Did you ever wonder how you can make your WordPress site more secure?
You are not alone.
WordPress is used by 27.8% of all the websites. It has a content management system market share of 58.8%, often making it a target for intruders.
In the following steps, you will learn how to harden your WordPress site.
How to Secure Your WordPress Website
Your goal is to protect your WordPress site against intruders, defects, vulnerabilities and human error. The steps below address each of these.
1. Protect Your WordPress Dashboard Admin
The first thing automated bots will attempt is to log in to your WordPress dashboard at the default admin URL.
By default, your WordPress login URL ends with wp-admin. For instance:
Tip: hide the WordPress admin URL with the plugin WPS Hide Login.
So, instead of the above URL, you could append a directory name of your choice, e.g.:
Note: intruders may still guess your custom URL by trial and error, so treat this as a way to cut down automated noise rather than as access control. At the very least, it will slow them down.
2. Defend Against Brute Force Attacks
Most automated bots that attempt to log in to your WordPress admin dashboard expect to see a login and password form.
Stop them in their tracks with a CAPTCHA. This secures the login page and prevents brute-force attacks.
Use a plugin such as WP Limit Login Attempts, which requires solving a CAPTCHA before the WordPress admin login page is shown.
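The plugin above works inside WordPress, after a request has already reached PHP. A complementary check is to count failed logins in the web server's access log, which lets you spot a brute-force run and block the source at the firewall before PHP ever executes. The script below is an added example written for this article; it is not the article's own code and not the plugin's. It assumes the common/combined log format (client IP in the first field, request line quoted) and uses constructed sample lines so it runs offline:

```shell
#!/bin/sh
# Added example (not from the article, and not the WP Limit Login Attempts
# plugin's code): spot clients hammering the WordPress login form in a web
# server access log. Assumes the common/combined log format, where the client
# IP is the first field and the request line is quoted.

# Constructed sample log lines, embedded so the script runs offline.
# A POST to wp-login.php answered with 200 is a failed login (WordPress
# re-renders the form with an error); a successful login answers 302.
SAMPLE_LOG='203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1512
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1512
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1512
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1512
203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1512
198.51.100.2 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2310
198.51.100.2 - - [01/Jan/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.2 - - [01/Jan/2024:10:01:06 +0000] "GET /wp-admin/ HTTP/1.1" 200 40312
192.0.2.9 - - [01/Jan/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1512
192.0.2.9 - - [01/Jan/2024:10:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1512'

# failed_logins: read a log on stdin and print "<count> <ip>" for every client
# with at least one failed POST to wp-login.php, most active first.
failed_logins() {
    awk '$6 == "\"POST" && $7 == "/wp-login.php" && $9 == 200 { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# flag_bruteforce THRESHOLD: print only the IPs with at least THRESHOLD
# failures, i.e. the list you would hand to a firewall or fail2ban-style blocker.
flag_bruteforce() {
    failed_logins | awk -v t="$1" '$1 >= t { print $2 }'
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce 3
```

On a real server, pipe the access log in instead of the sample (`flag_bruteforce 10 < /var/log/nginx/access.log`). If a CDN or reverse proxy sits in front of the site, the first field is the proxy's address, so point the awk rule at the field carrying the forwarded client IP; otherwise a block on "$1" would cut off the proxy and every legitimate visitor with it.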
3. Use Strong Passwords
Make sure you use strong passwords for your WordPress site. Passwords such as “password123” are not a good idea. A better password looks like “H}9EVN*MbXT267PDv}”.
A password generator will create strong passwords for you. Hard to remember them? Then I suggest you use password management software.
4. Enforce SSL To Encrypt Data on Your Admin Dashboard
To prevent a man-in-the-middle attack, enforce SSL on your WordPress admin dashboard. SSL turns your website URL from HTTP to HTTPS.
SSL encrypts every session between your browser and your WordPress site.
To implement SSL on your WordPress site, you need an SSL certificate. Most WordPress hosts today provide a free Let’s Encrypt certificate.
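Having a certificate is only half of the step; WordPress also has to refuse plain-HTTP access to the dashboard, and you should verify that from outside. The script below is an added example for this article, not the article's own code: it sets WordPress's FORCE_SSL_ADMIN constant through WP-CLI (the same as writing `define('FORCE_SSL_ADMIN', true);` into wp-config.php) and then checks that an http:// request for the admin URL is answered with a redirect to https://. It assumes WP-CLI (`wp`) is installed and is run from the WordPress root; the example.com URLs are placeholders and the response headers in the check are constructed:

```shell
#!/bin/sh
# Added example, not from the article. Assumes WP-CLI ("wp") is installed and
# this is run from the WordPress root. Host names below are placeholders.

# enforce_ssl_admin: make WordPress itself insist on HTTPS for wp-login.php and
# the whole wp-admin area. Equivalent to define('FORCE_SSL_ADMIN', true);
enforce_ssl_admin() {
    wp config set FORCE_SSL_ADMIN true --raw
}

# is_https_redirect: read raw HTTP response headers on stdin and succeed only
# if the status is a redirect (301/302/307/308) AND the Location header points
# at an https:// URL. A redirect to http:// or a plain 200 both fail.
is_https_redirect() {
    awk 'NR == 1 && $2 ~ /^30[1278]$/           { redirect = 1 }
         tolower($1) == "location:" && index($2, "https://") == 1 { https = 1 }
         END { exit !(redirect && https) }'
}

# check_admin_redirect URL: fetch only the headers for a plain-http admin URL
# and run them through is_https_redirect. CRs are stripped so awk sees clean
# fields.
check_admin_redirect() {
    curl -sS -I "$1" | tr -d '\r' | is_https_redirect
}

# Usage: sh check-ssl.sh http://example.com/wp-admin/
if [ -n "${1:-}" ]; then
    enforce_ssl_admin
    if check_admin_redirect "$1"; then
        echo "OK: $1 redirects to HTTPS"
    else
        echo "FAIL: $1 is still served over plain HTTP" >&2
        exit 1
    fi
fi
```

One caveat for sites behind a CDN or load balancer that terminates TLS: WordPress decides whether a request is secure with is_ssl(), which looks at the connection between the proxy and PHP. If that hop is plain HTTP, FORCE_SSL_ADMIN will redirect forever. In that setup wp-config.php must additionally set `$_SERVER['HTTPS']` from the proxy's forwarded-protocol header before WordPress loads, as the WordPress documentation describes for reverse proxies.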
5. Select A Good Hosting Provider
When you shop for a hosting provider, check whether they offer hardware-assisted security: a security layer that sits in front of your WordPress host. Take a look at WPX hosting plans; they offer DDoS protection and an application firewall. The following chart compares the benefits of a WPX hosting plan with a standalone solution such as Sucuri.
Many hosting companies – or other services like Sucuri, now owned by GoDaddy – charge a lot extra for various security measures to protect your website/s.
WPX Hosting are always looking at ways to add additional value to their service WITHOUT adding additional cost to you.
For that reason, they have recently added a batch of extra security features to all accounts and sites hosted with WPX, to a level now far exceeding what is offered on the cheapest $200 a year plan at Sucuri.
How About Security Plugins?
You may be tempted to use WordPress security plugins. But think twice: they have a performance impact on your WordPress site, and that is the last thing you need.
6. Backup Your WordPress Site
A backup will help you recover from human error, faulty code (plugins, themes) and intrusions. Your hosting provider may run backups as part of your plan. However, I suggest you make your own backups too.
Here is my advice:
- Back up your WordPress site every week. Use your backup scheduler to automate it.
- Store backups off-site. If your website gets hacked, local backups may be destroyed along with it. Consider off-site storage such as Google Drive, Dropbox, etc.
- Keep several backup versions. If a problem occurs, you can restore your website to a previous state.
- Run a backup every time you update a plugin or theme. This protects you against faulty software that can hose your website; believe me, that has happened a few times. Software such as UpdraftPlus will take care of this for you. See the screen grab below.
7. Keep WordPress Updated
As part of WordPress security best practices, keep your WordPress core, themes and plugins updated. This minimizes your exposure to known WordPress security vulnerabilities.
Delete unused plugins. Get rid of plugins that have not been updated in several years. Use plugins and themes from trusted vendors.
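Steps 6 and 7 belong together: the most common reason to restore a backup is an update that broke the site, so the backup should be taken immediately before the update, and old versions should be rotated rather than kept forever. The script below is an added example for this article and is not the article's, WordPress's or UpdraftPlus's code. It uses WP-CLI (`wp`) for the database dump and the updates, tar for the files, and an optional synced folder (for example a Google Drive or Dropbox client directory) as the off-site copy. It assumes it is run from the WordPress root by a user who can read wp-config.php; the directory names and the retention count are this example's own choices:

```shell
#!/bin/sh
# Added example, not from the article, WordPress or UpdraftPlus: a backup-then-
# update routine for steps 6 and 7 built on WP-CLI ("wp") and tar. Assumes it is
# run from the WordPress root by a user who can read wp-config.php and that
# "wp" can reach the database. Directory names below are this example's choice.
BACKUP_DIR="${BACKUP_DIR:-$HOME/wp-backups}"   # local staging directory
OFFSITE_DIR="${OFFSITE_DIR:-}"                 # optional: a folder synced to Drive/Dropbox/etc.
KEEP="${KEEP:-8}"                              # local versions to keep (8 weekly = about 2 months)

# backup_site: dump the database and archive wp-content into one timestamped
# tarball under BACKUP_DIR, copy it off-site if configured, and print its path.
backup_site() {
    stamp=$(date +%Y%m%d-%H%M%S)
    work="$BACKUP_DIR/work-$stamp"
    archive="$BACKUP_DIR/backup-$stamp.tar.gz"
    mkdir -p "$work"
    wp db export "$work/db.sql" --add-drop-table
    tar -czf "$archive" -C "$work" db.sql -C "$(pwd)" wp-content
    rm -rf "$work"
    if [ -n "$OFFSITE_DIR" ]; then cp "$archive" "$OFFSITE_DIR/"; fi
    echo "$archive"
}

# prune_backups DIR KEEP: delete the oldest archives so that only KEEP remain,
# then print how many are left. Names sort chronologically because of the stamp.
prune_backups() {
    total=$(ls -1 "$1"/backup-*.tar.gz 2>/dev/null | wc -l | tr -d ' ')
    excess=$((total - $2))
    if [ "$excess" -gt 0 ]; then
        ls -1 "$1"/backup-*.tar.gz | sort | head -n "$excess" | while read -r old; do
            rm -f "$old"
        done
    fi
    ls -1 "$1"/backup-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# update_all: take a backup first, then update core, plugins and themes, and
# delete plugins that are installed but inactive: unused code still ships its
# vulnerabilities and is never patched by "update --all" in practice.
update_all() {
    echo "backup written to $(backup_site)"
    wp core update
    wp core update-db
    wp plugin update --all
    wp theme update --all
    inactive=$(wp plugin list --status=inactive --field=name)
    if [ -n "$inactive" ]; then
        # word-splitting on $inactive is intended: one plugin name per line
        wp plugin delete $inactive
    fi
    prune_backups "$BACKUP_DIR" "$KEEP" >/dev/null
}

# Usage: sh wp-maintain.sh run   (weekly from cron, and before any manual update)
if [ "${1:-}" = "run" ]; then update_all; fi
```

The retention is deliberately by count rather than by age so a site that is updated several times in one week still keeps its older known-good state. The off-site copy goes through a synced folder only because that is what the article suggests; anything that leaves the host works, as long as the copy is not writable by the web server user, or an intruder who gets that far can destroy the backups too.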
The Final Word
There is no single best WordPress security scheme. We’ve covered best practices you can implement today.
Start with these techniques as I will cover more security topics in future articles.
I appreciate your feedback. Please write your comments below.