Even beginners can and should take these steps to protect their WordPress site from cyberattacks. Thus Protecting Your WordPress Site requires that you take a number of critical steps
WordPress already powers 30% of the internet’s websites, it’s the fastest growing content management system (CMS) in the world, and it’s not hard to see why: top-notch SEO Search with tons of custom code and plugins available Engine Optimization (SEO), as well as a high reputation in the blogging world, WordPress has won a high reputation.
With popularity comes some not-so-positive attention as well. WordPress is a common target for intruders, malware, and cyberattacks. In fact, it accounted for about 90 percent of the CMS hacked in 2019.
Whether you’re a newbie to WordPress or an experienced developer, here are some key steps you can take to protect your WordPress site. The following 6 key tips will help you get started.
1. Choose a Reliable Managed Host
Hosting is the invisible foundation of all websites. Without it, you cannot publish your website online. But the role of the host is much more than simply hosting your website. It is also responsible for your website speed, performance, and security.
The first thing to do is to check if the host includes the SSL security protocol in its package.
Whether you run a small blog or a large online store, the SSL protocol is a required security feature for all websites. If you’re doing online transactions, you’ll also need a premium SSL digital certificate, but for most websites, a basic free SSL certificate is fine.
Other safety features that require attention include the following:
- Daily automatic offline website backup
- Malware and Antivirus Scanning and Removal
- Distributed denial of service (DDOS) protection against distributed service attacks
- Real-time network monitoring
- Advanced Firewall Protection
In addition to these digital security features, it’s also worth considering your hosting provider’s physical security measures. These include restricting access to data centers with security guards, CCTV, and two-factor authentication or biometrics.
2. Use security plugins
One of the most effective and easy ways to secure your website is to install a security plugin, such as Sucuri, which is GPLv2 licensed open source software. Security plugins are critical because they automate security management, which means you can focus on running your website instead of spending hours battling online threats.
These plugins detect, block malicious attacks, and alert you to any issues that need your attention. In short, they keep running in the background to protect your website, which means you don’t have to stay awake 24/7 fighting against hackers, bugs, and other digital junk.
A reliable security plugin will give you all the necessary security features for free, but some advanced features require a paid subscription. For example, if you want to unblock Sucuri’s website firewall, you have to pay. Enabling the web application firewall (WAF) blocks common threats and adds an extra layer of security to your website, so when choosing a security plugin, it’s a wise idea to look for plugins with this feature.
3. Choose trusted plugins and themes
The joy of WordPress is that it is open source, so anyone and everyone can contribute the themes and plugins they develop. But this also throws up some problems when it comes to choosing high-quality themes and plugins.
When picking out free themes or plugins, there are some that are poorly designed or, more importantly, may hide malicious code.
To avoid this, always get free themes and plugins from reliable sources, such as the WordPress Theme Gallery. Read reviews for it, and research to see if the developers have built other programs.
Outdated or poorly designed themes and plugins can leave “back doors” or bugs for attackers to enter your site, which is why you should choose carefully. However, you should also beware of invalid or cracked themes. These hacked premium themes are sold illegally. You might buy an inactive theme that looks fine but will break your site by hiding malicious code.
To avoid dead themes, don’t be lured by discounted prices, and always stick to a reliable theme store like the official WordPress directory. If you’re looking elsewhere, stick to a large and trusted store like Themify, a theme, and plugin store that’s been around since 2010. “Themify” ensures that all of its WordPress themes pass the Google Mobile-Friendly test and are open-sourced under the GNU General Public License.
4. Run regular updates
Here are the basic rules of WordPress: Always keep your website up to date. However, not everyone sticks to this rule, with only 43% of WordPress sites running the latest version.
The problem is, that when your website is out of date, it’s vulnerable to glitches, bugs, intrusions, and crashes because it lags behind in security and performance fixes. Outdated websites cannot fix vulnerabilities like updated websites, and attackers can tell which websites are out of date. This means they can then search for the most vulnerable sites and hit them.
That’s why you should always be running the latest WordPress version. To keep your WordPress security at its strongest, you must update your plugins and themes, as well as your core WordPress software.
If you choose a managed WordPress hosting plan, you may find that your provider will check and run updates for you. This will enable you to see if software and plugin updates are available from your host. If not, you can install an open-source plugin manager. Consider the GPLv2 licensed Easy Updates Manager plugin as an alternative.
5. Strengthen your login
In addition to creating a secure WordPress site by carefully choosing a theme and installing security plugins, you also need to prevent unauthorized login access.
If you’re using easy-to-guess phrases like “123456” or “Qwerty”, the easiest first step to do to strengthen your login security is to change your password.
Try to use a long password instead of a single word so they are more difficult to crack. The most effective way is to combine them with a series of unrelated words that you can easily remember.
Here are some other tips:
- Never reuse passwords
- Passwords don’t include obvious words like family members’ names or your favorite team
- Do not share your login information with anyone
- Your password should include uppercase and lowercase letters and numbers for added complexity
- Do not write down or store your login information anywhere
- Use a password manager
Change your login address
It’s a wise idea to change the default login URL from the standard format yourdomain.com/wp-admin. This is because hackers also know this default login URL, so not changing it risks brute force.
To avoid this, change the login URL to a different URL. Use open-source plugins such as GPLv2 licensed WPS Hide Login to customize login addresses more securely, quickly, and easily.
Apply two-factor authentication
To provide more protection against unauthorized logins and brute force attacks, you should add two-factor authentication. This means that even if someone does get your login information, they still need a verification code sent directly to your phone to gain access to your WordPress site.
Adding two-factor authentication is very easy. Just install another plugin, search for “two-factor authentication” in the WordPress plugin directory, and select the plugin you want. One of the options is Two Factor, a popular GPLv2 licensed plugin with over 10,000 installs.
Limit login attempts
WordPress can help you log in by making you guess the login information multiple times. However, it is also helpful for hackers trying to gain unauthorized access to the WordPress site and publish malicious code.
To counter brute force, install a plugin to limit login attempts and set the number of guesses you allow.
6. Disable file editing
This is not a beginner-friendly step, unless you are a confident programmer, don’t try it. And be sure to back up your website first.
That said, disabling file editing is an absolutely necessary measure if you really want to protect your WordPress site. If you don’t hide your files, it means that anyone from the admin can edit your theme and plugin code, which is dangerous if an intruder gets in.
To deny unauthorized access, navigate to your .htaccess file and enter:copy
<Files wp-config.php> order allow,deny deny from all </Files>
Alternatively, to remove the editing option for themes and plugins directly from your WordPress admin, you can add editing to your wp-config.php file:copy
define( 'DISALLOW_FILE_EDIT', true );
Save and reload this file, and the plugin and theme editors will disappear from your WordPress admin menu, preventing anyone from editing your theme or plugin code, including yourself. If you need to restore access to your theme and plugin code, just delete the code you added in the wp-config.php file.
Whether you block unauthorized access or disable file editing altogether, it’s important to take action to protect your site’s code. Otherwise, it’s easy for unwanted visitors to edit your files and add new code. This means that attackers can use the editor to get data from your WordPress site, or even use your site to launch attacks on other sites.
An easier way to hide files is to utilize a security plugin that does it for you, such as Sucuri.
WordPress Security Summary
WordPress is an excellent open-source platform that beginners and developers alike should enjoy without fear of falling victim to an attack. Sadly, these threats aren’t going away anytime soon, so keeping your site safe is critical.
With the above measures, you can create a WordPress site with a more robust and secure level of protection, and give yourself a better experience.
Staying safe is an ongoing task, not a one-time checklist, so be sure to revisit these steps regularly and be vigilant as you build and use your CMS.