How To Secure Your WordPress Website – 10 Easy Steps
Powering over one-third of all websites and with over 400 million users, WordPress is undoubtedly the world’s most popular website development platform. But this popularity comes with its own risks.
Why is WordPress Security Important?
The growing popularity of WordPress also attracts the undesirable attention of cybercriminals and hackers. Today, we are witnessing a growing variety of cyberattacks – malware, data breaches, and ransomware attacks on WordPress websites. Hackers can redirect online traffic from your website to their unsolicited websites and get paid for it. Besides the loss of incoming traffic, a successful cyberattack can result in loss of confidential data, impact your website performance, and even impact your revenue.
While there is no such thing as 100% website security against hackers, here is a list of ten security measures to safeguard your WordPress website. Let’s get started.
1. Update Your Website
Probably the most critical factor in compromising website security is the use of old or outdated WordPress versions. According to industry statistics, 60% of hacked WordPress websites are running an obsolete version.
So, the first step towards improving your WordPress security is by updating to the latest version.
In addition to the core WordPress, your website also contains plugins and themes that improve the overall functionality and look of your website. Hackers use vulnerabilities in outdated plugins/themes to exploit security issues. So, the second step would be to review all installed plugins/themes and update them to their latest available version.
How to perform this task:
- Login to your WordPress account and apply the latest update – as shown in the following screen.
- Enable the “auto-update” feature in your WordPress installation to automatically update the core whenever a new version is released.
2. Take a Backup of Your Website
A successful data breach or malware attack can result in businesses losing valuable data. This could include customer records, financial transactions, and confidential data. This can severely cripple your business operations for at least a few weeks and cause a loss of customer trust.
Website backups are the most effective solution to any data loss caused by data breaches or even human errors. Regular backups of your website will ensure that in the event of any website calamity, the latest data is available to be restored to your website.
How to perform this task:
- While manual backups are quite effective, they can be a time-consuming and exhaustive process to execute on a daily or weekly basis. Using a plugin to backup your WordPress site is the easiest and faster way of taking backups, even for novice users. Popular backup plugins include BlogVault, Updraftplus, and BackWPUp.
3. Restrict WordPress Dashboard Access
Hackers exploit weak user credentials to gain access to the WordPress dashboard. They do this so they can upload their malicious files, change account settings, and damage backend files. The best precaution against this to restrict user access to the dashboard. In short, you must only provide the highest privileges to users you trust.
Additionally, you could whitelist the company network’s IP address to ensure that external users (with a different IP address) are not able to access your dashboard, thus reducing the chances of a successful hack.
How to perform this task:
- For IP address whitelisting, create a .htaccess file in the “wp-admin” folder of your WordPress installation and add the following code:
order deny,
allow
allow from YOUR IP ADDRESS
deny from all
- Similarly, you can prevent unauthorized access and edits to your installed plugins/themes by adding the following code to the wp-config.php file of your WordPress installation:
define( ‘DISALLOW_FILE_EDIT’, true );
4. Strengthen Your Admin Credentials
Hackers exploit weak user credentials to gain illegal entry into WordPress accounts. As every account requires an administrator, hackers try to gain access into “admin” accounts to inflict the maximum damage to WordPress files. In most instances, users make this easier for hackers by using weak usernames and passwords. For example, WordPress installations continue to use usernames like “admin” and passwords such as “password” or “123456.”
To strengthen your admin credentials, change the default username from “admin” to one that is difficult for hackers to guess. Additionally, strengthen your admin password by using a password that is at least 8-10 characters long and comprises a combination of lowercase and uppercase characters, alphanumeric characters, and special characters.
How to perform this task:
- For your admin user, use the “Users Management” section of your WordPress dashboard to configure a strong username and password.
- Use password management tools like LastPass and Dashlane to generate and store account passwords.
- In addition to admin users, ensure that all your WordPress users have unique usernames and strong passwords.
- In case you lost your password, you can reset it from the WordPress Dashboard.
5. Uninstall Abandoned Plugins/Themes
As mentioned in the first point, WordPress owners must keep their installed plugins/themes updated to the latest version. But, what about those abandoned or no longer being upgraded by their respective developers? Hackers can exploit this situation by gaining control through old or unused plugins/themes on a WordPress installation.
As a safety measure, remove all abandoned plugins/themes from your installation or replace them with trusted plugins or themes. Retain only those from trusted sources and with recent updates.
How to perform this task:
- Download and install trusted WordPress plugins/themes only from sources like the official WordPress repository.
- Use a WordPress Management plugin like BlogVault or MainWP to review and remove all unused plugins/themes.
6. Restrict the Number of Failed Logins.
Hackers deploy automated bots to attempt to log in to WordPress accounts by trying out various combinations of user credentials. These are called brute force attacks. To prevent them, it’s a good practice to restrict the number of failed login attempts. The best guard against unlawful logins is the use of the CAPTCHA tool that is displayed after 3 failed logins.
How to perform this task:
- You can either use a WordPress Captcha Plugin or make sure that your security plugin has a built-in CAPTCHA protection tool that is effective in preventing brute force attacks.
7. Activate Two-Factor Authentication.
An industry-standard in website security, Two-Factor Authentication (or 2FA) is effective in preventing unauthorized logins. It ensures that users have to go through a 2-step process, the first, entering the right user credentials, and the second, entering a unique validation code sent to their mobile phone. This simple security measure makes it very hard for hackers to gain access through the login page.
How to perform this task:
- Implement two-factor authentication by downloading and installing the “Google Authenticator” plugin on your WordPress installation.
8. Remove WordPress Version Information
Hackers often try to find the WordPress version of a site so they can exploit known vulnerabilities. Common WordPress themes automatically store the version information in the <head> tag of the WordPress website. While this can be useful, it can also be a security issue as it makes it easier for hackers to find the required information.
The only solution to this problem is to remove (or hide) all WordPress version-related data.
How to perform this task:
- To hide version information from the installed theme, add the following code to functions.php file on your themes folder:
function remove_wp_version() {
return ”;
}
<span style=”line-height: 1.8em;”>add_filter( ‘the_generator’, ‘remove_wp_version’ );
9. Add HTTP Security Headers to your Website
Among a common type of cyberattacks, hackers use Cross-Site Scripting (or XSS) attacks to hijack user sessions and execute malicious code. It is commonly deployed by inserting malicious code in the “Comments” section of a website.
Adding an HTTP Security Header to your WordPress website is the best defense against XSS attacks and can work as a website hardening measure.
How to perform this task:
- If you do not have HTTP security headers on your website, you can ask your web host provider to install this safety tool on your WordPress website.
10. Install a WordPress Security Plugin
The final step towards securing your WordPress website is installing a comprehensive security plugin. It offers automatic protection against a variety of malware and online attacks and can be installed just like any other plugin.
Opt for a security plugin like MalCare that takes care of malware scanning, malware removal, and continuous protection through an inbuilt WordPress firewall.
How to perform this task:
- Evaluate the best WordPress security plugins in the market and choose the one that is best suited for your website.
In Conclusion
That completes the list of ten security measures that you can take to protect your WordPress website. While we can never be assured of complete and absolute website security, it’s always better to be safe than sorry!
These measures can give you some much-needed peace of mind while improving your website’s security. Have any other suggestions? Let us know in the comments below!
