How to Secure your WordPress Website in 8 Easy Steps
I am sure you love the WordPress framework; I do. It is the only CMS framework powering more than 58% of the total CMS market share.
But did you know that WordPress websites are soft targets for hackers? Sucuri's research reports that more than 75% of the WordPress websites in its 11k+ website scans were infected!
Isn't that a damn high ratio? You need to pay attention to this security concern before your website becomes a victim of such attacks.
Don't panic; not every WordPress website gets hacked. But you need to be proactive and follow some security precautions to save your website from being hacked.
This article will help you secure your WordPress website in the easiest way possible. The steps mentioned here will make hacking your website a tough job.
So, let’s start our journey of securing your WordPress website:
Update everything: update your themes, plugins and the WordPress framework. Be on the latest version of everything.
WordPress is an ever-evolving, open-source, community-driven CMS framework. It is actively developed and maintained, and the community regularly releases framework updates.
There are two kinds of updates. Minor updates are security patches to the existing framework version. Major updates are major framework releases.
It is suggested that you keep your WordPress website updated regularly. Minor updates take place automatically, whereas you need to update your WordPress framework manually for major updates.
You will get a notification on your WordPress dashboard when a major update is available. You just need to hit the update button and the update will take place. It's that easy.
WordPress plugins are one of the main sources of hack attacks. Security research suggests that poorly coded plugins have the highest likelihood of containing vulnerabilities.
Improper implementation and poor code leave back doors, which are an easy way for a hacker to get into your website.
Make a habit of installing and activating only those plugins which you actually use. Uninstall any plugins that you are no longer using.
Install only those plugins which have a regular update cycle and offer timely updates. Update your plugins as soon as an update is available.
It is always a good idea to keep your themes and plugins up to date. And please make sure you delete all unused plugins on a regular basis.
Any good theme will offer updates. Keep your themes up to date. It is safe to update your themes, although there is a lower possibility of a hack attack due to a theme.
As I said for plugins, it is always a good idea to remove all unnecessary third-party themes from your website. Keep the latest default WordPress theme and the theme you are currently using on your website.
Limiting the number of themes and plugins will make your website maintenance tasks really easy and fast.
Limit login attempts
Did you know that you can try your WordPress admin login as many times as you want? Yes, you can: try logging into the admin with fake credentials for a while.
Now consider a case where someone knows your username: they can try password combinations one after another until they log in to your system!
You need to focus on two things. First, use a strong password, one that is hard to predict and long enough to make an automated password cracker's job even harder.
The second thing is to limit the number of login attempts. What if you have my username, but I limit the failed login attempts to five, and after that the account gets locked for some time?
Well, it would probably keep those automated login attacks away from your website. You need to install the wp-limit-login-attempts plugin for this task. Set the failed login attempt threshold and you are good to go.
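As an added example (not code from the original article or from the plugin it recommends), here is how the lockout described above can be built from core WordPress hooks as a must-use plugin; the threshold of five attempts, the 15-minute window and the mu-plugins location are assumptions.

```php
<?php
/*
 * Plugin Name: Login Attempt Limiter (example)
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 */

// Assumed policy: five failed attempts within 15 minutes lock the
// (username, client IP) pair out until the window expires.
const LAL_MAX_ATTEMPTS = 5;
const LAL_WINDOW_SECS  = 15 * MINUTE_IN_SECONDS;

// One transient per username/IP pair, so a lockout for one username
// does not block every other visitor coming from the same address.
function lal_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lal_' . md5( strtolower( $username ) . '|' . $ip );
}

// Count each failure; WordPress fires wp_login_failed on bad credentials.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = lal_key( $username );
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, LAL_WINDOW_SECS );
    if ( $attempts >= LAL_MAX_ATTEMPTS ) {
        error_log( sprintf( 'Login lockout for "%s" after %d failures', $username, $attempts ) );
    }
} );

// Refuse authentication while the pair is locked out. Priority 30 runs after
// core's password check (priority 20), so a correct password cannot bypass the
// lockout. Returning an error fires wp_login_failed again, which extends the
// window for as long as attempts keep coming.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user;
    }
    if ( (int) get_transient( lal_key( $username ) ) >= LAL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that pair.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( lal_key( $user_login ) );
}, 10, 1 );
```

If your site sits behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, so the counter must be keyed on the real client IP that the proxy forwards.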
Specific IPs to access admin area
Let's now make your admin area access more secure. Do you have a public static IP address for your internet connection?
If your answer is yes, then there is good news for you. We can place a filter that allows only your IP address to log in and access the admin area.
Create an .htaccess file in your web server's public_html root and add the following code to it. Please replace 192.168.1.1 with your actual IP address.
# Block the login page for everyone except the listed addresses (Apache 2.2 syntax;
# on Apache 2.4 the Order/Deny/Allow lines can be replaced with "Require ip 192.168.1.1").
<Files wp-login.php>
    Order Deny,Allow
    Deny from all
    # Your 1st IP address
    Allow from 192.168.1.1
    # Your 2nd IP address
    Allow from 192.168.1.1
</Files>
Change default users
Using admin as a username is a poor choice, and using admin as the password as well is like sending hackers an open invitation to hack your site.
There are many WordPress installations where an admin user account still exists. Please add another user and remove the admin user.
If you have multiple users registered on your WordPress website, please force them to use stronger passwords for their accounts. It strengthens your website even further.
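As an added example (not from the original article), a must-use plugin that enforces the password policy this section asks for on profile edits, new dashboard-created users and password resets; the minimum length of 12 and the rule that a password may not contain the username or the word "admin" are assumptions.

```php
<?php
/*
 * Plugin Name: Password Policy (example)
 * Place in wp-content/mu-plugins/ so it cannot be deactivated from the dashboard.
 */

// Assumed policy: at least 12 characters, and the password must not contain
// the account's username or the word "admin" (case-insensitive).
const PP_MIN_LENGTH = 12;

// Returns a human-readable problem, or null when the password is acceptable.
function pp_password_problem( $password, $username ) {
    if ( strlen( $password ) < PP_MIN_LENGTH ) {
        return sprintf( 'Passwords must be at least %d characters long.', PP_MIN_LENGTH );
    }
    $lower = strtolower( $password );
    if ( $username !== '' && false !== strpos( $lower, strtolower( $username ) ) ) {
        return 'The password must not contain your username.';
    }
    if ( false !== strpos( $lower, 'admin' ) ) {
        return 'The password must not contain the word "admin".';
    }
    return null;
}

// Profile edits and users created from the dashboard (user-edit.php, user-new.php).
// $user->user_pass holds the new plaintext password only when one was submitted.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return;
    }
    $problem = pp_password_problem( $user->user_pass, (string) $user->user_login );
    if ( $problem ) {
        $errors->add( 'weak_password', '<strong>Error:</strong> ' . $problem );
    }
}, 10, 3 );

// Password resets via the "lost password" form (wp-login.php?action=rp).
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( ! isset( $_POST['pass1'] ) || ! ( $user instanceof WP_User ) ) {
        return;
    }
    $problem = pp_password_problem( (string) $_POST['pass1'], $user->user_login );
    if ( $problem ) {
        $errors->add( 'weak_password', '<strong>Error:</strong> ' . $problem );
    }
}, 10, 2 );
```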
Two step authentication
You must be familiar with two-step authentication systems. They are used by the majority of banking and financial transaction services. We know this process better as OTP.
What if we deploy two-step verification on your website? It's easy: you need to install the JetPack plugin and configure two-step verification under its settings.
This will also help you stay secure against those fake login attempts.
Google Webmaster is one of the essential tools for webmasters. It shows you the health, index and spam status of your website.
Google Webmaster gives you an alert in case your website is under a malware attack. There is a section for your site's health where you can see those details.
Additionally, you can submit a sitemap.xml file to Webmaster to help Google find and index your website. If you have a Google account you can easily sign up for a Webmaster account.
Add an extra security layer
WordPress has a nice collection of security plugins you can add to your website. These plugins help you keep your website secure and malware-free.
Wordfence is one such plugin. The free version of this plugin is worth installing. It helps you keep the bad bots away, enforces strong passwords, and performs security scans. It also makes you aware of the latest security vulnerabilities.
It is always a good idea to check your website for malware. Malware is malicious code injected by a hacker that changes the behavior of your website.
It affects your search ranking, and if your business depends on search and rankings you should probably focus on this.
WordPress is indeed a very popular CMS framework, but it is a soft and easy target for hackers. We have shown you eight easy ways to make your WordPress website secure.
Darshan is the founder of AlphansoTech, a WordPress development company. He loves to write detailed and action-oriented WordPress guides that help WordPress owners manage their websites better. He is a web and WordPress developer by profession. You can connect with him on LinkedIn and Twitter.