10 simple tips for a secure WordPress website
We are pleased to present Tony Messer, co-founder of the British web hosting company pickaweb.co.uk, as a guest author. Mr. Messer co-founded the company with Pilar Torres Wahlberg and they have been providing high quality hosting services to thousands of small and medium sized businesses ever since.
Do you use WordPress? If so, then you have made a good choice. Thanks to its ease of use, many great features and strong SEO, it is no wonder that WordPress is the world’s leading content management system (CMS).
But this popularity also creates risks. Just like other popular software, WordPress attracts hackers who try to abuse your site in various ways. And you definitely want to avoid having your website hacked, taken down for malware, or used to send phishing emails.
The cost of restoring your reputation is extremely high, not to mention the cost of remediating the attack and getting your site back to a safe level. It can also take a long time to regain customer trust. And all this comes on top of a lower search engine ranking if Google classifies your website as insecure.
But no need to worry. You can secure your WordPress site with a few simple steps and prevent the majority of hacking attempts.
Here are ten simple steps you can take to secure your WordPress site.
Two-factor authentication (2FA) when logging in is one of the simplest, but also most effective ways to protect against brute force attacks. It adds an extra level of security at login by asking for an additional proof of identity, such as a phone-generated code or a secret question.
The WP Google Authentication Plugin is an excellent example of a 2FA plugin that can be quickly installed to secure your website.
To prevent stubborn hackers and unauthorized manual login attempts, the number of possible login attempts can be limited.
The WP Limit Login plugin prevents attempted brute force attacks on your login page by blocking IP addresses that exceed the allowed number of failed logins in a given time.
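The mechanism described above, sketched as an added example (not the plugin's own code): a sliding-window counter that locks out an IP once it exceeds the allowed number of failed logins. The class name, thresholds and sample events are assumptions made for illustration.

```python
from collections import defaultdict, deque

class LoginLimiter:
    """Block an IP that exceeds max_failures failed logins within window seconds."""

    def __init__(self, max_failures=3, window=300, lockout=900):
        # Thresholds are assumed values for illustration.
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._blocked_until = {}              # ip -> time the block expires

    def is_blocked(self, ip, now):
        until = self._blocked_until.get(ip)
        if until is not None and now >= until:
            del self._blocked_until[ip]       # lockout expired
            return False
        return until is not None

    def attempt(self, ip, now, ok):
        """Process one login attempt; return False if the IP is (or just became) blocked."""
        if self.is_blocked(ip, now):
            return False                      # refused before checking credentials
        if ok:
            self._failures.pop(ip, None)      # a good login resets the counter
            return True
        recent = self._failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                  # forget failures outside the window
        if len(recent) > self.max_failures:
            self._blocked_until[ip] = now + self.lockout
            recent.clear()
            return False
        return True

# Constructed sample events: (seconds, source IP, credentials correct?)
SAMPLE_EVENTS = [
    (0, "203.0.113.7", False), (10, "203.0.113.7", False),
    (15, "198.51.100.4", False), (20, "203.0.113.7", False),
    (25, "203.0.113.7", False),   # 4th failure within the window: blocked
    (30, "203.0.113.7", True),    # refused, the IP is still locked out
    (40, "198.51.100.4", True),   # one typo, then a normal login
]

def refused(events, limiter):
    """Replay events and return the (time, ip) pairs that were refused."""
    return [(ts, ip) for ts, ip, ok in events if not limiter.attempt(ip, ts, ok)]
```

Note that the locked-out IP is refused even when it finally presents the correct password, which is what makes guessing unproductive.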
Most users leave the WordPress admin login at the default URL, which usually ends with either wp-admin or wp-login.php.
By changing the suffix from /wp-login.php to something less predictable, such as my_login.php, you make your site more secure.
This simple step alone prevents most of the automated brute force attacks targeting standard admin URL pages. The iThemes Security Plugin is a comprehensive security plugin that allows you to change the URL.
Sometimes the simplest options are the most effective. A strong password is a basic requirement for good security.
Let’s face it, if your password is as simple as abcd123, then it’s only a matter of time before someone hacks your site. Ideally, your password should consist of a combination of lower and upper case letters, special characters and numbers, and be at least 10 characters long.
If you need help creating strong passwords, you can use this password generator tool.
The most important directory of your WordPress website is the WP Admin Directory. It therefore makes sense to protect this with a password to add another security step – one at login and one for the WordPress admin area. The AskApache password protection plugin helps with this.
Of course, an administrator often has to access certain directories in WP-Admin. It simplifies administrative processes when these directories are left accessible and the rest are locked.
If your blog has multiple users, e.g. other blog authors or external contributors, it is best to force them to use strong passwords.
A plugin like Force Strong Passwords secures your admin area. The plugin forces users to use strong, hard-to-crack passwords that follow the guidelines for good passwords, such as different characters (upper and lower case), numbers, and special characters.
In a man-in-the-middle attack (MITM), data between two parties is intercepted by an eavesdropper monitoring the data being sent.
The easiest way to prevent this is to switch from insecure HTTP to secure HTTPS with an SSL certificate. This creates an encrypted, impenetrable link between the browser and the web server.
In addition to stronger security, HTTPS also helps improve your Google ranking. So you not only benefit from better security, but also from a better ranking!
If your WordPress files are being tampered with by a hacker, it’s important that you know about it as soon as possible to minimize the damage. With plugins like Acunetix WP Security or Wordfence you can monitor your WordPress files, keep track of changes and get notified.
In fact, Wordfence is one of the most installed security plugins on WordPress. It consists of live security scanning, monitoring, attack detection and mitigation features. So, if you are looking for outstanding, all-around security, then you should definitely consider this plugin.
If you follow the tips in this blog, hopefully your site will not be hacked. However, if this does happen, you certainly don’t want to start over from scratch or figure out how to remove the infected files and make your site safe again.
It is best to make regular backups of your site. This allows you to access a secure, working version later if necessary. There are a number of WordPress plugins that can help you with this, such as Vaultpress, Backup Buddy or blogVault.
Some of these are paid, but when compared to the price of a hacked website with no backup, it’s worth the money.
As a hosting company, we see security issues most often when WordPress or other CMS systems like Joomla run an outdated version or plugin.
Hackers most commonly gain access to a WordPress site that has not been patched or updated to the latest version. Many plugins can download new updates automatically, and it’s worth considering enabling this.
From version 3.7 WordPress has an automatic update functionality. If you are not sure if you are using the latest version, you can check on the official WordPress site.
Tip: Only download plugins from the official WordPress website. This is a great way to make sure you don’t accidentally download malware onto your website.
As you can see, there are many simple things you can do to prevent your website from being hacked. Some are simple measures, like using complex passwords, but there are also many plugins designed just to make your website more secure.
Remember, often it’s the simple things that keep your website from being hacked.
Mr. Messer is passionate about helping his customers get the best out of their online presence. He is the author of the book ‘The Lazy Website Syndrome’ which has a 5 star rating on Amazon. It gives the reader a simple 3-step approach to grow the business thanks to online marketing. Mr. Messer currently resides in southern Spain.
Pickaweb offers a range of services for small and medium businesses, including domain names, web hosting, reseller hosting, virtual and private servers, cloud servers, dedicated servers, SSL certificates and basic website builders.