Over 100,000 websites are targeted by hackers each day! Because of that, it is crucial to keep your WordPress site safe. Your website could be one of those websites at any given time. WordPress is pretty secure. However, many WordPress sites are the victim of hacking. This is less to do with WordPress itself and more to do with how you, as a webmaster, look after your site and set up your security.
Even if you made sure your site was secure when you launched it, keeping up with security maintenance will ensure that your site is appropriately protected at all times.
Before we start, it’s a good idea to get grips with some of the common security issues WordPress sites have:
- Brute Force Attacks – Brute Force Attacks are the reason that having a strong password is important. An attacker will enter login information over and over until they get the right login combination to access your WordPress site.
- Malware – Short for malicious software, malware is code that is used to gain unauthorized access to a website to collect sensitive data belonging to the business owner and their customers or contacts.
- File Inclusion Exploits – File Inclusion Exploits happen when unsecure code is used to load remote files, which will give hackers access to your website. This will also provide them with access to your wp-config.php file, which is essentially the backbone of your WordPress installation. If this file is compromised, hackers can access database login information and encryption security.
- SQL Injections – SQL injections are an attack on your WordPress database, whereby the attacker gains access to your database and, therefore your data. When this happens the attacker will be able to add and change the data, which may include malicious links and spam.
What Happens When Your Security Is Compromised?
Hackers can steal your data and any data belonging to your customers, leaving this data exposed. Malware could be distributed from your site to your visitors which can damage your SEO ranking as well as your brand reputation. And finally, your whole site could be wiped, which, if it isn’t backed up could cause you some serious problems.
Now, the big question is, how can you make your site safe from hackers? For WordPress sites there are a number of ways you can make your website more secure. In this guide I am going to show you some of the basic security changes you can make, all the way through to the more in-depth WordPress security features. Let’s dive in.
What Are Basic Security Settings?
Most sites don’t even have the basics covered, and that makes for pretty sloppy protection. Here we will cover the basic things you can do to tighten up your WordPress security.
1. Strong Credentials
It may sound silly, but making sure you have a strong password is your first line of defense. Today people are still using passwords like Password123 which offers very little protection. It may be tempting to use your username or even email address as your password, but don’t!
A strong password will be different to your username and/or email and include capital letters as well as lowercase letters, numbers, and special characters (e.g. !,*,%).
Similarly, you might be surprised to learn that many people are using admin as a username. If you are, it’s time to change it.
2. Secure hosting that uses a secure connection
Web hosts are responsible for the security of your website just as much as you are. Nowadays hosting is provided via cloud hosting or shared hosting (check best cheap WordPress hosting options). Cloud hosting hosts multiple websites across multiple servers whereas shared hosting will host multiple websites over one server.
Cloud hosting is valued for its higher level of reliability and security because it doesn’t require sharing limited resources across multiple sites. That’s the issue with shared hosting starts and when hosts pile more websites than the server can handle, this leaves sites vulnerable.
That’s not to say that shared hosting is bad. Responsible hosts will always use a secure connection and never give a server more than it can handle. Now might be a good time to check on your host and find out whether you need to make a switch.
3. Two-Factor Authentication
A simple security fix is to enable two-factor authentication upon logging into your dashboard. This will add an extra layer of security to your website and is very easy to enable in your settings.
Authentication is usually a code via SMS or email. Some find it annoying to have to go through an extra step to log in but it’s worth it for the extra protection.
3. SSL Certificates
Not sure if your site has an SSL certificate? A site that has an SSL will feature https:/ at the start of their web address and often your browser will say that the site is insecure. SSL certificates let web visitors know that your site is secure so their data is protected when using your site.
Most hosting providers now include SSL certificates in their subscription costs but if you haven’t got one you can pay for one via your host or you can use free Let’s Encrypt certificate (see how to manually add free SSL to WordPress site).
As a website owner, you should check for different SSL types while selecting an SSL certificate for your website.For example, if an ecommerce website has multiple subdomains then, you should think of getting wildcard SSL certificate.
There are many reputed certificate brands available which can help you to establish the trust on the site like AlphaSSL, Comodo, GlobalSign, DigiCert. You can choose anyone as all are reputed brands serve authenticated SSL certificates.
4. Backup Your Site
No matter how strong your site security is, it will never be 100% bullet-proof. It’s for this reason that backing up your site (see WordPress backup plugins compared) is one of the absolute musts in website security. Should the inevitable arise, you can be assured that you won’t have to start your website from scratch.
You can use a backup plugin like Duplicator (see how to migrate WordPress site using Duplicator), BackupBuddy (check BackupBuddy review), WPvivid (see WPvivid review), 10Web backup (check 10Web review), etc.
Another way you can backup your data is by syncing up any apps or software you use the same data. For example, you can backup your contacts by syncing Mailchimp and Office 365, this will allow you to keep contact data safe and secure.
5. Plugins and Themes
WordPress sites function on themes and a lot of plug-ins which also require updates. These updates are imperative for keeping your site working smoothly but also to fix any bugs or issues within their software. So many businesses have websites that are running on older versions of software, and they don’t even know it.
Another issue is using nulled themes and plugins, these contain modified code and aren’t trusted. Using nulled plugins can put your site at risk.
6. Update Your PHP Version
Any site that runs a very old version of PHP is exposed to security risks. An out of date PHP can leave your WordPress site vulnerable. It’s a good idea to check that yours is running on the latest PHP version. You can find your version by checking the header request on your site, using a various plugin, or via your cPanel if your hosting uses it.
7. Tightening up your admin area
The WordPress admin area essentially gives the user the ability to access and perform certain tasks on your site and is often left unprotected. For this reason it is the most commonly targeted area of a WordPress site.
You can tighten up the security on this by adding extra authentication measures to your admin directory. You can add two-factor authentication and put a limit on login attempts to add another layer of security and deter hackers.
You can go a step further and change the WordPress login URL. The default URL for WordPress sites is domain.com/wp-admin or /login.php which makes it easier for hackers to attempt brute force attacks on your admin login.
Although it isn’t a huge security fix, changing the URL does make it difficult for attackers to access the site. You can change your login URL using a plugin like iThemes Security (see iThemes Security vs WordFence comparison), Hide My WP (check Swift Performance vs Hide My WP comparison), etc.
How To Implement Stronger Security?
Here are some recommendations for a higher level of security for WordPress site.
1. Install a WordPress Security Plugin
You might be wondering if there’s a nifty plugin you can install to help make security a weight off your shoulders and the good news is that there are many. The benefit of using these plugins is their various features all well as the option to scan your WordPress installation for any modified files which may indicate a hacking attempt. These plugins also feature:
- WHOIS information on site visitors
- Two-Factor Authentication
- Malware Scanning
- Password expiry – forcing you to reset your password after a set amount of time.
- WordPress Security Firewalls
While they may not solve all of your security problems, a plugin can help add another layer of defense and prevent hacking attempts. I recommend considering the following plugins: Sucuri, Jetpack Security, iThemes Security Pro, BulletProof Security, Wordfence, MalCare (see MalCare review), etc.
2. Hide Your Version of WordPress
The less information is available about you and your website configuration, the harder it is for hackers to target you. Hiding your site version will prevent hackers from identifying your site as running on an older version.
A simpler solution is to ensure that your website is always up to date but if you want to take precautions you can hide your WordPress version by adding code to your theme’s functions.php file.
3. File Permissions
File permissions are a set of rules used by your webserver to control access to the files on your site. Having the wrong permissions can stop your site functioning but they can also allow hackers to access and rewrite and change these files.
The recommended values for file permissions are as follows: All files should be set at 644 and all directories should be set at 755 or 750. Directories should never be set at 777.
4. Database Security
Your database will be named whatever your website is named. So if your site is called richie rich, your database will be named wp_richierich. By changing this to something unrelated it stops hackers from being able to guess your database name.
Another way you can tighten security is by changing the default WordPress table prefix. By default, WordPress used wp_ as the prefix it uses to create your database. During installation you can change this prefix and it is recommended you do so to make it harder for hackers to guess your database names.
5. DDoS Prevention
DDoS is a type of denial of service attack which doesn’t harm your website but does take your site down for hours or even days. While this might not cause any harm to your website, it can damage your business if you rely on your website being fully operational at all times. You can prevent a DDoS attack by using third-party security such as Securi or Cloudflare.
6. Protect your wp-config.php file
As I mentioned before, the wp-config.php file is the most important file in your WordPress installation. If compromised the hacker can obtain your database login which will give them complete access to your website.
This might sound scary but don’t worry, you can tighten up security on your wp-config.php file by changing the file permissions. Files in the root directory are usually set to 644 which allows the owner to read and write the files and is readable by users in the group owner and everyone else.
If you want to deny access to other uses the files should be set to 440 or 400. It is worth keeping in mind that certain hosting platforms will have different permissions. This is because the user doesn’t have permission to write the files. In this case it’s a good idea to contact your hosting provider to be sure what the permissions are.
Keeping Your WordPress Site Safe
There are many reasons why WordPress sites get hacked. Cleaning up a hacked WordPress site isn’t impossible but by taking preventative measures, you can decrease your chances of having a hacked site so you don’t have to worry about cleaning up your site or, worst-case scenario, building a whole new website.
Jordan Garvey is a freelance content writer and website designed based in the UK, with seven years of experience in the field. When she isn’t writing for clients, you can find her writing short stories.
DISCLOSURE: Posts may contain affiliate links. If you buy something through one of those links, I might get a small commission, without any extra cost to you. Read more about it here.