Website security is increasingly being placed in the hands of people who do not necessarily know what they are doing. This is especially true when it comes to WordPress websites as they are so easy to set up. The website security of your WordPress site is, however, incredibly important to consider.
Every year, tens of thousands of WordPress websites have obvious security flaws. You can correct them, you do not have to suffer an attack before you take it seriously.
WordPress website security
1: Secure your connections
People who set up WordPress websites frequently do so in a mobile environment. I have seen more than a few people in the local coffee shop with their CMS open working on pages. While it may seem innocent to be using public Wi-Fi to work on your website, it is actually quite risky. Hackers can set up fake a wireless access points in a public space specifically to steal things that they find.
Hackers are able to do this because people do not encrypt their communications. I know that encryption sounds like a complicated thing, but in this instance it does not need to be. Anyone who uses public Wi-Fi, especially in the context of website security, needs to invest in a VPN with strong encryption. IPVanish is an exceptional example as it can work in a number of environments, and on a number of devices.
2: Keep your website updated
A good portion of your website security will come directly from WordPress in the form of patches. While some of these patches will be purely cosmetic, a number of them are actually for security reasons. The WordPress team are constantly working to check their security measures, and when they find an issue they will create a patch for it.
This does not mean that you should only update from 4.0 to to 4.1, it’s actually more important to update from 4.1 to 4.1.1. It’s the minor updates where they are patching up small issues that they find. The same also applies to your plug-ins.
3: Keep your WordPress version private
Advertising your WordPress version is akin to telling hackers how they can hack you. Once they know your version they can look up what sort of documented problems that has, and exploit that website security issue.
This is easy enough to do. All you have to do is add this code to your functions.php file, and it will automatically erase all traces of your WordPress version number.
4: Everyone has to use secure passwords and usernames
If you do not know how to do this, I would recommend that you contact someone who does. Teaching people how to code it is not something that is possible in this article.
Insecure passwords lead to Brute Force attacks. These attacks are when a hacker uses a tool to guess passwords a multitude of times per second. The tool will simply keeps guessing passwords until it gets it right, And this is much easier if you have a very simple password. Here are a few ways to secure your passwords:
- The most secure passwords are a combination of letters, numbers, symbols, and uppercase letters.
- If you cannot remember a simple password with a few numbers, moved to using passphrases which are nearly an entire sentence.
- For those with higher password needs you simply have to use a tool like Lastpass. This password management tool will greatly diversify and secure your passwords.
As your website grows you will be giving access to more and more people. You can force them to use secure passwords:
Your username is another type of password that allows people to get access to your WordPress website. The simplest thing that you can do is not choose ‘admin’ as your username. Literally anything is better than that. Treat your user name more like your password, and add some different characters to it.
5: Limit the number of login attempts
This is directly related to what we were discussing above when it comes to brute force attacks. If you allow hackers to have an unlimited number of login attempts, and you don’t have an absolutely secure and unguessable password, they will get in. It may take time, but they will get it if they really want in.
The best tool for this is the Login LockDown plug-in for WordPress. It will not give you perfect website security, hackers can change their IP address in an attempt to get around this, but it will significantly increase your chances of thwarting a brute force attack.
6: Move your login page from default
One of my favorite things to do is to find out whether or not I can locate the login page of most websites. Just for fun, and to see what they have done with the page. It’s pretty simple as they all have the same default, and it ends with /wp-admin. This is where a hacker will go to try and use a brute force tool.
The simplest thing that you can do is install the HC Custom WP-Admin URL plug-in. This will make it so that you can change your login page to something a little bit more random.
7: Choose a secure host
We have been looking at how you can increase your website security, but you also need to look at how you can increase the security of your host. Wouldn’t it be awful if you put all of this effort into securing your WordPress website, but then your host got you caught out?
Do not go with the absolute cheapest host, they frequently skip out on security. The most popular website hosts with good security include:
- Inmotion hosting
The first thing to look out for is whether or not they offer HTTPS. To put it simply, the S stands for secure. It actually denotes further encryption between the browser and the web host.
8: Turn off your plug-in and theme editor
This is another really simple thing to do, but I can seriously improve your security if a hacker were to get access to it. Simply add the following code to your wp-config.php file:
( ‘DISALLOW_FILE_EDIT’, true )
This will make it so is that even an admin won’t be able edit the theme, and a hacker certainly would not be able to alter your code and insert something malicious. This is a very simple step, but it’s one more thing that could trip up a hacker. Sometimes the best you can hope for is tripping them up until they are caught.
9: Add a WordPress security plug-in
This may be the easiest step in my website security for WordPress guide. There are a plethora of WordPress security plug-ins out there. Some of them are free, some of them are paid, the key is choosing the right one for your needs.
Effective choices include:
Choosing one of these is the final, or even the first, step in your website security. You cannot use it alone, but you can use it as part of your overall plan. They can be quite easy-to-use, here is a video showing you how to set up BulletProof Security: