It comes as no surprise that having your website hacked can be a nightmare. But how can you avoid being hacked? Well, this is where WordPress security comes into play. Security is no joke. A hacked or compromised website can cost you money and hurt your business.
But what many people don’t know is that WordPress security is not only an essential part of setting up your website; it is an ongoing process, not something you set up once and then forget. Everything from choosing a strong password to keeping regular backups is needed to make your website harder to break into.
In this article, we cover practical tips for WordPress security, so that your website stands a chance against the ever-evolving tricks of modern-day attackers.
Use secure web hosting
One of the most important things to think about when setting up a website is hosting. Where will your website be hosted? And let’s be honest, not all web hosting platforms are equal.
Rocket.net is an all-in-one WordPress platform optimized for and delivered by Cloudflare Enterprise. With a built-in CDN and WAF, every WordPress install is delivered as fast and securely as possible. WAF stands for web application firewall: an always-on filter that inspects incoming HTTP requests and blocks attack traffic and bots before they ever reach WordPress, and Rocket.net layers two such firewalls in front of your site. Rocket.net also includes malware protection and automatic updates.
Whether you are already considering Rocket.net or are still shopping around, don’t pick on price alone. Your website is your window to the world, so don’t cut corners: do your research and opt for a well-established company with strong security measures built into its platform, such as isolation between customer sites, a web application firewall, automatic patching, and backups you can restore yourself.
Keep WordPress up-to-date
A common problem with many websites is that once they are set up, they are rarely updated. Many small and medium business owners don’t log into their WordPress back-end for weeks or months at a time, which leaves the site more exposed than it needs to be.
Why? Each new WordPress release contains fixes for reported vulnerabilities. Once a fix ships, the details of what it fixed are public, and attackers scan for sites still running the older version so they can exploit exactly that flaw. If you do not update, you are leaving the door open for well-known attacks.
It isn’t enough to update WordPress core alone. Log in regularly and make sure your theme and all your plugins are updated too, and remove any you no longer use: a deactivated plugin’s files are still on disk and can still be reached from the web. In practice, most WordPress compromises come through vulnerable plugins and themes rather than through core itself.
Use a strong password
One survey of hacked WordPress sites attributes around 8% of compromises to weak passwords.
It’s no secret that passwords are vital to your WordPress security, and you’ve probably already realized that the name of your childhood pet is not the best choice. Password-cracking tools and leaked password lists get better every year, and so should your passwords.
We recommend these simple rules when setting up your WordPress password:
- Don’t use a single dictionary word, a name, or a word with obvious substitutions (p@ssw0rd): cracking tools try exactly those first
- Make it long: at least 12 characters, and longer is better. Length matters more than clever symbols; a random mix of letters, numbers and symbols, or a passphrase of several unrelated words, both work
- Never reuse a password from another site; passwords leaked from other breaches are the first thing an attacker tries against your login
Quick Tip: we know it can be overwhelming to remember all your different passwords. Instead of keeping them in your head, in a text file, or in a notebook, try a password manager such as LastPass, a freemium manager that stores your passwords in an encrypted vault synced online. Whichever manager you pick, protect its master password with the same care (and turn on 2FA for the manager itself), because it now unlocks everything.
Avoid using admin as your username
Back in the day, the default WordPress admin username was in fact “admin.” Since the username is half of the login credentials, this gave brute-force attackers a head start: they only had to guess the password. Thankfully, this has changed, and WordPress now lets you choose your own username when you install it on your hosting platform. Bear in mind that a custom username is a small hurdle, not a secret: WordPress exposes usernames through author archive URLs and the REST API (/wp-json/wp/v2/users lists users who have published content), so a strong password and 2FA remain the real defence.
Now, if your username is still “admin” then it’s time to change it. All you need to do is:
- Create a new administrator account for yourself using a different username and password
- Log in with your new administrator account
- Delete the original “admin” account.
If you are hesitating to delete the old account because of its existing posts, don’t worry: when you delete it, WordPress asks whether to attribute all of its content to another user, so pick your new account and nothing is lost.
Limit login attempts
Limiting login attempts can be a pain if you’ve forgotten your password, but it is essential for blunting a brute-force attack: an attacker who gets five guesses per half hour instead of thousands per minute is not going to get far.
The Limit Login Attempts WordPress plugin lets you specify how many retries are allowed and for how long an IP address is blocked once it has used them up. Two caveats apply to any IP-based lockout: if your site sits behind a CDN or reverse proxy (Cloudflare included), make sure the plugin sees the real visitor address and not the proxy’s, otherwise one lockout blocks everyone; and the limit must cover every login path, including XML-RPC (xmlrpc.php), which attackers prefer because a single request can carry many password guesses.
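To make the mechanism concrete, here is an added example of a minimal login limiter written as a WordPress must-use plugin. It is not the Limit Login Attempts plugin’s code. The hooks (wp_login_failed, authenticate, wp_login) and the transient functions are WordPress’s real APIs; the thresholds, the lla_ prefix and the assumption that the site is not behind a proxy (so REMOTE_ADDR is the visitor) are mine.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example)
 * Description: Lock out an IP address after repeated failed logins.
 *
 * Save as wp-content/mu-plugins/login-limiter.php. Must-use plugins load on every request
 * and cannot be switched off from the dashboard, so a hijacked admin cannot disable it.
 */

define( 'LLA_MAX_ATTEMPTS', 5 );      // failures allowed ...
define( 'LLA_WINDOW', 15 * 60 );      // ... within this many seconds
define( 'LLA_LOCKOUT', 30 * 60 );     // lockout length once the limit is hit

function lla_client_ip(): string {
    // Assumption: the site is NOT behind a CDN or reverse proxy. Behind Cloudflare or a
    // load balancer, REMOTE_ADDR is the proxy, so every visitor would share one bucket;
    // there you must read the proxy's own header (e.g. HTTP_CF_CONNECTING_IP), and only
    // for requests that really came from the proxy, since anyone can forge a header.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function lla_key( string $ip ): string {
    return 'lla_' . md5( $ip );   // fixed-length, safe transient name for IPv4 or IPv6
}

// 1. Count failures. 'wp_login_failed' fires for a wrong password and for an unknown
//    username alike, and for every login path that calls wp_authenticate(): the login
//    form, XML-RPC and application passwords.
add_action( 'wp_login_failed', function ( $username ) {
    $key  = lla_key( lla_client_ip() );
    $data = get_transient( $key );
    if ( ! is_array( $data ) ) {
        $data = array( 'fails' => 0, 'locked_until' => 0 );
    }
    if ( $data['locked_until'] > time() ) {
        return;   // already locked; attempts during the lockout do not extend it
    }
    $data['fails']++;
    $ttl = LLA_WINDOW;
    if ( $data['fails'] >= LLA_MAX_ATTEMPTS ) {
        $data['locked_until'] = time() + LLA_LOCKOUT;
        $ttl = LLA_LOCKOUT;
        error_log( sprintf( 'lla: locked %s after %d failed logins (last username tried: %s)',
            lla_client_ip(), $data['fails'], $username ) );
    }
    set_transient( $key, $data, $ttl );   // the transient's expiry doubles as the window
} );

// 2. Refuse to authenticate while locked. Priority 99 runs after WordPress's own
//    password check (priority 20), so even a correct guess is rejected during a lockout
//    and the attacker learns nothing from the response.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $data = get_transient( lla_key( lla_client_ip() ) );
    if ( is_array( $data ) && $data['locked_until'] > time() ) {
        $minutes = (int) ceil( ( $data['locked_until'] - time() ) / 60 );
        return new WP_Error( 'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minute(s).', $minutes ) );
    }
    return $user;
}, 99, 3 );

// 3. A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( lla_key( lla_client_ip() ) );
} );
```

The error_log line is deliberate: it gives a host-level tool such as fail2ban a line to match, so repeat offenders can be dropped at the firewall before they reach PHP at all. Transients live in the object cache if you have one, otherwise in the options table, so the counters survive across requests and across PHP workers.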
Use 2 Factor Authentication (2FA)
2FA means that logging in requires two different kinds of proof: something you know (the password) plus something you have (a phone app or a hardware key) or something you are. Even if your password is compromised, the password alone is no longer enough to pass the authentication check. WordPress websites using WooCommerce or course platform software like LearnDash should really consider adding this extra layer of security, as they hold customers’ personal information, unlike blog-only websites.
There are many 2FA plugins available for WordPress, which support different second factors, including:
- A one-time password (OTP) sent by SMS or e-mail (the weakest option: SMS can be intercepted or redirected by SIM swapping, so prefer an app or a hardware key where you can)
- A phone call
- A time-based code from an authenticator app, usually enrolled by scanning a QR code
- A push notification
- Hardware security keys such as YubiKey, or dedicated token generators such as SolidPass
If you are still unsure how it works, here is a quick example using the Google Authenticator app. First, install the app on your phone and enrol it with the WordPress plugin by scanning the QR code the plugin shows you; the QR code carries a shared secret that both the app and the site keep. From then on, every time you log into your WordPress admin account you will be asked, after your password, for the six-digit number shown in the app. That number is computed from the shared secret and the current time (the TOTP algorithm), so it changes every 30 seconds, and the site recomputes it to check your answer.
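The following is an added example, not code from Google Authenticator or from any WordPress plugin: a stand-alone PHP script that implements the TOTP algorithm the app runs and the server-side check a 2FA plugin performs, using the reference secret from RFC 6238 as a constructed test key. The function names are mine, and it assumes 64-bit PHP (for pack('J')).

```php
<?php
// Added example (not code from Google Authenticator or any WordPress plugin): the TOTP
// algorithm of RFC 6238 as an authenticator app runs it, plus the server-side check a
// 2FA plugin performs. Stand-alone: run with `php totp-demo.php`. Assumes 64-bit PHP.

function base32_decode_rfc4648( string $b32 ): string {
    // The shared secret inside the enrolment QR code is base32 text; the app stores
    // the decoded bytes. PHP has no base32 built in, so decode it by hand.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits     = '';
    foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $ch ) {
        $val = strpos( $alphabet, $ch );
        if ( false === $val ) {
            throw new InvalidArgumentException( "invalid base32 character: $ch" );
        }
        $bits .= str_pad( decbin( $val ), 5, '0', STR_PAD_LEFT );
    }
    $bytes = '';
    foreach ( str_split( $bits, 8 ) as $chunk ) {
        if ( 8 === strlen( $chunk ) ) {       // drop the padding remainder
            $bytes .= chr( bindec( $chunk ) );
        }
    }
    return $bytes;
}

function hotp( string $secret, int $counter, int $digits = 6 ): string {
    // RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then "dynamic truncation":
    // the low nibble of the last byte picks a 4-byte window, whose top bit is cleared.
    $hmac   = hash_hmac( 'sha1', pack( 'J', $counter ), $secret, true );
    $offset = ord( $hmac[19] ) & 0x0f;
    $value  = ( ( ord( $hmac[ $offset ] ) & 0x7f ) << 24 )
            | ( ord( $hmac[ $offset + 1 ] ) << 16 )
            | ( ord( $hmac[ $offset + 2 ] ) << 8 )
            | ord( $hmac[ $offset + 3 ] );
    return str_pad( (string) ( $value % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

function totp( string $secret, int $unix_time, int $step = 30 ): string {
    // RFC 6238: the counter is simply the number of 30-second steps since the epoch,
    // which is why the code in the app changes every 30 seconds.
    return hotp( $secret, intdiv( $unix_time, $step ) );
}

function totp_verify( string $secret, string $code, int $unix_time, int $step = 30 ): bool {
    // Server side: accept the current step and one step either side, so a phone clock
    // a few seconds off still works; compare in constant time. A real plugin must also
    // rate-limit guesses and refuse to accept the same code twice (replay).
    $ok = false;
    foreach ( array( -1, 0, 1 ) as $drift ) {
        if ( hash_equals( totp( $secret, $unix_time + $drift * $step, $step ), $code ) ) {
            $ok = true;
        }
    }
    return $ok;
}

// Constructed test secret: the RFC 6238 reference seed "12345678901234567890", base32-encoded.
$secret = base32_decode_rfc4648( 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' );

// RFC 6238 Appendix B: at Unix time 59 the 8-digit SHA-1 TOTP is 94287082, so a 6-digit
// authenticator app shows 287082. Times 30-59 are the same step; 60-89 the next one.
$checks = array(
    totp( $secret, 59 ) === '287082',
    totp_verify( $secret, '287082', 45 ),      // same step
    totp_verify( $secret, '287082', 75 ),      // next step: tolerated as clock drift
    ! totp_verify( $secret, '287082', 120 ),   // two steps later: rejected
);
echo in_array( false, $checks, true ) ? "self-test FAILED\n" : "self-test passed\n";
printf( "Code for this secret right now: %s\n", totp( $secret, time() ) );
```

Two things this makes visible that the description does not: the code is a pure function of the secret and the clock, so the phone needs no network connection, and the secret is the whole security of the scheme, so a plugin must store it as carefully as a password and never echo it back after enrolment.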
Disable file editing
By default, WordPress lets administrators edit the PHP files of plugins and themes from inside the admin interface (the Theme File Editor and Plugin File Editor). The problem is that this editor is the first thing an attacker looks for after getting hold of an administrator account: paste a few lines of PHP into a theme file and the browser-based editor becomes a web shell with the web server’s full access to the machine.
To disable editing from within the administrative interface, set the DISALLOW_FILE_EDIT constant to true in wp-config.php, above the line that reads “That’s all, stop editing! Happy publishing.”
You can do this over SFTP or your host’s file manager (avoid plain FTP, which sends your credentials in clear text). Once added, logged-in users can no longer edit theme and plugin files from the dashboard. Note that an administrator can still upload a new plugin, which is another way to get PHP onto the server; the stricter DISALLOW_FILE_MODS constant closes that route too, at the cost of also disabling dashboard updates.
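As an added example (not the article’s own snippet), here are the wp-config.php constants a practitioner would set for this section and for the update advice above. Which of the optional ones you enable is your call; plugin and theme auto-updates are toggled per item on the Plugins and Themes screens since WordPress 5.5, not in this file.

```php
<?php
// Added example: hardening constants for wp-config.php. The file already begins with
// <?php; add only the define() lines, above "/* That's all, stop editing! ... */".

// Remove the Theme File Editor and Plugin File Editor from the dashboard. An attacker
// holding an administrator session can then no longer paste PHP into a theme file and
// turn it into a web shell. Files stay editable over SFTP, git or WP-CLI as before.
define( 'DISALLOW_FILE_EDIT', true );

// Stricter variant (assumption: you deploy plugins and themes from the command line or a
// deployment pipeline, not the dashboard). Also blocks installing, updating and uploading
// plugins/themes from the admin UI, closing the "upload a malicious plugin zip" route
// that DISALLOW_FILE_EDIT alone leaves open. Caveat: dashboard updates and the
// background updater stop working, so you must patch another way.
// define( 'DISALLOW_FILE_MODS', true );

// Keep core patched even when nobody logs in for months. 'minor' installs security and
// maintenance releases automatically (the WordPress default); true also applies major
// releases; false turns background core updates off entirely.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
```

After saving, open Appearance and Plugins in the dashboard: the editor entries should be gone. If they are still there, the constants were placed after the “stop editing” line or in a file that is not the one WordPress loads.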
Make sure your website uses HTTPS
HTTPS wraps the traffic between your website and the visitor’s browser in TLS (Transport Layer Security, the successor to SSL; the old name survives in the phrase “SSL certificate”), so that passwords, session cookies and form data cannot be read or altered in transit. Once a certificate is installed and HTTPS is enabled, the browser shows a padlock next to your website address.
As explained by Cloudflare, “HTTPS is encrypted in order to increase security of data transfer. This is particularly important when users transmit sensitive data, such as by logging into a bank account, email service, or health insurance provider.”
So how do you set up a certificate for your website? Many hosting companies, including Rocket.net, now provide a free certificate for your WordPress site. Once it is in place, change the WordPress Address and Site Address in Settings > General to https://, redirect plain HTTP requests to HTTPS so that nobody can still log in over an unencrypted connection, and consider setting FORCE_SSL_ADMIN in wp-config.php so the dashboard and login form are served over HTTPS only.
Consider using WordPress security plugins
If you are wondering whether you really need a WordPress security plugin, consider this widely quoted estimate: the average website is attacked 44 times every day, most of them by automated scanners that don’t care who you are.
Make sure that you install an auditing and monitoring system that keeps track of everything security-relevant that happens on your website. WordPress security plugins can monitor file integrity (unexpected changes to core, plugin or theme files), record failed login attempts, and scan for malware.
There are several free and paid plugins that can help you accomplish all of this and more. A few commonly recommended options are iThemes Security, Wordfence, and WP fail2ban. The last is not a scanner in itself: it writes login events to the server’s syslog so that the host-level fail2ban daemon can block abusive IP addresses at the firewall, stopping the traffic before it reaches PHP at all.
Don’t forget to keep regular backups
In the end, even if you follow all of these tips, your website can still succumb to a hacker attack. This is why it is incredibly important for you to do regular website backups.
However, one backup every six months is not enough. Keep several generations, and store them in more than one place: a copy on the web server is convenient for quick restores, but an attacker who wipes or encrypts the server takes that copy with it, so the copies that matter live off-site (cloud storage, or a download to a machine the server cannot reach). Back up both the database and the files, protect the archives as carefully as the site itself (they contain wp-config.php with your database credentials and secret keys), and test a restore now and then; a backup you have never restored is a hope, not a plan.
Remember that your website is one of the most important features of your business. It is a place where you sell your products or your services. Therefore a hacked website can mean trouble for you and your business. It can also mean a lot of time, energy, and money wasted on something that could have been prevented. So what are you waiting for? Is your WordPress security the best that it can be?