
For many years now, we have heard WordPress site owners express concerns about the security of their sites. Open-source scripts, the argument goes, are vulnerable to attack. Is that true? And if it is, how can we secure our WordPress websites?
Many people presume that WordPress has no built-in security. Luckily for us, this is not true. We have had a closer look, and I must say it is just the opposite: WordPress sites are all very secure compared to other websites.
Today, we’ll discuss a number of tricks you can use to give your WordPress site that additional layer of security.
Once you have implemented the tactics we discuss and followed them up with regular WordPress security checks, you can be assured that your WordPress site will be safe and secure.
So, let’s begin.
Contents
- 1 A) Always Secure your WordPress Site by Ensuring your Host is Safe
- 2 B) Always Secure the WordPress Website by Blocking Brute Force Strikes and Protecting your Login Page
- 3 C) Always Secure the WordPress Website via Admin Dashboard
- 4 D) Always Secure the WP Site via the Database
- 5 E) Always Secure the WP Website via Plugins and Themes
- 6 Final Thoughts
A) Always Secure your WordPress Site by Ensuring your Host is Safe
Today every host you come across assures its customers of an environment that is optimized for WordPress. Is that really so?
Working with Reliable Hosts
Always make sure that you are working with a high-quality, safe, and reliable host. I’m sure you have already considered this advice from the beginning, right?
Website owners begin by confidently assuming that the hosting solution they are using is excellent. That notion tends to last until something goes wrong. Let’s look at the facts: not every host offers quality hosting.
If you have read our reviews and surveys in the past, you will have noticed how much the overall quality of hosting differs from one host to another. The individual aspects of hosting, such as speed, reliability, and security, also vary.
Certain hosts are simply not up to par and do not perform well when put under pressure. The worst part is that many of us never realize that the host we are working with does not prioritize security.
This puts your website at risk: attacks from hackers, low performance, and frequent downtime are all signs that your host lacks adequate security mechanisms.
It is not up to us to fix the host. In this case, the best and easiest way out is to move to a secure host. In my experience, if you invest a little more in a new host, you can be sure of getting better service.
That said, we have also seen hosts that offer quality service at economical prices, for those who are on a tight budget.
If you would like to compare the various premium and budget hosts, you can always read our reviews and surveys. For those of you in a rush, however, here are a few recommendations.
- Kinsta – Great Power Setup: Their package lets you host five websites and handle 100,000 visitors per month, at a monthly price of $100.
- Flywheel – Managed Host for Entry Level: Their package lets you host a single website and handle 5,000 visitors per month, at a monthly price of $13.00.
- SiteGround – Economic Plans: Their economy plan lets you host a single website, at a monthly price of $4.99.
Secure your wp-config.php File
This file holds crucial data about your WordPress installation, which makes it the most vital file in your site’s root directory. Protecting it means protecting the core of your WordPress site.
Moving it out of reach makes it far harder for hackers to breach your site’s security, because this file is no longer accessible to them.
The whole process is very simple: take the file and place it one level above the root directory.
Many of you might wonder how the web server will find the file if it is saved elsewhere. WordPress is built to look for its configuration file in the root directory first and then one directory above it. So if you store the file one level above the root directory, WP will still be able to find it.
Editing of File
If a user is granted admin access, the WP dashboard is accessible to them, and from it they can edit every file that is part of the WordPress installation, including all themes and plugins.
If file editing is disabled, nobody can modify your files from the dashboard. Suppose a hacker manages to obtain admin access: they would still not be able to edit your files through the WP dashboard.
It is a good idea, and if you wish to use it, follow this process:
- Add define('DISALLOW_FILE_EDIT', true); to the wp-config.php file (to be added at the end)
Directory Permissions
Incorrect directory permissions can be deadly, especially if you are working in a shared hosting environment.
In such cases, changing the permissions of your files and directories is an excellent move, as it protects the site at the hosting level.
Set file permissions to “644” and directory permissions to “755”. This protects the entire file system: individual files, directories, and subdirectories.
You can do this manually through the File Manager inside your hosting control panel, or from a terminal connected over SSH using the “chmod” command.
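As an added example (not code from the original post), the following PHP command-line script applies the 644/755 scheme just described across a whole WordPress install, reporting every file or directory that deviates and correcting it when run with --fix; the script name, the path argument and the flag are assumptions made here.

```php
<?php
// Added example, not code from the original post: audit (and with --fix, correct)
// file and directory permissions under a WordPress root using the 644/755 scheme
// described above. Usage:  php fix-permissions.php /path/to/wordpress [--fix]
// The script name, the path argument and the --fix flag are assumptions.
declare(strict_types=1);

const FILE_MODE = 0644; // rw-r--r--
const DIR_MODE  = 0755; // rwxr-xr-x

// Walk the tree and return one line per item whose mode differs from the target.
function audit_permissions(string $root, bool $fix): array
{
    $problems = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );

    foreach ($iterator as $path => $info) {
        // Mask off the file-type bits so only the permission bits are compared.
        $current = fileperms($path) & 0777;
        $wanted  = $info->isDir() ? DIR_MODE : FILE_MODE;
        if ($current === $wanted) {
            continue;
        }
        $problems[] = sprintf('%s: %04o -> %04o', $path, $current, $wanted);
        if ($fix && !chmod($path, $wanted)) {
            fwrite(STDERR, "chmod failed for $path\n");
        }
    }
    return $problems;
}

$root = $argv[1] ?? '';
if ($root === '' || !is_dir($root)) {
    fwrite(STDERR, "usage: php fix-permissions.php /path/to/wordpress [--fix]\n");
    exit(1);
}
$fix = in_array('--fix', $argv, true);

$problems = audit_permissions(rtrim($root, '/'), $fix);
foreach ($problems as $line) {
    echo $line, "\n";
}
printf(
    "%d item(s) %s\n",
    count($problems),
    $fix ? 'changed' : 'differ from 644/755 (dry run; add --fix to apply)'
);
```

Run it without --fix first to see what would change. Some hosts set wp-config.php to a stricter 600; this script would report that file and, with --fix, loosen it back to 644, so skip or adjust the target for that file if your host recommends otherwise.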
Disabling Directory Listing
If a fresh directory is created as part of the website and you do not add an index.html file to it, you will be surprised to find that visitors receive a complete listing of the directory.
For instance, say you have created a directory called ‘data’. You will be able to view everything in that directory by entering the following in the browser:
http://www.instance.com/data/. No password is required for this.
This can be prevented by simply adding the line below to your .htaccess file:
Options -Indexes
Stop All Hotlinking
Suppose you find an image online and want to display it on your website. To begin with, you would need permission, or perhaps you would need to buy the image; otherwise, it may well be illegal to display it.
Once you have permission, you might take the URL of the image and use it to display that image on your website.
The major issue with this is that the picture is displayed on your website but hosted on a different website’s server.
You have no control over whether the image remains on that server or not. More importantly, be aware that other people may do exactly this to your site.
Hotlinking is simply a random person using your image and stealing your web server’s bandwidth to display the photo on their own website. When this happens, you will experience very slow loading speeds, and you will also be at risk of very high server charges.
There are a couple of manual techniques for preventing hotlinking, but the easiest way is to let a WordPress security plugin do the job.
The All In One WP Security & Firewall plugin includes built-in tools specifically for stopping hotlinking.
DDoS Attacks
This is a very common attack on server bandwidth: the attacker uses many systems and programs to overload the server.
Such an attack does not really jeopardize the site’s files, but it will keep the site down for an extended time if it is not resolved.
We generally hear of such attacks happening to huge companies, carried out by cyber terrorists whose sole motive is to create havoc.
That said, it is not just the Fortune 500 that is in danger. If this worries you, we suggest you sign up for a CloudFlare or Sucuri premium plan.
They offer web application firewalls that analyze the bandwidth being used and block DDoS attacks completely.
B) Always Secure the WordPress Website by Blocking Brute Force Strikes and Protecting your Login Page
We all know the URL of the WP login page, which is the door to the back end of your site. That is why people attempt to brute force their way into the site: all it takes is adding “/wp-admin/” or “/wp-login.php” to the end of the domain name, and they’re all set.
We suggest that you customize the URL of your login page and how the page responds. This is the first step we take when we begin securing a website.
Why? Because it is mostly the user’s fault when a site gets hacked, and as the owner of a website you have a few responsibilities to take on.
So the main question remains: what are you doing to save your website from falling prey to hackers? Stopping brute force strikes and securing your login page are the first things you should get done.
Here are a couple of suggestions that will help you secure your WordPress site’s login page.
Features for Website Lockdown as well as Banning Users
A feature that locks down the site after failed login attempts can be a major problem solver, especially for persistent brute force strikes.
Whenever someone attempts to log in with repeated incorrect passwords, the website gets locked, and you are notified of the unauthorized activity immediately.
In our view, the iThemes Security plugin is by far the best you can get. We have been using it for some time now, and it has plenty to offer.
It provides more than 30 WordPress security measures and lets you set the number of failed login attempts allowed before the attacker’s IP address is banned.
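To show what a lockout feature like the one described above does under the hood, here is an added example of a minimal must-use plugin (not code from the original post or from iThemes Security); the limits, function names and email wording are assumptions.

```php
<?php
/**
 * Plugin Name: Simple Login Lockout
 *
 * Added example, not code from the original post or from iThemes Security.
 * Save as wp-content/mu-plugins/simple-login-lockout.php. After SLL_MAX_FAILURES
 * failed logins from one IP address inside SLL_LOCKOUT_WINDOW seconds, further
 * logins from that address are rejected for the rest of the window and the site
 * admin is emailed once. The limits, names and email wording are assumptions.
 */

const SLL_MAX_FAILURES   = 5;
const SLL_LOCKOUT_WINDOW = 15 * MINUTE_IN_SECONDS;

function sll_client_ip(): string
{
    // REMOTE_ADDR is the only address the web server itself vouches for. Behind a
    // proxy or CDN, resolve the real client address in wp-config.php rather than
    // trusting X-Forwarded-For here, or each attempt can claim a fresh address.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function sll_failure_key(string $ip): string
{
    return 'sll_failures_' . md5($ip);
}

// Count a failed attempt; when the limit is reached, notify the site admin once.
function sll_record_failure(string $username): void
{
    $ip       = sll_client_ip();
    $key      = sll_failure_key($ip);
    $failures = (int) get_transient($key) + 1;
    // Re-setting the transient restarts the window on every new failure.
    set_transient($key, $failures, SLL_LOCKOUT_WINDOW);

    if ($failures === SLL_MAX_FAILURES) {
        wp_mail(
            get_option('admin_email'),
            sprintf('[%s] Login lockout for %s', get_bloginfo('name'), $ip),
            sprintf("%d failed logins from %s (last username tried: %s)\n", $failures, $ip, $username)
        );
    }
}
add_action('wp_login_failed', 'sll_record_failure');

// Reject authentication while the address is locked out. Priority 40 runs after
// WordPress's own credential checks (priorities 20 and 30), so a correct
// password cannot overwrite the lockout error with a logged-in user.
function sll_check_lockout($user, $username, $password)
{
    if ((int) get_transient(sll_failure_key(sll_client_ip())) >= SLL_MAX_FAILURES) {
        return new WP_Error(
            'sll_locked_out',
            sprintf('Too many failed logins. Try again in %d minutes.', SLL_LOCKOUT_WINDOW / MINUTE_IN_SECONDS)
        );
    }
    return $user;
}
add_filter('authenticate', 'sll_check_lockout', 40, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function (): void {
    delete_transient(sll_failure_key(sll_client_ip()));
});
```

Attempts made during a lockout still fire wp_login_failed, so each one restarts the window; a per-address counter does nothing against an attack spread over many addresses, which is where the user-side measures in the rest of this section come in.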
Two-factor Authentication (2FA)
Adding a 2FA module to your login page is an excellent security measure. Here, the user proves their identity with two separate components, and the site owner decides which two to use.
You can use a password along with a secret question or a code, or a one-time code generated by an app such as Google Authenticator, which delivers the confidential code to a device of your choice (your phone).
So only the person holding your phone, which is almost certainly you, can use that code to access the website.
We prefer a confidential code whenever we deploy 2FA on any of our websites. Google Authenticator makes it very convenient, with just a couple of clicks.
Utilizing Email in Order to Log-in
By default, you are asked to enter your username to log in to a WordPress website. Using your email address instead is a more secure approach, and I’m sure you know why: usernames are extremely predictable, and email addresses aren’t.
Since a WP account is created with a unique email address, that address makes a reasonable identifier to log in with.
Various WordPress security plugins let you set up the login page so that users must use their unique email address to log in.
Renaming the Login URL
Changing your login URL is a very simple process. By default, you reach the WP login page by adding wp-admin or wp-login.php to your website’s main URL.
If a hacker knows the URL of the login page, he will try his best to brute force his way into the website, attempting to log in using GWDs.
This means they use a database filled with commonly guessed usernames and passwords, such as username: administration and password: passcode. They have zillions of such combinations.
So far, we have limited login attempts and switched usernames to email addresses. If you now change your login URL as well, you can avoid up to 99% of brute force strikes.
This trick may seem small, but it is very useful for keeping unauthorized users away from your login page. Now only someone who has the correct URL can reach it.
This is one of the simplest methods available. If you wish to change the login URL, the WPS Hide Login plugin can be used.
The name says it all, and it is extremely straightforward: enter the new URL and save the changes. The URL can be anything you prefer.
Adjusting Password
Use varied passwords and change them regularly to secure the WordPress website. You can also strengthen a password by adding a couple of extra words that make it longer.
We advise adding lowercase and uppercase letters, special characters, and numbers to your passwords. We have also noticed that many people use lengthy passphrases.
They reason that hackers would not be able to guess such long passphrases, and a passphrase is also much easier to remember than random letters and numbers.
Using complex phrases is, most of the time, safer, and they are also much easier to recall.
Utilizing Password Manager
We all know that we should change our passwords as often as possible, and that these passwords should be nearly impossible to crack. Knowing what must be done does not mean we get it done, usually because we do not have the time for it.
Using a quality password manager is essential. These managers generate secure passwords on your behalf and store them in a protected vault, which saves you the stress of remembering them.
Removing Idle Users Automatically
It is a severe WordPress security threat when users walk away leaving the WP admin panel open on their screens. A passerby can easily change information on the site, tweak a user account, or even break the site altogether.
This can be avoided by making sure that users who have been idle for an extended period are logged out of the site.
You can use a plugin for this. A couple of plugins are available; we use BulletProof Security.
It is an excellent plugin that lets you set a customized time limit for idle users. The plugin automatically logs out inactive users after the specified time limit.
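As an added example (not code from the post or from BulletProof Security), here is a minimal must-use plugin that implements the idle logout just described, including the dashboard heartbeat edge case; the 20-minute limit, the meta key and the function names are assumptions.

```php
<?php
/**
 * Plugin Name: Idle Session Logout
 *
 * Added example, not code from the original post or from BulletProof Security.
 * Save as wp-content/mu-plugins/idle-session-logout.php. Stores the time of
 * each logged-in request in user meta and ends the session once the gap since
 * the previous request exceeds ISL_IDLE_LIMIT. Limit and meta key are assumptions.
 */

const ISL_IDLE_LIMIT = 20 * MINUTE_IN_SECONDS;
const ISL_META_KEY   = 'isl_last_activity';

function isl_enforce_idle_limit(): void
{
    if (!is_user_logged_in()) {
        return;
    }
    // The dashboard polls admin-ajax.php ("heartbeat") every minute or so while a
    // tab is open. Those polls must not count as activity, or an abandoned
    // dashboard would never go idle, which is exactly the case described above.
    $is_heartbeat = wp_doing_ajax() && (($_POST['action'] ?? '') === 'heartbeat');

    $user_id = get_current_user_id();
    $last    = (int) get_user_meta($user_id, ISL_META_KEY, true);
    $now     = time();

    if ($last > 0 && ($now - $last) > ISL_IDLE_LIMIT) {
        delete_user_meta($user_id, ISL_META_KEY);
        wp_logout(); // clears the auth cookies and fires wp_logout for audit plugins
        if ($is_heartbeat) {
            // No redirect for a background poll; the admin screen's own auth check
            // notices the dead session and shows the re-login prompt.
            wp_send_json_error(['reason' => 'idle_logout']);
        }
        wp_safe_redirect(add_query_arg('idle_logout', '1', wp_login_url()));
        exit;
    }

    if (!$is_heartbeat) {
        update_user_meta($user_id, ISL_META_KEY, $now);
    }
}
add_action('init', 'isl_enforce_idle_limit');

// Tell the user on the login screen why the session ended.
add_filter('login_message', function ($message) {
    if (isset($_GET['idle_logout'])) {
        $minutes  = (int) (ISL_IDLE_LIMIT / MINUTE_IN_SECONDS);
        $message .= '<p class="message">You were logged out after ' . $minutes
            . ' minutes of inactivity.</p>';
    }
    return $message;
});
```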
C) Always Secure the WordPress Website via Admin Dashboard
Hackers find the admin dashboard the most intriguing part of your website. It is one of the most secured and protected segments of all, so attacking the strongest segment is a great challenge for them.
If they manage to succeed, the hacker gets a sense of moral victory as well as the access needed to damage plenty of things.
There are a couple of things you can do to secure the admin dashboard of your WordPress website:
WP – Admin Directory Must be Protected
This is unquestionably the most important part of the WordPress website, so if it gets hacked, your entire website is at high risk of damage.
To avoid this, you can password protect the directory. With this WordPress security measure, website owners reach their dashboards only after providing two passwords: one protects your login page, while the second secures the WP admin area.
Setting this up generally involves a few adjustments to the hosting setup through cPanel. The process is not difficult as long as you follow the correct steps.
Encrypt your Data by Using SSL
Using an SSL certificate is definitely a wise move for protecting your admin panel. An SSL certificate protects all data transfers between the server and users’ browsers.
This makes it extremely difficult for attackers to breach your connection or spoof your information.
Getting an SSL certificate is extremely simple. Today many hosts offer this certificate absolutely free, but if your host doesn’t, you can buy one from any third-party firm.
We use Let’s Encrypt, which is open-source and offers a free SSL certificate for any site. All great hosting companies offer free SSL certificates along with their hosting plans; SiteGround, for instance.
An SSL certificate also affects a site’s Google ranking: Google ranks websites with SSL certificates a bit higher than those without one.
This means that websites with an SSL certificate receive more traffic, which improves their chances with potential customers. I don’t know of a single person who wouldn’t want to be in that situation.
Enabling SSL on the WordPress website is extremely simple. Mostly, you just install a plugin like Really Simple SSL and click to activate it. That is all that is required, with no other settings to fuss over.
Adding User Accounts
Suppose you run a WP blog with multiple authors. You will find yourself dealing with various people who need admin panel access, which can make the website very vulnerable to WordPress security threats.
Various plugins are available; we use Force Strong Passwords. With it, you can ensure that the passwords these users create are extremely secure. This is an additional precaution, but it is far better than being at risk from multiple users with weak passwords.
Changing of the Administrator Username
When installing your WordPress website, we suggest that you avoid selecting ‘admin’ as the username for the administrator account. This username is easily guessed and is probably the first thing many hackers try.
Once they have your username, they are one step away from entering your website. They run through various combinations of passwords, and if any of them matches, your website will be in the wrong hands.
Let me tell you, there have been plenty of times when we have gone through our website logs and found plenty of attempts to log in with ‘admin’ as the username.
The iThemes Security plugin is very helpful in blocking such attempts: it immediately bans any IP address that tries to log in with that particular username.
File Monitoring
If you feel your site requires additional WordPress security plugins, you can use plugins that monitor the WP files and make the necessary adjustments to them. You can use Wordfence or, as I mentioned, our favorite, iThemes Security.
D) Always Secure the WP Site via the Database
Your website’s information and data are saved in your database, so protecting it is vital. There are a couple of things you can do to increase its security:
Changing the Prefix of the Database Table
Those of you who have installed WP will know about the WP table prefix used by the WP database. We suggest that you change it to something more unique.
When you use the default prefix, your website’s database becomes more prone to attacks like SQL injection. These attacks can be avoided simply by changing the “wp_” prefix to something more unique, such as wpnew or mywp.
If your WP website is already set up with the default prefix, you can use a couple of plugins to modify it. iThemes Security or WP-DBManager will get the job done with just a couple of clicks.
Note: always make sure you have backed up your website before you begin doing anything to your database.
Regular Backups
You may consider your WP website extremely secure, but there is always room for improvement. We feel that an offsite backup is one of the best antidotes in case the unexpected happens.
If your site has a backup, recovery is easy: you can quickly restore the WP website to its working state with no hassle at all. A few plugins will assist you with this.
If you want a premium solution, we suggest VaultPress. This plugin is simply amazing; I say this from experience, as we are currently using it.
It generates backups for us every week. If something goes wrong, we can restore the entire site with a couple of clicks and with much ease.
We know a couple of large websites that even run hourly backups, although many organizations find this excessive and unnecessary. Also remember to delete old backups after making a new one,
because the backup files take up a lot of drive space. With that said, we always suggest monthly backups, but if your business requires more frequent backups, you can always go for weekly ones.
In addition to backups, VaultPress scans our website for malware and alerts us if it finds anything, especially if something shady is happening.
Setting Strong Passwords
A strong password is very important, especially for your main database. This is the password WP uses to get access to the database.
Follow the standard drill most of us use: special characters, numbers, and lowercase and uppercase letters. As discussed earlier, passphrases are also an excellent option; because they are lengthy, hackers may find them difficult to crack.
Once again, we suggest LastPass for storing and generating random passwords. You can also use another tool that is quick and free, Secure Password Generator, to make strong passwords.
Monitoring Audit Logs
Suppose you run and manage a multi-author site or a WP multisite. Then it is extremely important to be aware of the activities of your many users. All your contributors and writers may change their passwords, but there are various other things you definitely want to avoid.
For example, widget and theme tweaks are for admins only. By inspecting the log, you can ensure that none of your contributors or admins are making major changes to your website without your permission.
WordPress Security Audit Log is a plugin that offers a complete list of all activities, along with reports and email notifications.
The log also helps you find out whenever a contributor or writer is having trouble logging in, and the plugin will at times also display malicious activity by any of your visitors.
E) Always Secure the WP Website via Plugins and Themes
Plugins and themes are very important to your WP website, but at times they can pose security threats. Let’s look at how to protect your WP plugins and themes properly:
Regularly Updating the WordPress Security
The developers of any good software support their product by offering regular updates to their users. These updates mainly focus on fixing bugs, and many times they also deliver essential security patches. WordPress and all its plugins offer updates in the same way.
If you fail to update your plugins and themes, you can be in trouble. Most hackers actually depend on you neglecting to update your software; they thrive on people who are negligent about such updates.
We have also seen many times that hackers exploit bugs that have already been fixed.
Whatever WP products you use now or plan to use in the future, make sure to update the themes, plugins, and everything else regularly.
We are glad to say that WP sends out updates automatically to its users, so you will receive an email notification about the latest updates, along with information on the fixes, in your dashboard.
Plugins, by contrast, need to be updated manually, which can be done from the Plugins page of your dashboard.
As soon as a plugin has a new version, you will be notified, with a link that lets you update the plugin immediately.
Another option is a managed WP hosting plan. These plans offer multiple features and improvements for your WordPress security, and a quality hosting plan provides automatic updates for every aspect of the WP site.
Companies offering managed hosting plans include SiteGround, Kinsta, and Flywheel.
Removal of the WP Version Number
At the moment, your WP version number is easily found: it sits in your website’s page source and is also shown at the bottom of your dashboard. That is not something you want when securing a WP website.
If a hacker knows which version of WP you use, it is a piece of cake for them to custom-build the perfect attack on your website.
The version number can be hidden with most of the WordPress security plugins mentioned above. If you prefer a manual approach, you can add a few functions to your theme’s functions.php file.
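Here is an added example of the manual approach (not code from the original post) for the theme’s functions.php: it removes the version from the page head, the feeds and the ?ver= query strings on core assets. The helper function name is an assumption.

```php
<?php
// Added example, not code from the original post: hide the WordPress version
// from the places where a visitor can read it. Put it in the active theme's
// functions.php (or an mu-plugin). The function name is an assumption.

// 1. The <meta name="generator"> tag in page heads and the <generator> element in
//    RSS/Atom feeds are both produced by the_generator(); blank them.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 2. Core stylesheets and scripts are enqueued with ?ver=<WordPress version>,
//    which leaks the version even after the generator tag is gone. Only the core
//    version string is stripped, so plugin and theme cache-busting is unaffected.
function hide_core_version_from_assets(string $src): string
{
    parse_str((string) wp_parse_url($src, PHP_URL_QUERY), $args);
    if (($args['ver'] ?? '') === get_bloginfo('version')) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'hide_core_version_from_assets');
add_filter('script_loader_src', 'hide_core_version_from_assets');

// 3. The "Version x.y.z" text at the bottom right of the dashboard. Only logged-in
//    users see it, so this is cosmetic, but it is the spot the post mentions.
add_filter('update_footer', '__return_empty_string', 11);
```

WordPress also ships a readme.html in the web root that states the version, so delete that file as part of the same clean-up and check again after each core update, since updates restore it.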
Final Thoughts
All the information shared so far may be a lot to take in, especially if you’re a newcomer. But everything we have mentioned is an appropriate step toward securing your WP website. You can also check our article on Reselling Hosting: Reseller Account vs. Dedicated Server.
We have been in this business for a long time, and this article was written to benefit those who are just getting started. Everything shared here comes from multiple years of experience.
To be honest, initially we had our own share of good and bad. Over the years, after numerous lessons learned, we have picked up the tricks of the trade.
We are glad to share our experience with our readers. I am sure each of you cares a lot about the security of your WordPress sites. The higher the security level, the harder it becomes for hackers to attack your website.
I agree that the security of your website is of utmost importance. However, in addition to website security, you must also pay great attention to its performance.
If your website does not load as quickly as it should, visitors will not wait to view the content. In every review, we emphasize that people don’t have time to wait around for a website to load.
Statistics show that users leave a website if it takes more than two seconds to load.
I would like to point out a few resources that could prove very helpful for performance, so that your website always loads at lightning-fast speeds:
- Always use a good quality CDN. If you look closely, there are a couple available for free.
- Tune up a couple of things on your website that will help speed it up.
We have shared every trick we use to increase the security of our websites, and we are glad to share these tips with you too. That’s all for now! Do share your thoughts with us; thanks.