13 simple ways to increase WordPress website security.

WordPress is constantly updating to increase its security features. However, it is still important to take your own initiative to help increase the speed and security of your own website.

In an article released in 2014, wpwhitesecurity.com reported the following statistics:

    – 41% of hacked WordPress sites were hacked through a security vulnerability on their hosting platform
    – 29% were hacked via a security issue in the WordPress Theme they were using
    – 22% were hacked via a security issue in the WordPress Plugins they were using
    – 8% were hacked because they had a weak password.

In this article you can find 13 simple ways to increase the security of your WordPress website, to help prevent any potential security risks.

1. Keep your website updated

Keeping your WordPress plugins and themes updated to the latest version is important. If you’re running an old version of WordPress or of a plugin/theme, the security flaws in that old version are public knowledge. This means hackers have this information and can easily use it to attack your site.

Updating your website regularly is important, but can be time consuming. Minor WordPress updates happen automatically, however major updates need to be approved.

However, you can insert a snippet of code into your wp-config.php file to configure your site to install major core updates automatically. If you would like all major updates to be done automatically, simply add this code to your wp-config.php file:

define( 'WP_AUTO_UPDATE_CORE', true );

Occasionally, WordPress updates can cause problems or even break your website. This may be due to a plugin or a theme not being compatible with the latest version of WordPress. Therefore it is still important to check your website frequently for issues and keep it maintained.

2. Use plugins and themes you trust

Wherever possible, make sure you only install WordPress plugins and themes from a source you can trust. Downloading plugins and themes from WordPress.org is a good option, since most of these plugins have been scanned before being listed in the Theme Directory or Plugin Directory.

3. Don’t download premium plugins for free

If you are looking for a premium theme or plugin, you should only purchase and download them from respected sources like Themeforest.

Downloading a premium theme from an untrusted source could seriously affect the security of your website. Some untrusted sources may provide a free download of a premium version, but include malicious files within the download. Even if this isn’t the case, downloading a premium theme from anywhere other than the original source could result in your version being out of date and insecure. You will also receive no updates. With Themeforest, you will always be alerted whenever there is an update for your premium theme or plugin.

4. Remove the plugin and theme editor

If a hacker manages to get into your website, the first place they will go to change your files is Appearance > Editor in WordPress.

To increase your security in case of a login breach, you could disable writing of these files via that editor. Simply add this code to your wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

If you need to edit your files, you still can via a secure FTP application or your control panel.

5. Don’t use ‘admin’ as a username

This is a very basic but effective step to make your WordPress website more secure.

When automatic brute force attacks occur on your website, the most common administrator login that will be used is ‘admin’, since this is the default username.

To help increase your security and limit the chance of a successful brute force attack, simply create a new user in WordPress at Users > New User with a more unique username and give it Administrator rights. Then just delete the old ‘admin’ user. When deleting the old admin account, you will be asked “What should be done with content owned by this user?”. You can select to transfer all the content such as posts and pages to your new admin account.

6. Secure passwords

Using a secure password for your administrator accounts is vital. By setting your password to something like ‘password’ or ‘123456’, you might as well just invite a hacker into your website.

You should always enter a password that is unique and has no close relations to your personal details.

To generate a strong random password, you can use www.strongpasswordgenerator.com

You can test how long it would take for a computer to crack a password at www.howsecureismypassword.net

Since WordPress 4.3, all passwords are generated to be strong by default.

7. Set up two step authentication

Although it might seem like a lot of hassle, two step authentication is a great way to keep your website safe from hackers. Two factor authentication is exactly what it says: two steps of verification before you can log in. This is a very popular form of enhanced security on many websites such as PayPal, Google and more. Why not use it on your website?

The plugin Google Authenticator is a great plugin for setting up two step authentication on your website.

8. Limit login attempts

Attacks such as brute force attacks target the login area of your website repeatedly to try to gain access to your website admin section.

WP Limit Login Attempts is a great plugin for setting up Captcha Verification and limiting the number of login attempts. If a number of login attempts fail, the IP address of the user/bot is blocked temporarily.

9. Keep track of dashboard activity

If your website is popular, it is a good idea to keep track of what users are doing.

WP Security Audit Log is a free plugin that logs everything that happens on your website’s backend. This allows you to easily view what both users and hackers are doing. This plugin keeps track of everything within your WordPress admin dashboard, from file management to post creation.

10. Hide wp-config.php and .htaccess

For increased WordPress security, adding the following code to your .htaccess file will protect your wp-config.php:

Similarly, you can restrict access to wp-login.php by inserting this code into .htaccess:

Replace ‘’ with your own IP. This will prevent other IP addresses from being able to access your wp-login.php.
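The .htaccess snippets this section refers to are not present on the page. The following is an added example, not the author's original code, of rules with the effect described; it assumes Apache 2.4 or later with .htaccess overrides enabled, and uses 203.0.113.10 as a placeholder for your own IP address.

```apache
# Added example (not from the original article).
# Assumes Apache 2.4+ (mod_authz_core) and that AllowOverride permits
# these directives in .htaccess. Place in the site's root .htaccess.

# Block all web requests for wp-config.php, which holds the database
# credentials and secret keys.
<Files "wp-config.php">
    Require all denied
</Files>

# Block web requests for .htaccess and any other .ht* file.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Allow wp-login.php only from one trusted address.
# 203.0.113.10 is a placeholder from the documentation range;
# replace it with your own IP.
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>

# On Apache 2.2 the older syntax is used instead of "Require":
#   deny everyone:   Order allow,deny
#                    Deny from all
#   allow one IP:    Order deny,allow
#                    Deny from all
#                    Allow from 203.0.113.10
```

After saving, request /wp-config.php and /.htaccess in a browser and confirm both return 403 Forbidden. The wp-login.php rule only suits a stable IP address: with a dynamic address you will lock yourself out, and behind a proxy or CDN Apache sees the proxy's address rather than yours.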

11. Choose the best hosting

Reports from wpwhitesecurity.com show that 41% of hacked WordPress sites were hacked through a security vulnerability on their hosting platform.

If you are looking for the best hosting for your site, it’s not always advisable to go for the cheapest option. When choosing hosting for a WordPress website, a managed hosting provider specialised in WordPress is likely to have servers designed for WordPress. On top of this, it will include a WordPress-specific firewall, up-to-date PHP and MySQL, and malware scanning.


12. Keep your computer up to date and secure

Occasionally, a hacker could gain access to your site due to vulnerabilities on your computer. In order to prevent this, it is important to keep your computer up to date.

Make sure you frequently use trusted anti-virus software such as AVG AntiVirus Free or Avast Free Antivirus to scan for and eliminate viruses or malware on your computer.

13. Install a WordPress security plugin

Installing a WordPress security plugin can help increase the overall security of your website.

Wordfence is the most downloaded free WordPress security plugin available. It offers a wide variety of great features to improve the overall performance and security of your WordPress site.

Alternatively, WP Defender is another great premium WordPress security plugin.

I hope this article has helped you learn some important steps that can be taken to increase your WordPress website security.
