WordPress remains the most widely used open-source content management system for building websites of every kind. Its popularity rests on its flexibility and ease of use, and for years it has helped millions of businesses get online and grow. That same popularity makes it one of the prime targets for attackers and ne'er-do-wells: one shared code base means one exploitable weakness works against a very large number of sites.
As long as there are websites, there will be people trying to break into them. According to a report released in 2017, over 1.5 million WordPress websites were hacked, mainly through easily avoidable security gaps. Talking from experience, I have also had my website hacked. Honestly, it was a pain in the butt. But I kept a good attitude and saw it as a time to have my WordPress website redesigned. Not only that, I added different security measures to further keep it safe from hackers.
Many WordPress websites are poorly secured, which makes them easy to break into; once inside, attackers hijack traffic and steal whatever data the site holds. The WordPress team ships security fixes regularly, but those fixes do nothing for you unless you apply them and take some basic precautions of your own.
To do this, bestvpn says there are various steps you can take. Some are common sense for any website, such as choosing a strong password and secure hosting; others are specific to WordPress.
Why Is WordPress website Security So Important?
A hacked website can seriously damage your business and your online reputation. Attackers can steal personal information and passwords, send spam in your name, plant malware on your site to infect your visitors, or deface it and render it useless.
If you want to keep your website and your business running, securing your WordPress site against the likely attacks is far cheaper than recovering from one.
So Now, How Can You Secure Your WordPress Website Against All Unauthorized Access?
In no particular order, here are some things you can do right away to keep your WordPress website safe and secure:
Choose the right Web Hosting and Server
A well-secured server protects the integrity and confidentiality of your site, so where you host matters a great deal. No host can "take care of all vulnerabilities"; what you want is one that keeps the server stack (operating system, web server, PHP, database) patched promptly, isolates customers from each other, and can tell you what it does when a vulnerability is announced.
If you are on a shared server, ask your host what isolation and security measures are in place. Also look for a host that offers reliable backups and will restore your WordPress site if it is compromised.
Weekly and monthly backups are the minimum. Some hosts also provide nightly and incremental hourly backups; with incremental backups you can roll the site back to how it looked a few hours earlier without losing much. Whatever the schedule, confirm that a restore has actually been tested.
Be Careful with User Uploads
There is nothing wrong with letting users upload pictures, avatars and other files, but an upload form is also the easiest way for an attacker to get a malicious script onto your server. Validate every submitted file before storing it (allow-list extensions and MIME types, never trust the client-supplied file name), and make sure nothing in the uploads directory can ever be executed as PHP.
Secure your computer against viruses and malware
Malware, spyware and other malicious software can reach your computer by download, email attachment or removable media. A keylogger or a stolen browser session on your own machine hands your website to an attacker no matter how well the server is hardened. Keep your operating system and browser updated, run an up-to-date anti-malware suite and a firewall, and do not store your site credentials in plain text.
Secure your admin access
Older WordPress versions and some one-click installers created the first administrator with the username "admin", and many people never change it. Create a new administrator with a unique username, log in as that user, and delete the old generic "admin" account, reassigning its posts to the new account. Installers such as Fantastico let you choose a unique username and password during installation, which is easier than fixing it afterwards. Either way, NEVER use "admin" as the admin username or "password" as the password: that pair is the first thing every brute-force script tries. Note that WordPress does not let you rename a user from the dashboard, so "changing the username frequently" is not practical; a unique username, a strong password and rate-limited logins are what actually stop guessing.
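Replacing the old "admin" account from the command line with WP-CLI, as an added example that is not from the original article. It assumes WP-CLI (`wp`) is installed and run from the WordPress root, and the username, email and password in the usage comment are placeholders:

```shell
# Added example: replace the default "admin" account with WP-CLI.
# Assumes `wp` is on PATH and is run from the WordPress root, or that
# WP="wp --path=/var/www/example" is set before calling. Not from the post.
: "${WP:=wp}"

replace_admin_user() {
  new_login="$1"; new_email="$2"; new_pass="$3"

  # Create the replacement administrator. --porcelain prints only the new
  # user's numeric ID, which is needed for the reassignment below.
  new_id=$($WP user create "$new_login" "$new_email" \
             --role=administrator --user_pass="$new_pass" --porcelain) || return 1

  # Deleting a user without --reassign deletes that user's posts too; hand
  # everything the old "admin" account owns to the new account instead.
  $WP user delete admin --reassign="$new_id" --yes
}

# Usage (placeholders). Confirm you can log in as the new user before running.
#   replace_admin_user site_owner_7 owner@example.com "$(openssl rand -base64 24)"
```

The reassignment step is the part people miss when doing this in the dashboard: WordPress asks what to do with the old user's content on deletion, and choosing "delete all content" removes every post the old account authored.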
Protect Your Web Forms
Attackers also probe contact forms: they fill the name, email and message fields with HTML, JavaScript or email-header injection strings, hoping the form plugin echoes them unescaped onto a page or into an outgoing mail. Use a maintained form plugin and keep it updated, make sure every field is validated and escaped, and have an expert review any custom-built forms.
Create a strong password
Some people are gradually learning the need for strong passwords, but many still use something like "mypassword" or reuse one password across all their online accounts. Attackers run automated tools that try dictionary words, leaked passwords and simple variations against login pages, from email to online banking, and such passwords fall in seconds.
How do you stop them from easily gaining access to your WordPress website? One vital step is a strong, unique password that their scripts cannot guess. Length matters most; mixing numbers, upper- and lower-case letters, spaces and special characters also helps.
Here are tips on how to create a secure password:
- Do not use dictionary words, dates, names or phone numbers
- Use at least eight characters, and preferably far more; a long passphrase beats a short jumble
- Combine letters, numbers and symbols
- Generate passwords with a password manager or a random generator that runs locally, rather than an online web page that sees the password it produces
- Although it can be a pain, change your hosting account password periodically, and immediately if you suspect it has been exposed
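A local generator and a checker for the rules above, as an added example that is not from the original article; the short denylist of common words is constructed for illustration:

```shell
# Added example, not from the original post: generate and check passwords
# locally so nothing leaves your machine.
export LC_ALL=C   # make [a-z] etc. mean ASCII ranges regardless of locale

# Return 0 if $1 is at least 16 characters, mixes lower, upper, digit and
# symbol, and contains none of a few common words (constructed denylist).
password_ok() {
  pw="$1"
  [ "${#pw}" -ge 16 ] || return 1
  printf '%s' "$pw" | grep -q '[a-z]'        || return 1
  printf '%s' "$pw" | grep -q '[A-Z]'        || return 1
  printf '%s' "$pw" | grep -q '[0-9]'        || return 1
  printf '%s' "$pw" | grep -q '[^A-Za-z0-9]' || return 1
  lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
  for bad in password mypassword admin letmein qwerty 123456; do
    case "$lower" in *"$bad"*) return 1 ;; esac
  done
  return 0
}

# Print a random password of $1 characters (default 24) drawn from
# /dev/urandom, regenerating until password_ok accepts it.
gen_password() {
  len="${1:-24}"
  pw=""
  until password_ok "$pw"; do
    pw=$(tr -dc 'A-Za-z0-9!@#$%^&*_-' </dev/urandom | head -c "$len")
  done
  printf '%s\n' "$pw"
}
```

A password manager does the same job and also remembers the result; the point of the script is that the password is generated on your own machine from the kernel's random source.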
Never share your website login details
Do not share your admin login with anyone; give each team member their own account with the lowest role that does the job, and remove the account when they leave. If you did share a password with someone who is no longer on your team, change it. The risk is usually not that a former colleague does something malicious but that their computer gets compromised and every password stored on it goes with it; that kind of theft is very hard to trace.
Protect your email
Make sure no one else can get into your email account. A strong WordPress password is useless next to a weak email password: the "Lost your password?" link on the login page sends a reset link to the administrator's email address, so whoever controls that mailbox can reset your WordPress password and take over the site. Use a strong, unique password and two-factor authentication on the mailbox, change the password if you suspect it has been exposed, and be careful about whose computer you use to read your email.
Stop users from browsing your WordPress directories
Add "Options -Indexes" to the .htaccess file in the directory where WordPress is installed. This turns off directory listings on Apache, so a request for a directory that has no index.php or index.html returns 403 Forbidden instead of a list of its files (plugin versions, stray backup archives, uploads). On nginx .htaccess is ignored; the equivalent setting is autoindex off, which is the default.
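The two .htaccess rules discussed above (blocking script execution under uploads, from the "Be Careful with User Uploads" section, and disabling directory listings here), as an added example that is not from the original article. It assumes Apache 2.4 with AllowOverride enabled for the site; on Apache 2.2 the deny line would be `Deny from all` instead:

```shell
# Added example (not from the original post): Apache .htaccess hardening.
# Assumes Apache 2.4 with AllowOverride enabled for the site.

# Append "Options -Indexes" to the root .htaccess once, so a directory with no
# index file returns 403 instead of listing its contents.
disable_directory_listing() {
  ht="$1/.htaccess"
  touch "$ht"
  grep -q '^Options -Indexes' "$ht" || printf 'Options -Indexes\n' >> "$ht"
}

# Refuse to execute anything PHP-like under wp-content/uploads: an attacker
# who smuggles "avatar.php" past an upload form gets a 403, not a shell.
block_php_in_uploads() {
  up="$1/wp-content/uploads"
  mkdir -p "$up"
  cat > "$up/.htaccess" <<'EOF'
# Never execute scripts from the uploads directory.
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
  Require all denied
</FilesMatch>
EOF
}

# Return 0 if both rules are in place under the WordPress root $1, else 1.
htaccess_hardened() {
  grep -q '^Options -Indexes' "$1/.htaccess" 2>/dev/null &&
    grep -q 'Require all denied' "$1/wp-content/uploads/.htaccess" 2>/dev/null
}

# Usage: disable_directory_listing /var/www/example; block_php_in_uploads /var/www/example
```

On nginx the same two rules go in the server block: `autoindex off;` (the default) and `location ~* ^/wp-content/uploads/.*\.php$ { deny all; }`.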
Keep up with WordPress updates
Keeping WordPress updated is the simplest thing people fail to do. Software is updated for several reasons: to improve compatibility, fix bugs, add features, and close security holes. Security alone is reason enough; keeping WordPress up to date is vital.
WordPress shows available updates in the admin area under Dashboard > Updates, and each release lists what changed. If the notes mention vulnerability fixes or security enhancements, apply the update immediately; it takes a few clicks. Since WordPress 3.7, minor and security releases install automatically unless automatic updates have been disabled, so check that they are still enabled on your site.
Keep Your Plugins and theme Up to Date
Plugins are one of the best things about WordPress: they add almost any capability you can think of. They are also the largest source of compromise, because each one is third-party code running with the full privileges of your site, and many contain vulnerabilities and bugs that attackers exploit. Tens of thousands of plugins are available and not all of them are maintained. Update plugins the moment an update is released, install only what you need from reputable authors, and prefer plugins that are actively maintained.
How do I know if any plugin updates are available?
Log in to the admin area; a number in an orange-red circle next to "Plugins" in the left menu shows how many updates are available. Click "Plugins" to see which ones, and update them from there or from Dashboard > Updates.
WordPress also has plugins whose whole purpose is security. Some of these plugins that I run on my WordPress websites (and suggest that you install) include:
- Secure WordPress: wordpress.org/extend/plugins/secure-wordpress/
- WP Security Scan: wordpress.org/extend/plugins/wp-security-scan/
- Login LockDown: wordpress.org/extend/plugins/login-lockdown/
Login LockDown, for example, defends against password guessing by recording failed login attempts per IP address range and blocking further attempts from that range once a threshold is passed within a short window. Note that brute-force tools also go through xmlrpc.php, which is not the login form, so a rate limit on wp-login.php alone does not cover everything. Before installing any security plugin, check when it was last updated; an abandoned security plugin is itself a risk.
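The signal a login rate limiter acts on, pulled straight from the Apache access log, as an added example that is not from the original article. The log lines are constructed for illustration; the detection rule is that a POST to /wp-login.php returning 200 means WordPress re-rendered the login page (wrong password), while a successful login returns a 302 redirect:

```shell
# Added example, not from the original post: find clients hammering the login
# form in an Apache combined-format access log.

# Write a small constructed sample log to $1 (not real traffic).
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.5 - - [10/Oct/2017:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "python-requests/2.18"
203.0.113.5 - - [10/Oct/2017:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "python-requests/2.18"
203.0.113.5 - - [10/Oct/2017:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "python-requests/2.18"
203.0.113.5 - - [10/Oct/2017:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "python-requests/2.18"
203.0.113.5 - - [10/Oct/2017:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "python-requests/2.18"
203.0.113.5 - - [10/Oct/2017:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "python-requests/2.18"
198.51.100.7 - - [10/Oct/2017:14:02:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2950 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2017:14:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2017:14:02:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2017:14:05:00 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
EOF
}

# Print "ip count" for every client with at least $2 failed login POSTs in
# the log file $1, sorted by IP. Field layout of the combined format:
# $1 client IP, $6 "METHOD, $7 path, $9 status.
failed_login_offenders() {
  awk -v thr="$2" '
    $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= thr) print ip, fails[ip] }
  ' "$1" | sort
}

# Usage: failed_login_offenders /var/log/apache2/access.log 5
```

In the sample, 203.0.113.5 fails six times in four seconds from a scripted client, while 198.51.100.7 mistypes once and then logs in (the 302). A threshold of five over a short window separates the two; feeding the offending addresses to a firewall is what the plugin automates.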
WordPress Firewall Plugin
This plugin inspects each web request and blocks those that look like obvious attacks: it matches suspicious-looking values (SQL and directory-traversal patterns, executable uploads) against allow- and deny-lists depending on which field of the request they appear in. A web application firewall catches known attack patterns; it is a layer in front of patching, not a substitute for it.
Use an SSL (TLS) Certificate
If your WordPress site has a membership area, a shopping cart, or any form that collects sensitive information, install a TLS certificate (still commonly called an SSL certificate, after the older Secure Sockets Layer protocol) and serve the whole site over HTTPS. TLS encrypts data in transit between the browser and your web server, so an attacker on the network cannot read or tamper with passwords, session cookies and form submissions. Set FORCE_SSL_ADMIN to true in wp-config.php so the login page and admin area are never served over plain HTTP, and redirect all HTTP requests to HTTPS. Beyond the protection itself, the padlock reassures customers, and many will not buy from a site without it.
Delete Unnecessary Files
Delete any plugins you have deactivated and are not using. A deactivated plugin's files remain on the host server and are still reachable over HTTP, so a flaw in one of them can be exploited even though it is "off". Remove them from the Plugins screen (Delete) or from the file system so there is nothing left to attack.
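The update-and-prune routine from the WordPress, plugin and unused-plugin sections above, done from the command line with WP-CLI, as an added example that is not from the original article. It assumes WP-CLI (`wp`) is installed and run from the WordPress root; the integrity check at the end is an addition that compares installed files with the official checksums:

```shell
# Added example, not from the original post: keep core, plugins and themes
# current with WP-CLI. Assumes `wp` is on PATH and run from the WordPress
# root, or WP="wp --path=/var/www/example". Back up before running.
: "${WP:=wp}"

# Core first, then the database schema, then every plugin and theme.
update_everything() {
  $WP core update && $WP core update-db
  $WP plugin update --all
  $WP theme update --all
}

# Deactivated plugins are still on disk and still reachable over HTTP, so a
# hole in one of them is exploitable even though it is "off". Delete them.
purge_inactive_plugins() {
  for p in $($WP plugin list --status=inactive --field=name); do
    $WP plugin delete "$p"
  done
}

# Compare core and plugin files against the official checksums; a modified
# or unexpected file is a strong sign the site has been tampered with.
verify_integrity() {
  $WP core verify-checksums && $WP plugin verify-checksums --all
}

# Usage: update_everything && purge_inactive_plugins && verify_integrity
```

Running verify_integrity after an update, and again on a schedule, gives you an early warning that a file was changed by something other than the update process.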
Avoid access from public wireless networks
Attackers on a public wireless network can capture traffic and harvest credentials with automated tools. Avoid logging in to your WordPress site from public Wi-Fi; if you must, make sure the whole site is served over HTTPS and use a VPN.
Protect your wp-config.php file
"wp-config.php" holds your site's vital configuration settings, most importantly the database name, username and password. Nobody should be able to read it. Under normal circumstances the web server executes the file rather than serving it, but a misconfiguration or a stray backup copy (wp-config.php.bak) can expose its contents. Two cheap extra layers: restrict its file permissions so only your account can read it, and move it one directory up from the WordPress root. WordPress looks in the parent directory automatically (as long as that directory does not hold another wp-settings.php), so the file can then no longer be fetched over HTTP at all and can only be read by someone with SSH or FTP access to the server. This only helps if the parent directory is itself outside the web root.
Lock down your directory and restrict your File permissions
Have someone technical review the read, write and execute permissions on your hosting directories so that they are as tight as the site allows. Requirements vary, but the following layout is a good starting point; grant write access only to the specific folders that need it.
- The WordPress administration area (/wp-admin/): writable only by your user account.
- The bulk of the WordPress application logic (/wp-includes/): writable only by your user account.
- Plugin files (/wp-content/plugins/): writable only by your user account.
- User-supplied content (/wp-content/): writable by your user account and by the web server process, which needs to write uploads; never world-writable.
- Theme files (/wp-content/themes/): depends on requirements. To use the built-in theme editor, the web server process needs write access; otherwise only your user account.
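Applying the permission layout above, together with the wp-config.php protection from the previous section, as an added example that is not from the original article. It assumes you are logged in as the account that owns the WordPress files and that PHP runs as that same user (a typical php-fpm pool or suPHP setup); if the web server runs as a different user, give it group ownership of wp-content/uploads instead of loosening the modes below:

```shell
# Added example, not from the original post. Assumes the shell user owns the
# files and PHP runs as that same user.

# Directories 755 (owner rwx, everyone else rx), files 644, and the file
# holding the database password readable by the owner only.
set_wp_permissions() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  for cfg in "$root/wp-config.php" "$root/../wp-config.php"; do
    if [ -f "$cfg" ]; then chmod 600 "$cfg"; fi
  done
  return 0
}

# Move wp-config.php one level above the web root. WordPress checks that
# directory itself, but only when it does not contain another wp-settings.php
# (which would indicate a second WordPress install), so mirror that rule.
move_wp_config() {
  root="$1"
  if [ -f "$root/wp-config.php" ] && [ ! -f "$root/../wp-settings.php" ]; then
    mv "$root/wp-config.php" "$root/../wp-config.php"
    chmod 600 "$root/../wp-config.php"
  fi
}

# Print every world-writable path under $1 (symlinks excluded); after
# hardening this should print nothing.
world_writable() {
  find "$1" -perm -o+w ! -type l | sort
}

# Usage: set_wp_permissions /var/www/example/public_html
#        move_wp_config   /var/www/example/public_html
#        world_writable   /var/www/example/public_html
```

The world_writable check is worth running on its own from time to time: installers, FTP clients and "just make it work" fixes have a habit of leaving 777 directories behind, and any of them is a place an attacker with a foothold can drop files.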
Back Up Your Website Regularly
This is the most important tip. Your site may crash, or an attacker may gain access and delete every file on the host. Do not lose heart: if you have a current backup of the database, the files, plugins, themes and media uploads, restoring the site is a matter of putting them back. Back up regularly, keep copies both on your own computer and in off-site storage, and test a restore occasionally; a backup you have never restored from is a hope, not a plan.
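A backup routine that takes both halves of a WordPress site, the database and the files, as an added example that is not from the original article. It reads the database credentials out of wp-config.php so they are not duplicated in a second file, and assumes mysqldump, tar and gzip are available on the host; the wp-config.php in the test is constructed:

```shell
# Added example, not from the original post: dump the database and archive
# the files into timestamped, owner-only backup files.

# Print the value of a define('NAME', 'value') line in wp-config.php.
# $1 = path to wp-config.php, $2 = constant name such as DB_PASSWORD.
# Values containing a quote character are not handled (rare, but check).
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\\([^'\"]*\\)['\"].*/\\1/p" "$1" | head -n 1
}

# Back up the WordPress install at $1 into the directory $2 and print the
# two archive paths. Assumes mysqldump, tar and gzip are installed.
backup_site() {
  root="$1"; dest="$2"
  stamp=$(date +%Y%m%d-%H%M%S)
  cfg="$root/wp-config.php"
  [ -f "$cfg" ] || cfg="$root/../wp-config.php"   # config may have been moved up
  db=$(wp_config_value "$cfg" DB_NAME)
  user=$(wp_config_value "$cfg" DB_USER)
  pass=$(wp_config_value "$cfg" DB_PASSWORD)
  host=$(wp_config_value "$cfg" DB_HOST)
  mkdir -p "$dest"
  # Pass the password through the environment so it never shows up in `ps`.
  MYSQL_PWD="$pass" mysqldump --single-transaction -h "$host" -u "$user" "$db" \
    | gzip > "$dest/db-$stamp.sql.gz"
  tar -czf "$dest/files-$stamp.tar.gz" -C "$(dirname "$root")" "$(basename "$root")"
  chmod 600 "$dest/db-$stamp.sql.gz" "$dest/files-$stamp.tar.gz"
  printf '%s\n' "$dest/db-$stamp.sql.gz" "$dest/files-$stamp.tar.gz"
}

# Usage: backup_site /var/www/example/public_html /home/example/backups
```

The backup files contain the database password and every uploaded document, which is why they are created owner-only; the same care applies when copying them off-site, and the copy should live somewhere an attacker who owns the web server cannot reach.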
WARNING: back up your website before any upgrade, including plugins and themes. If you are not comfortable applying updates and checking that everything still works afterwards, ask your web developer to handle it for you. Outdated software is one of the most common ways websites get compromised, so do not skip updates; just back up first.
Keeping your website secure does not take much work: a few simple steps and some discipline now save a lot of trouble later. The tips above take little time to apply and will go a long way toward keeping your site safe. And if you notice that your site has been compromised, get an expert in right away, restore from a clean backup, and change every password involved.
Did I miss some security measures? I’d be glad to know via comments.
About the Author
John Lewis is the community manager at bestvpn.uk.com, he has a passion for computing and web design, and when not in the gym enjoys cycling, swimming and rugby.