Anyone will agree that keeping your house or office secure from thieves is of key importance. Your website requires the same, which is why your WordPress security matters. Digital thieves are invisible: you won’t see anyone “entering” the premises, yet in just a few seconds you can lose all your data, and even the access rights to your own site.
Cyber attacks are always painful and stressful. However, if you own a website that collects user information (especially credit card details), you also have a legal obligation to protect this data. The best way to deal with an attack is to prevent it, and there are numerous tools, apps and tricks you can use to make your WordPress site more secure. Here are a few important ones.
This article continues the series of steps to secure your WordPress website, and discusses the next steps for your WordPress security.
Be careful: you should not apply just one point here and there, but all of them together, to improve your WordPress security. Some points have little impact unless the others are in place as well.
How to Improve Your WordPress Security?
1. Update Everything
You wouldn’t want to eat a meal prepared out of old, spoiled ingredients, right? Why would you do that to your website then? Running your website on outdated software, plugins and themes compromises it greatly. Since most hacks these days are fully automated, run by bots that keep scanning the web for vulnerabilities to break in through, we recommend updating your CMS (WordPress for Flothemes users), themes and plugins as soon as updates are released. Just make sure to back up your site before any update, in case an error occurs during the process.
2. Back Up Frequently
Keeping backups of your website is extremely important. Getting hacked is painful, but losing your entire website is a nightmare, and the list of reasons why that may occur is long. In case the worst happens, keep everything backed up, on-site and off-site. Trust us, it’s a lot easier to restore a recent, non-corrupted version of your website than to build everything from scratch. Luckily, if you’ve invested in a good hosting provider, such as WP Engine or SiteGround, they do regular automated backups of your site. Otherwise, you can opt for a manual alternative.
3. User Name and Password
Truth be told, “admin” and “123456”, or even your mom’s birthday, are not secure usernames or passwords for your site. Also, if you find your password on this list of the Most Common Passwords of 2016, or on this one prepared by WP Engine, be sure that you can be hacked any day now by malicious hackers.
There are a few simple rules to keep in mind when coming up with a password:
- It has to be complex – using names of your pets, favorite sports teams, nicknames, etc. isn’t good enough. Sometimes even random real words aren’t good enough either. It has to be a string of random letters and digits, and there are plenty of password generating tools available on the web to help you.
- It has to be unique – never reuse passwords. It needs to be unique every time, for every platform. Even if somebody hacks your email account, it shouldn’t give them access to your site, FTP, Facebook account and so on.
- It has to be long – it’s recommended to set up passwords that are at least 12 characters long. This also helps when there’s a limited number of times you can fail to log in to your site. The longer your password is, the lower the risk of being hacked.
Also, it’s recommended to change your passwords every 3-6 months, including your login credentials for your hosting and FTP.
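The rules above can be enforced on the site itself rather than left to each user. The must-use plugin below is an added example (not code from this article, Flothemes or WordPress core); it rejects new passwords shorter than 12 characters, passwords without both letters and digits, and passwords found on a short deny list that is constructed here to stand in for the common-password lists linked above.

```php
<?php
/**
 * Plugin Name: Minimum password policy (added example, not a Flothemes or WordPress file)
 * Save as wp-content/mu-plugins/password-policy.php; mu-plugins load without activation.
 */
const MPP_MIN_LENGTH = 12;  // the article's "at least 12 characters" rule

// Constructed, deliberately short deny list; a real one would be loaded from a
// common-passwords file such as the ones linked above.
const MPP_DENY_LIST = array( '123456', 'password', 'password1234', 'qwerty123456', 'admin' );

// Returns an error message for a weak password, or null when it passes every rule.
function mpp_password_error( $password ) {
    if ( in_array( strtolower( $password ), MPP_DENY_LIST, true ) ) {
        return 'That password appears on lists of the most common passwords.';
    }
    if ( strlen( $password ) < MPP_MIN_LENGTH ) {
        return sprintf( 'Passwords must be at least %d characters long.', MPP_MIN_LENGTH );
    }
    if ( ! preg_match( '/[a-z]/i', $password ) || ! preg_match( '/[0-9]/', $password ) ) {
        return 'Passwords must mix letters and digits.';
    }
    return null;
}

// Adds the policy violation to the WP_Error object WordPress is about to display.
function mpp_validate( $errors, $password ) {
    $message = mpp_password_error( $password );
    if ( null !== $message ) {
        $errors->add( 'weak_password', $message );
    }
}

// Profile edits and users created in wp-admin: the new password is in $user->user_pass.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $user->user_pass ) ) {
        mpp_validate( $errors, $user->user_pass );
    }
}, 10, 3 );

// Password resets from the login screen: the new password is posted as pass1.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( isset( $_POST['pass1'] ) && '' !== $_POST['pass1'] ) {
        mpp_validate( $errors, wp_unslash( $_POST['pass1'] ) );
    }
}, 10, 2 );
```

Existing weak passwords are not affected until their owners change them, so combine this with the periodic password change recommended above.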
4. Limit Login Attempts
Generally, WordPress doesn’t limit the number of times you can try to log in to your site, which gives hackers plenty of opportunity to try out different username / password combinations and force their way into your admin panel. Luckily, you can easily change this and set a fixed number of login attempts. To do so, you’ll need to download and activate a plugin called Login LockDown. Then, via your Settings tab, access the Login LockDown plugin and fill in your preferences: Max Login Retries, Retry Time Period, Lockout Length, etc. It’s all fairly simple and straightforward. We suggest setting up to 5 retries, not more.
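To show what a plugin like Login LockDown does under the hood, here is an added example of the same three settings (max retries, retry window, lockout length) implemented as a must-use plugin with WordPress transients. It is not the Login LockDown plugin's code; the 15-minute window and 60-minute lockout are assumed values, and the 5-retry limit follows the suggestion above.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example, not the Login LockDown plugin)
 * Save as wp-content/mu-plugins/login-limiter.php. Counters live in WordPress
 * transients, so they survive across requests without a custom table.
 */
const LAL_MAX_RETRIES  = 5;     // the "5 retries, not more" suggested above
const LAL_RETRY_WINDOW = 900;   // assumption: failures are counted within 15 minutes
const LAL_LOCKOUT      = 3600;  // assumption: a locked-out client waits 60 minutes

// Counters are keyed per client IP. Behind a proxy or CDN, REMOTE_ADDR is the proxy,
// so configure the real client IP there before relying on this.
function lal_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}
function lal_key( $suffix ) {
    return 'lal_' . $suffix . '_' . md5( lal_ip() );
}
function lal_is_locked() {
    return false !== get_transient( lal_key( 'lock' ) );
}

// Refuse the login while a lockout is active. Priority 30 runs after WordPress's own
// password check (priority 20), so even a correct password cannot override the lock.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( lal_is_locked() ) {
        return new WP_Error( 'too_many_retries',
            'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}, 30, 3 );

// Count each failure; on the fifth one, start the lockout and log it for the admin.
add_action( 'wp_login_failed', function ( $username ) {
    if ( lal_is_locked() ) {
        return;  // already locked out; do not keep extending the window
    }
    $fails = (int) get_transient( lal_key( 'fails' ) ) + 1;
    set_transient( lal_key( 'fails' ), $fails, LAL_RETRY_WINDOW );
    if ( $fails >= LAL_MAX_RETRIES ) {
        set_transient( lal_key( 'lock' ), time(), LAL_LOCKOUT );
        delete_transient( lal_key( 'fails' ) );
        error_log( sprintf( 'Login lockout for %s after %d failures (last username "%s")',
            lal_ip(), $fails, $username ) );
    }
} );

// A successful login clears the failure counter.
add_action( 'wp_login', function () {
    delete_transient( lal_key( 'fails' ) );
} );
```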
5. Security Applications
While these are not 100% hacker proof, life is definitely a lot better with them. Whether you opt for a free or a paid security plugin, both types will provide an additional layer of protection to your site. Security plugins make you more resilient to automated cyber attacks, which usually scan the web looking for loopholes and vulnerabilities.
A few plugins to consider:
- WordFence – one of the most popular WordPress security plugins. It checks your website daily for malware infections, scanning all the files of your WordPress core, theme and plugins. If it finds any kind of infection, you’ll get a notification via email. It’s great for preventing brute force attacks and malware infections.
- iThemes Security – with one click installation, you can stop automated attacks and protect your website. It will also fix various common security holes in your website. It tracks registered users’ activity and adds two-factor authentication, import/export settings, password expiration, malware scanning, and various other things.
- MalCare – a WordPress Malware Scan and Protection Solution from BlogVault, with an easy setup process, automated scan & removal features. MalCare scans the website on its own servers and hence, there is no load on your server resources, and your website keeps running fast & smooth.
- BulletProof Security – another plug-in with one-click installation. It adds firewall security, database security, login security and more. A great all rounder for monitoring your site security.
- Sucuri – a globally recognized authority in all matters related to website security, specializing in WordPress security. They offer both help for those who have already been hacked and protection against cyber attacks; both are paid but incredibly valuable products. You can also try their free WP security scanner for a full audit of your site’s current security state.
These are just a few great tools available out there for you to test. There’s plenty more. Just remember the advice mentioned above in the “Plugins” section about downloading from trustworthy sources, and paying attention to the number of installs and updates history.
6. Use HTTPS (SSL Certificate)
Before we dive deeper into this one, let us state two facts clearly: 1. An SSL certificate will not make your website more secure against hacking attempts. 2. Unless you have a payment system or a user database incorporated into your site (meaning users have an account and share any type of personal information on your site, especially card/financial details), you don’t really need an SSL certificate.
An SSL certificate ensures a secure, encrypted connection between a browser (your site visitor) and a server (your website), protecting the important details exchanged during each session, such as credit card or passport details. Thus, if your users do not share any sensitive data with your site, the need for HTTPS is rather minimal.
7. Hide Your Admin Page
Change the URL of your login page. To hack your website, a hacker needs to find your login page first. If you hide it from search engines and keep it out of their index, those with malicious intentions will have a hard time finding a potential entry point. One way to do this is to simply modify your login page URL, which you can do with the WPS Hide Login plugin or the Protect WP-Admin plugin.
8. WP Database Prefix Should Be Changed
Most likely, your WordPress site uses the default wp_ prefix for all tables in your database, which makes them easily guessable for hackers. To strengthen your site’s security, we recommend changing this, though if it is not performed properly you risk breaking your site.
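The part that usually breaks the site is that the prefix is stored not only in table names but also inside a few option and user meta keys. The one-off script below is an added example (not a WordPress or Flothemes tool) that performs all three steps; the new prefix 'k3r9_' and the file name change-prefix.php are assumed values.

```php
<?php
/**
 * One-off table prefix migration (added example, not a WordPress or Flothemes tool).
 * Run from the WordPress root with: php change-prefix.php
 * Take a full database backup first; nothing here is reversible from inside WordPress.
 */
$old_prefix = 'wp_';
$new_prefix = 'k3r9_';  // assumption: any short value of letters, digits and underscores

// Boot WordPress so $wpdb (still configured with the old prefix) is available.
require __DIR__ . '/wp-load.php';
global $wpdb;
if ( $wpdb->prefix !== $old_prefix ) {
    exit( "Expected prefix '{$old_prefix}' but wp-config.php uses '{$wpdb->prefix}'; aborting.\n" );
}

// 1. Rename every table that starts with the old prefix (core and plugin tables alike).
$tables = $wpdb->get_col( $wpdb->prepare( 'SHOW TABLES LIKE %s', $wpdb->esc_like( $old_prefix ) . '%' ) );
foreach ( $tables as $table ) {
    $renamed = $new_prefix . substr( $table, strlen( $old_prefix ) );
    $wpdb->query( "RENAME TABLE `{$table}` TO `{$renamed}`" );
}

// 2. The step people forget, and the reason the site "breaks": some row keys embed
//    the prefix too (wp_user_roles in options; wp_capabilities and wp_user_level in
//    usermeta). Without this, every user loses their role and wp-admin locks you out.
$offset = strlen( $old_prefix ) + 1;           // SUBSTRING() positions are 1-based
$like   = $wpdb->esc_like( $old_prefix ) . '%';
$wpdb->query( $wpdb->prepare(
    "UPDATE `{$new_prefix}options` SET option_name = CONCAT(%s, SUBSTRING(option_name, %d))
     WHERE option_name LIKE %s",
    $new_prefix, $offset, $like
) );
$wpdb->query( $wpdb->prepare(
    "UPDATE `{$new_prefix}usermeta` SET meta_key = CONCAT(%s, SUBSTRING(meta_key, %d))
     WHERE meta_key LIKE %s",
    $new_prefix, $offset, $like
) );

// 3. Finish by hand: set $table_prefix = 'k3r9_'; in wp-config.php, then log in and
//    check that your administrator account still has its role.
printf( "%d tables renamed to prefix '%s'. Now update \$table_prefix in wp-config.php.\n",
    count( $tables ), $new_prefix );
```

Plugins that store their own table names in options rather than building them from $wpdb->prefix may still need a reconfiguration afterwards, which is why the backup in step 2 above matters here.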
The Bottom Line
As the steps above show, WordPress security is not as simple as setting up backups and keeping everything updated. There are many more steps to take, and you will have to pay attention to them for the entire life of your WordPress site.
But you can also see that securing a site is not impossible. Still, 100% absolute security does not exist and never will, whether for a website or for anything else in the world. If you have any problem, you can share it in the comment section below. We are all ears!