When deciding on which CMS platform to use undoubtedly WordPress springs to mind and it’s the number 1 choice not only for developers but for general consumers. We have 5 WordPress security tips for you that you might need.
It’s no wonder that WordPress has become one of the most popular CMS platforms on the internet. The CMS powers over 34% of all websites in existence on the web.
Although WordPress is a secure CMS out of the box it can still be targeted by hackers. As cyber-attacks increase day by day the fact that WordPress is one of the most popular CMS’s used makes it a prime target.
A study in 2018 showed that WordPress infections rose from 83% in 2017 to 90% in 2018 and the trend seems to be going up.
Source: sucuri.net/reports/2018-hacked-website-report/
Like with any type of software security issues and vulnerabilities can surface on WordPress if your web hosting isn’t set up properly, you use a theme or plugins whose developers don’t follow coding standards or if there is simply a general lack of maintenance of the CMS.
Other types of security issues can arise if your site is receiving brute force attacks by bots (automated hacking software), spam attacks which bombard your site with spam comments (which inevitably slows the site down), or via code injection where hackers find a way to inject malicious code into your site.
Don’t worry though, a WordPress website can be kept safe and secure so long as you take the necessary precautions and review your setup at regular intervals.
Today we are going to share with you our top 5 security tips to ensure your site is not one of those that a potential hacker would class as a prime target.
1. Use A Good Hosting Company
The advent of $1 hosting companies has meant that its cheaper than ever to get a web hosting account. However, many of these fly-by web hosts simply don’t maintain their platforms and this can lead to your site getting hacked.
Your first line of defense is to use a good quality web host. You can still get your unlimited web hosting at an affordable price but with added benefits of a secure platform to host your site on.
Quality web hosts will ensure that they support the latest versions of MySQL (database) and PHP. They will also offer firewall and malware protection all of which will deter even the most persistent of attackers.
2. Update WordPress And Plugins
Sounds like common sense doesn’t it? To keep your WordPress version and plugins up to date. But you would be surprised how many websites use out of date versions of WordPress and plugins.
Newer versions of WordPress not only provide new features, but they also fix security holes. From version 3.7 WordPress started to push out security patches which are automatically installed on sites using the CMS.
However, although security patches are automatically applied, to install major updates it needs to be initiated by a user.
This is an important and easy task to do. You should update to newer versions to benefit from the newer optimized code, bug fixes and above all the speed enhancements it can provide your site.
The same goes for your plugins and themes. They should also be updated to their latest versions. Very often apart from new features, security exploits and bugs are also fixed.
A word of warning. Often you may be tempted to use a ‘nulled’ plugin or theme. These are plugins and themes that you would normally have to buy but can be downloaded off the internet for free.
These free premium plugins are generally riddled with exploits and backdoors allowing hackers a way to exploit your website. If you need to use a premium plugin or theme then for the small cost associated, you should just buy it!
3. Protect Your Login Page
Many WordPress websites can be accessed via URLs like example.com/wp-admin. This creates a point of attack for hackers to gain access to your site.
One of the simplest things you can do is to have a unique login URL. Using the iThemes plugin (discussed below) you can change your login URL to something more secure and memorable i.e.
Example.com/my_secure_login
Only you will be aware of this and any attempts to access the default URL directly will result in a 404 error.
Hackers who can access your default login URL will also attempt to use the default username of ‘admin’ and then have multiple attempts to guess your password (via brute force).
Another simple way to stop them in their tracks is to change the default ‘admin’ username to something else.
Again, the iThemes plugin can automate this process for you so you won’t have to update your database tables, etc. manually to change your default admin username.
Your password. It’s very common for people to use easy memorable passwords that will take no time for a hacker to guess. Use a password tool like LastPass to generate secure passwords and have it remembered for you. Passwords are saved in a secure online vault which only you can access.
There is really no excuse not to be using secure passwords.
Lastly, ensure your website is using secure connections. Upgrade to use an SSL which will protect the data being transferred between your website and a user.
Without a secure site the data being transferred, which may include personal information, credit card details or other sensitive data may be susceptible to being intercepted and being used by a 3rd party.
SSL certificate is free depending on the quality of your web host. To install an SSL properly on your site this guide to migrate your site from http to https will help and it covers the benefits and steps required to easily implement an SSL.
4. File Permissions
When you install WordPress it will set the file permission for you. Depending on your setup these permissions can be overridden by hosting your site with a poorly maintained web host.
Your wp-config.php file is the most important file of your WordPress install. It contains the access details for your database, your security keys and much more. Securing this 1 file means a secure WordPress site!
You can easily secure this file by changing the permissions fn it. Login via your favorite FTP client and change the default permission for the wp-config.php file from 644 to 444.
This will stop anyone especially hackers viewing this very important file.
As you have got your FTP client open making a quick edit to your .htaccess file can also provide additional security for other important WordPress files.
Simply open your .htaccess file and add the following lines at the end:
<FilesMatch “^.*(error_log|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$”>
Order deny, allow
Deny from all
</FilesMatch>
What that code will do is prevent access to the most common WordPress files like your error log files, PHP files, etc. all of which could contain important information a hacker can again use to gain access to your site.
5. iThemes Security Plugin
Using a security plugin can be a very efficient way to protect your WordPress website. As we have discussed above some of the edits that you may need to make require altering code.
If that worries you or you’re not comfortable with editing or changing files, then a plugin can help greatly.
The iThemes Security plugin does just that. It has over 30 options to protect your site from the most common hacks.
It will help you to plug common holes found in WordPress, stop automated attacks and secure your user credentials. All from a user-friendly GUI. It’s one of the best plugins to use to secure your install.
A few of the features of this plugin are the ability to change your login URL (which we discussed above) to limiting logins to specific IP addresses.
You can effectively lock down admin access to your site to a select few users as well as specifying times which a login can be successful.
You can download and use the iThemes plugin free from the WordPress repo here: https://en-gb.wordpress.org/plugins/better-wp-security/
Final thoughts.
These are the simplest and easiest ways to secure and protect your WordPress website.
99% of the holes and vulnerabilities a hacker may attempt to use will be prevented before they can get to your login page. If they do manage to get to your login page, then the additional security settings will only allow access to those who genuinely require it. With that said please use these 5 WordPress security tips to protect your website.
