Majority of the website on the Internet are powered by WordPress. Knowing WordPress security best practices makes a huge impact on every website owner. Every week, Google blacklists around 20,000 websites from all over the web. The reasons can be malware or any other serious violation. To be able to keep your website up and running, and away from security threats, one must know how to secure a WordPress site.
Even if you are not a website developer or have little knowledge of the technical aspects of running a website, you can still make some substantial changes to improve the security of your site. There are many plugins and other practices that can get the job done. There are many WordPress security vulnerabilities that make this a seriously important issue.
WordPress as software is highly secure in itself, but it needs to be regularly audited for loopholes. There is a lot that one can do to protect your WordPress website and reduce the risk of getting flagged by search engines like Google.
Importance of Website Security
If your website gets hacked, it can get you into some serious financial trouble. The personal information like credit card numbers of your customers, or your confidential material can get stolen. The website can go down for a significant number of hours, which can hurt your business.
In worst cases, you can also find yourself in a ransom situation, where hackers regain access to your website on a frequent basis.
In the year of 2006, Google reported more than 50 million website users that were warned about their website being visited by a malicious virus that can steal information. Later the same year, Google also blacklisted around 20,000 websites for malware violation.
If your website runs your business and you depend on it financially, then you should pay special attention to your website security. It is the responsibility of the business owner to protect their physical store building and for an online business this responsibility gets even more important..
Even a basic WordPress website comes with thousands and thousands of plugins and themes. Every theme you install on your website will come with compatibility with many themes. They usually come from third-party developers, which means that they are regularly updated and released. Keeping your website and its plugins updated will also keep the security of your website updated.
User Permissions and Strong Passwords
One of the most common and popular WordPress hacking attempts that hackers make from around the world are using stolen passwords. One can make things difficult for the hackers by making use of strong passwords, which are unique for your website and is not used on any other accounts of yours. You should keep your cpanel passwords unique from your FTP accounts, WordPress hosting account, database, and other professional accounts like email addresses.
Beginners like to use easy and repetitive passwords, as they don’t find it hard to remember or usually don’t think about the hacking situation that often. You don’t have to remember strong passwords anymore. As there are plenty of professional password managers available that will help make this job easier. You can opt for Keychain Access if you are using iOS operating system, or other paid and reliable versions for other devices.
It is also a good practice to avoid giving people your backend passwords unless you have too. If you have a team or guest authors with access to your website, you can change their user roles and abilities to act on the WordPress backend.
Role of WordPress Hosting
The most important role played by your WordPress site is by its hosting service. You can pick reputed and shared hosting providers like BlueHost or SiteGround. They take special measures to protect their servers against common threats.
If you are opting for shared hosting, you basically share server resources with other customers. This means that you are at risk of cross-site contamination, which indicates that a hacker that hacks a neighboring site can access yours too.
You can opt for managed WordPress hosting providers that are a more secure platform for your website. They also offer automatic backups, WordPress updates, and more advanced configurations for security.
Easy No-Coding Steps for WordPress Security
If you are thinking about improving your WordPress site’s security manually, it can get tricky and scary. But, there are simpler ways to make your site more secure without being a techie. Here are some of the easy ways to improve the security of your website with simpler solutions.
Installing a Backup Solution
Backups are the best defense against any WordPress attack on your site. Even if nothing is 100% secure, you can get your site 100% restored after being attacked. Backups allow you to easily restore your site in case something severely bad happens.
There are multiple paid and free versions of WordPress backup plugins that you can install. You can go for automatic or manual backup programs.Cloud services from Amazon, Dropbox, and Stash are highly recommended for real-time backups. You can also install plugins like BackupBuddy and VaultPress, as they are both reliable and easy to use without coding.
Top WordPress Security Plugin
After you have done backups, the next important thing to do is to set up an auditing and monitoring system that will keep you on track with everything happening to your site. This also includes features like failed login attempts, malware scanning, and integrity monitoring. You can also install and activate various free plugins like Sucuri Security.
Activate your Sucuri in the menu available in your WordPress admin.
Generate a free API key that enables you to audit, log, integrity checking, and other necessary features. The next thing you will be required to do is to click on the hardening tab, by going to “Harden Button” and go through every option.
You can lock down the key areas that hackers might attach more often. You can also buy a paid upgrade to Web Application Firewall that is explained in the next section.
This default alert settings are cluttered your inbox with emails, so it is recommended that you customize the Email Alerts. You will receive alerts for key actions like changes in plugins, new user registration, etc. You can configure alerts from Succuro Settings and Alerts.
WordPress security plugin is a powerful tool, which you can browse through all the tabs and settings to see like Malware Scanning, Failed Login Attempts, etc.
Activating Web Application Firewall
This is the easiest way to safeguard your website with WordPress security by using WAF. All the firewall blocks all malicious traffic even before they can reach your website. You can also use Sucuri as your website firewall for WordPress.
Changing “admin” Username
A WordPress admin username is called “admin” by default and majority of users fail to change this name, as they don’t think it can pose a security threat. A hacker can take this as a sign and make hacking attempts more aggressive.
Now you can create a new admin username and delete the old one, username changer plugin, update username from phpMyAdmin.
Disabling File Editing
A Built-in code editor is available in WordPress that will allow you to edit the theme and use plugin files from your admin area. If this gets into the wrong hands, it can pose a security risk and so turning off is recommended.
Disabling PHP File Execution in Directories
This is also another way to harden your WordPress security is to disable PHP file execution in some particular directories.
Paste the following code in the text editor:
deny from all
Save this file as .htaccess and upload it to wp-content/uploads/folders on your site while using FTP client.
Limiting Login Attempts
WordPress allows users to try and login for a given number of times. This leaves the site vulnerable to several repetitive attacks, where hackers constantly try to crack passwords by logging with different combinations.
This error can be easily fixed by limiting the number of failed login attempts that a user can make. If you are using a firewall, it will automatically consider such attacks.
To limit the number of login attempts, you have to install and activate the Login LockDown plugin. Once activated, you can visit the Settings and then Login LockDown to setup the plugin.
Changing Database Prefix
WordPress uses wp_ as a default prefix for all the tables in a database. If a WordPress site is using the default database as a prefix, then hackers can easily guess the table name and hack their agendas. Changing this is recommended.
WordPress Admin and Login Page Protected by Password
The very common action taken by hackers is that they can request your wp-admin folder and login page without any restrictions. This allows the hackers to run DDoS attacks. Now you can add additional password protections on the server side, which will effectively block such requests.
Disabling Directory Indexing
Directory browsing is a common gateway used by hackers to know more about the files and their vulnerabilities. Other people to take a peep into your files and even copy images can also use it. To avoid this, you need to connect to your website via FTP and locate the .htaccess file in your root directory.
Add the following given line at the end of a .htaccess file.
When XML-RPC is enabled by default, the connecting WordPress site with web and mobile apps can get connected. It is a powerful feature in WordPress and can also imply that it is a brute-force.
Let’s say a hacker wants to attempt an access to your backend. They will try 500 different passwords, with 500 unique login attempts. At some point the login plugin will lockdown the attempts and block the hacker.
If XML-RPC is enabled, system.multicall function can be used to try 1000s of unique passwords in just 50 requests.
If you are not using XML-RPC, then disabling it is recommended.
Keeping your website’s security fully checked and in the best condition is necessary to keep your business up and running. With these simple hacks, you can easily protect your site from aggressive hacking attempts.