Securing a WordPress site, which is the most widely used content management system in the world, is essential because that popularity makes it a prime target for hackers. A WordPress site whose security hasn’t been addressed is an open door for attackers seeking to recover your data or simply corrupt your website.
It’s important to implement good security practices from the very start of building your site so you don’t have to fight intrusions all day long. Installing security plugins doesn’t significantly affect the price of your WordPress websiteIt’s even possible to secure your site yourself.
That’s why in this guide we’re going to give you 13 simple best practices to ensure the security of your WordPress site.
1. Regularly back up the database
All sites have a database where content is stored. It’s essential to back up this data regularly in case something goes wrong with the site. Even if your site is highly secured, it’s always good to have a backup available because “you never know.” Keep in mind that the largest websites, which spend huge amounts on security, are sometimes hacked, so why not yours?
Making regular backups of your site will allow you to restore it after fixing the vulnerability if it gets hacked and corrupted.
Ideally, we recommend making a weekly backup. Be sure to note the date of the backup on the backup folder. In case of an error, hacking, or site loss, you’ll be able to reinstate everything quickly and easily.
There are various plugins that allow you to make automatic backups solutions for your files, plugins, themes and more. Here are two popular WordPress backup plugins:
These two plugins let you create automatic backups of your database and files, then store them on your server or in the cloud (Dropbox, Azure, Google Drive, etc.), or even send the backup by email.
2. Regularly check for updates
To protect your WordPress site or blog, you must perform regular updates. As soon as an update is available, follow our tips for properly updating your WordPress site before installing it.
This rule applies to the CMS as well as to all plugins. New vulnerabilities are regularly discovered, which leads developers to frequently release fixes. An outdated plugin therefore represents a significant risk…
As for updates to your security plugin, they are absolutely essential! These updates take into account new viruses and hacking methods.
3. Install a security plugin
Just as there are antivirus programs to install on your computer, you can also add an antivirus plugin to secure your WordPress. Often, these plugins not only protect your site from viruses but also monitor your WordPress’s overall security.
A security plugin will let you manage several aspects of your WordPress security easily and transparently. It’s a toolbox that combines multiple tools to secure your site. Among these security plugins you will find:
- WordFence Security
- iThemes Security
- WP fail2ban
- Sucuri Security
- SecuPress
- All In One WP Security & Firewall
For example, WordFence will allow you to:
- Monitor your site's traffic to block malicious traffic
- Notify you of available updates for your WordPress
- Protect your login system against a brute-force attack
- Check your files for malware, non-compliant URLs, code injections, bad redirects, etc.
- Check the integrity of your files
- Repair your files if necessary
- Scan your site for known vulnerabilities
- Enable two-factor authentication
- Block bots with a CAPTCHA system
Other features are available with WordFence, and most security plugins offer similar functionality. They are very useful plugins and recommended to install. WordFence alone is currently installed on more than 3 million WordPress sites.
Also read: 10 must-have security plugins for WordPress
4. Use official plugins and themes
Using cracked plugins or themes is bad for your site’s security.
When you install unofficial versions, you potentially grant anyone access to your site. Because cracked versions are not validated by WordPress, those providing these plugins and themes may insert malware into the files, a backdoor to your site, or any other malicious code without you even realizing it.
Warning: As a result, your data could be stolen and access could be given to malicious actors without your knowledge!
That’s why it is strongly recommended to never install cracked versions and always add plugins and themes through the official WordPress directory or from the companies from which you bought a theme or plugin.
5. Remove unused plugins and themes
Themes and plugins on WordPress are the primary entry point for hackers. To secure your WordPress site, you must be vigilant about what you install on your site.
Sometimes you install themes and plugins to test them or for a short period, then deactivate them (in the best case) or forget them and leave them aside.
This is a problem, especially if you don't update them or if they become outdated, because these unused plugins and themes are potential additional entry points for hackers and are useless to your site.
The best practice is therefore to delete any plugin or theme you no longer use to reduce the risk of your website being hacked.
6. Change the login URL
To reduce hacking risk and secure your WordPress site, it is also recommended to change its login address. By default, WordPress offers my-site.com/wp-admin. This once again makes the hackers' job easier!
You can change this URL by modifying the .htaccess file or by using a plugin such as Custom login URL. This second solution is perfect for people who have little or no coding knowledge.
7. Delete the default admin account
To log into your WordPress admin, the admin username is offered by default. It is therefore widely used by attackers to access your site.
Don't make their job easier: create a personal username that is impossible to guess before deleting the admin account.
Follow our step-by-step tutorial to edit and delete a username.
8. Enable two-factor authentication
This security option offered by various plugins allows you to secure your login system almost 100%! It’s a low-impact, easy-to-implement method to secure a WordPress site, so why skip it?
In most cases, the 2nd the second login step will be a code sent by SMS, a phone call, or a required connection via a mobile app. The attacker would therefore need to know both your password and have access to the device used for the second login step, which is almost impossible.
Among the plugins offering two-factor authentication you can find:
Most of these plugins work paired with their own mobile app, allowing you to manage the two-step authentication system and authorize the login when a login is initiated with that same system.
9. Hide the WordPress version in use
For each version of WordPress there are vulnerabilities that hackers will be happy to exploit. To make these intruders’ job harder, consider hiding the WordPress version you’re using.
The change is made at two levels: in the version.php file, as well as in the readme.html file. This latter is located at the root of your WordPress and must be deleted!
Discover how to hide the WordPress version in our dedicated tutorial: How to protect WordPress from malicious attacks?
10. Prevent directory browsing
On a WordPress site, by default, folders are accessible to everyone. It’s therefore essential to block access to them to better protect your site.
To do this, you must modify access rules via your .htaccess or opt for a plugin like Hide My WordPress.
11. Choose a secure hosting provider
Security vulnerabilities will not necessarily originate only from your site. They can sometimes come from your hosting provider. A large number of hacked WordPress sites were compromised because of a security flaw on the host's side rather than the sites' own security.
To secure your WordPress site, it is therefore important to choose your hosting provider carefully.
To do this you can already evaluate hosts' offerings according to 3 criteria:
- Do the hosting provider's servers have a firewall and antivirus?
- Are automatic backups performed regularly?
- For shared hosting, is each account isolated from other users so that an infected user cannot infect others?
Warning: If your current or prospective host does not meet at least these 3 key points, you should move on and switch to another provider.
12. Protect your site’s connection with an SSL certificate (HTTPS)
You've likely already seen the little padlock next to a site's URL and the URL preceded by “HTTPS”. This is possible because the site holds an SSL certificate. This SSL certificate enables the HTTPS protocol which ensures a secure connection between the browser (client) and the web server.
This certificate is known to be important when a site offers an on-site payment system, but it is also useful for other reasons:
- Over HTTP, data transferred between the server and the browser is not hidden and is sent in plain text. This is not the case when you use the HTTPS protocol for data transmission.
- The SSL certificate affects your SEO. Google states that it is a (slightly) determining factor for your search rankings.
- With digital literacy becoming increasingly common, people have gotten into the habit of checking for the small padlock on sites because they've often heard it's a sign of security. Having an SSL certificate increases the trust people have in your website.
- Related to the previous point, some web browsers browsers like Chrome now display a " Not secure " before the URL of sites that don't have an SSL certificate. Worse, sometimes they may show a warning page before allowing access to the site, which can potentially scare away a large majority of visitors.
- For technical reasons, the HTTPS protocol tends to be faster than HTTP. You can potentially improve the speed of your WordPress site simply by adding an SSL certificate.
Want to install an SSL certificate and switch your WordPress to HTTPS? Follow our step-by-step tutorial !
13. Protect yourself against DDoS
The DDoS is a denial-of-service attack; it involves making a system (or website) inaccessible by targeting it with multiple systems at the same time. Securing a WordPress site against DDoS attacks prevents it from becoming unavailable during an attack.
Concretely, several systems (computers or servers) will try to perform actions on a specific target (a website, for example) at the same time so that it becomes overloaded with requests until it can no longer handle them and “crashes,” putting the target out of service.
To prevent this type of attack, there are services (including a plugin) to configure on your WordPress site that will, thanks to their anti-DDoS protection, mitigate denial-of-service attacks.
Among these security services you can find Cloudflare or the WordPress plugin Sucuri Security.
Get help to secure your WordPress site
Security is an important aspect not to be neglected when creating and maintaining your WordPress site. A breach of your database or files by a hacker can quickly put your website out of service… which can cost several hundred or even thousands of euros if your site generates income.
That’s why it’s essential to implement the kinds of best practices covered throughout this guide to reduce potential hacking risks.
To further secure your WordPress site, you can also follow our complete tutorial: How to protect WordPress from malicious attacks?
If you need help securing your WordPress site, don’t hesitate to post a free ad on Codeur.com to quickly find the help of a freelancer who can assist you.
