You may have heard scare-stories about how WordPress is vulnerable to hackers.
But the fact that millions of websites around the world use WordPress means that they are more likely to be targeted than any other platform.
And that includes your site.
If you depend solely on the team at WordPress, and on crossing your fingers, to sort out your security issues, then you have another thing coming.
You are responsible for your own site’s security. Below we look at some of the most popular ways to secure your WordPress site.
- Use 2-Factor Authentication
- Use a Password Manager
- Stay Up-To-Date
- Keep Your Computer Up-To-Date Too
- Add New Users With Care
- Understand User Roles & Capabilities
- Install or Enforce SSL
- Download Plugins & Themes With Care
- Delete Unwanted Plugins & Themes
- Use VPN on Public WiFi
- The Role of Your Hosting
- Use Web Application Firewall (WAF)
- Use Security Plugins
- Limit Number of Login Attempts
- Remove “admin” Username
- Rename Your Login Page URL
- Change File Permissions
- Backup Your Site
2-factor authentication (2FA) is also known as two-step authentication. Adding 2FA may sound like a hassle, but it can act as a strong key for your site’s front door, and it is one of the most important things you can do to protect your site from getting hacked.
It doesn’t matter if someone has managed to find out your login details – without your 2FA passcodes, they can’t log in.
Frankly, you should use this not just for your site, but also for any other sites where you have to log in, such as your email and shopping accounts.
One of the most common reasons for website owners having their site hacked is simply because of the poor use of passwords.
This could be anything from using simple and common passwords, to using the same passwords across many sites.
Having unique and complex passwords for every single login detail is crucial, and the best way to do that is to use a password manager.
You might argue that it is too risky to have all of your passwords under one roof.
But I would argue that 1) it is impossible for your brain to create and remember complex passwords, and 2) you are more at risk if you use simple and/or duplicate passwords.
So use a password manager. But whatever you do, don’t use a book.
— Ahmed Khalifa (@IamAhmedKhalifa) April 4, 2017
The security team behind WordPress are continually working on neutralising any vulnerabilities within the core system.
Why do you think you see new WordPress updates released all the time?
Yes, it could be to add new features or fix bugs.
But a huge number of times it’s because they are patching up security loopholes.
And this applies to everything – the core, the plugins and the themes.
Hackers take advantage of the fact that many website owners forget, ignore or are complacent when it comes to carrying out an update.
This is one reason why many brands out there offer to look after your updates and other security errands: not everyone keeps on top of them.
But if you are doing it yourself, stay up-to-date with your updates.
It is also your responsibility to make sure that your computer and laptop are up-to-date too.
Hackers can very easily gain access to your site (and your clients’) if there are vulnerabilities on your computer.
So make sure you install those updates and use anti-virus software on a regular basis too.
If there is more than one of you running a site, i.e. with a team, or you have guest authors, you will have to give them access to your site.
And with that, comes great responsibility; not just from each user but also for you too.
It is up to you to require all users to use strong passwords and 2FA.
For example, iThemes adds a section within ‘Add New Users’ where you enforce strong passwords and 2FA.
Another part of your responsibility when adding new users is to understand what their roles are and their capabilities on your site.
As in, whether they are the admin, author, subscriber, editor, etc.
To understand the differences between the two, WordPress.org has explained it thoroughly on their site.
So only give admin access to those you know and trust.
Installing SSL is not necessarily to prevent hackers from attacking your site, but so that your visitors are also protected from hackers when they are inputting private information on your site.
For example, credit card or login details.
Using an SSL certificate will help to encrypt data to prevent “man in the middle” attacks.
It used to be an expensive feature to add, but most host providers can install an SSL certificate for you.
If not, you can use Let’s Encrypt to get a free SSL certificate of your own.
Even though there is the added incentive of improving your Google ranking by a small factor, it is still vital to ensure that you do whatever you can to protect your visitors.
Anyone can create plugins and themes should they want to.
The problem is that there are too many out there which are poorly put-together, not maintained regularly and ignored after a time.
Using these plugins and themes will put your site at risk from hackers, because they can leave a potential backdoor to your site that the makers never deal with.
The official WordPress repository may seem like a harmless place to do all your downloads, but be aware of factors such as the recent reviews and last update.
If you happen to find plugins or themes that are only available on the 3rd party’s site, make sure you do your research about its credibility.
It is very tempting to play around with the 50,000+ plugins within the repository by adding and testing them on your site.
And also experiment with new themes for your site.
But this may also mean that you have many unwanted plugins and themes downloaded in your dashboard.
If they are not wanted, just delete them.
This is not only for security purposes but also to lighten the load on your database and help to keep your dashboard and site as light as possible.
And by the way, deactivating plugins is not the same as deleting them.
With the abundance of free WiFi available everywhere you go, it’s tempting to connect and log in to your site.
But using an unsecured internet connection or network is like allowing hackers to look over your shoulder while you are logging into your site.
If you must use public WiFi, never do so without using a reputable VPN (short for Virtual Private Network). This is a network of servers which allows you to secure your internet connection by putting you on a private network and preventing any prying eyes from seeing your activity.
If you don’t know the risk of using public WiFi, then this might scare you.
My current favourite VPN and a staple in my everyday use is NordVPN.
There is a reason why I keep shouting out about using a well-regarded managed WordPress Hosting for your site.
Among many other things, your hosting also plays an important role in the security of your WordPress site.
I have talked before about the risk of using shared hosting and the benefits of using managed WordPress hosting instead.
Not only are they built to handle your WordPress and tend to come with top-class support, but they also take security very seriously.
Along with automatic backups and updates, they also have advanced security configurations to protect your site. The host of this site, 34SP, is one example (get one month free hosting if you mention this site).
If you use cheap or free hosting for your domain, you have to ask whether they are securing their own server to help protect your site too.
One of the most popular ways of protecting your WordPress site is by a web application firewall (or WAF).
The purpose of the firewall is to block any malicious traffic from going anywhere near your site.
One of the best tools out there is Sucuri, which this site uses. They are one of the leading players in the online security space, where their cloud-based WAF stops hacks and attacks.
As well as their overall platform, their Firewall product starts from $9.99. A small price compared to potentially losing your site to attacks.
If you do not want to touch the code or server admin, but want that extra level of security, you should install (and pay for) WordPress security plugins.
There are many out there you can use, and one of my favourites is iThemes.
And by using security plugins within your dashboard, you can quickly sort the following issues and more:
A brute force attack is when hackers try to log in to your site over and over again, and it is possibly the most common tactic used by hackers to enter your WordPress site.
It’s called “brute force” because it’s relentless. But you can limit the attack by limiting the number of login attempts from a specific IP within an allotted period of time.
As well as iThemes, there are many free plugins which allow you to do that.
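To see what such a limit does, here is an added example (not from this post and not the code of any plugin) that replays web server access log lines and reports which IPs would be locked out. The threshold of 5 attempts in 5 minutes, the log format and the sample lines are assumptions made up for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _line(ip, hhmmss, method="POST", path="/wp-login.php"):
    """Build one constructed log line in Apache/Nginx 'combined' format."""
    return (f'{ip} - - [01/Jan/2024:{hhmmss} +0000] '
            f'"{method} {path} HTTP/1.1" 200 4312 "-" "Mozilla/5.0"')

# Constructed sample traffic (documentation IP ranges, not real visitors).
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", f"10:00:{s:02d}") for s in range(0, 35, 5)]  # 7 tries in 30 s
    + [_line("198.51.100.20", "10:01:00"), _line("198.51.100.20", "10:20:00")]
    + [_line("192.0.2.44", f"10:{m:02d}:00") for m in range(0, 36, 6)]  # 6 tries, 6 min apart
    + [_line("203.0.113.7", "10:02:00", "GET", "/")]                   # normal page view
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_login_posts(log_text):
    """Yield (ip, timestamp) for every POST to /wp-login.php."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, _status = m.groups()
        if method == "POST" and path.split("?")[0] == "/wp-login.php":
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def find_lockouts(events, max_attempts=5, window=timedelta(minutes=5)):
    """Return {ip: time of the attempt that first exceeded the limit}."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    lockouts = {}
    for ip, ts in sorted(events, key=lambda e: e[1]):
        attempts = recent[ip]
        attempts.append(ts)
        while ts - attempts[0] > window:   # forget attempts older than the window
            attempts.popleft()
        if len(attempts) > max_attempts and ip not in lockouts:
            lockouts[ip] = ts
    return lockouts

if __name__ == "__main__":
    for ip, when in find_lockouts(parse_login_posts(SAMPLE_LOG)).items():
        print(f"{ip} would be locked out at {when:%H:%M:%S}")
```

Running it over your own logs before you switch a limit on shows whether the threshold would also catch genuine users who mistype their password a few times.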
Back in the day, the default username for the admin was of course “admin”.
Everybody knew that…including hackers. And this made it easier for them to carry out their brute force attacks as they already knew part of the login credentials.
Today, WordPress now forces you to choose a custom username instead of “admin”, but there are still some host providers who offer the 1-click install which still uses the old default name.
If that’s the case, you should either change your hosting (what other security issues should we be worried about if they still use this old tactic?) or create a new admin username and delete the existing “admin”.
Another common feature of many WordPress sites which unfortunately still exists is the default /wp-admin and /wp-login.php login URLs.
Unfortunately, there is a good chance that your WordPress site’s login page is yoursite.com/wp-admin
Again, this provides another opportunity for the hackers to know where to start with their brute force attack.
Even though you can ask a developer to deal with that, most of the security plugins give you the option of creating your own bespoke URL for your login page.
Many of the files within the core, plugins, themes, and database contain very sensitive information and play significant parts in the running of your site.
Therefore, it is important to make sure that only authorised parties have access to them.
By changing and setting the correct file permissions, you will ensure that these sensitive files are protected from any misuse, be it accidental or deliberate.
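As an added example (not from this post), the script below walks a site folder and lists anything with looser permissions than a baseline. The baseline of 755 for directories, 644 for files and 640 or tighter for wp-config.php is an assumption based on commonly recommended values, and the sample tree is constructed for the demonstration.

```python
import os
import stat
import tempfile

# Assumed baseline, not taken from the article: directories 755, files 644,
# and wp-config.php with no access for "other" users (640 or tighter).
MAX_DIR, MAX_FILE, MAX_CONFIG = 0o755, 0o644, 0o640

def audit_permissions(root):
    """Return sorted (relative path, mode, allowed maximum) for entries looser than the baseline."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful; audit the target instead
            if stat.S_ISDIR(st.st_mode):
                limit = MAX_DIR
            elif name == "wp-config.php":
                limit = MAX_CONFIG
            else:
                limit = MAX_FILE
            mode = stat.S_IMODE(st.st_mode)
            if mode & ~limit:  # any permission bit beyond the allowed maximum
                findings.append((os.path.relpath(path, root), f"{mode:o}", f"{limit:o}"))
    return sorted(findings)

def build_sample_site(root):
    """Create a constructed sample tree (not a real WordPress install)."""
    layout = {
        "index.php": 0o644,
        "wp-config.php": 0o644,                # readable by every account on the server
        "wp-content/themes/style.css": 0o644,
        "wp-content/uploads/logo.png": 0o666,  # world-writable file
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample")
        os.chmod(path, mode)
    for dirpath, _dirs, _files in os.walk(root):
        os.chmod(dirpath, 0o755)               # make directory modes independent of umask
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)  # world-writable directory
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, mode, limit in audit_permissions(build_sample_site(tmp)):
            print(f"{rel}: {mode} (expected {limit} or tighter)")
```

Point `audit_permissions` at a copy of your own site folder to get the same report; your host may need a different baseline, so treat the three limits as settings to adjust.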
This is a must: you need backups, and they need to happen in the background at the very least every single day.
Backup allows you to quickly restore your site if you have had any types of serious problems on your site (though you should initiate a backup before making any changes on your site).
Your host will most likely offer daily backups, but it is also a good idea to use a 3rd party to back up your site as well, instead of depending on one source.
Picture the following scenarios:
Imagine if the front door of your home does not require a key (or you use weak passwords)
Or it’s very weak, and it can be opened with a simple shoulder barge (and you don’t use 2FA for your site)
Or perhaps you already have a very strong front door, but you gave everyone you know a spare key (or you give all users the admin role)
You wouldn’t do any of that for your home. So why would you treat your website that way?
You might think that the above suggestions are quite a lot to go through, but I could have gone on longer.
But at the end of the day, it is up to you to take the necessary actions to secure your WordPress site.
No site is ever 100% secure. But you can limit the risk of being hacked.
So start now!
Have I missed anything? Do you have any other recommendations?