If you have launched your WordPress website — or you are planning to do so — one thing that you must always think about is its security. No matter what kind of website it is, or what it may be about — security must always be your top priority. There are many threats out there, including hackers, malware, and more. All of them might try to harm it, and today, I will present you with some of our top tips on what to do to protect your WordPress site.
Secure Your WordPress Site – Content Index
Are you planning on creating your own WordPress website? Well, before you do, you should know that its security is the most important factor in making it a success. Therefore, here are a couple of tips to secure your WordPress website:
- Tips on Securing Your Website – The Top Twelve
- My Personal Advice
- Tips on Securing Your Website – Final Thoughts
Tips on Securing Your Website
There are a number of things that you can do to make sure that your site remains safe. Don’t worry; they’re not hard to follow. You just have to give it about 10 minutes of your time, and you’ll be able to secure your WordPress website in no time. Let’s go.
1. Choose a Secure Hosting Provider
The first thing you must do when creating your WordPress website is to choose a secure hosting provider. This must be your first move — something that you should do before anything else.
It is the simplest way to ensure the safety of your website right from the start, and a foundation on which you will set up all other security layers.
What Does This Mean?
First of all, you must not fall for a low price. It might be tempting, as you may not have as much money to invest in your business yet.
But you must know that choosing a cheap provider usually means getting a cheap service, which could lead to everything else crumbling down if the worst comes to pass.
In other words, paying only a bit more money at the start would be very beneficial in the long run. In return, you will likely receive some extra security layers, greater stability of your website, and maybe even greater speeds.
Good hosting services often provide regular malware scans, non-stop customer support, and their prices are not actually that high anyway, so you don’t have to pay a fortune.
If you are only starting out, money might still be tight for you, and I understand that. However, investing in security is the best thing you can do with it, and it is one thing that you will definitely not regret.
One thing to keep in mind, though, is to check whether the hosting company regularly updates its servers’ software. If they do, and you are satisfied with the rest of what they offer, then this is a service that you should choose.
If you are not sure about a service that interests you, you can always try reading their customers’ reviews, complaints, and the like. This can tell you not only what to expect but also what to watch out for.
2. Use WordPress Security Plugins
The next thing to do is to make sure that you install some of the best security plugins that WordPress has to offer.
WordPress is actually quite well known for its plugins — security-oriented and otherwise. There are thousands of them that can provide great features for you and your users.
However, security is something that must come first. Some of the most popular plugins include:
- Wordfence (3+ million users)
- Sucuri (60,000 users)
- fail2Ban (40,000 users)
- Bulletproof Security (70,000 users)
With these and other plugins, you don’t have to bother constantly checking the website’s code, scanning for malware manually, and the like.
You could make sure to conduct some additional security practices if you want to play it extra safe, but in most cases — good plugins are all you need.
These plugins can offer security activity auditing, blacklist monitoring, notifications of any breaches or attempted breaches of your site’s security, malware scanning, and even a website firewall if there is a need.
One thing to keep in mind, however, is to do the same thing here as you should do when choosing a hosting provider — make sure that the plugins are actively maintained, regularly updated, and have as much positive feedback from other users as possible.
Always remember to check the comments and reviews, as they will reveal all ugly sides of plugins, hosting providers, and any other product.
That way, you can be sure that the developers are regularly fixing bugs and security issues as they emerge, which ultimately keeps your own website secure.
3. Set Up a Strong Password
I cannot stress enough how important it is to set up a strong password for your website’s security. Passwords are crucial, as they are your first and biggest line of defense.
They are also the first thing that any hacker will target in order to breach your site’s security and take control.
Brute force attacks are designed to log into your website by trying all the popular password variations that we, as human beings, tend to choose.
In fact, we tend to think in such similar patterns that many of these attempts are quite successful if you don’t protect yourself properly.
To make a long story short, you don’t have to set up a password that has dozens of characters. All it takes is for it to be as difficult to randomly guess as possible.
That means avoiding the use of numbers in a predictable sequence, or some popular words or phrases that are common.
Instead, think of a sentence that you can easily remember, and take the first letter of each word. Use upper-case and lower-case letters, and add numbers, symbols, and the like.
Your password does not have to be “long,” but it must be complex. To do that, you can use password managers which can generate complex passwords for you, or you can think of one yourself, whichever you prefer.
4. Set a Cap on Login Attempts
While we are on the topic of breaching passwords, it might also be a good idea for you to set up a cap on login attempts on your website.
As mentioned before, brute force attacks rely on trying to guess passwords, which can often take a while until the right password has been found.
You can prevent the attackers from trying infinite combinations simply by limiting login attempts. As you may know, WordPress allows you to try to log into your account as many times as you want.
Of course, this can be quite helpful if you tend to use different passwords on different websites (as you should), and you end up mixing them up, and forgetting which password is used on which site.
Even if you remember which password you are using, if you have mixed capital letters in (again: as you should), you might make a mistake, forget to put an upper-case character where it should go, or put one extra by mistake.
All of these examples would lead you to be locked out of your account, and you might have to try to log in multiple times.
However, this leaves you vulnerable to brute force attacks, which is why limiting the number of login attempts can save you.
To do this, you can use the plugin I mentioned previously, called Wordfence, which lets you set how many times anyone is allowed to try to log in.
After you (or someone else) try and fail three, four, or even five times, you get temporarily blocked from logging in.
The block may only last about 5 minutes, but if someone else is the one trying to log in, those 5 minutes count for a lot — especially if you also enable notifications that warn you when someone is trying to access your account.
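To show what a login cap like the one described above actually does inside WordPress, here is a small must-use plugin written as an added example for this article; it is not code from the original post or from the Wordfence plugin it mentions. It counts failed logins per client address with WordPress transients, refuses authentication for a while once the cap is reached, and mails the site administrator when a block starts. The thresholds (five failures within ten minutes, a five-minute block) and the file location are assumptions.

```php
<?php
/**
 * Plugin Name: Login Attempt Cap (added example)
 *
 * Added example for this article, not code from the original post or from
 * the Wordfence plugin it mentions. Drop the file into wp-content/mu-plugins/.
 * Thresholds are assumptions: five failures within ten minutes block that
 * client for five minutes, and the site admin is mailed once per block.
 */

const LAC_MAX_ATTEMPTS   = 5;
const LAC_WINDOW_SECONDS = 10 * MINUTE_IN_SECONDS;
const LAC_BLOCK_SECONDS  = 5 * MINUTE_IN_SECONDS;

/**
 * Transient key prefix for the current client. REMOTE_ADDR is only the real
 * visitor address when the web server restores it (for example from the
 * header Cloudflare sets); otherwise every visitor behind the proxy shares
 * one counter.
 */
function lac_client_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'lac_' . md5($ip);
}

// Count each failed login; when the cap is reached, start the block timer.
add_action('wp_login_failed', function ($username): void {
    $key = lac_client_key();
    if (get_transient($key . '_blocked') !== false) {
        return; // already blocked; do not extend the block on every retry
    }
    $attempts = (int) get_transient($key . '_fails') + 1;
    set_transient($key . '_fails', $attempts, LAC_WINDOW_SECONDS);

    if ($attempts >= LAC_MAX_ATTEMPTS) {
        set_transient($key . '_blocked', time() + LAC_BLOCK_SECONDS, LAC_BLOCK_SECONDS);
        delete_transient($key . '_fails');
        // The notification the article recommends: tell the admin a block began.
        wp_mail(
            get_option('admin_email'),
            'Login attempts capped on ' . get_bloginfo('name'),
            sprintf(
                '%d failed logins for user "%s" from %s; blocked for %d minutes.',
                $attempts, (string) $username, $_SERVER['REMOTE_ADDR'] ?? 'unknown', LAC_BLOCK_SECONDS / 60
            )
        );
    }
});

// Refuse authentication while a block is active. Priority 30 runs after the
// built-in username/password and email checks (priority 20), so the WP_Error
// returned here is what the login form finally shows, even for a correct password.
add_filter('authenticate', function ($user, $username, $password) {
    $until = get_transient(lac_client_key() . '_blocked');
    if ($until === false) {
        return $user;
    }
    $wait = max(1, (int) ceil(($until - time()) / 60));
    return new WP_Error(
        'too_many_attempts',
        sprintf('Too many failed login attempts. Try again in about %d minute(s).', $wait)
    );
}, 30, 3);

// A successful login clears the counter so a genuine user's earlier typos
// are not carried over to the next session.
add_action('wp_login', function (): void {
    delete_transient(lac_client_key() . '_fails');
});
```

Two things to check before relying on it: transients live in the options table (or the object cache), so the counter is shared across all PHP workers of the site, which is what you want; and if the site sits behind Cloudflare or another proxy, REMOTE_ADDR must be the real visitor address at the web server level, or the first blocked visitor blocks everyone.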
5. Use Cloudflare
Another good method of adding extra security to your website is to use Cloudflare. This is one of the biggest networks operating online, and it is dedicated to improving not only the security of websites but also their performance.
Pretty much everyone around the world uses it, at least those who wish to truly secure their site or app.
Cloudflare is especially effective when it comes to securing your site from DDoS (Distributed Denial of Service) attacks. These attacks are pretty simple but extremely damaging. To perform them, a hacker infects a number of devices, such as smartphones, computers, tablets, and even Internet of Things gadgets.
Anything with access to the internet can be used. Then, they force all of those devices to start bombarding your website with information requests.
Eventually, the server on which your site is running cannot handle the requests anymore, and your site crashes — often damaging servers permanently as a result.
Cloudflare provides you with enough resources to handle such attacks, and it does so through its edge network, which also delivers your content to visitors as fast as possible.
Furthermore, Cloudflare has a mode known as ‘Under Attack Mode,’ a unique feature that helps you mitigate Layer 7 DDoS attacks by adding extra protections that stop malicious traffic.
6. Make Sure to Install an SSL Certificate
These days, SSL (Secure Sockets Layer) is very beneficial for websites that use it.
Adding SSL to your website makes your site secure for some rather specific transactions, including payment processing and handling other sensitive data.
Not only that, but Google will actually allow your website to rank better if you have an SSL certificate, which would ultimately drive more traffic to your website and make it more visited and more visible.
Depending on the type of website that you have or plan to create, SSL may even be mandatory, especially if your site will process sensitive information. This includes everything from credit card details to passwords.
But, what does SSL do?
Well, if you don’t use it, all the data “between your website and the users” travels as plain, regular text. This makes it easy for hackers and online surveillance agencies to intercept it and view it. Obviously, you can see how this can be bad when it comes to sensitive data.
This is where SSL comes in, and it encrypts all of this information before sending it, which makes it impossible to read.
That way, your account won’t be hacked, your users’ credit cards won’t get stolen, and no sensitive data will leak or be retrieved by bad actors.
Your website will also start with HTTPS instead of HTTP, which is a good way to find out which websites have SSL and which are unsafe by today’s standards.
Best of all, you don’t even have to pay extra for it if you choose to use Cloudflare. Cloudflare offers a free SSL certificate that doesn’t require any setup at either the hosting or the WordPress level.
7. Make Sure to Update Your WordPress to the Latest Version
One practice that you should take to heart is keeping your software up to date. That includes everything — apps on your phone, OS on your PC, and of course, your WordPress version.
In fact, not only your WordPress but always make sure that all of your plugins and themes are up to date, too.
As I briefly mentioned before, each new update brings some changes. They may be minor improvements, new features, or serious bug fixes and additional security.
As long as the software developers continue to work on the software, there will always be improvements to be implemented, and it is your responsibility to keep your site updated and immune to all currently known threats.
That way, you are protecting yourself, your site, as well as your customers. Of course, you don’t have to do it all manually, and WordPress will download minor updates automatically.
However, when it comes to the major ones — which are usually the most important — you will have to download the update manually, directly from the admin dashboard.
It is a quick and easy procedure that could save you from a lot of headaches in the future, so do keep it in mind and try to make these checks for updates a regular thing.
You can update your WordPress site by following a few simple steps:
- Back up your site
- Turn caching plugins off if you have any
- Update your plugins and themes
- Update your WordPress core in your WP-admin dashboard
- Turn on caching
- Carefully check the website and make sure that everything is working properly
- Do another backup of your site if you decide that everything is fine, and that’s it.
Another thing to keep in mind is in regard to themes — if you make changes to your themes, you should remember that every new upgrade is likely to remove all of the changes that you made by hand. To prevent this, use a child theme to keep your changes the way you want them to be.
In case you didn’t know — a child theme is a sub-theme, which inherits the functionality, style, features, and everything else of the main, parent theme.
That way, you don’t have to re-apply your changes to the parent theme’s files each time they get updated; the child theme carries them over automatically, since everything you changed lives in the child.
Think of them as pre-sets which are used for saving modifications and implementing them instantly, a sort of theme backup, if you will.
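The mechanism the article describes is small enough to show in full. Below is the functions.php of a minimal child theme, written as an added example for this article (not code from the original post or from any particular theme). It assumes a child theme directory next to the parent theme under wp-content/themes/ that also contains a style.css whose header names the parent with a Template line (the directory names are assumptions). The parent stylesheet is loaded first and the child’s on top of it, and one small tweak is kept in the child so it survives every parent update.

```php
<?php
/**
 * functions.php of a child theme (added example, not code from the article).
 *
 * Lives in wp-content/themes/<child-theme-dir>/ beside a style.css whose
 * header contains "Template: <parent-theme-dir>"; both directory names are
 * assumptions. Everything customised lives in the child, so updating the
 * parent theme never overwrites it.
 */

// Load the parent stylesheet, then the child's, so child rules win on ties.
add_action('wp_enqueue_scripts', function (): void {
    $child  = wp_get_theme();
    $parent = $child->parent();
    if ($parent === false) {
        return; // not running as a child theme; nothing to layer
    }
    $parent_handle = $parent->get_stylesheet() . '-style';
    wp_enqueue_style(
        $parent_handle,
        get_template_directory_uri() . '/style.css',   // parent theme directory
        [],
        $parent->get('Version')
    );
    wp_enqueue_style(
        'child-style',
        get_stylesheet_uri(),                          // child theme's style.css
        [$parent_handle],
        $child->get('Version')
    );
});

// One example of a tweak worth keeping in the child rather than editing the
// parent: stop advertising the exact WordPress version in the page head.
remove_action('wp_head', 'wp_generator');
```

Activate the child theme (not the parent) under Appearance, and put template overrides in the child directory under the same file names as in the parent; WordPress looks in the child first.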
8. Backup Your WordPress Website
While we are talking about backups, backing up your WordPress website is also an excellent way to ensure that it will remain safe in case something unfortunate happens to it.
Even if you use all security measures that we have mentioned so far or that we will mention by the end of this text — there is always a possibility that something might go wrong.
Perhaps the server will experience issues or end up being damaged, or some hacker might find a way to slip through your security and destroy your website.
If something like that happens, everything that you have worked for will be gone. This is why you must keep an off-site backup somewhere as a safety precaution.
Not only that, but you should also back up your site as regularly as possible so that you won’t experience major setbacks if something happens to it.
You can do it manually, or you can even use some plugins such as VaultPress to do it automatically, which is usually the easiest way. After that, you can restore your site with a single click, and no permanent harm will be done to it.
All serious websites use these methods to back their files up, with some of the largest ones out there doing regular backups every few hours, or so.
You likely won’t have to do it so often, but at least once a week, or even once per month is better than not having a backup at all, or doing it only once or twice per year.
Keep in mind — the more recent your last backup, the less you have to lose in the event something goes wrong.
9. Use Two-Factor Authentication
Using Two-Factor Authentication (2FA), also known as Dual Authentication, is another thing that you should enable on all of your apps, sites, and services that you use. Naturally, that goes for your own website, as well.
2FA is a great way to secure accounts as it requires you to confirm your identity twice.
The first time is, of course, when you enter your login credentials — usually your email or username, and your password. However, what if a hacker obtains these? They would log in and have instant access to your account.
This is where the second authentication comes in, and that can be done in several ways. You may receive an email with a one-time code that you have to enter to access your account, or a text message on your phone that provides you with the same type of code.
There are even USB stick-like devices that hold a secret; you plug one into your computer, which reads it automatically and grants you access.
This is likely the most secure way of protecting your account, although it does mean that you now also have a piece of hardware that you need to look after and make sure that you don’t lose it, damage it, or have it stolen.
Generally speaking, 2FA is one of the most secure ways of protecting your account from intruders these days, although it is not 100% efficient.
Nothing is. But, having that extra layer of security, alongside all of the others, will make sure that your account will be safer than it would be without it.
10. Change Admin Username
One simple method of adding extra security to your WordPress site is to change your admin account’s username. By default, when you set up your site, the username is simply ‘admin.’
If you wish to add extra security, be sure to change it into something else as soon as possible. That way, you would make it more difficult for hackers to try and hack your account.
As I mentioned before, hackers already have to spend a lot of time and effort into guessing your password. If you change your username as well, they will have to figure that piece of information out, too, if they wish to access your account.
Changing Your Admin’s Username Manually
It is effortless to do so, and there are several ways in which you can do it. We prefer to do it manually by following these steps:
- Log in to your dashboard
- Go to ‘Users’ and hover your mouse above it
- Select ‘Add New’
- Fill in the details in the form, such as new name, email, and alike
- Under ‘Role’ choose ‘Administrator’
- Log out of your current account
- Log in to the new account
- Delete the default admin account
On the other hand, if you leave it be, you are giving them half the info that they need to enter your account and take over your entire website.
Changing it is quite easy and quick, and it can save you a lot of trouble down the road, so be sure to do it as soon as you set up your site.
11. Avoid Nulled Themes
Another good practice that should help you keep your website safe is to avoid nulled or cracked themes. Basically, WordPress has free themes and premium themes, which you have to pay for in order to use. Free themes are as good as you would expect, and not a lot of people are particularly satisfied with them.
However, premium themes cost money, which is yet another cost that you must add to the list. However, they are usually very good, and quite worth the money.
They are created by developers who know what they are doing, they are tested to be fully compatible with WordPress and pass all of its checks, and they are supported by the developers, who often release updates for them, and can help you out if something goes wrong.
However, the fact that they cost money remains, and some website owners find this to be a problem. This is why many started searching for nulled/cracked themes, which are basically hacked versions of these premium themes, which you can get for free.
But Why Should You Avoid Them?
Now, there are several reasons why you should avoid using them. The first reason is that it is illegal. The second one is that they represent a danger to your website.
Someone who knows how to crack a theme obviously has some skill and knowledge, and it doesn’t take much more than that to add malware and hide it among endless lines of code.
Such malware could steal sensitive information from your site, or it could completely destroy it, depending on what it was designed to do.
In other words, you are risking your entire website, your own and your customers’ safety, your reputation, and legal issues just so that you would avoid paying for premium themes, which are not that expensive in the first place.
12. Add .htaccess to protect your files
Our final piece of advice is to add an .htaccess file, which is a configuration file that controls how the web server responds to different requests.
It is read by the Apache web server, which most commercial web hosting providers run.
It operates at the directory level and allows you to override configuration settings. Its original use is to restrict access to some of your directories.
It is a simple but effective way to add an extra security layer to your website, and it does not require a lot of technical knowledge, which is why it is both popular and helpful.
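The article does not show what such a file contains, so here is one, written as an added example for this article and not taken from the original post or from WordPress itself. It serves two of the tips above: the redirect at the top enforces the HTTPS connection from the SSL section (tip 6), and the remaining rules are the directory-level access restrictions this section is about. It assumes Apache 2.4 with mod_rewrite enabled and AllowOverride permitting .htaccess files, placed in the WordPress root directory; the rules WordPress writes between its own BEGIN/END markers are left as they are.

```apache
# .htaccess in the WordPress root (added example, not from the article).
# Assumes Apache 2.4 with mod_rewrite and AllowOverride enabled.

# Tip 6: send every plain HTTP request to HTTPS once the certificate works.
# The second condition avoids a redirect loop when a proxy such as Cloudflare
# terminates TLS and reaches the origin over HTTP (assumes the proxy sets
# X-Forwarded-Proto).
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

# Tip 12: the configuration file holds the database credentials and must
# never be served to a browser, whatever the rest of the server config says.
<Files "wp-config.php">
    Require all denied
</Files>

# Nobody needs to see the file names inside a folder that has no index page.
Options -Indexes

# Files uploaded through the media library are data, not programs: refuse
# to run any PHP file that ends up under wp-content/uploads/.
<IfModule mod_rewrite.c>
RewriteRule ^wp-content/uploads/.*\.php$ - [F,L]
</IfModule>
```

After saving it, load the site over plain HTTP and confirm the redirect, request /wp-config.php and expect a 403, and open a normal page to make sure nothing else broke; if the host still runs Apache 2.2, the Files block needs the older `Order deny,allow` / `Deny from all` form instead of `Require all denied`.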
My Personal Advice
With that, we end our list of tips to protect your WordPress websites. As you can see, there are many different ways of securing your site against hackers and other online threats, although none of them is good enough to be used alone. You certainly don’t have to employ all of these tips, but:
“The more you add, the safer your site will be.”
However, you should keep in mind some of the tips, especially the one about not using nulled themes, since doing so would not be much different from inviting the hackers in.
Alright, so now you know what you can do to prevent your WordPress website from being hacked or attacked. While some of the methods will cost you a bit more, using them would serve you in the long run, which makes them worthy of consideration. Now, you tell me, do you have any more tips to add? Drop them in the comments below.