: Add Security Questions To Your Login Screen
Using the WP Security questions plugin, you can add another layer of security before a user can login to your WordPress site. It will be harder for hackers to get in when you do so.
Follow This Guide To Keep Your WordPress Site Secured
By following our tips above, you are putting your WordPress site in a safe position, away from the security threats that abound. With our comprehensive guide, you are a lot safer and significantly more secure. Whether you’re wondering what to do after starting an online clothing boutique, installing SEO plugins, or setting up your own blog, it’s time to fortify your WordPress site’s defenses whether there’s an imminent threat or none.
With the confidence that security brings, we know that you can do so much better with your WordPress site. For more information on how to protect your WordPress site, refer to the codex at Hardening WordPress. If you’re not confident on doing this on your own, your developer can help you with this guide.
All the best for your site!