Published on February 18, 2019
As soon as you launch your WordPress website, you need to take basic steps to protect it from hackers. Most people don’t think that ensuring the website’s security is a high-priority task. They remember about it only after their website or online store gets hacked.
Next thing you know, you go to your URL, and nothing shows up. Google flags your website as a phishing scam, and you’re losing money by the second.
If you don’t want to be one of those people and you are a novice in WordPress website security, fear not – today, we’ll cover how to secure WordPress website.
How to Secure Your WordPress Website
Improving your website security is always important. So, let’s find out how to improve WordPress site security – we’ve prepared a whole lot of tips to help you get one step closer to better security.
|Install SSL and set up HTTPS on your website||Most likely, users will enter their personal data using your website. To ensure their privacy, you need to comply with reliable security standards using, at the very least, Secure Sockets Layer (SSL or TLS) and Hypertext Transfer Protocol Secure (HTTPS).
Let’s suppose you already have an SSL certificate for your website. As soon as you’ve acquired it, you just need to configure WordPress to use HTTPS. You can do it in the dashboard, Settings -> General.
You’ll find two fields there: WordPress Address (URL) and Site Address (URL). At this point, your website address should be identical in both fields and use HTTP. The only thing you need to do is change the HTTP prefix to HTTPS in each field and save the changes.
|Create backups of the databases and files regularly and keep them in the cloud storage||In case something happens to your website, you can either panic or restore it from backups.
You can create backups manually, by means of hosting provider services, or use WordPress plugins. VaultPress and UpdraftPlus are some of the most convenient plugins for this purpose, in our humble opinion. They serve as a full-fledged solution for backups and security used by thousands of developers. In particular, they will help you create daily backups fast and easily and save them in secure storage.
|Always use the latest version of PHP||If your website is based on WordPress, you must have already installed PHP. However, to protect yourself and your users from hacker attacks, you need to update your version of PHP regularly.
In order to do that, log into your account on cPanel. There, you can easily update your PHP – but ensure that your WordPress version is compatible with the latest PHP version before updating.
|Change your passwords for accounts and servers at least once per every three to six months||There are three simple reasons why you should change your passwords.
When it comes to employees’ user passwords, changing them will prevent undesirable outcomes after one employee told their password to another employee before the sick leave or vacation. It may lead to all employees knowing one another passwords – and it’s a huge security risk.
As users have a habit to use the same password everywhere, a hack of another website may endanger your accounts as well.
If you don’t change the password for a long time, it can be revealed by hackers using brute force software (unless, of course, you use 20-30 random characters as a password – but this is a rare case).
|Use secure passwords||A secure password should consist of no less than 8 random characters (not connected with your personal data, such as your birthday, etc.). It should contain capital and lowercase letters, numbers, and at least one special character. Combinations like 12345, qwerty, 1q2w3e4r5t6y, etc. are not safe, as well as the username with some characters added, geographical names and words from a dictionary. WordPress recommends using the Force Strong Passwords plugin to prevent users from entering weak passwords.|
|Don’t store your passwords in an open and unencrypted format||It’s not recommended to store your passwords in notebooks, Microsoft Office documents, Google Docs or Dropbox. Your passwords should be encrypted. You can do it using such password managers as KeePass, Roboform, LastPass, 1Passwords, and similar.|
|Update WordPress and plugins every week or month||Regular updates will allow you to mitigate the risk of hackers exploiting your website’s vulnerabilities revealed in the old versions of WordPress or plugins and gaining access to your website data. Don’t forget to create a backup before updating – it’s better to be safe than sorry.|
|Avoid installing unreliable or outdated plugins||When downloading new plugins, pay attention to their rating (which reflect their reliability) and the latest update date. In case the rating is not high and the latest update took place a year ago, it’s a clear sign this plugin shouldn’t be installed.|
|Use as few plugins as possible||Minimizing the number of used plugins allows mitigating the risk of hackers gaining access to your website by exploiting their vulnerabilities. The WordPress platform itself is considered more secure than third-party plugins.|
|Avoid using several plugins for the same purpose||Take a look at the previous recommendation one more time – the best practice is minimizing the number of plugins you use. A plugin you install can be incompatible with your themes and tools, slow down your site and damage its security.|
|Never take screenshots of your passwords||Screenshots taken with the help of online services are automatically uploaded to its servers. If a hacker manages to write a short script, he or she will be able to download all screenshots stored there, including the ones owned by you.|
|Avoid sharing your screen during a video call||As some cybersecurity experts state, Skype is the biggest hole in your computer’s security. The more data you transfer using it, the more likely it is that it will be intercepted by someone else. The most damage can be done if you share your screen during the video call while entering passwords and sensitive data.|
|Avoid using public passwordless Wi-Fi networks||Using a public Wi-Fi network to log into and use personal accounts online is not safe at all. Public Wi-Fi hotspots can be used by hackers to get access to all of the data you transfer using that network. We recommend limiting your activity to web browsing and using a virtual private network (VPN) tunnel, which encrypts your connection.|
|Use a reliable antivirus||Even if you don’t store any documents or sensitive files on the device, viruses can disrupt the work of your OS. Most of them are created with one aim – to cause some damage to the user. Often enough, after your device gets infected with a virus, it becomes unusable. Besides, viruses can be keyloggers – so they will record everything you type.|
|Be careful when using third-party scripts||Websites created by true professionals that pay particular attention to security don’t use third-party scripts at all. Cybersecurity specialists recommend sticking to this rule if you don’t want to expose user data to hackers.|
|Limit the administrator’s access to the admin panel based on the IP address||Managing access based on the IP address allows you to determine which devices and/or networks can have access to your account. This feature, located in the security settings in your account, allows seeing currently allowed IP addresses and adding new ones. Thus, no unauthorized devices can get access to your dashboard.|
|Set up two-factor authentication||You can secure the login process by enabling two-factor authentication (TFA). Users that have it enabled will be asked to enter a one-time passcode before logging in.|
|Use ModSecurity||ModSecurity can help you prevent unauthorized, brute force logins in your WordPress accounts of private importance. To operate this tool, you’ll need to grant it the server root level access as well as some input from your web host.|
|Use blocklists||You block IP-addresses by countries and regions. Just download any blocklists online with some shell-scripting and load blockrules with iptables afterwards. Keep in mind that you are blocking legitimate users as well as attackers. Always use these opportunities reasonably.
There are also readymade blocklists with the IP-addresses of renowned spammers. Remember to also update such lists regularly.
Again, root access is required for the operation of blocklists and iptables.
|Use Fail2Ban||A Python daemon, Fail2Ban runs in the background and checks the Apache-generated logfiles; it adds firewall rules upon specific events. A so-called regular expression filter is used for that. If that regular expression takes place 5 times within 5 minutes, the respective IP-address can be blocked for 60 minutes or any other time period.
This is another solution the requires root access.
|Explore cloud & proxy solutions||CloudFlare, Sucuri CloudProxy, and others are services that simply block the unwanted IPs, preventing them from reaching your servers at all. This is a very useful security measure you can use to your own benefit.|
FAQ for WordPress Users
Now, it’s time to answer the six most common questions that concern new WordPress users.
Any platform can be hacked provided you have enough determination and skills. You can protect yourself from amateur hackers by following general WordPress website security tips, but preventing more experienced hackers gaining access to your website is not a piece of cake. For instance, a DDoS attack can target any website, no matter whether it’s WordPress-based or not. Securing your website from such attacks requires the help of professional cybersecurity specialists.
WordPress can’t identify security threats itself; it is designed to prevent them rather than identify. If you need tools for identifying threats (such as vulnerabilities, unusual behavior, etc.), you can use special security plugins like Cerber Security, iThemes Security, Acunetix WP Security, BulletProof Security, Anti-Malware Security and Brute-Force Firewall, Wordfence and Sucuri Security.
As for this, to make logging into your WordPress account as secure as possible, follow our recommendations above (such as IP address limit, secure passwords, two-factor authentication).
Secure Sockets Layer (SSL) is a technology that created a secure connection between the website and user browser. Users trust websites using SSL more as it is a clear indication that the personal data is safe every time you browse such a website.
The easiest and obvious way to do so is to follow the WordPress security tips we’ve described above.
WordPress does have several security issues (just like any other CMS), and this is why sometimes it’s considered ‘unsafe’. In fact, a WordPress website becomes insecure if you don’t update the system.
‘How to improve WordPress security’ is a question asked by many WordPress users. We recommend using our basic tips that will be a good starting point for improving security on most WordPress websites. Do not hesitate to reach out in case you need help or consultation. Meanwhile, use the list below as a quick summary of our tips.
WordPress website security checklist:
- Install SSL and set up HTTPS on your website.
- Use strong passwords.
- Reset passwords every 3-6 months.
- Enable two-factor authentication.
- Keep WordPress plugins and environment updated.
- Do not use unreliable plugins.
- Limit access to admin panel by IP.
- Enable WordPress backup solutions.
- Use antivirus scanners.
- Do not share private data and passwords via untrusted channels.
- Explore cloud & proxy solutions.
- Use blocklists.
In case you need help or expert consultation, do not hesitate to contact ReliablePSD WordPress development team.
This post was last updated on August 21, 2021