10 Ways to Secure your WordPress site
Many are using WordPress as their website due to its ease of use, lots of great features and having powerful SEO means it’s no surprise that WordPress is the number one Content Management System (CMS).
But with that popularity, comes a risk. As with any popular software, WordPress attracts hackers who will try a number of ways to exploit your site. The last thing you want is to wake up to find your site hacked, suspended for hosting malware or sending phishing emails.
The cost to your reputation, let alone the cost of fixing the hack and restoring your site to a safe and secure level, could be extremely high. It’ll also take a long time to recover the lost trust from your clients. And that’s without factoring in any damage to your search ranking if Google deems your site to be high risk.
But don’t despair. You can easily secure your WordPress site and prevent hacking attempts with some simple security housekeeping.
So here are ten simple ways you can secure your WordPress site.
Simple Tip 1 – Two-Factor Authentication Login
Implementing two-factor authentication (2FA) for logging in is one of the simplest but most effective ways of preventing brute force attacks. It works by adding an extra layer of login security by requesting additional proof of ID, such as a mobile generated code or secret questions.
WP Google Authentication plugin is an excellent example of a 2FA plugin that can easily be installed to secure your site’s login.
Simple Tip 2 – Implementing Login Limits
Reducing the number of login attempts is a simple but effective way of preventing determined hackers and unauthorized manual login attempts. All that’s involved is a locking mechanism in the login retry of your WordPress login page.
The WP limit login plugin lets you prevent any attempted brute force attack to your login page by blocking any IP addresses that cross the threshold of failed login attempts in any given time period.
Simple Tip 3 – Change Admin Login URL
Most people will leave their WordPress admin login set to the default one, which will usually end in either wp-admin or wp-login.php.
You can make your site more secure simply by changing this to something less predictable such as /wp-login.php? or my_login.php etc.
This simple step alone will stop most automated brute force attacks which are set up to attack the default admin URL page. The iThemes security plugin is a comprehensive security plugin that allows you to do this.
Simple Tip 4 – Make Your Passwords Secure
Sometimes the simplest options are amongst the most effective and changing passwords is just good, basic security.
Let’s face it, if your password is as simple as abcd123 then it’s just a matter of time before someone breaks into your site. Best practice is to make sure you use a combination of lowercase, uppercase, special characters and numbers for your password. Try to make your password at least 10 characters long using the above combination and you’ll definitely make your life lot easier.
If you need help with generating a secure password then use this password generator tool.
Simple Tip 5 – Password Protect the WP-Admin Directory
The most important directory of your WordPress website is wp-admin directory. Therefore, it makes sense to password protect it to add an extra level of login security – one for logging in and one for WordPress admin area. This can be achieved using the AskApache Password Protect plugin.
Of course, an administrator will often need to visit a certain directory of wp-admin, so unblocking those directories can make administration easier while locking the rest of the directory.
Simple Tip 6 – Forcing Strong User Account Passwords
If your blog has multiple users, say from other members of your blog or external contributors, then it would be best to ensure that they are forced to use strong passwords.
Using a plugin like Force Strong Passwords will make sure your admin area is secure. This plugin will make sure that your users are forced to choose secure, difficult to break passwords which incorporate good password protocols, such as using a mix of characters (upper and lower case), numbers and symbols.
Simple Tip 7 – Switch to HTTPs (SSL/TLS)
Switch from insecure HTTP to secure HTTPsby using an SSL Certificate. This creates an encrypted, impenetrable link between the browser and the web server. Aside from the benefit of extra security, HTTPs is actually a stated Google Ranking Factor. So as well as better security, you get a better ranking!
Simple Tip 8 – Always Monitor WordPress Files
If your WordPress files are tampered with by a hacker, you’ll want to know about it as quickly as possible to minimize any damage. Plugins like Acunetix WP security or Wordfence can monitor your WordPress files to track any changes made to them and notify you.
In fact, the Wordfence plugin is one of the most installed security plugins in WordPress. It has live security scanning, monitoring, intrusion detection and prevention features all built in so if you’re looking for an excellent security all-rounder then this plugin is definitely worth considering.
Simple Tip 9 – Perform Regular Back-Ups
If you follow the tips in this post, then hopefully your site won’t get hacked. However, if you do get hacked, the last thing you want is to have to start from scratch or try to work out how to remove any infected files and make your site safe again.
The best way to address this is to ensure that you take regular back-ups of your site. Backing up your sites will allow you to restore your websites from previous working copies if required. There are a number of WordPress plugins that can help you do this such as Vaultpress, Backup Buddy or blogVault.
There is a cost involved with some of these but when compared to the alternative of having a hacked website with no back-up, it is a price worth paying.
Simple Tip 10 – Keep WordPress and Its Plugins Updated
One of the most common security issues with WordPress is having an out of date version or an out of date plugin.
In fact, one of the most common ways hackers can hack into your WordPress website is through plugins that haven’t not been patched or updated to the latest versions. However, many plugins have automatic update options so you should consider configuring them to make use of this feature.
WordPress has an automatic update feature from version 3.7 onwards. If you are unsure that you have the latest version, you can check at the official WordPress site.
TIP: Download only plugins that are from the official WordPress website. This will make sure you aren’t being tricked into downloading malware to your site.
These tips are simple but very important in keeping your site hack-free. If all these seems a daunting task, don’t worry as we are here to help you, as your WordPress Support partner.