20% Discount on WPMU Dev
For this article, we’ll be using WPMU DEV hosting and tools. You can get 20% off WPMU DEV on the membership.
WordPress security is huge topic. There are several things you can take to secure your WordPress site and prevent hackers and vulnerabilities from damaging your ecommerce site or blog.
While the WordPress core software is quite secure, and it is frequently reviewed by hundreds of engineers, there is still a lot you can do to keep your site safe.
You don’t want to wake up one morning to find your website in disarray. So, today, we’ll cover a variety of methods, tactics, and approaches that you can utilize to improve your WordPress security and remain safe.
Why Website Security is Important?
Any compromised WordPress website can significantly harm your cash flow and credibility. Attacker can obtain customer data, password, inject malicious programs, or even infect your users with malware.
Terrible case scenario, companies may be made to spend ransomware to attackers in order to recover access to the website. Over 50 million website users have been warned that a webpage they’re visiting may contain malware or steal data, according to Google.
This is an live stats websites gets hacked in a day.
Moreover, each week, Google blacklists approximately 20,000 websites for malware and approximately 50,000 websites for phishing. If you’re running a company page, you’ll want to give importance to Website security.
It’s indeed your job, as an online business owner, to secure your business website in the same way that it is your responsibility to protect your real store facility.
Is WordPress a safe platform?
Is WordPress safe?
That’s probably the first question on your mind. Yes, for the most part.
WordPress is safe as long as website owners take security seriously and adhere to recommended practices. Employing safe plugins and themes, maintaining responsible login processes, using security plugins to monitor your site, and updating periodically are all good practices.
WordPress, on the other hand, has a reputation for being prone to security flaws and thus not being a secure platform to utilize for a business. The majority of the time, this is due to users continuing to follow industry-proven security worst-practices.
Hackers stay on top of their cybercrime game by using old WordPress software, nulled plugins, poor system administration, credential management, and a lack of necessary Web and security expertise among non-techie WordPress users. Even the finest practices aren’t always followed by industry leaders. Because they were utilizing an older version of WordPress, Reuters was hacked.
This isn’t to argue that vulnerabilities aren’t present. WordPress continues to dominate the infected websites Sucuri, a multi-platform security business, worked on in a Q3 2017 survey (at 83 percent ). This is an increase over the previous year’s figure of 74%.
With WordPress powering over 42% of all websites on the internet and hundreds of thousands of theme and plugin combinations to choose from, it’s no surprise that vulnerabilities exist and are continuously being identified. However, there is a strong community surrounding the WordPress platform, which ensures that these issues are addressed as soon as possible. As of 2021, the WordPress security team consists of roughly 50 specialists, including lead developers and security researchers (up from 25 in 2017); about half are Automattic employees, and a few work in the web security area.
Get started with Proper Hosting
Using a host that provides multiple layers of security is the easiest way to keep your website secure.
Saving money on website hosting means you can spend the money elsewhere within your organization, so it can be tempting to sign up with a cheap hosting provider. But you should resist this temptation.
A cheap host can cause headaches in the future. The data associated with your URL could be deleted completely and your URL could begin redirecting to somewhere else. Just a few examples, there are several more reasons why you should avoid settling for cheap hosting that is not worthy of your business.
The extra security provided by a quality host is automatically attributed to your website if you pay a little bit more. Furthermore, you can improve your WordPress site’s performance by using a good WordPress hosting service.
Create a Site backup
To begin, make a backup of your WordPress backup before making any modifications to your website.
There are numerous WordPress backup plugins available that can be used to accomplish the same goal.
There are both free and paid ones accessible. however, just a few of the suggested ones are free.
I’m assuming you’ve installed and used one of the backup WordPress plugins. Now you’re ready to go on to the next step.
I recommend that backups be scheduled once each post is published. After making any modifications to the posts or the blog database.
Create Strong Passwords
You can do a lot to safeguard your WordPress website, but few people pay attention to the basics. 🙂
Creating secure passwords is something you should do for all of your social media sites and email accounts.
Similarly, because WordPress sites get hacked like everything else, it’s critical to adopt the same precautions for your WordPress site. It no longer matters how big your blog is. All pique the curiosity of hackers. LOL!
Using a strong password meant not using anything that was personal to you. Almost everything should be avoided, including your name, birthdate, employee ID, girlfriend’s name, and anything else that may be guessed.
Time takes to crack a passwords
Are you having problems coming up with creative password ideas? To establish a safe password, you may always utilize any online password generator tools. I use LastPass Password Generator.
Change WP-Login URL
“yoursite.com/wp-admin” is the default URL for logging into WordPress.
If you leave it as is, you risk becoming the victim of a brute force assault aimed at cracking your username/password combination.
You may receive a large number of spam registrations if you allow users to register for subscription accounts. Change the admin login URL or add a security question to the register and login page to avoid this.
You can install a plugin like custom Login URL or WPS Hide Login to change the wp-login URL.
Change WordPress username
When you create a blog, you will be given the choice of entering a username, which will be used to log into your blog or website.
The majority of people leave it as “admin” by default and forget to change it afterwards.
Consider how simple it would be for even a poor hacker to predict that. haha! I noticed a grin on your face.
You need to make it one-of-a-kind and impossible to guess. If you’re not sure how to accomplish it, I’ve put up a simple tutorial on changing your WordPress username.
Have you used two-factor authentication for your Gmail accounts before? If you’re familiar with it, you’ve probably figured out what I’m talking about.
Two-factor authentication is a simple technique to keep your WordPress site safe from hackers.
You will receive an OTP while logging in if you connect your blog to your cell phone for two-factor authentication. You would be able to log in by entering that number.
This takes security to a new level and adds another layer to the mix. A brief lesson on WordPress Two-factor Authentication may be found here.
Password Protect WordPress Admin and Login Page
Generally, hackers have unrestricted access to your wp-admin folder and login page. This gives them the opportunity to test their hacking skills or launch DDoS attacks.
On the server side, you can implement further password protection, which will essentially stop those requests.
Follow our step-by-step steps to secure your WordPress wp-admin with a password.
Limit Login Attempts
In WordPress, by default, users are allowed to try to login as many times as they like. If you often forget which letters are capital, this may help, but it also opens you up to brute force attacks.
You can limit the number of login attempts until users are temporarily blocked. It reduces your chances of being attacked by brute force since the hacker is locked out before their attack is completed.
Using a WordPress login limit attempts plugin, you can easily enable this feature.
Using Settings > Login Limit Attempts, you can change the number of login attempts once you’ve installed the plugin.
Log out Idle Users in WordPress
Users who are logged in may occasionally stray away from their screens, posing a security risk. Someone can take control of their session, change their passwords, and modify their account.
This is why many banking and financial websites lock off idle users automatically. Similar functionality can be implemented on your WordPress site as well.
The Inactive Logout plugin must be installed and activated. To configure plugin settings, click to Settings » Inactive Logout after activation.
Set the timer and a logout message and you’re done. Don’t forget to save your changes by clicking the Save Changes button.
Add security Question in WordPress Login Screen
Adding a security question to your WordPress login screen makes gaining unauthorised access much more difficult.
Installing the WP Security Questions plugin will allow you to add security questions. To configure the plugin settings, go to Settings » Security Questions after it’s been activated.
See our tutorial on how to add security questions to WordPress for more information.
Disable Directory browsing
Another stage that a webmaster examines is this. When it comes to website security, this is a little-known fact.
However, if browsing of your root directory is enabled. The files such as themes, plugins, images, and much more can be accessed by a reader, visitor, or hacker.
Here’s how to prevent directory browsing in WordPress using the .htaccess file.
Disable File Editing
In your WordPress dashboard, there is a code editor tool that allows you to change your theme and plugins as you’re setting up your site.
Appearance>Editor is where you’ll find it. You may also access the plugin editor by heading to Plugins>Editor.
We recommend that you disable this functionality once your site is online. Hackers can introduce subtle, harmful code into your theme and plugin if they obtain access to your WordPress admin panel.
The coding is often so subtle that you won’t realize anything is wrong until it’s too late.
Simply enter the following code into your wp-config.php file.
This process will help you prevent the ability to alter plugins and theme files from dashboard.
Disable XML-RPC in WordPress
Since WordPress 3.5, XML-RPC has been enabled by default to help you connect your WordPress site with mobile apps and web services.
A brute-force attack can be significantly amplified by XML-RPC due to its powerful nature.
In the past, if a hacker wanted to try 500 different passwords on your site, they would have to log in 500 times. Login lockdown plugin would catch and block these attempts.
However, with XML-RPC, a hacker can use the system.multicall function to try thousands of passwords with just 20 or 50 requests.
Therefore, if you do not use XML-RPC, then you should disable it. This can be handled by a firewall if you’re using the web-application firewall mentioned above.
Hide wp-config.php and .htaccess files
While hiding your site’s .htaccess and wp-config.php files to prevent hackers from accessing them is a sophisticated method for boosting your site’s security, it’s a smart practice if you’re serious about your security.
We strongly advise experienced developers to adopt this option, since it’s critical to take a backup of your site first and continue with caution. Any error might render your website unavailable.
After you’ve made a backup, there are two things you need to perform to hide the files:
To begin, add the following code to your wp-config.php file:
<Files wp-config.php> order allow,deny deny from all </Files>
You’ll add the following code to your .htaccess file in a similar manner.
<Files .htaccess> order allow,deny deny from all </Files>
Although the procedure is straightforward, you should make sure you have a backup in case something goes wrong.
Remove WP version
We’ve previously discussed the WordPress upgrades. It’s now also logical to keep your WordPress version hidden from hackers.
I’m curious as to how they can see the WordPress version you’re on, given that you have the login credentials.
Hackers may easily check the WordPress version by looking at the source page. All they have to do now is
CTRL F – right-click (on the webpage) – View Page Source (Search for Version). It will resemble the tag seen below.
Enable a Web Application Firewall
You’re probably aware with the concept of a firewall, which is a programme that helps to protect your computer from various types of malicious attacks. You almost certainly have a firewall installed on your PC.
A Web Application Firewall (WAF) is a type of firewall that is specifically designed to protect websites. Servers, particular websites, or large groups of websites can all be protected.
A web application firewall (WAF) on your WordPress site will act as a firewall between your site and the rest of the internet. A firewall watches for suspicious behaviour, detects assaults, viruses, and other unwelcome occurrences, and blocks anything it deems dangerous.
Install SSL Certificate
SSL, or Secure Sockets Layer, is now widely used for all types of websites. Initially, SSL was required to make a website safe for specific processes, such as payment processing. Today, however, Google has realised its significance and gives SSL-enabled websites a higher ranking in its search results.
SSL is required for any site that handles sensitive data, such as passwords or credit card numbers. All data between the user’s web browser and your web server is transferred in plain text if you don’t have an SSL certificate.
Hackers may be able to read this. Using an SSL encrypts important information before it is sent between their browser and your server, making it more difficult to read and increasing the security of your site.
The average SSL pricing for websites that accept sensitive information is roughly $70-$199 per year. You don’t need to pay for an SSL certificate if you don’t accept any sensitive data. Almost every hosting provider provides a free Let’s Encrypt SSL certificate that you can use to secure your website.
Say No to Nulled Themes
A premium WordPress theme looks more professional and offers more customization options than a free theme. Regardless, it is difficult to argue you get what you pay for with a free theme.
All premium themes are designed by highly experienced developers and are tested before they are published. If something does go wrong with your site, you can get full support. There are no restrictions on customizing a theme. Furthermore, updating a theme is regular.
There are some sites that offer nulled or cracked themes as well. Nulled themes are versions of premium themes that have been hacked, and are available illegally. This can put your site at risk. Malicious codes hidden within these themes could wreck your website and database or steal your login credentials.
Although one might be able to save a bit of money, it is important that any website owner avoids using those nulled WordPress themes.
Regular Updating the WordPress Version
The most effective way to keep your WordPress website secure is to keep it up to date. A few changes are often made with every update, including security updates. Updating your software regularly can prevent you from becoming a target for exploits and loopholes hackers are known to take advantage of to get access to your site.
The same reasons apply to updating plugins and themes.
Minor updates are automatically downloaded by WordPress by default. Updates that require major changes, however, have to be done directly through your WordPress admin dashboard.
Change Database Table Prefix
You may have noticed a dialogue window asking for a certain prefix to begin something like wp_ while installing WordPress on your servers. That is what it implies. This is the database for your WordPress site. The name of the folder is wp_.
It’s no surprise that whatever is common may be deduced by so-called hackers. It’s also a good idea to modify the prefix of anything you’ve created. Anything goes in mywpsite_, friendswp_, and so forth.
I can simply achieve this by accessing your website’s database. However, if you are unfamiliar with all of the technical details, plugins are always available.
Install Best WordPress Security Plugin
There are several security plugins for WordPress, both free and premium. And it’s a great choice to install one of the plugin for your WordPress website.
In this guide, we will see how we can create a rock solid security environment around our WordPress site through Defender Pro built by WPMU DEV.
Defender Pro highlight features
Defender’s powerful WordPress security barriers and cloaking technologies against hackers, brute forcers, and harmful bots.
- Security checks on a regular basis
- Geolocation IP lockout
- Masking and safeguarding of logins
- Logging of Audits
- Authentication using two factors
- Monitoring of the Blocklist
- Reports on vulnerabilities
- Restoring and repairing changed files
Install Defender Pro WordPress plugin
After installing Defender Pro, you will find categorized option available, which is easy to understand even for the beginner.
Dashboard, Recommendations, Malware Scanning, Audit Logging, Firewall, WAF, 2FA Tools, Settings, Tutorials.
Once you complete the scan, you will see a screen like this in Defender Pro Dashboard.
When the site finds a security issue, the plugin provides an advice on how to proceed with the remedy. That’s interesting one.
Defender Pro takes things a step further by providing thorough, actionable suggestions that are tailored to the site and address current and future risks.
What makes these suggestions stand out is that you can fine-tune the action you take.
If you accidentally enabled “update old security keys,” you may still disable or change the reminder frequency. This maintains the site secure and up to date.
Conclusion – WordPress Security
A method for securing your WordPress site may take some time, but it will be worth it in the end. Instead of ending up saying my WordPress website hacked.
I have showed you both the methods for DIY users and also the plugin one. Either way, you opt for, security a WordPress website is crucial for any users.