
14 Pro Tips to Secure a WordPress Website

WordPress is, without a doubt, the most dominant content management system (CMS).

It powers most of the websites out there, and for a good reason. It’s fast, user-friendly, functional, and, let’s be honest, pretty good-looking.


These might be the reasons why you’ve chosen it to start your blog, too.

Yet being on the top isn’t as glamorous as it sounds. The leader is always subject to an avalanche of criticism from both demanding users and notorious competitors. While many claims have no solid evidence, some are certainly worth consideration.

Vulnerability tops the list of such claims. Quite often, WordPress sites can be vulnerable to hackers trying to get users' sensitive data. On many occasions, the users themselves are at fault for hacking incidents; for example, more than 36 percent of hacked WordPress sites in 2018 had an outdated version.

Source: ZDNet

There’s good news, though: you can make your WordPress website 99.9 percent secure by doing simple things. Here are 14 things that professionals do to minimize the vulnerability of the CMS.

1. Updates are Good for You

Just imagine the frustration of people whose WordPress sites were hacked simply because they didn’t update the CMS. 36 percent is a huge number that translates into thousands of websites, which means that the problem of outdated WordPress use is widespread.

Hackers know about this, of course.

That’s why you should always update your WordPress after backing up your data. This is a basic requirement that can save your website and business, plus it’s easy to do (the system typically sends an update message which you must click on to begin). The whole process can even be done in one click.

Here are the official instructions on how to update WordPress for you if you need some help; but keep in mind that you can also choose a web hosting provider that takes care of updates for you.

2. Always Update Plugins

WordPress users often ask, “Why do I need to update plugins if they work perfectly?”

While this might make some sense to them, there are at least three excellent reasons why you should always use the latest plugin versions:

  • Prevent security issues. An outdated plugin might have a security flaw that makes it vulnerable to hacking, which would make breaking a website easier
  • Fix bugs. One reason why plugin developers release updates is to fix errors and bugs that either they or users discovered
  • Update functionality. Updates often contain new features that allow you to do more, so why not use this opportunity to make your site better?

Go to Plugins in the sidebar menu and always check if some of them have updates available.

3. Prevent Brute Force Attacks with 2-Factor Authentication (2FA)

2FA has been adopted by many leading tech companies, including Google, to help their users secure accounts. This method is effective because it involves sending a unique code to an account owner’s device to “unlock” the access. As a result, breaking through becomes more difficult for hackers and bots, as they don’t have access to your smartphone, etc.


Check out Google Authenticator or Wordfence Security – Firewall & Malware Scan; they’re considered the best in the business.

4. Limit Login Attempts

A brute force attack is the most common type of hacker attack.

According to Bruce Rowe, a WordPress security expert at WowGrade, a brute force attack tries to break into a website by launching countless login attempts.

“By default, WordPress doesn’t have any limits for them, so you need to set a fixed number of login attempts,” adds Bruce.

There’s a great dedicated plugin called WP Limit Login Attempts, and you can set your own limit for logins and ban users who exceed it.
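
One way to enforce such a limit without a plugin, as an added example that is not from the original article or from WP Limit Login Attempts: it counts failures per client IP in a transient using core's wp_login_failed, authenticate and wp_login hooks. The lla_ names and the limit of 5 failures per 15 minutes are assumptions.

```php
<?php
// Added example; omit the opening tag when pasting into an existing functions.php.
// LLA_MAX_FAILS, LLA_WINDOW and the lla_* functions are hypothetical names.

const LLA_MAX_FAILS = 5;   // failed logins allowed before lockout (assumed value)
const LLA_WINDOW    = 900; // seconds a counter lives after the last failure (assumed value)

// Transient key for the connecting client. REMOTE_ADDR is the direct peer,
// so behind a reverse proxy it is the proxy's address unless the web server
// has been configured to restore the real client IP.
function lla_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lla_' . md5( $ip ); // md5 only normalises the key (IPv6 colons etc.)
}

// Count every failed login. Re-saving the transient restarts its timer,
// so the lockout keeps extending while the client keeps trying.
function lla_record_failure( $username ) {
    $fails = (int) get_transient( lla_key() );
    set_transient( lla_key(), $fails + 1, LLA_WINDOW );
}
add_action( 'wp_login_failed', 'lla_record_failure' );

// Runs after core's username/password check (priority 20): while the client
// is locked out, even a correct password is rejected.
function lla_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( lla_key() ) >= LLA_MAX_FAILS ) {
        return new WP_Error( 'lla_locked', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'lla_check_lockout', 30, 3 );

// A successful login clears the counter for that client.
function lla_reset( $user_login, $user ) {
    delete_transient( lla_key() );
}
add_action( 'wp_login', 'lla_reset', 10, 2 );
```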

5. No One Needs to Know Your Admin’s Page URL

One of the first steps made by cybercriminals to break into a website is to find the admin’s login page. To prevent them from finding it, you need to hide it from search engines. Simply change the URL to anything you like using a dedicated plugin such as WPS Hide Login (keep in mind that many other plugins include this function, too).

6. Force Strong Passwords

Weak passwords are among the top three reasons why websites get hacked. People love to use ridiculously simple passwords; in fact, 23.2 million online accounts were hacked in 2018 because they had “123456” for a password.

Thankfully, you can force users on your WordPress website to come up with complex passwords with plugins like Force Strong Passwords.

7. Set Password Expiration Date

This is another tip to make account owners on your website care more about security. With a plugin like iThemes Security, you can set a password expiration date and force users to create new ones on a regular basis. There’s also an option to force an immediate password change.

8. Add Google reCAPTCHA

You have probably seen reCAPTCHA countless times before, and it can help against bots, spammers, and hackers. Most of the popular WordPress security plugins, including the abovementioned iThemes Security, have this option, so look for it when choosing a security plugin for your website.

9. Install an SSL Certificate

Don’t skip this section if your website deals with sensitive financial information of users, such as credit card details. If this data is present, e.g., you sell online, install an SSL certificate to protect it. The certificate establishes a secure connection between the website user and your website, making it harder for hackers to get their hands on the data.

There are sites like SSL For Free that offer the certificate for free, but also keep in mind that certificates come as a part of the package in most reliable WordPress security plugins.

10. Check if Your Theme is Secure

Many themes used by WordPress websites could be a source of problems because of outdated code, a lack of security, etc. Besides, they can come from hackers, already infected or made vulnerable.

To make sure that the theme you’re using complies with the latest security standards, always download themes from trusted sources or use a plugin like Theme Check.

11. Remove WordPress Version Information

As mentioned, a lot of WordPress websites run on an outdated version, and hackers know it after taking a look at the HTML code.

If they detect an old version, it could be easier for them to launch a successful attack. To avoid making their hacking job easier, place the following code into the functions.php file:

// Return an empty string in place of the generator tag that carries the version number.
function remove_wp_version() {
    return '';
}
add_filter( 'the_generator', 'remove_wp_version' );
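
The generator tag is not the only place the core version shows up: scripts and styles enqueued without their own version get ?ver= followed by the core version appended to their URLs. This added example (not part of the original article; the hv_mask_core_ver name is an assumption) replaces that value with a keyed hash, so browsers still refetch assets after an update.

```php
<?php
// Added example; omit the opening tag when pasting into an existing functions.php.
// hv_mask_core_ver is a hypothetical function name.

function hv_mask_core_ver( $src ) {
    // Nothing to do for URLs without a version query argument.
    if ( ! is_string( $src ) || false === strpos( $src, 'ver=' ) ) {
        return $src;
    }

    // Read the query string of the asset URL into an array.
    parse_str( (string) wp_parse_url( $src, PHP_URL_QUERY ), $args );
    $core = get_bloginfo( 'version' );

    // Touch only values equal to the core version, so the version numbers
    // that plugins and themes set for their own assets are left alone.
    if ( isset( $args['ver'] ) && $args['ver'] === $core ) {
        // Keyed hash: changes when core is updated (cache busting still works)
        // but does not reveal the version without the site's secret salt.
        $masked = substr( hash_hmac( 'sha256', $core, wp_salt() ), 0, 10 );
        $src    = add_query_arg( 'ver', $masked, $src );
    }
    return $src;
}
// Late priority so the filter sees the final URL built by the loader.
add_filter( 'style_loader_src', 'hv_mask_core_ver', 9999 );
add_filter( 'script_loader_src', 'hv_mask_core_ver', 9999 );
```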

12. Stick with One Administrator

If possible, use only one administrator account to manage your website. Having multiple accounts increases the risk of someone doing things behind your back or something that could make the website vulnerable.

If you absolutely need to have multiple accounts, make sure to use Simple History, a plugin that tracks changes made within the CMS. If an admin is doing something bad, you’ll see it.

13. Block Others from Browsing Directory Content

If someone can view the content of your website’s directory, then they can make unwanted changes that leave the content more accessible. To block the public access to the directory and prevent hackers from getting information about your website, make sure to do this:

  • Open .htaccess file
  • Place this code at the bottom of the file:

Options -Indexes

And that’s it: access to the directory will be blocked once you save the file.

14. Back Up, Back Up, Back Up

Backing up saves not only your data, but the entire website even in the worst possible scenario. Set up regular backups and please, please stick to the schedule, and you’ll never have to build everything from the start.

Here’s the collection of 10 best WordPress backup plugins to check out the options.

Protect Your Office

The best way to think about your WordPress website is to imagine that it’s your office.

You’d want to keep thieves away from it, wouldn’t you?

So make sure to protect it. No office, i.e., website, is “too small” and “too unimportant” to be hacked.  


About the author

Rahul Setia

Rahul Setia was born and raised in Kaithal, Haryana. He worked at brands like Jabong, ProProfs, etc. He was also in the list of Top 100 Social Media Influencers 2019 by Status Brew. He lives in Delhi/NCR and is a Digital Gig & Founder of websites, i.e., TechBlogCorner.com, ViralMasalla.com, DealorCoupons.com.
Follow me on: LinkedIn, @rahulsetia007 and Facebook.
