WordPress is the most used Content Management System (CMS), powering more than 30% of all websites. That popularity also makes it the most heavily targeted: attackers scan for WordPress installs in bulk, so whatever security or anti-malware tooling your host provides, an unmaintained site is still at risk. If you don’t prepare and secure your WordPress website, it could be next.
In this guide, we’ll provide you with 10 simple tips to secure and protect your WordPress Website.
1. Choose a Secure Hosting Service
The easiest way to protect your website is to choose a hosting service that provides in-built security.
It may seem easier to go with a large, well-known provider such as GoDaddy or NetRegistry, but on their basic plans hardening, malware scanning and hands-on support are paid extras rather than part of the package, and a stock shared-hosting account left on its defaults is an easy target for automated attacks.
Paying slightly more for a host that guarantees support adds layers of protection these providers leave out. A host tuned for WordPress will also usually make your site noticeably faster.
While there are many hosting companies out there, we recommend My Webhost. We provide multiple layers of security and support, including virus scans and premium support from a qualified website developer.
2. Don’t Use Ripped or Nulled Themes
Paid (premium) WordPress themes usually offer more functionality and polish than free themes and perform better. A premium theme comes with regular updates and support, and with features that are not available in the free versions. The price tag mainly pays for the creator’s ongoing maintenance and updates.
Most popular themes end up on nulled or warez sites, where a cracked copy of a premium theme can be downloaded without paying. What many web designers forget is that these copies are not really free: the person who shared the theme has often planted a backdoor or spam code in its PHP to steal passwords or redirect your visitors to paid advertisements, and because the licence check has been stripped out, a nulled theme never receives the author’s security updates.
Downloading the theme for free may seem easier, but you will usually pay far more later to clean up the site.
3. Security Plugins
Securing a site by hand, without a plugin, is fiddly, so most web developers rely on a plugin that monitors the site, runs scans and sends email notifications.
Wordfence is a widely used WordPress security plugin. It offers security activity auditing, file integrity monitoring, remote malware scanning, blacklist monitoring, security hardening, post-hack actions, security notifications and a web application firewall. If your site is already infected, install Wordfence and run a deep scan: it can delete known backdoors and replace modified core files with clean copies. Treat that as first aid rather than a guarantee; if you have a clean backup from before the compromise, restoring it and then changing every password is the safer route.
4. Password Strength
Weak passwords are usually the easiest way into a site. If you use something like “Hello123” or “123456password”, change it immediately: these appear in every common password list, so a brute-force or credential-stuffing attack will get in on its first pass.
Your password needs to be both long and unique to this site. The most reliable approach is a password manager that generates and stores a random password for each login; if you must memorise it, use a passphrase of several unrelated words. Avoid predictable recipes such as favourite food + city + year + a couple of symbols (“ChickenMelbourne2012*%”): cracking tools combine dictionary words, place names and years with exactly those additions, so the result is far weaker than it looks. Never reuse your WordPress password anywhere else.
5. Disable All File Editing
A default WordPress install includes a built-in code editor: Appearance > Editor (called Theme File Editor in current releases) edits your theme’s files, and Plugins > Editor (Plugin File Editor) edits plugin files.
Once your site is live, disable these editors. Anyone who gets hold of an administrator session, whether through phishing, a stolen password or a vulnerable plugin, can use them to write PHP into a theme or plugin without any FTP or cPanel access, which is a common way backdoors end up on a site.
To disable both editors, add the DISALLOW_FILE_EDIT constant to your wp-config.php file (via the cPanel file manager), above the line that reads “That’s all, stop editing!”. This only removes the in-dashboard editors; it does not stop file changes made over FTP or cPanel. The stricter DISALLOW_FILE_MODS constant also blocks installing and updating plugins from the dashboard, so use it only if you apply updates by other means.
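The following script is an added example, not code from the original article: it inserts the DISALLOW_FILE_EDIT constant into a wp-config.php from the shell (for example over SSH or a cPanel terminal) and checks that it landed in the right place. It assumes the config still carries the stock “That’s all, stop editing!” marker that precedes the loading of wp-settings.php, which is where the constant has to sit; the sample config it writes is constructed for the demo and is not a real site’s configuration. The function names are this example’s own.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): switch off WordPress's built-in
# theme and plugin editors by adding the DISALLOW_FILE_EDIT constant to wp-config.php.
# Assumes the config keeps the stock "That's all, stop editing!" marker line, which
# sits just before wp-settings.php is loaded; the constant must be defined above it.
set -eu

# Write a constructed, minimal wp-config.php to $1 (sample input for the demo).
write_sample_config() {
    cat > "$1" <<'EOF'
<?php
/* Constructed sample wp-config.php; not a real site's config */
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp' );

/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
}

# Return 0 when $1 already defines DISALLOW_FILE_EDIT as true (single or double quotes).
file_edit_disabled() {
    grep -Eq "define\( *['\"]DISALLOW_FILE_EDIT['\"] *, *true *\)" "$1"
}

# Insert the define immediately above the stop-editing marker, keeping a .bak copy.
# Prints: added | already-set | no-marker (the file is left untouched on no-marker).
disable_file_edit() {
    local cfg="$1"
    if file_edit_disabled "$cfg"; then
        echo "already-set"
        return 0
    fi
    cp "$cfg" "$cfg.bak"
    # awk prints the define line just before the marker line, then every line as-is
    awk -v line='define( "DISALLOW_FILE_EDIT", true );' \
        '/That.s all, stop editing/ { print line } { print }' "$cfg.bak" > "$cfg"
    if file_edit_disabled "$cfg"; then
        echo "added"
    else
        cp "$cfg.bak" "$cfg"    # marker not found: restore the original, report it
        echo "no-marker"
        return 1
    fi
}

# Demo run against the constructed sample in a scratch directory.
demo_dir="$(mktemp -d)"
write_sample_config "$demo_dir/wp-config.php"
disable_file_edit "$demo_dir/wp-config.php"    # prints "added"
disable_file_edit "$demo_dir/wp-config.php"    # prints "already-set": safe to re-run
rm -rf "$demo_dir"
```

Run it as disable_file_edit /path/to/wp-config.php on the real file; the .bak copy it leaves behind is what you restore from if the site stops loading. After saving, Appearance > Editor and Plugins > Editor should disappear from the dashboard menu; if they are still there, the constant is below the marker or the file you edited is not the one WordPress loads.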
6. Install an SSL Certificate
A Secure Sockets Layer (SSL) certificate, today more accurately a TLS certificate, benefits every kind of website. SSL was originally introduced to protect online transactions from being read by a third party in transit. Today Google treats HTTPS as a ranking signal and Chrome marks plain-HTTP pages as “Not secure”, so a certificate both helps SEO and protects every visitor.
HTTPS is essential for any site that handles passwords, credit card details or even PayPal logins. Without it, everything sent to the server, including your own wp-admin login, travels as plain text and can be read by anyone on the path, for example on public Wi-Fi. With a certificate in place the connection between the visitor’s browser and your server is encrypted, so the data cannot be read or tampered with in transit. It does not make the site itself secure: a vulnerable plugin is just as vulnerable over HTTPS.
Certificates come in different validation levels (domain, organisation, extended) and prices, but the encryption is the same for all of them; the extra cost buys identity checks, not stronger security. If you don’t collect sensitive data you don’t need a paid certificate, but HTTPS will still benefit your trust and SEO score. Almost every host offers a free Let’s Encrypt certificate you can install on your site, or you can buy one. Once it is installed, set the WordPress Address and Site Address to https:// and redirect HTTP to HTTPS so that no page, and especially not the login, is ever served in the clear.
7. Change Base URLs
Every WordPress site exposes its login at “domain.com.au/wp-login.php” (wp-admin redirects there). Leaving it at the default means bots find it without effort and hammer it with password guesses, and if you leave user registration open (Settings > General > “Anyone can register”), bots will register accounts too. Turn registration off unless your site genuinely needs it, move the login page with a plugin if you want to cut the noise, and add reCAPTCHA to any forms that stay public. Bear in mind that a renamed login URL is obscurity only: it reduces automated hits but does nothing against someone who has found the new URL, so the measures below still apply.
Tip: Add a two-factor authentication plugin. Logging in then requires something beyond the password, typically a code from an authenticator app, which an attacker cannot guess or brute-force even with the right password.
Tip 2: Wordfence can also block by IP address. If you allow-list your own IP and block all others from the login page, only you can reach it. Only do this from a fixed IP: on a home or mobile connection your address changes and you will lock yourself out, and behind a CDN or proxy the address Wordfence sees may be the proxy’s rather than yours.
8. Limit Login Attempts Plugin
By default WordPress does not restrict the number of login attempts, so an attacker running a brute-force attack can work through an entire password list until one succeeds.
Install a limit-login-attempts plugin (if you already run Wordfence, its brute-force protection does the same job and you don’t need both). After installing it, go to Settings > Limit Login Attempts and set the maximum number of attempts to around 3 to 5 before the IP address is locked out for a while.
9. Hide Core Configuration and .htaccess Files
This step is a little more advanced and needs some comfort with configuration files, but it matters: wp-config.php holds your database credentials and security keys, and .htaccess controls how Apache serves your site, so both are prime targets for anyone probing a WordPress install.
We strongly recommend that a web developer implements these fixes, as a mistake can break your website. My Webhost will implement them free of charge on request, saving you the cost of a third-party developer.
Before you change anything, take a full backup of your WordPress files and database.
Log in to cPanel, open the file manager and edit the .htaccess file in the root of your WordPress install (not wp-config.php itself, which the web server must still be able to read). Add the following block, which makes Apache refuse any direct web request for wp-config.php:
<Files wp-config.php>
Deny from all
</Files>
Then, in the same .htaccess file, add a second block that protects .htaccess itself:
<Files .htaccess>
Deny from all
</Files>
On Apache 2.4 the equivalent directive is “Require all denied” in place of “Deny from all”; most cPanel hosts accept either. After saving, open domain.com.au/wp-config.php in a browser: you should get a 403 Forbidden page, not a blank page.
Although it seems a small task, a single character in the wrong place in .htaccess will break your website and stop visitors from accessing it, so be careful and keep the backup to hand.
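The script below is an added example and not part of the original article: it appends the .htaccess rules from this section to a site’s .htaccess in a way that is safe to re-run, in both the Apache 2.2 (Order/Deny) and Apache 2.4 (Require) syntax, and it goes one step beyond the text by optionally restricting wp-login.php to a single admin IP, the “IP blocker” idea from tip 7 done in Apache rather than in Wordfence. It assumes an Apache host with .htaccess overrides enabled (AllowOverride), as cPanel shared hosting normally provides; the address 203.0.113.7 is a constructed placeholder from the documentation range, and the function names and the “added example” marker comments are this example’s own.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): append rules to the site's .htaccess
# that refuse direct web requests for wp-config.php and for .htaccess itself, and
# optionally restrict wp-login.php to one admin IP. Assumes Apache with AllowOverride
# enabled for the document root; 203.0.113.7 is a constructed placeholder address.
set -eu

# Print a <Files> block that denies every request for the named file.
# Both syntaxes are emitted; Apache picks the one its authz module understands.
deny_file_rules() {          # $1 = file name, e.g. wp-config.php
    cat <<EOF
<Files "$1">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
EOF
}

# Print a <Files> block that allows wp-login.php only from the given IP or CIDR range.
login_allowlist_rules() {    # $1 = allowed IP / range
    cat <<EOF
<Files "wp-login.php">
    <IfModule mod_authz_core.c>
        Require ip $1
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from $1
    </IfModule>
</Files>
EOF
}

# Return 0 when the .htaccess at $1 already carries a <Files> block for file $2.
htaccess_protects() {
    [ -f "$1" ] && grep -qF "<Files \"$2\">" "$1"
}

# Append the hardening block once, guarded by marker comments so re-runs are no-ops.
# Prints: hardened | already-hardened. Keeps a .bak copy of an existing file.
harden_htaccess() {          # $1 = path to .htaccess, $2 = optional admin IP
    local ht="$1" marker="# BEGIN hardening (added example)"
    if [ -f "$ht" ] && grep -qF "$marker" "$ht"; then
        echo "already-hardened"
        return 0
    fi
    if [ -f "$ht" ]; then
        cp "$ht" "$ht.bak"
    fi
    {
        echo "$marker"
        deny_file_rules "wp-config.php"
        deny_file_rules ".htaccess"
        if [ -n "${2:-}" ]; then
            login_allowlist_rules "$2"
        fi
        echo "# END hardening (added example)"
    } >> "$ht"
    echo "hardened"
}

# Demo in a scratch directory, with a stand-in for the block WordPress writes itself.
demo_dir="$(mktemp -d)"
printf '# BEGIN WordPress\n# (rewrite rules managed by WordPress live here)\n# END WordPress\n' > "$demo_dir/.htaccess"
harden_htaccess "$demo_dir/.htaccess" "203.0.113.7"   # prints "hardened"
harden_htaccess "$demo_dir/.htaccess"                 # prints "already-hardened"
cat "$demo_dir/.htaccess"
rm -rf "$demo_dir"
```

The rules are appended after the “# BEGIN WordPress … # END WordPress” block that WordPress manages, so WordPress will not overwrite them when it rewrites its own section. Leave the IP argument out unless your admin connection has a fixed address: if it changes you are locked out of the login page until you remove the block over FTP or cPanel, and behind Cloudflare or another proxy the IP Apache sees is the proxy’s, not yours. Verify with a browser: wp-config.php and .htaccess should return 403, and wp-login.php should return 403 from any address other than the allow-listed one.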
10. Update Plugins and WordPress Core Version
We would list this as the most important step in protecting your website. WordPress core, themes and plugins are updated frequently, often precisely because a vulnerability was found and fixed, and attackers start scanning for sites still running the old version as soon as the fix is public.
Check Dashboard > Updates regularly. Minor and security releases of WordPress core install automatically by default, but major releases, plugins and themes do not unless you enable auto-updates for them (since WordPress 5.5 each plugin has an “Enable auto-updates” link under Plugins > Installed Plugins). Delete plugins and themes you no longer use: an inactive plugin still ships its code to the server and can still be exploited.
WordPress security is essential and can make or break your website if it is not properly installed and configured. If you need any assistance, please contact us directly via our contact form.
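For sites you manage over SSH, the check above can be scripted with WP-CLI (https://wp-cli.org) so it runs from cron and emails you when something is stale. The script below is an added example, not code from the original article or from WP-CLI itself; it assumes the wp command is installed on the server and is given the path to the WordPress root. The CSV sample it parses is constructed to match the shape of wp plugin list output, and the function names are this example’s own.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): a cron-friendly update check and
# update run using WP-CLI. Assumes `wp` is installed on the server; the CSV sample
# below is constructed, not captured from a real site.
set -eu

# Given the CSV that
#   wp plugin list --update=available --fields=name,version,update_version --format=csv
# prints, output the names of plugins with a newer version, one per line.
outdated_from_csv() {
    tail -n +2 | cut -d, -f1      # drop the header row, keep the name column
}

# Number of outdated plugins in the same CSV, printed as a plain integer.
outdated_count() {
    outdated_from_csv | grep -c . || true   # grep -c prints 0 (and exits 1) on no matches
}

# Report pending core and plugin updates for the install at $1.
# Falls back to a dry message when wp-cli is missing so the script never half-runs.
check_updates() {           # $1 = WordPress root
    local root="$1" csv
    if ! command -v wp >/dev/null 2>&1; then
        echo "wp-cli not found; would run: wp --path=$root plugin list --update=available"
        return 0
    fi
    wp --path="$root" core check-update
    csv="$(wp --path="$root" plugin list --update=available \
              --fields=name,version,update_version --format=csv)"
    printf '%s\n' "$csv" | outdated_from_csv
}

# Apply everything for the install at $1: core (plus its DB schema), plugins, themes.
# Take a backup first; a failed plugin update can leave the site on a broken version.
apply_updates() {           # $1 = WordPress root
    local root="$1"
    wp --path="$root" core update
    wp --path="$root" core update-db
    wp --path="$root" plugin update --all
    wp --path="$root" theme update --all
}

# Constructed sample, in the shape wp would print for a site with two stale plugins.
SAMPLE_CSV='name,version,update_version
akismet,5.0,5.3
contact-form-7,5.7.1,5.8'

# Demo: list the stale plugins from the sample and count them (prints 2).
printf '%s\n' "$SAMPLE_CSV" | outdated_from_csv
printf '%s\n' "$SAMPLE_CSV" | outdated_count
```

A daily cron entry that runs check_updates and mails the output gives you the same information as Dashboard > Updates without logging in; apply_updates is the part to run by hand, after a backup, rather than on a schedule.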