Looking for ways to secure your WordPress website?
If you are not confident about your WordPress website security, this post will help you understand security threats and how you can make your site more secure.
To begin with, you should know that WordPress’s core software is itself very secure, as hundreds of developers work on it with security as their primary focus.
Still, Google blacklists 20,000 websites for malware and around 50,000 for phishing each week. Now why is that?
WordPress is one of the world’s most popular content management systems, powering more than 43% of the world’s websites.
WordPress’s popularity is why it is so prone to security and malware threats.
The WordPress Security team works tirelessly to keep the WordPress core software secure, preventing and neutralizing threats and vulnerabilities by rolling out regular updates.
Still, there are things that you can do to further ensure that your website remains safe and out of harm’s way.
In this guide, you will find the best practices & tips on how you can make your WordPress website secure.
A Secure WordPress Website - Why is it Important?
When a Website is hacked, it is blacklisted by
Hackers can do harm in a variety of ways:
- Steal user information
- Steal/change your password
- Install or distribute malicious and harmful content on your website
- Corrupt your files
- Decrease the speed of your website
You need to be careful or you might end up negotiating
Types of Threats & What They Mean
Before we jump into securing WordPress, we need to understand the different types of security threats first.
Below are the common WordPress security threats:
Backdoor: The attacker uses a loophole instead of the legitimate way to access your website, without the owner finding out about the breach.
Hackers leave the backdoor so that they can regain access after they have been removed once.
Malware: Malicious software purposely designed to harm your website. There is a vast variety of malware out there, all differing in its potential to harm your website.
Spam: These are messages that are sent to a large number of websites. They often contain links that lead to other websites (ads) or even illegal and harmful pages.
Hacktools: Exploit or DDoS tools used to attack other sites.
Phishing: Used in phishing lures in which attackers attempt to trick users into sharing sensitive information (e.g. login details, credit card data, etc.)
Broadly at WordPress Support Desk, we categorize WordPress security measures into the following two things:
1- Use SSL to Encrypt Data
SSL stands for Secure Sockets Layer, which is a very effective and useful way to secure your WordPress admin panel.
An SSL certificate ensures that your website’s data is transferred safely between browsers and web servers. This protects your website against hackers in the following ways:
- Difficulty of breach
- Problem gaining access
- Trouble making a connection with your website
Now search engines like G
2- The Role of WordPress Hosting
WordPress hosting plays an important role in securing WordPress. You should choose your hosting service provider very carefully depending on your website’s needs.
There are four types of WordPress hosting:
- Shared WordPress hosting
- Managed WordPress hosting
- Dedicated WordPress hosting
- Cloud WordPress hosting
If you are serious about your website and about its security, the first thing that you need to do is invest in your website hosting.
It doesn’t really matter what type of hosting you choose; just make sure that you choose a company with a good reputation.
One thing is for sure: investing in your WordPress website’s hosting with a good company is something that you will not regret later.
3- Best WordPress Security Plugin
Since WordPress powers such a large chunk of websites in the world, this leaves it vulnerable to all sorts of threats.
In order to keep your website out of harm’s way, you need to take as many steps as you can & installing good security plugins is one of them.
You will find hundreds of security plugins in the WordPress repository. Here is our list of the top 3 security plugins.
1- Sucuri – Website Firewall
2- iThemes Security
3- Wordfence
Plugins like Sucuri are a blessing. They add an extra protective layer around your website, filtering all traffic before it reaches your site and allowing only legitimate visitors through.
There are other plugins that you can install to scan your website for viruses, infected files, spam, brute force attacks, etc. They can prove to be incredibly helpful when your website gets attacked. See our Ultimate list of tried and tested plugins.
4- Keep Regular Backups:
This is another vital step you need to take in order to secure your WordPress website. Keep regular backups of your website.
Now, to state the obvious, backups are as important to your website as insurance is to your car. If you have regular backups of your website, it means that all of your data is stored safely.
So in case of breach of security or hacking, in which you end up losing access to your website or lose your website entirely, you can recover all your data and start again.
There are three ways in which you can take backup:
- Backup WordPress via Plugins
- Backup WordPress Manually
- Backup WordPress Through WordPress Maintenance Services
5- Keeping WordPress Regularly Updated
WordPress is software with a lot of world-class developers behind it, so every now and then they release an update: bug fixes, improvements and even core updates that ship security patches. In other
You should keep your website regularly updated. Luckily, updates can be done automatically and, if not, you can do them manually in just a couple of clicks. Keeping your WordPress core up to date applies all newly released security patches to your website.
We are not sure why, but users are generally not very fond of updates. Hackers use this to their advantage: they exploit already-fixed bugs to hack websites that
Only about 49% of WordPress websites are up to date, which puts them all at risk of being hacked.
To check if there are any new updates, go to:
Dashboard >> Updates
The best and easiest thing that you can do is to regularly update your website’s theme and plugins. WordPress automatically rolls out updates for its users.
But we would suggest that you keep an eye on it as a risk-reduction measure; you never know when things may go wrong.
Whenever there is an update in the core software of WordPress it appears like this.
And as for the
If you have a huge website or are using
6- Disable File Editing
WordPress themes and plugins can be edited easily from your WordPress admin area, which is a really cool feature until your website falls into the wrong hands and they are able to do the same.
They can mess with your files by changing them or injecting them with malicious code or links.
We would suggest that you disable this feature, as it is a potential threat to a secure WordPress website.
And for
<pre><code>// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
</code></pre>
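The SSL section (1), the updates section (5) and the file-editing section (6) above each come down to one line in wp-config.php. The following is an added example, not the original post’s code, that collects those settings in one place. All three constants are real WordPress settings; the reverse-proxy handling is the standard workaround from the WordPress documentation and is an assumption about your hosting (only keep it if a trusted proxy terminates TLS in front of the site and strips that header from client requests).

```php
<?php
// Added example: wp-config.php hardening constants (not the original post's code).
// Place these above the line "/* That's all, stop editing! Happy publishing. */".

// Section 1: serve the admin area and login page only over HTTPS.
// Requires a working TLS certificate on the host, otherwise wp-login.php becomes unreachable.
define( 'FORCE_SSL_ADMIN', true );

// Assumption: the site sits behind a reverse proxy / load balancer that terminates TLS.
// Without this, WordPress believes every request is plain HTTP and FORCE_SSL_ADMIN
// redirects in a loop. Only trust this header when the proxy itself sets it and
// drops any copy a client sends.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// Section 5: let WordPress apply core updates (minor and major) in the background.
// 'minor' instead of true limits this to minor/security releases.
define( 'WP_AUTO_UPDATE_CORE', true );

// Section 6: remove the theme and plugin file editor from the dashboard.
define( 'DISALLOW_FILE_EDIT', true );
```

Note the caveat for the related constant DISALLOW_FILE_MODS: it also blocks plugin and theme installs and updates from the dashboard and switches off background updates, so it works against section 5 unless you update the site by another route (for example from a deployment pipeline).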
7- Strong Password & User Permission
According to a report by Panda S
Once a hacker gets hold of your password, all they have to do is log in and change it. And there, your website has been hacked!
To avoid this, here is a list of dos and don’ts you should consider when deciding on a password.
- Use at least 12 characters in your password (perhaps mix it up a little with upper- and lowercase letters and symbols)
- Use two-factor authentication
- Regularly update/change your passwords
- Do not use the same password for everything
- Don’t keep your account logged in all the time (especially in office settings where anyone can use your computer)
- Install the plugin Limit Login Attempts Reloaded. This will protect you from brute force attacks.
- A brute force attack is when a hacker opens your login page and starts trying out different passwords in different combinations. According to a report, 8% of websites are hacked because of weak passwords.
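The last two bullets recommend a login-attempt limiter against brute force. As an added example (not the original post’s code and not the Limit Login Attempts Reloaded plugin), here is a small must-use plugin that does the essential part: it counts failed logins per client address and username in WordPress transients and refuses further attempts for a while once the limit is reached. The hooks `wp_authenticate_user`, `wp_login_failed` and `wp_login` are real WordPress hooks; the limits are assumptions, and the code assumes no reverse proxy (so REMOTE_ADDR is the real client address).

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example)
 *
 * Added example, not the original post's code. Save as wp-content/mu-plugins/login-limiter.php
 * and WordPress loads it automatically.
 */

define( 'LLA_MAX_ATTEMPTS', 5 );                          // failures before lockout (assumption)
define( 'LLA_WINDOW_SECONDS', 15 * MINUTE_IN_SECONDS );   // failures are counted within this window
define( 'LLA_LOCKOUT_SECONDS', 30 * MINUTE_IN_SECONDS );  // how long a locked client waits

// Transient key for this client: address plus username, so one attacker cannot lock
// out the real admin from elsewhere, and one address cannot spray many usernames freely.
// Assumption: no reverse proxy, REMOTE_ADDR is the client.
function lla_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lla_' . md5( $ip . '|' . strtolower( (string) $username ) );
}

// Runs just before WordPress checks the password; refuses the attempt while locked out.
// The same error is returned whether or not the password is right, so a locked-out
// attacker learns nothing from the response.
function lla_check_lockout( $user, $password ) {
    if ( ! $user instanceof WP_User ) {
        return $user;
    }
    $state = get_transient( lla_key( $user->user_login ) );
    if ( is_array( $state ) && ! empty( $state['locked_until'] ) && $state['locked_until'] > time() ) {
        $minutes = (int) ceil( ( $state['locked_until'] - time() ) / 60 );
        return new WP_Error( 'too_many_attempts', sprintf( 'Too many failed logins. Try again in %d minutes.', $minutes ) );
    }
    return $user;
}
add_filter( 'wp_authenticate_user', 'lla_check_lockout', 10, 2 );

// Runs after every failed login (wrong password, unknown user, or our own lockout error).
function lla_record_failure( $username ) {
    $key   = lla_key( $username );
    $state = get_transient( $key );
    if ( ! is_array( $state ) ) {
        $state = array( 'count' => 0, 'locked_until' => 0 );
    }
    $state['count']++;
    $ttl = LLA_WINDOW_SECONDS;
    if ( $state['count'] >= LLA_MAX_ATTEMPTS ) {
        $state['locked_until'] = time() + LLA_LOCKOUT_SECONDS;
        $ttl                   = LLA_LOCKOUT_SECONDS;
        // Leave a trace in the PHP error log so repeated lockouts can be spotted.
        error_log( sprintf( 'login-limiter: lockout for user "%s" from %s', $username, $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
    }
    set_transient( $key, $state, $ttl );
}
add_action( 'wp_login_failed', 'lla_record_failure' );

// A successful login clears the counter for that client/user pair.
function lla_clear( $user_login ) {
    delete_transient( lla_key( $user_login ) );
}
add_action( 'wp_login', 'lla_clear' );
```

Two design points: the lockout check hooks `wp_authenticate_user` rather than an early `authenticate` priority because WordPress’s own username/password handler overwrites an earlier error when both fields are filled in, and transients are used because they expire on their own, so the lockout state needs no cleanup job. Behind a proxy you would read the proxy’s forwarded-address header instead of REMOTE_ADDR.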
8- Use 2-factor Authentication
Two-factor authentication means that instead of logging into your account with your password only, you add an additional step. That step could be any of the following:
- Something that you are.
- What only you know.
- Something that you have.
The problem with the commonly used single-factor (password) authentication is that the single step, the password, can easily be leaked, stolen or even guessed.
And once your password is gone, consider your entire website gone.
You can add your biometric (something that you are) details like your thumbprint or face recognition (like iPhones).
In this case, even if someone has your password they won’t be able to log into your website without you personally being there.
Another thing that you can do, like Gmail and Facebook, is to use something that you have, like your mobile phone on which you get a code or your email address on which you receive
The third could be something that you know, like a question that only you know the answer to.
The WordPress Team once said that the weakest link in your WordPress security is your password. Two-factor authentication can help you prevent a situation where your password is stolen and you end up losing access to your website.
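The “code on your mobile phone” factor described above is usually a time-based one-time password (TOTP, RFC 6238) generated by an authenticator app. The following added example, not the original post’s code, implements the verification in plain PHP and hooks it into the WordPress login after the password check. The hooks `authenticate` and `login_form` are real; the user-meta key `totp_secret` and the form field `totp_code` are hypothetical names chosen for this example.

```php
<?php
// Added example (not the original post's code): RFC 6238 TOTP as the "something you have"
// factor. Assumes a hypothetical user-meta key 'totp_secret' holding the base32 secret
// and a hypothetical login form field 'totp_code'.

// RFC 4648 base32 decoder for the secret that authenticator apps receive as a QR code.
function totp_base32_decode( $b32 ) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32      = strtoupper( rtrim( $b32, '=' ) );
    $bits     = '';
    for ( $i = 0; $i < strlen( $b32 ); $i++ ) {
        $val = strpos( $alphabet, $b32[ $i ] );
        if ( false === $val ) {
            return false; // not valid base32
        }
        $bits .= str_pad( decbin( $val ), 5, '0', STR_PAD_LEFT );
    }
    $bytes = '';
    for ( $i = 0; $i + 8 <= strlen( $bits ); $i += 8 ) {
        $bytes .= chr( bindec( substr( $bits, $i, 8 ) ) );
    }
    return $bytes;
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, 6 digits.
function totp_code( $secret_bytes, $counter, $digits = 6 ) {
    $msg    = pack( 'N2', ( $counter >> 32 ) & 0xFFFFFFFF, $counter & 0xFFFFFFFF );
    $hmac   = hash_hmac( 'sha1', $msg, $secret_bytes, true );
    $offset = ord( $hmac[19] ) & 0x0F;
    $bin    = ( ( ord( $hmac[ $offset ] ) & 0x7F ) << 24 )
            | ( ord( $hmac[ $offset + 1 ] ) << 16 )
            | ( ord( $hmac[ $offset + 2 ] ) << 8 )
            | ord( $hmac[ $offset + 3 ] );
    return str_pad( (string) ( $bin % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// TOTP: accept the current 30-second step and one step either side (clock skew),
// comparing in constant time so the check does not leak how many digits matched.
function totp_verify( $b32_secret, $submitted, $now = null, $step = 30, $window = 1 ) {
    $secret = totp_base32_decode( $b32_secret );
    if ( false === $secret || '' === $secret || ! preg_match( '/^\d{6}$/', (string) $submitted ) ) {
        return false;
    }
    $counter = intdiv( $now ?? time(), $step );
    for ( $i = -$window; $i <= $window; $i++ ) {
        if ( hash_equals( totp_code( $secret, $counter + $i ), (string) $submitted ) ) {
            return true;
        }
    }
    return false;
}

// Priority 30 runs after WordPress's own username/password handler (priority 20),
// so nobody can try codes without already holding a valid password.
function totp_require_second_factor( $user, $username, $password ) {
    if ( ! $user instanceof WP_User ) {
        return $user; // password already rejected; pass that error through unchanged
    }
    $secret = get_user_meta( $user->ID, 'totp_secret', true ); // hypothetical meta key
    if ( empty( $secret ) ) {
        return $user; // not enrolled; a stricter policy would refuse the login here
    }
    $submitted = isset( $_POST['totp_code'] ) ? trim( wp_unslash( $_POST['totp_code'] ) ) : '';
    if ( ! totp_verify( $secret, $submitted ) ) {
        return new WP_Error( 'invalid_totp', 'The authentication code is missing or wrong.' );
    }
    return $user;
}
add_filter( 'authenticate', 'totp_require_second_factor', 30, 3 );

// Add the code field to the wp-login.php form (hypothetical field name 'totp_code').
add_action( 'login_form', function () {
    echo '<p><label for="totp_code">Authentication code</label>'
       . '<input type="text" name="totp_code" id="totp_code" class="input" autocomplete="one-time-code"></p>';
} );
```

To self-check the arithmetic, the RFC 6238 Appendix B vector applies: the ASCII secret `12345678901234567890` is `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ` in base32, and at time 59 the 8-digit SHA-1 value in the RFC is 94287082, so `totp_verify( 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ', '287082', 59 )` must return true. Because a rejected code is still a failed login, the `wp_login_failed` action fires and any login-attempt limiter counts it too. A production deployment would additionally store the last accepted counter per user so a code cannot be replayed within its 30-second window, and would offer backup codes for a lost phone.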
9- Rename Your Login URL to Secure Your WordPress Website
By default, all WordPress databases have this:
Normally people don’t change this. But we would suggest that you change this prefix to something else for the following security reasons.
Firstly, if you have a different database prefix, it would protect you from these obnoxious SQL injections and, later, from brute force attacks.
Hackers generally follow the standard queries when they attack a website. If your database details are different, they will face an error.
Otherwise, it becomes one less piece of information they need to hack your website. You can simply change it to your name or anything that you feel like but not
10- Change the Default “admin” Username
Often hackers try their luck with brute force attacks: they open your login page and try out random usernames and passwords.
The default username that you get is ‘Admin’. You can change it to your name, your email address or something less obvious, which we would suggest you do.
So the first thing they need is to guess the right username. And if you haven’t changed your username from the default one, it becomes one less thing that they need in order to succeed at hacking your website.
How do I change my username?
There are basically three ways to change your username.
You have no direct option in WordPress to change your username, but there is a way around it.
You need to open Users from your dashboard navigation menu.
Dashboard >> Users >> Add New
Fill in the required information. You are going to have to add a different email address for this new user. (you can change it back to the original one once this process is complete).
It goes without saying but make sure that you add a strong password. And give this user administrative role.
Once you have completed this process you can change the email address of the new user to the one that you used in the other account.
Changing the username alone does not mean that you are completely out of harm’s way. But it’s a small strategic action in your battle against hackers.
It’s better to take the fate of your website into your own hands rather than leaving it at the mercy of hackers and luck.
Once this new user has been added, you have to log in using this new username and delete the default user by hovering over its name like this:
Once you click on delete user you will see this page, transfer all the data from this account to the new one you made by checking the box that says ‘attribute all the content to the new user’ that you made.
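The same replace-the-admin procedure (new administrator with a temporary e-mail, delete ‘admin’ while attributing its content to the new account, then move the e-mail address over) can be done with WordPress’s own functions instead of clicking through the dashboard, which is handy when you look after several sites. This is an added example, not the original post’s code; `wp_insert_user`, `wp_delete_user`, `wp_update_user`, `get_user_by` and `wp_generate_password` are real WordPress functions, and the login name and temporary e-mail in the usage line are placeholders you must change.

```php
<?php
// Added example (not the original post's code): replace the default "admin" account
// programmatically. Run it once from inside WordPress, e.g. as a temporary mu-plugin
// or via WP-CLI's "wp eval-file". The placeholders in the usage line must be changed.

function replace_default_admin_user( $new_login, $temp_email ) {
    require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() lives here

    $old = get_user_by( 'login', 'admin' );
    if ( ! $old ) {
        return 'no user named "admin" exists; nothing to do';
    }
    if ( get_user_by( 'login', $new_login ) ) {
        return 'the replacement login name is already taken';
    }

    // Step 1: create the replacement administrator with a random 24-character password.
    // A temporary e-mail is needed because WordPress refuses a duplicate address.
    $password = wp_generate_password( 24, true, true );
    $new_id   = wp_insert_user( array(
        'user_login' => $new_login,
        'user_pass'  => $password,
        'user_email' => $temp_email,
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $new_id ) ) {
        return 'could not create user: ' . $new_id->get_error_message();
    }

    // Step 2: delete "admin" and attribute its posts and links to the new account
    // (the dashboard's "Attribute all content to" option). On multisite this only
    // removes the user from the current site.
    if ( ! wp_delete_user( $old->ID, $new_id ) ) {
        return 'could not delete the old admin user';
    }

    // Step 3: the old address is free now, so move it to the new account.
    wp_update_user( array( 'ID' => $new_id, 'user_email' => $old->user_email ) );

    return sprintf( 'created %s (ID %d) with password %s; "admin" removed', $new_login, $new_id, $password );
}

// Usage with placeholder values; change the password right after the first login.
// echo replace_default_admin_user( 'site-owner', 'temporary@example.com' );
```

Remove the file again once it has run, since it creates an administrator and prints a password; it is a one-off maintenance step, not something to leave installed.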
11- Hide Your WordPress Version Number
WordPress’s software leaves a footprint of its version on your site, which tells the outside world information about the version of WordPress being used on your website.
For normal traffic this means nothing, but for prying eyes it is valuable information that they can use and exploit in order to hack your website.
There are certain bugs that have already been taken care of in an update, but you are still exposed to them if you haven’t updated yet. This is exactly the loophole that hackers are looking for: they will exploit such a bug to damage your website.
This is one of our risk-reduction strategies, as on its own it is not strong enough to eliminate threats.
There are three places on your website where the version number appears:
- The generator meta tag in the header
- Query strings on scripts and styles
- The generator tag in RSS feeds
You just need to add this code snippet by developer Frankie Jarrett to your functions.php file, and all WordPress version numbers on your website will be hidden from public view.
<pre><code><?php
/**
 * Hide WP version meta tag from header and generator tag from feeds
 *
 * @return null
 * @filter the_generator
 */
function fjarrett_remove_wp_version_tag() {
    return null;
}
add_filter( 'the_generator', 'fjarrett_remove_wp_version_tag' );

/**
 * Hide WP version strings from scripts and styles
 *
 * @return {string} $src
 * @filter script_loader_src
 * @filter style_loader_src
 */
function fjarrett_remove_wp_version_strings( $src ) {
    global $wp_version;
    $parts = explode( '?', $src );
    // Only strip the query string when it is exactly the WordPress version marker.
    // The isset() check avoids an "undefined index" notice for URLs without a query string.
    if ( isset( $parts[1] ) && $parts[1] === 'ver=' . $wp_version ) {
        return $parts[0];
    }
    return $src;
}
add_filter( 'script_loader_src', 'fjarrett_remove_wp_version_strings' );
add_filter( 'style_loader_src', 'fjarrett_remove_wp_version_strings' );
</code></pre>
Conclusion:
We have acknowledged two facts in this guide if you want to secure WordPress:
- The importance of having a secure WordPress website.
- The constant security threats to a website
Keeping in view these two facts our advice would be that you keep regular backups of your website as well as the
Applying Murphy’s law, anything that can go wrong will go wrong. So, in the worst case scenario where a hacker gets into your website, at least you’ll have a clean copy of your website to reinstall.
Keep an eye on your WordPress site health score and contact your website hosting provider who will help in making your website more secure.
Want to Learn More?
Here is a list of a few other guides that will help you master WordPress.
- How to Build a Website – Start With Why
- What is WordPress? All You Need to Know
- How to Decide the Best Hosting for WordPress
- What is WordPress Management? All You Need to Know
- Best WordPress Plugins – Ultimate List
- 15 Best WordPress Themes for Blogs, Business & Ecommerce
- 65 Types of WordPress Help Requests
- WordPress Website Launch Checklist – Updated 2020
- Image Optimization for WordPress in 2020: Everything You Need to Know
Source: https://wpsupportdesk.com/blog/secure-wordpress/