Did you ever wonder how you can make your WordPress site more secure?
You are not alone.
WordPress is used by 27.8% of all websites and holds a 58.8% share of the content management system market, which makes it a frequent target for intruders.
In the following steps, you will learn how to harden your WordPress site.
Your goal is to protect your WordPress site against intruders, defects, vulnerabilities and human error. I will explain each of these in the next steps.
The first thing automated bots will attempt is to log in to your WordPress dashboard at the default admin URL.
By default, your WordPress login URL ends with wp-admin. For instance:
Tip: hide the WordPress admin URL. Use the plugin WPS Hide Login.
So, instead of the above URL, you could append a directory name of your choice, e.g.:
Note: intruders may still guess your custom URL by trial and error, but at least this tip will slow them down.
Most automated bots that attempt to log in to your WordPress admin dashboard expect to see a login and password form.
Stop them in their tracks with a captcha. This secures the login page and prevents brute force attacks.
Use a plugin such as WP Limit Login Attempts, which requires you to type a captcha before it displays the WordPress admin login page.
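As an added example that is not part of the original post, here is a small Python check that spots the kind of automated login hammering described above by reading web-server access logs; it runs over constructed Apache "combined" log lines, assumes the standard /wp-login.php path (pass your renamed path if you hid the login URL), and assumes a failed login POST is answered with 200 (form re-rendered) while a successful one is answered with 302.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Apache "combined" log format, not real traffic.
# 203.0.113.5 hammers the login form; 198.51.100.7 is one normal login.
# Assumption: failed login POST -> 200 (form shown again), success -> 302.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1043 "-" "curl/7.8"
203.0.113.5 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1043 "-" "curl/7.8"
203.0.113.5 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1043 "-" "curl/7.8"
203.0.113.5 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1043 "-" "curl/7.8"
203.0.113.5 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1043 "-" "curl/7.8"
198.51.100.7 - - [10/Oct/2023:13:55:03 +0000] "GET /wp-login.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:14:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1043 "-" "curl/7.8"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def failed_logins(log_text, login_path="/wp-login.php"):
    """Yield (ip, timestamp) for every failed login POST; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and m["path"] == login_path and m["status"] == "200":
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT)


def brute_force_sources(log_text, threshold=5, window_seconds=60, login_path="/wp-login.php"):
    """Return {ip: peak failures inside one window} for IPs reaching the threshold."""
    recent = defaultdict(deque)  # per-IP timestamps still inside the sliding window
    flagged = {}
    for ip, ts in sorted(failed_logins(log_text, login_path), key=lambda e: e[1]):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, hits in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {hits} failed logins within 60s")
```

Feed the flagged addresses to your firewall or hosting control panel block list; the single 302 from 198.51.100.7 and the lone attempt at 14:20 are correctly left alone.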
Make sure you use strong passwords for your WordPress site. Passwords such as “password123” are not a good idea. A better password: “H}9EVN*MbXT267PDv}”.
A password generator will create strong passwords for you. Difficult to remember them? Then I suggest you use a password manager.
To avoid a man-in-the-middle attack, you need to enforce SSL on your WordPress admin dashboard. SSL turns your website URL from HTTP to HTTPS.
SSL encrypts all traffic between your browser and your WordPress site.
To implement SSL on your WordPress site, you need an SSL certificate. Most of today’s WordPress hosts will provide you with a free Let’s Encrypt SSL certificate.
When you shop for a hosting provider, verify whether they offer hardware-assisted security. It consists of a layer of security sitting in front of your WordPress host. Take a look at WPX hosting plans. They offer DDoS protection and an application firewall. The following chart compares the benefits of a WPX hosting plan versus a standalone solution such as Sucuri.
Many hosting companies – or other services like Sucuri, now owned by GoDaddy – charge a lot extra for various security measures to protect your website/s.
WPX Hosting are always looking at ways to add additional value to their service WITHOUT adding additional cost to you.
For that reason, they have recently added a batch of extra security features to all accounts and sites hosted with WPX, to a level now far exceeding what is offered on the cheapest $200 a year plan at Sucuri.
You may be tempted to use WordPress security plugins. But think twice: they will have a performance impact on your WordPress site. And this is the last thing you need.
A backup will help you recover from human error, faulty code (plugins, themes) and intrusions. Your hosting provider may run backups as part of your plan. However, I suggest you make your own backups too.
Here is my advice:
As part of WordPress security best practices, keep your WordPress core, themes and plugins up to date. This minimizes potential WordPress security vulnerabilities.
Delete unused plugins. Get rid of plugins with no updates in several years. Use plugins and themes from trusted vendors.
There is no single best WordPress security scheme. We’ve covered best practices you can implement today.
Start with these techniques as I will cover more security topics in future articles.
I appreciate your feedback. Please write your comments below.
Steve Williams is a blogger, consultant, and entrepreneur. He helps people thrive with digital marketing and blogging.