Security is typically something that most of us don’t give a second’s thought to until it is too late. Website security is often a top concern for WordPress site owners. Some 35% (and growing) of all websites on the Internet are powered by WordPress, and that popularity makes the CMS a frequent target for hackers. However, that doesn’t mean your site has to fall victim to malicious behaviour.
While no system is 100% hack-proof, there are certain measures you can take to keep your WordPress site from being hacked. To reduce your chances of being affected by a disastrous brute-force or DDoS attack, read below for the most important WordPress security tasks you should implement to secure a WordPress website and become more proactive against potential threats.
Why is Website Security Important?
A hacked WordPress site can cause serious damage to your business revenue and reputation. Hackers can steal user information and passwords, install malicious software, and even distribute malware to your users.
To compound matters, you may find yourself being held to ransom by hackers just to regain access to your website.
In 2016, Google reported that over 50 million website users had been warned that a website they were visiting might contain malware or steal information.
Furthermore, Google blacklists around 20,000 websites for malware and around 50,000 for phishing each week.
If your website is a business, then you need to pay extra attention to your WordPress security.
Just as it is a business owner’s responsibility to protect their physical store building, as an online business owner it is your responsibility to protect your business website.
Always keep WordPress updated!
WordPress is open source software that is regularly maintained and updated. By default, WordPress automatically installs minor updates. For major releases, you need to manually initiate the update.
WordPress also comes with thousands of plugins and themes that you can install on your website. These plugins and themes are maintained by third-party developers who regularly release updates as well.
These WordPress updates are crucial for the security and stability of your WordPress site. You need to make sure that your WordPress core, plugins, and theme are up to date.
Strong Passwords and Permissions
The most common WordPress hacking attempts use stolen passwords. You can make that difficult by using stronger passwords that are unique to your website: not just for the WordPress admin area, but also for your FTP accounts, database, WordPress hosting account, and email addresses.
The top reason why people don’t like using strong passwords is that they’re hard to remember. So either write down your password in a secure location or use a password manager.
Another way to reduce the risk is to not give anyone access to your WordPress admin account unless you absolutely have to. If you have a large team or guest authors, then make sure that you understand user roles and capabilities in WordPress before you add new users and authors to your WordPress site.
Your WordPress hosting service plays the most important role in the security of your WordPress site.
On shared hosting, you share the server resources with other customers. This creates the risk of cross-site contamination, where a hacker can use a neighbouring site to attack your website.
Using a managed WordPress hosting service provides a more secure platform for your website. Managed WordPress hosting companies offer automatic backups, automatic WordPress updates, and more advanced security configurations to protect your website.
WordPress Security in Easy Steps
We understand that having to secure a WordPress website can be a terrifying thought for beginners, especially if you’re not the techy type.
Backups are your first defence against any WordPress attack. Remember, nothing is 100% secure. If government websites can be hacked, then so can yours.
Backups allow you to quickly restore your WordPress site if something bad were to happen.
There are many free and paid WordPress backup plugins that you can use. The most important thing you need to know when it comes to backups is that you must regularly save full-site backups to a remote location (not your hosting account). Plugins such as UpdraftPlus can save your full site to Dropbox or a file location of your choosing.
After backups, the next thing we need to do is set up an auditing and monitoring system that keeps track of everything that happens on your website.
This includes file integrity monitoring, failed login attempts, malware scanning, etc.
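File integrity monitoring is the part of that list you can see working in a few lines. The script below is an added example, not code from the original post or from any plugin: fim_baseline records a SHA-256 hash for every file under a directory, and fim_check re-hashes the tree and reports what was modified, added or removed since the baseline. It assumes GNU coreutils (sha256sum, find) and that the baseline file is kept outside the tree it describes; the directory tree it runs on at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: a minimal file-integrity monitor for a
# WordPress tree. Assumes GNU coreutils (sha256sum, find) and a baseline stored outside
# the monitored directory.

fim_baseline() {
    # $1 = directory to snapshot, $2 = baseline file to write (one "hash  ./path" per line)
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

fim_check() {
    # $1 = directory, $2 = baseline file; prints "MODIFIED|ADDED|REMOVED <path>" lines
    now=$(mktemp)
    fim_baseline "$1" "$now"
    # sha256sum lines are 64 hex chars, two spaces, then the path (which may contain spaces)
    awk '
        { h = substr($0, 1, 64); p = substr($0, 67) }
        FILENAME == ARGV[1] { base[p] = h; next }
        !(p in base)        { print "ADDED " p; next }
        base[p] != h        { print "MODIFIED " p }
        { delete base[p] }
        END { for (p in base) print "REMOVED " p }
    ' "$2" "$now"
    rm -f "$now"
}

# Demo on a constructed directory tree (not a real WordPress install).
demo=$(mktemp -d)
mkdir -p "$demo/site/wp-content/plugins/demo"
printf '<?php // original plugin\n' > "$demo/site/wp-content/plugins/demo/demo.php"
printf '<?php // config\n' > "$demo/site/wp-config.php"
fim_baseline "$demo/site" "$demo/baseline.sha256"
# simulate an unexpected edit and a file that appeared after the baseline
printf '// unexpected edit\n' >> "$demo/site/wp-content/plugins/demo/demo.php"
printf '<?php // stray file\n' > "$demo/site/wp-content/stray.php"
fim_check "$demo/site" "$demo/baseline.sha256"
# prints:
# MODIFIED ./wp-content/plugins/demo/demo.php
# ADDED ./wp-content/stray.php
rm -rf "$demo"
```

Run fim_baseline once right after an update (when you know the files are what they should be) and fim_check from cron afterwards; a non-empty report is the signal to investigate. Exclude wp-content/uploads and any cache directory with extra -not -path arguments to find, or every upload will show up as ADDED.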
Change the Default “admin” username
In the old days, the default WordPress admin username was “admin”. Since usernames make up half of the login credentials, this made it easier for hackers to do brute-force attacks.
However, some 1-click WordPress installers still set the default admin username to “admin”. If you notice that to be the case, then it’s probably a good idea to switch your web hosting.
Since WordPress doesn’t allow you to change usernames by default, there are three methods you can use to change the username.
Create a new admin username and delete the old one
Use the Username Changer plugin
Update the username from phpMyAdmin
Disable File Editing
WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area. In the wrong hands, this feature can be a security risk which is why we recommend turning it off.
Limit Login Attempts
By default, WordPress allows users to try to log in as many times as they want. This leaves your WordPress site vulnerable to brute force attacks. Hackers try to crack passwords by trying to log in with different combinations.
This can be easily fixed by installing a plugin that will restrict the number of login attempts. There are many plugins available for this feature.
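A login-limiting plugin does its counting inside WordPress; the same guessing is also visible in the web server's access log, which is useful for confirming the plugin is doing its job. The script below is an added example, not code from the original post or from any plugin: it reads an access log in the standard "combined" format and lists client IPs whose failed POSTs to wp-login.php exceed a threshold. It assumes wp-login.php answers a failed login with HTTP 200 (the form is re-rendered) and a successful one with a 302 redirect, which is WordPress's default behaviour; the log lines it runs on are constructed, using documentation IP ranges.

```shell
#!/bin/sh
# Added example, not part of the original post: flag password-guessing bursts against
# wp-login.php from a combined-format access log. Assumes a failed login returns 200
# and a successful one 302 (WordPress default); field 1 is the client IP.

flag_login_bursts() {
    # $1 = access log, $2 = failed-login threshold; prints "<ip> <count>" per offender
    awk -v limit="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { failed[$1]++ }
        END { for (ip in failed) if (failed[ip] > limit) print ip, failed[ip] }
    ' "$1" | sort -k2,2nr
}

write_sample_log() {
    # Constructed sample (documentation IP ranges, made-up timestamps), not real traffic:
    # 198.51.100.9 is a user who mistypes once and then logs in; 203.0.113.7 keeps failing.
    cat > "$1" <<'EOF'
198.51.100.9 - - [10/Oct/2023:13:50:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0 (constructed)"
198.51.100.9 - - [10/Oct/2023:13:50:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0 (constructed)"
198.51.100.9 - - [10/Oct/2023:13:50:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (constructed)"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.31 (constructed)"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.31 (constructed)"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.31 (constructed)"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.31 (constructed)"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.31 (constructed)"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php?action=login HTTP/1.1" 200 3421 "-" "python-requests/2.31 (constructed)"
203.0.113.7 - - [10/Oct/2023:13:55:45 +0000] "GET /index.php HTTP/1.1" 200 8100 "-" "python-requests/2.31 (constructed)"
EOF
}

log=$(mktemp)
write_sample_log "$log"
flag_login_bursts "$log" 5      # prints: 203.0.113.7 6
rm -f "$log"
```

Point it at the real access log (for Apache usually /var/log/apache2/access.log) and pick a threshold that a human user would not hit in the log's time span; the one mistyped password from 198.51.100.9 in the sample is exactly the kind of noise the threshold is there to ignore.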
Password Protect WordPress Admin and Login Page
Normally, hackers can request your wp-admin folder and login page without any restriction. This allows hackers to try their hacking tricks or run DDoS attacks.
You can add an additional layer of password protection on the server side, which blocks those requests before they ever reach WordPress.
Disable Directory Indexing and Browsing
Hackers use directory browsing to find out if you have any files with known vulnerabilities, so they can take advantage of these files to gain access.
Directory browsing can also be used by other people to look into your files, copy images, find out your directory structure, and other information. It’s highly recommended that you turn off directory indexing and browsing.
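Three of the steps above (disabling file editing, password-protecting wp-admin and the login page, and turning off directory browsing) are edits to files on the server, and they can be scripted so they are applied the same way every time. The script below is an added example, not code from the original post or from WordPress itself. It assumes an Apache 2.4 host with AllowOverride enabled for the site, GNU awk and grep, and openssl for generating the password hash; the wp-config.php and directory it runs on at the bottom are constructed for the demonstration, and the username and password in it are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: apply three server-side hardening steps
# to an Apache-hosted WordPress install. Assumes Apache 2.4 with AllowOverride enabled,
# GNU awk/grep and openssl.

disable_file_editing() {
    # $1 = path to wp-config.php; inserts the constant before the stock "stop editing" marker
    cfg=$1
    grep -q 'DISALLOW_FILE_EDIT' "$cfg" && return 0
    tmp=$(mktemp)
    awk -v line="define( 'DISALLOW_FILE_EDIT', true );" '
        /That.s all, stop editing/ && !done { print line; done = 1 }
        { print }
        END { exit done ? 0 : 1 }      # fail loudly if the marker line is missing
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg" || { rm -f "$tmp"; return 1; }
}

protect_wp_admin() {
    # $1 = web root, $2 = basic-auth user, $3 = password, $4 = htpasswd path (outside the web root)
    root=$1 user=$2 pass=$3 pwfile=$4
    mkdir -p "$(dirname "$pwfile")"
    # apr1 is the MD5-based htpasswd format every Apache build accepts
    pwhash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)
    printf '%s:%s\n' "$user" "$pwhash" > "$pwfile"
    chmod 640 "$pwfile"
    mkdir -p "$root/wp-admin"
    cat > "$root/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "WordPress admin"
AuthUserFile $pwfile
Require valid-user
# admin-ajax.php is called by the public front end; leave it reachable
<Files admin-ajax.php>
    Require all granted
</Files>
EOF
    # wp-login.php lives in the web root, so it needs its own Files block there
    grep -q '<Files wp-login.php>' "$root/.htaccess" 2>/dev/null && return 0
    cat >> "$root/.htaccess" <<EOF
<Files wp-login.php>
    AuthType Basic
    AuthName "WordPress admin"
    AuthUserFile $pwfile
    Require valid-user
</Files>
EOF
}

disable_directory_listing() {
    # $1 = web root; appends the directive to .htaccess once
    grep -qx 'Options -Indexes' "$1/.htaccess" 2>/dev/null && return 0
    printf 'Options -Indexes\n' >> "$1/.htaccess"
}

# Demo on a constructed web root (placeholder user and password, not real credentials).
demo_hardening() {
    d=$(mktemp -d)
    printf "<?php\n/* That's all, stop editing! Happy publishing. */\nrequire_once ABSPATH . 'wp-settings.php';\n" > "$d/wp-config.php"
    disable_file_editing "$d/wp-config.php"
    protect_wp_admin "$d" "wpadmin" "replace-this-password" "$d/private/.htpasswd"
    disable_directory_listing "$d"
    cat "$d/wp-config.php" "$d/.htaccess" "$d/wp-admin/.htaccess"
    rm -rf "$d"
}
demo_hardening
```

Each function is idempotent, so the script can be re-run after a WordPress update that rewrites wp-config.php or the root .htaccess. WordPress manages only the lines between its own "# BEGIN WordPress" and "# END WordPress" markers, so the appended directives survive its rewrites; keep the .htpasswd file outside the web root, as the demo does, so it is never served.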
Add Security Questions to WordPress Login Screen
Adding a security question to your WordPress login screen makes it even harder for someone to get unauthorised access.
You can add security questions by installing the WP Security Questions plugin. Upon activation, you need to visit Settings » Security Questions page to configure the plugin settings.
Wordfence is a very useful plugin with well over 2 million installs. Available in free and paid versions, it offers many excellent security features such as a firewall, malware scanning, blocking, live traffic, login security and more, and is well worth a look. (Installation details to be added shortly)