I’ve heard many website owners complain about the security of WordPress. The thought is that an open source script is vulnerable to all sorts of attacks. Is that a fact? And if so, how do you secure your WordPress website?
Luckily, it is mostly untrue; in some respects it is the other way around, because an open source project has many eyes on its code and security fixes ship quickly. Okay, let's say that it's partially true. Even then, the blame shouldn't fall on WordPress.
Why? Because it's usually something the site owner left undone that let the site get hacked: an outdated plugin, a weak password, no backups. There are responsibilities you have to take care of as a website owner. Unfortunately, most website owners don't know this, through no fault of their own, and they learn the hard way when their site gets hacked and costs hundreds or thousands of dollars to recover. So the key question is: what are you, or your webmaster, doing to understand what you need to do to keep your site from being hacked?
Today, I plan to discuss quite a few simple steps that can help you secure your WordPress website. These are just a few of the steps we perform on client sites, so stay tuned for part 2 in the future with additional information. After implementing these tactics and following up with continual security checks, you'll be well on your way to securing your WordPress website for good.
Yes, this article is long, but this is an important topic because the cost of getting hacked is very high!
1. Strong Security Starts With The Right Hosting
There are a lot of reasons we love SiteGround hosting; security is just one of them.
SiteGround's security experts constantly monitor for WordPress-related vulnerabilities and proactively protect users with custom WAF (web application firewall) rules when needed.
And they are officially recommended by WordPress.org as one of the best and brightest WordPress hosting providers.
But it doesn't matter how secure your site is if it isn't fast, and SiteGround sites are blazing fast. Their hosting platform is built on the latest SSD hardware, and SiteGround adds its own secret sauce, the SuperCacher caching tool, which drastically increases WordPress speed.
And if you need to contact SiteGround support, they are available 24/7. With virtually no wait time on chat and phone and around 10 minutes for the first response in their ticketing system, they consistently achieve nearly 100% customer satisfaction rates. Quite frankly, we don’t know how they do it!
2. You Can’t JUST Set It And Forget It
After your WordPress website has been created, you can't just set it and forget it. A WordPress site is composed of WordPress core, a theme that controls the look and feel of your site, and plugins that provide extra functionality. All three receive updates on a regular basis, and in some cases the purpose of an update is to fix a security issue. Once such a fix is public, the hole it closes is public too, and automated scanners start looking for sites that have not applied it.
If you do not keep your site updated on a regular basis, at least monthly, you are asking for trouble, and it is probably only a matter of time before your site gets hacked in some way! WordPress applies minor core (security) releases automatically by default; leave that on, and consider turning on automatic updates for plugins and themes as well (available on the Plugins and Themes screens since WordPress 5.5), with a backup in place in case an update misbehaves.
In addition to regular updates, it is critical to take full backups of your site (database and files), keep a copy somewhere other than the web server, and scan for issues.
While in some cases it's possible for clients to add content to their sites, we highly recommend having a professional handle updates, backups, and scans. Whether it is us or someone else, it is critical to have a strong maintenance plan in place to help prevent hacks, and to be able to recover quickly and with minimal cost in case there is an issue.
3. Protect the login page and prevent brute force attacks
Everyone knows the standard WordPress login page URL. The backend of the website is accessed from there, and that is the reason why people try to brute force their way in. Just add /wp-login.php or /wp-admin/ at the end of your domain name and there you go.
What I recommend is to customize the login page URL and how the page responds to failed attempts. That's the first thing I do when I start securing a website.
Here are some suggestions for securing your WordPress website login page:
3A. Set up a website lockdown feature and ban users
A lockdown feature for failed login attempts takes care of the continuous brute force attempts every public site receives. Whenever there is a run of wrong passwords from one address, that address is locked out for a while and you are notified of the unauthorized activity. Lock out the offending IP address, not the whole site and not the targeted username, or an attacker can keep you out of your own dashboard simply by failing on purpose. Expect a determined attacker to rotate addresses, so a lockdown slows password guessing down rather than ending it; it works together with strong passwords, not instead of them.
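The following mu-plugin is an added example written for this article, not code from the original post or from iThemes Security. It shows how a lockdown works under the hood: failed logins are counted per IP address in a WordPress transient, the address is refused for a while once the count passes a threshold, and the site owner gets an email. The thresholds and the use of REMOTE_ADDR as the client address are assumptions noted in the comments.

```php
<?php
/**
 * Plugin Name: Login Lockdown (added example)
 * Description: Locks an IP address out after repeated failed logins and emails the site owner.
 *
 * Added example for this article; not code from the original post or from
 * iThemes Security. Save it as wp-content/mu-plugins/login-lockdown.php and
 * it loads on every request. The thresholds below are assumed values.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Never run outside WordPress.
}

const LL_MAX_FAILURES = 5;       // failed attempts before the lock engages
const LL_WINDOW       = 15 * 60; // seconds a failure count is remembered
const LL_LOCKOUT      = 30 * 60; // seconds a locked address stays locked

/**
 * Address the counters are keyed on. Assumption: PHP sees the real client
 * address. Behind a CDN or reverse proxy, read the header that proxy sets
 * instead, and only that header, because X-Forwarded-For is client-supplied.
 */
function ll_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function ll_fail_key( $ip ) {
    return 'll_fail_' . md5( $ip );
}

function ll_lock_key( $ip ) {
    return 'll_lock_' . md5( $ip );
}

/**
 * Count a failed attempt. WordPress fires wp_login_failed from
 * wp_authenticate(), so failures through XML-RPC are counted as well.
 */
function ll_record_failure( $username ) {
    $ip = ll_client_ip();
    if ( get_transient( ll_lock_key( $ip ) ) ) {
        return; // already locked; attempts during the lockout do not extend it
    }

    $failures = (int) get_transient( ll_fail_key( $ip ) ) + 1;
    set_transient( ll_fail_key( $ip ), $failures, LL_WINDOW );

    if ( $failures >= LL_MAX_FAILURES ) {
        set_transient( ll_lock_key( $ip ), time(), LL_LOCKOUT );
        delete_transient( ll_fail_key( $ip ) );

        // Tell the owner which address and which username were involved, so
        // they can see whether a real account was being targeted.
        wp_mail(
            get_option( 'admin_email' ),
            sprintf( '[%s] Login lockout for %s', get_bloginfo( 'name' ), $ip ),
            sprintf(
                '%d failed logins from %s (last username tried: %s). Locked for %d minutes.',
                LL_MAX_FAILURES,
                $ip,
                sanitize_user( $username, true ),
                LL_LOCKOUT / 60
            )
        );
    }
}
add_action( 'wp_login_failed', 'll_record_failure' );

/**
 * Refuse every login from a locked address. Priority 30 runs after the core
 * username/password checks (priority 20), so the lock holds even when the
 * password finally guessed is correct, and the response looks the same for
 * a right or a wrong password.
 */
function ll_block_locked( $user, $username, $password ) {
    if ( get_transient( ll_lock_key( ll_client_ip() ) ) ) {
        return new WP_Error( 'll_locked', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'll_block_locked', 30, 3 );

/** A successful login clears the counter for that address. */
function ll_clear_on_login( $user_login, $user ) {
    delete_transient( ll_fail_key( ll_client_ip() ) );
}
add_action( 'wp_login', 'll_clear_on_login', 10, 2 );
```

Keying the counter on the address rather than the username is deliberate: a per-username lock lets anyone lock the real administrator out just by failing on purpose. An attacker with many addresses is only slowed down, which is why the strong password advice later in this section still matters.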
3B. Change The Login Username
By default, WordPress lets you log in with either your username or the email address on your account (email login has been accepted since WordPress 4.5). Turning the username option off, so that only the email address works, is a modest hardening. The reasons are straightforward: usernames are easy to predict, and WordPress shows them on author archive pages and in the REST API, while the email address on the account is usually less exposed. Every WordPress user account is created with a unique email address, so it is a valid identifier for logging in; a plugin or a small code snippet is needed to disable the username route.
3C. Rename your login URL
Changing the login URL is an easy thing to do. By default, the WordPress login page can be accessed easily via wp-login.php or wp-admin added to the site’s main URL.
When hackers know the direct URL of your login page, they can try to brute force their way in. They attempt to log in with a GWDb (Guess Work Database): a list of common usernames and passwords, e.g. username: admin and password: p@ssword, in millions of such combinations.
At this point, we have already restricted login attempts and swapped usernames for email addresses. Now we can replace the login URL and shed the bulk of automated brute force traffic, which only ever tries the default path. Keep in mind what this is: obscurity, not authentication. Anyone who learns the new URL is back where they started, and the same username and password can still be submitted to xmlrpc.php unless XML-RPC is disabled as well, so the lockdown and strong passwords still do the real work.
This little trick keeps unauthorized visitors away from the login page; only someone with the exact URL can reach it. Again, the iThemes Security plugin can change your login URLs for you. Like so:
Change wp-login.php to something unique; e.g. my_new_login
Change /wp-admin/ to something unique; e.g. my_new_admin
Change /wp-login.php?action=register to something unique; e.g. my_new_registration
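Renaming the login URL (3C) and hiding usernames (3B) only help if the other ways to discover names and submit passwords are closed too. The mu-plugin below is an added example written for this article, not code from the original post or from iThemes Security. It disables XML-RPC, which accepts a username and password on every call to xmlrpc.php, and stops anonymous visitors from harvesting login names through author archives and the REST API users routes. It assumes nothing on the site (Jetpack, the WordPress mobile app) still depends on XML-RPC and that public author archive pages are not needed.

```php
<?php
/**
 * Plugin Name: Close the Side Doors (added example)
 * Description: Disables XML-RPC and blocks anonymous username enumeration.
 *
 * Added example for this article, not code from the original post or from
 * iThemes Security. Save as wp-content/mu-plugins/close-side-doors.php.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 1. XML-RPC. With this filter returning false, every xmlrpc.php method that
//    needs a login fails before the password is checked, which ends the
//    system.multicall trick of testing hundreds of passwords in one request.
//    Assumption: nothing on the site (Jetpack, the mobile app) needs XML-RPC.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Author archives. A request for /?author=1 normally redirects to
//    /author/<user_login>/, handing out the login name of user ID 1. Send
//    logged-out visitors to the home page instead. Priority 1 runs before
//    WordPress's own canonical redirect (priority 10) would leak the name.
//    Assumption: the site does not rely on public author archive pages.
function csd_block_author_scan() {
    if ( is_user_logged_in() ) {
        return;
    }
    if ( isset( $_GET['author'] ) || is_author() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}
add_action( 'template_redirect', 'csd_block_author_scan', 1 );

// 3. REST API. /wp-json/wp/v2/users lists every user who has published a
//    post, slug included (usually the login name). Require a logged-in user
//    for the users routes only; the rest of the API stays public.
function csd_rest_require_login_for_users( $result, $server, $request ) {
    if ( null !== $result ) {
        return $result; // another filter already produced a response
    }
    $route = $request->get_route();
    if ( ! is_user_logged_in() && 0 === strpos( $route, '/wp/v2/users' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You must be logged in to list users.',
            array( 'status' => 401 )
        );
    }
    return $result;
}
add_filter( 'rest_pre_dispatch', 'csd_rest_require_login_for_users', 10, 3 );
```

Logged-in editors keep using the users routes (the block editor sends a nonce with its requests, so they count as logged in); anonymous requests get a 401 instead of a list of names.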
3D. Use strong passwords
Always use strong passwords to secure your WordPress website, and change any password promptly if you suspect it has been exposed. A long passphrase of several unrelated words is nearly impossible for hackers to guess but easier to remember than a jumble of random letters, numbers, and special characters; length does more for strength than sprinkling in symbols. Turn on two-factor authentication for administrator accounts as well, so a guessed password alone is not enough.
LastPass is one of the easiest ways to get on top of your passwords. It’ll not only generate safe passwords for you but then store them inside a browser add-on, which will save you the hassle of having to remember them.
4. Secure your WordPress website through the admin dashboard
For a hacker, the most intriguing part of a website is the admin dashboard, which is also the best protected section of all. Attacking the strongest part is the real challenge; if it succeeds, it gives the hacker bragging rights and the access to do a lot of damage.
Here’s what you can do to secure your WordPress website admin dashboard.
4A. Protect the wp-admin directory
The wp-admin directory is the heart of any WordPress website: anyone who can act there can install plugins, edit theme files, and change every user's password. Therefore, if this part of your site gets breached, the entire site can be damaged.
One way to prevent this is to password-protect the wp-admin directory at the web server (on Apache, an .htaccess and .htpasswd pair inside wp-admin; many hosts offer the same thing from their control panel). With such a measure, the website owner reaches the dashboard by submitting two passwords: one for the WordPress login page and a second for the admin area. One caveat: wp-admin/admin-ajax.php is also used by themes and plugins on the public side of the site, so exclude it from the protection, or logged-out visitors will get a password prompt from front-end forms. If some users need access to particular parts of wp-admin, you may leave those parts open while locking the rest.
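The mu-plugin below is an added example written for this article, not code from the original post. It is the server-independent equivalent of the .htaccess/.htpasswd approach: before any wp-admin screen loads, it demands HTTP Basic Authentication credentials on top of the normal WordPress login, and it lets admin-ajax.php and admin-post.php through so the public site keeps working. It assumes the web server passes the Authorization header to PHP (Apache with mod_php does; with PHP-FPM behind Apache you may need CGIPassAuth On) and that wp-config.php defines the gate username and a password hash; the constant names SP_GATE_USER and SP_GATE_HASH are this example's own.

```php
<?php
/**
 * Plugin Name: Second Password for wp-admin (added example)
 * Description: Requires HTTP Basic Authentication before any wp-admin screen, on top of the WordPress login.
 *
 * Added example for this article, not code from the original post.
 * Assumptions: the web server passes the Authorization header to PHP, and
 * wp-config.php defines the gate credentials, for example:
 *
 *   define( 'SP_GATE_USER', 'gatekeeper' );
 *   define( 'SP_GATE_HASH', '<output of password_hash( "your passphrase", PASSWORD_DEFAULT )>' );
 *
 * Save as wp-content/mu-plugins/admin-gate.php.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/** Pull the Basic credentials out of the request, whichever way PHP received them. */
function sp_basic_credentials() {
    if ( isset( $_SERVER['PHP_AUTH_USER'] ) ) {
        $pw = isset( $_SERVER['PHP_AUTH_PW'] ) ? $_SERVER['PHP_AUTH_PW'] : '';
        return array( $_SERVER['PHP_AUTH_USER'], $pw );
    }
    // FastCGI setups often expose the raw header instead of PHP_AUTH_*.
    $header = isset( $_SERVER['HTTP_AUTHORIZATION'] ) ? $_SERVER['HTTP_AUTHORIZATION'] : '';
    if ( 0 === stripos( $header, 'Basic ' ) ) {
        $decoded = base64_decode( substr( $header, 6 ), true );
        if ( false !== $decoded ) {
            return array_pad( explode( ':', $decoded, 2 ), 2, '' );
        }
    }
    return array( '', '' );
}

function sp_gate_admin() {
    // admin-ajax.php and admin-post.php also fire admin_init, but they serve
    // the public front end (theme AJAX, forms, the Heartbeat API). Gating
    // them would prompt every visitor for a password, so let them through.
    $script = isset( $_SERVER['SCRIPT_NAME'] ) ? basename( $_SERVER['SCRIPT_NAME'] ) : '';
    if ( wp_doing_ajax() || 'admin-post.php' === $script ) {
        return;
    }

    // Fail closed: an unconfigured gate refuses wp-admin rather than opening it.
    if ( ! defined( 'SP_GATE_USER' ) || ! defined( 'SP_GATE_HASH' ) ) {
        wp_die(
            'The wp-admin gate is not configured: define SP_GATE_USER and SP_GATE_HASH in wp-config.php.',
            'wp-admin gate',
            array( 'response' => 503 )
        );
    }

    list( $user, $pass ) = sp_basic_credentials();

    // Constant-time username compare and a bcrypt check on the password; the
    // plaintext gate password never lives in a file on the server.
    if ( hash_equals( SP_GATE_USER, (string) $user ) && password_verify( (string) $pass, SP_GATE_HASH ) ) {
        return;
    }

    nocache_headers();
    status_header( 401 );
    header( 'WWW-Authenticate: Basic realm="WordPress admin"' );
    exit( 'Authentication required.' );
}
add_action( 'admin_init', 'sp_gate_admin', 0 );
```

Generate the hash once on the command line with php -r 'echo password_hash("your passphrase", PASSWORD_DEFAULT);' and paste the output into wp-config.php. Because the gate runs on admin_init, WordPress has already checked the normal login by the time it fires, which gives exactly the two-password sequence described above.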
4B. Use SSL to encrypt data
Installing an SSL certificate (the protocol in use today is TLS, but everyone still says SSL) is one smart move to secure the admin panel. It encrypts the traffic between the visitor's browser and the server, so a hacker on the same network cannot read your password as you log in or tamper with the pages you receive.
Getting an SSL certificate for your WordPress website is simple. You can purchase one from a third-party company or check whether your hosting company provides one for free. Once it is installed, set both the WordPress Address and the Site Address in Settings > General to https, and turn on the FORCE_SSL_ADMIN setting in wp-config.php so the login page and dashboard are never served over plain HTTP.
I use the free certificates from Let's Encrypt on most of my sites. Any good hosting company like SiteGround offers a free Let's Encrypt SSL certificate with its hosting packages.
The SSL certificate also affects your website's Google rankings. Google tends to rank sites with SSL higher than those without it. That means more traffic. Now who doesn't want that?
4C. Change The admin Username
During your WordPress installation, never choose "admin" as the username for your main administrator account. Such an easy-to-guess username is a gift to hackers: all they need to figure out is the password, and your entire site is in the wrong hands. If your site already has an "admin" user, create a new account with the Administrator role under a different name, log in as that user, then delete "admin" and, when WordPress asks, attribute its content to the new account. Remember that hiding the name only goes so far, since usernames appear in author archive URLs; the strong password and the lockdown above still do most of the work.
I can’t tell you how many times I have scrolled through my website logs, and found login attempts with username “admin”.
CONCLUSION
This article was a lot to take in. However, everything mentioned in this article is a step in the right direction. The more you care about your WordPress site security, the harder it gets for a hacker to break in. Request a free discovery session and we'll determine the best security solution for your website.