Did you know there are over 90,978 attacks on WordPress websites every minute? Luckily, even though this number sounds huge, if you follow some basic security rules you can prevent the majority of these attacks and make your website a far harder target.
Or at least make it so hard to break in that attackers would rather move on to one of the thousands of poorly secured sites. That is not as hard as it sounds, because most attacks are opportunistic: automated vulnerability scanners look for known weaknesses, and the attack follows only where the scanner finds one. So, how do you raise your WordPress site security? Here are 8 essential tips.
1. Keep Your WP Installation, Themes and Plugins Updated
A no-brainer, but a frequently ignored one. According to WordPress.org, a third of all WordPress websites haven’t been updated to the latest version. On top of that, almost two thirds of web hosts run a PHP version older than 7.0. An outdated WordPress installation and outdated server software (PHP in particular) pose a serious threat to your site, because attackers try to get in through vulnerabilities that have already been patched upstream.
In fact, if you keep your themes, plugins and WordPress itself up to date, you will be more secure than an estimated 75% of legitimate sites, since three in four are estimated to contain unpatched vulnerabilities. Luckily, getting the latest versions of your plugins, themes and WordPress core is straightforward: a few clicks under Dashboard > Updates.
Ensuring that your server runs a current PHP version can be more time-consuming. The simplest route is to ask your hosting support for a guide on upgrading it yourself, or to have them upgrade it for you. Before switching, check that your theme and plugins support the new PHP version, ideally on a staging copy of the site, as an old plugin can break on a newer PHP.
2. Install a Malware Scanner and Firewall
If you thought that only your PC can be affected by malware and brute-force attacks, you could not be more wrong. Not only can WordPress be affected, it is in fact the most frequently infected website CMS, which most likely has a lot to do with its popularity.
The good news is that there are many free and paid firewalls and malware scanners for WordPress. One of the most popular is Wordfence Security, which offers both malware scanning and a web application firewall, and comes in free and paid versions. Keep in mind that a plugin-level firewall runs inside PHP on the same server, so it complements, rather than replaces, keeping everything patched.
3. Get a VPS and Turn It into a Fortress
Compared to shared hosting, a VPS lets you control every aspect of its configuration. That way you can not only make your website faster but also make sure that its hosting environment, the server itself, is properly secured.
On an unmanaged VPS it’s up to you to choose the OS (pick a distribution with long-term security support and keep it patched), the firewall and the other software you install, such as malware scanners, which you should run both inside WordPress and on the server itself.
Moreover, with WordPress installed on a VPS where you have root access, it’s easy to change things such as the MySQL password, rename WordPress folders and reconfigure its files to reduce the chance of a successful attack. Some of that can also be done with security plugins, but on your own server you control the whole stack, not just the application.
Naturally, to reap all the benefits of a virtual private server (speed, flexibility and scalability, to name a few), rent it from a provider that offers several pricing tiers that are easy to upgrade should you need more resources.
4. Hide /wp-admin and your WordPress installation
Why tell the world you are running WordPress in the first place? While it’s a great content management system, you don’t have to advertise it, especially since doing so hands a potential intruder valuable information. For example, unless you hide WordPress, websites such as What WordPress Theme is That? disclose not only the theme you use but also some of your plugins, and a known plugin version is a known list of vulnerabilities to try. It’s like telling the hacker: hey, this is how you can get inside.
So, how do you hide your WP site information from the prying eyes of potential intruders? Fortunately, you don’t need any technical skills at all. Where there is demand, there are WordPress plugins, the most popular being Hide My WP by the wave, which can hide your login page and make the details of your WordPress installation invisible (unfortunately, there is no free version). Treat this as a deterrent against scanners, not a fix: a vulnerable plugin is just as exploitable when its name is hidden, so this tip never replaces tip 1.
Alternatively, you can get the free version of iThemes Security, which doesn’t provide as many hiding options (although it lets you hide the login page) but comes with many other security features.
5. Change Your WP Username and Keep It Hidden
Just like you shouldn’t use the word password as your actual password, leaving the default WordPress username admin can have dire consequences. After all, it’s the first username any brute-force script will try, so by keeping it you hand the attacker half of the credentials for your admin account.
How to change it? There are two ways: look for a plugin that does it for you, or go the manual way. Personally, I prefer the latter, as it’s just as quick and easy and anyone can do it. But because WordPress doesn’t offer an out-of-the-box option to rename a user, you need a small workaround. First, log into your site and go to Users > Add New.
Once there, enter the username of your new admin account and make sure you set the user role to Administrator. Then click Show password and either keep the generated (strong) password or replace it with a strong one of your own.
After the user is created, log out and log in as the new user. Go to Users > All Users and delete the old admin account; when WordPress asks what to do with its content, attribute it to another user rather than deleting it. But that’s not all. You need an account to publish your posts with, right? Don’t publish as the administrator: with pretty permalinks, the author archive URL (/author/<name>/) contains the author’s slug, which defaults to the login name, so every post published as the admin reveals the admin username (unless you change the slug). Instead, create a separate account with a role that lacks administrator capabilities, such as Author or Editor.
Once done, set the author of all existing posts to the new user (All Posts > Quick Edit under each article, or Bulk Actions > Edit to change many at once).
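After renaming the account and moving the posts, it is worth checking that the old and new login names really are no longer visible. The small audit below is an added example, not code from the article or from any of the plugins it mentions. It tests the two channels a default install leaks usernames through: the `/?author=N` request, which WordPress answers with a redirect to `/author/<slug>/`, and the public REST endpoint `/wp-json/wp/v2/users`, which lists every user who has published a post. The `fetch` callable, the `example.test` hostname, and the two simulated sites are assumptions of the example so it runs offline; point `fetch` at a real site to audit it.

```python
"""Check whether a WordPress site leaks its login names.

Added example for the tip above; not the article's or any plugin's code.
`fetch` is an assumption of this example: a callable returning
(status, headers, body) for a site-relative path, so the audit can run
against the constructed responses below instead of a live site.
"""
import json
import re
from typing import Callable, Dict, Optional, Set, Tuple

Response = Tuple[int, Dict[str, str], str]
Fetch = Callable[[str], Response]

# /author/<slug>/ ; the slug is user_nicename, which defaults to the login name
AUTHOR_SLUG_RE = re.compile(r"/author/([^/?#]+)")


def username_from_author_redirect(location: Optional[str]) -> Optional[str]:
    """?author=N is answered with a 301 to the author archive on a default install."""
    if not location:
        return None
    match = AUTHOR_SLUG_RE.search(location)
    return match.group(1) if match else None


def usernames_from_rest_users(body: str) -> Set[str]:
    """/wp-json/wp/v2/users lists users with published posts; 'slug' is the nicename."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return set()
    if not isinstance(data, list):
        return set()
    return {u["slug"] for u in data if isinstance(u, dict) and isinstance(u.get("slug"), str)}


def audit_user_leaks(fetch: Fetch, max_author_id: int = 5) -> Dict[str, Set[str]]:
    """Return the login names exposed by each channel; empty sets mean nothing leaked."""
    via_redirect: Set[str] = set()
    for uid in range(1, max_author_id + 1):
        status, headers, _ = fetch(f"/?author={uid}")
        if status in (301, 302):
            name = username_from_author_redirect(headers.get("Location"))
            if name:
                via_redirect.add(name)

    status, _, body = fetch("/wp-json/wp/v2/users")
    via_rest = usernames_from_rest_users(body) if status == 200 else set()
    return {"author_redirect": via_redirect, "rest_users": via_rest}


# --- constructed responses standing in for two sites (not real captures) ---

def leaky_site(path: str) -> Response:
    """Default install where the admin publishes posts: both channels expose 'admin'."""
    if path == "/?author=1":
        return 301, {"Location": "https://example.test/author/admin/"}, ""
    if path == "/?author=2":
        return 301, {"Location": "https://example.test/author/editor/"}, ""
    if path == "/wp-json/wp/v2/users":
        users = [{"id": 1, "name": "Site Admin", "slug": "admin"},
                 {"id": 2, "name": "Editor", "slug": "editor"}]
        return 200, {"Content-Type": "application/json"}, json.dumps(users)
    return 404, {}, "Not found"


def hardened_site(path: str) -> Response:
    """Author archives disabled and the users endpoint restricted to logged-in users."""
    if path == "/wp-json/wp/v2/users":
        return 401, {}, json.dumps({"code": "rest_forbidden"})
    return 404, {}, "Not found"


if __name__ == "__main__":
    print("leaky:", audit_user_leaks(leaky_site))
    print("hardened:", audit_user_leaks(hardened_site))
```

When running this against a live site, fetch each path without following redirects (Python's `urllib` follows them by default, so the `Location` header would otherwise be lost) and keep `max_author_id` small; the point is to confirm your own site returns nothing, not to enumerate someone else's.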
6. Secure Existing WordPress User Accounts
Do you work with virtual assistants or have employees who can access your WordPress website? If so, it’s best not to give them access to all plugins and data. After all, they probably don’t need to configure every plugin on your site and, unless they are a trusted developer, they most definitely shouldn’t have access to the theme editor. How do you restrict their access? The simplest way is to give their accounts one of the default roles: Contributor, Author or Editor.
But what if you want to restrict them more than these roles do, while giving them access to parts of the site the default roles don’t provide? In that case, you can use a free plugin such as User Role Editor, which lets you create new roles and choose exactly which capabilities they have.
7. Monitor Activity Through Audit Log
And what if you can’t restrict your users from accessing most of the sensitive parts of your website, but would at least like to know who changed what, in case anything goes wrong? For a comprehensive audit log, install WP Security Audit Log. Its free version is more than enough to give you a convenient overview of what your employees and VAs are doing.
8. Make Login More Secure Using Google Authenticator
Speaking of users, there is one more thing you can do to make your site even more secure. Imagine your WordPress credentials (or those of your employees) being stolen. Depending on the user’s role, an intruder could then take over the whole site. To prevent that, add two-factor authentication to the login. The easiest way is the Google Authenticator plugin, which uses time-based one-time codes (TOTP), so any TOTP app can hold the secret. Once that’s done, even if someone gets a username and password, they can’t log in without the six-digit code that changes every 30 seconds.
As you can see, even though WordPress is the most frequently attacked of the popular content management systems, it’s not that hard to minimize the most common risks and secure the most exposed parts of your website.
If you follow the above tips, stay cautious when giving others access to your site and keep every component up to date, your website, and with it your business, will be far harder for an intruder to break into. Not to mention how much you save by preventing a breach instead of cleaning one up.