The Ultimate Guide on WordPress Security for Beginners

Do you know that 34% of all websites on the Internet use WordPress? We can all agree that it's a spectacular percentage, and WordPress has proven over the years that these numbers aren't achieved by chance.

The most popular CMS platform offers its users a quick and easy way to create a website, along with a wide range of options in terms of design and functionality.

Unfortunately, as the CMS leader, WordPress is regularly attacked by cybercriminals. Hackers are well aware of the platform's popularity and direct their attention to WordPress users, as the pool of targets is quite large.

If you are a website owner or you are about to be, accepting this notion as soon as possible allows you to take action in advance. In this article, we've collected some valuable tips that will help you protect your site and ensure it runs smoothly.

So, without further ado, let's dive into the different ways you can easily protect your WordPress site with just a few simple steps.

1. Choose a Good Hosting Provider

Before focusing on any other security steps, building your website on a solid foundation is probably the best thing you can do in the long run.

Working with a good hosting provider that can offer you multiple layers of security is the simplest way to protect your website from future cyber-attacks.

Understandably, when you plan your new website, you have all kinds of ideas and want to grow and expand your business in different directions. Small business owners are often tempted to save some money and redirect that budget to "more important things" than web hosting. While going down this road might not have an immediate negative impact on your business, free or very low-budget hosting can seriously cost you.

Like most things in life, good quality hosting will cost a bit more than its cheaper counterpart. In the long run, paying a little bit more for quality hosting services is a very wise investment.

Great hosting providers offer plenty of security features like DDoS protection, SSL certificates, Web Application Firewalls, etc. They also have excellent support, and in the best-case scenario it's 24/7, so you can reach them anytime you have a problem.

Usually, top companies also offer a very important feature - a complete backup of your website. Many people find out how crucial this is the hard way; when the site suffers some damage, it turns out that the hosting provider they use offers only partial backup or none at all. So before you select your hosting plan, make sure it includes backups, and that they cover both the files and database of your website.

2. Update Your WordPress Site and Plugins

Let's continue with something straightforward yet often neglected by the vast majority of WordPress site owners.

WordPress (as a platform) releases regular updates, and so do most of the themes and plugins developed for it. These updates include patches for vulnerabilities in the code (holes that allow hackers to get through). The updates also include new features, of course!

If you aren't regularly updating your WordPress and the respective plugins, you don't get the patches we just mentioned, and you expose yourself to a severe risk of getting hacked!

Important note: Before making any updates or changes to your site, you should create a backup. You can use a backup plugin or your hosting provider's backup feature (for example, we offer WordPress Manager, which is included in all of our web hosting plans).

To update, you can use the WordPress Update feature, a tool that updates your WordPress version, plugins, and themes automatically.

Some hosting providers will automatically update your WordPress site; if you are unsure whether that's the case, ask their support about it.

3. Increase the Strength of Your Login Details

The most common WordPress hacking attempts involve either using stolen login details or simply trying to break in by guessing your login details, a method called a brute-force attack.

  • Use Stronger Passwords – Let's be honest; we've all used weak passwords more often than not, since they're easier to remember. While most places requiring a password these days will not allow you to do so, you should create strong passwords either way. The most complex passwords include several types of symbols: digits, special characters, capital letters, etc. You can still use your name or domain, just be more creative; an example of such a password would be Hostpulse*123.
  • Limit Login Attempts – Regrettably, the default WordPress setting allows users to attempt to log in an unlimited number of times. To add a layer of protection to your WP site, limit the login attempts and lock users out after a few failed ones. Whether you use a very popular plugin like "Limit Login Attempts" or a security plugin that offers such an option, our recommendation is to use one.
  • Implement CAPTCHA – CAPTCHA (an abbreviation for Completely Automated Public Turing test to tell Computers and Humans Apart) is a standard method developed to tell whether the user is human. It became necessary when bots started being used online and spam became a significant problem. A straightforward solution is Google reCAPTCHA.
  • Use multi-factor authentication – Multi-factor authentication adds a second layer of security to your login forms. After you enter your username and password, you receive a unique code on your device. This way, even if your forms have been brute-forced successfully, a hacker won't be granted access to your system.
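To show what "limit login attempts" does under the hood, here is a small must-use plugin added as an example (it is not code from this article or from the "Limit Login Attempts" plugin it mentions). It counts failed logins per client address in a WordPress transient and refuses further attempts for 15 minutes after 5 failures; the hook names are WordPress's own, while the prefix, thresholds and file location are assumptions.

```php
<?php
/**
 * Plugin Name: Simple Login Attempt Limiter (added example)
 * Save as wp-content/mu-plugins/simple-login-limiter.php so it loads automatically.
 */

const SLAL_MAX_ATTEMPTS    = 5;    // failures allowed before lockout (assumed policy)
const SLAL_LOCKOUT_SECONDS = 900;  // lockout window: 15 minutes (assumed policy)

// Key the counter on the client IP. REMOTE_ADDR is only correct when PHP sees
// the real client address; behind a proxy or CDN, configure the web server to
// restore it, otherwise every visitor shares one counter.
function slal_transient_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'slal_fail_' . md5($ip);
}

// Count every failed login (wrong user or wrong password) for this client.
// Each failure restarts the lockout window, so a locked-out client that keeps
// guessing stays locked out.
add_action('wp_login_failed', function ($username) {
    $key   = slal_transient_key();
    $fails = (int) get_transient($key);
    set_transient($key, $fails + 1, SLAL_LOCKOUT_SECONDS);
});

// Refuse further attempts once the counter reaches the limit. Priority 30 runs
// after WordPress's own username/password check (priority 20), so the lockout
// holds even when the guessed password is finally correct.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(slal_transient_key()) >= SLAL_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that client.
add_action('wp_login', function () {
    delete_transient(slal_transient_key());
});
```

Because the `authenticate` filter is shared by the login form and XML-RPC, the lockout applies to both entry points.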

4. Learn About User Roles and Permissions

Another way to reduce the risk of being hacked is not to give anyone access to your WordPress admin account unless you have to.

Of course, if you are working with a large team or have guest bloggers writing articles for your company, that might be a little tricky. If that's the case, then you have to be sure that you understand WordPress user roles correctly.

If you are new to this topic, then we will help you catch up by going through every user role and their permissions:

ADMINISTRATOR

The administrator is the most powerful user role and is reserved for the site owner, because it gives full control over the WordPress site. To be more specific, as an Administrator you can add, edit, and delete your posts as well as the ones added by other users.

You can install, edit, and delete plugins and themes. As far as the security of your website and the permissions of other users are concerned, you can add new users, change information about existing ones, and delete anyone!

EDITOR

The name speaks for itself. If you are an editor, then you have full control over the content on the site. You will be able to add, edit, publish, and delete any posts, including the ones written by others. Also, as an editor, you can moderate, edit, and delete comments.

AUTHOR

As an author, you can write, edit, publish, and delete your own content. Also, you can add tags, but you won't be able to add new categories.

CONTRIBUTOR

Unlike Editors and Authors, Contributors cannot publish their own posts. They can add and edit them, but that's it. Also, they can add tags, but cannot create new categories.

SUBSCRIBER

Users with the Subscriber role have control only over their own accounts. They can log in to your site and update their profiles, but they don't have any permission to write posts, view comments, or do anything else inside your admin area.

5. Install Security Plugins

At the time of writing this article, there are more than 50,000,000 plugins available, both free and paid. It would be wise to take advantage of this broad base of plugins that could protect your installation from malicious attacks.

If you are starting with WordPress, it might be a little overwhelming to figure out which security plugin to install. To narrow down your choices, we have selected the best 3:

· Sucuri Security (https://wordpress.org/plugins/sucuri-scanner/) – It's a free WordPress security plugin that allows you to run security auditing, monitoring, and scanning. It has several features that enhance your website's security, like a malware scanner, login attempt limiting, etc.

· WP Security Audit Log (https://wordpress.org/plugins/wp-security-audit-log/) – It allows you to keep track of everything that happens on your WordPress site by providing a detailed log of the activities. You will be able to manage all of your users, and you will know everything they are doing in real time.

· WPS Hide Login (https://wordpress.org/plugins/wps-hide-login/) – It lets you easily and safely change the URL of the login form page to anything you want, making your wp-admin directory and wp-login.php inaccessible.

6. Activate WAF (Web Application Firewall)

Activating a web application firewall (https://en.wikipedia.org/wiki/Web_application_firewall) on your website is one of the best ways to protect your site.

Although there are plenty of WAF plugins out there, it is far better to pick a web hosting provider that can offer you this option; for example, we offer such a feature under the name ActiveWAF.

ActiveWAF is a web application firewall that we have integrated into our systems to offer our customers the most secure hosting services. Unlike regular firewalls, ActiveWAF filters the traffic and blocks only the requests that can harm the server.

7. Install SSL Certificate

Not having an SSL certificate on your site is a major no-no these days. A few years ago, an SSL certificate was required only for websites that needed to secure specific transactions like payments. Today, however, it doesn't matter whether you are processing payments on your website or not.

SSL is mandatory for any website that is processing sensitive information like passwords, credit card details, names, addresses, etc.

Without an SSL certificate on your website, all of the data transferred between the user's web browser and your web server is delivered in plain text, which can be read by hackers. Once you install an SSL certificate, sensitive information is encrypted before being transferred between the two parties (the user's web browser and your server), protecting it from third parties with malicious intent!

Also, Google recognizes the importance of an SSL certificate and reserves its top search results for websites that offer encrypted transfer of information.

Furthermore, in 2018, Google warned all website owners that every site without active SSL would be displayed as "Not Secure" in the URL bar, which could be bad for your company's image if you decide to postpone the installation!

8. Change the Default Username

We've already mentioned how brute-force attacks work: a computer tries different combinations of usernames and passwords until it finds the right one.

When you install WordPress, the default username of your admin panel is "admin," so we recommend changing it. Trying that username is step 1 for hacker attacks, so don't make their work easier. Choose a unique username (yet one that looks good when it appears as an author on your blog, if you're planning to run one, and you should!).

Bear in mind that some 1-click WordPress installers still set the default admin username to "admin."

9. Disable File Editing

WordPress comes with a built-in code editor that allows you to edit your theme and plugin files from your admin panel. If the wrong person gets access to your admin panel, that is a huge security risk.

That's why we recommend disabling this feature. You can do it by adding the following lines to your wp-config.php file:

    // Disallow file edit
    define( 'DISALLOW_FILE_EDIT', true );

If you don't know how to access the wp-config.php file, follow the instructions here (https://www.wpbeginner.com/beginners-guide/how-to-edit-wp-config-php-file-in-wordpress/).

Important note: Since this is a very sensitive file, on which the correct functioning of your WordPress site depends, always take a backup before modifying it!
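As an added illustration (not from the article), here are the wp-config.php hardening constants that go with sections 2, 7 and 9 together: DISALLOW_FILE_EDIT is the one recommended above, and WP_AUTO_UPDATE_CORE, FORCE_SSL_ADMIN and DISALLOW_FILE_MODS are real WordPress constants added here as optional extras; the reverse-proxy check is a common pattern, assumed to match your host's setup.

```php
<?php
// Added example: place these above the line that reads
// "/* That's all, stop editing! Happy publishing. */" in wp-config.php.

// Section 2: let WordPress apply every core update (minor and major) on its
// own. The default, 'minor', installs only security/maintenance releases.
define( 'WP_AUTO_UPDATE_CORE', true );

// Section 7: once the SSL certificate is installed, force the admin area and
// the login page over HTTPS so credentials and session cookies never travel
// in plain text.
define( 'FORCE_SSL_ADMIN', true );

// If the site sits behind a reverse proxy or CDN that terminates TLS, PHP
// sees plain HTTP and FORCE_SSL_ADMIN would redirect forever. Tell WordPress
// the original request was HTTPS (assumes the proxy sets this header and
// strips any client-supplied copy of it).
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https' ) {
    $_SERVER['HTTPS'] = 'on';
}

// Section 9: remove the theme/plugin code editor from the admin panel.
define( 'DISALLOW_FILE_EDIT', true );

// Stronger optional variant: also block plugin/theme installs and updates from
// the dashboard, so a compromised admin account cannot upload new code.
// Only enable this if you update through WP-CLI or your host's manager.
// define( 'DISALLOW_FILE_MODS', true );
```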

10. Automatically Log out Idle Users

You have probably visited financial or banking websites, and you might have noticed that if you become inactive for some time, they log you out automatically.

This is done for security reasons: while you are away from the screen, someone could hijack your session and change your password or other account settings.

You can add this feature to your website by installing the Inactive Logout (https://wordpress.org/plugins/inactive-logout/) plugin. It has several useful features, such as:

  • Configuration of the idle timeout
  • Countdown of 10 seconds before actual logout
  • Add custom popup message

WordPress may have its fair share of security issues, but with the steps mentioned above, you can ensure a much smoother and more secure run of your site.

Remember to back up regularly, monitor your site's performance every day, and if anything goes wrong, contact your developer or your hosting provider's support line.
