When it comes to building great websites, there’s no better platform than WordPress and the 55,000+ plugins you can use to enhance its functionality. But with 41% of all sites using it, it is a magnet for cybercriminals. With customers and search engines demanding better security and ever stricter regulations to comply with, it has never been more important to protect your site from attack. Here, we’ll look at ten proven ways to keep your WordPress website secure.
1. Change your login page
If a hacker is going to try to log in to your website, they’ll first need to access the login page. You can make this far more challenging by changing its URL. By default, the admin login page is yourwebsite.com/wp-admin and this makes it easy for cybercriminals to find it. However, you can change the page’s URL to something different using the WPS Hide Login plugin, so that the ‘/wp-admin’ just displays a 404 error ‘Page Not Found’ message.
2. Use strong usernames
While we are constantly reminded to use strong passwords, it’s important to remember that hackers also need your username to log in to your WordPress admin panel. These can be surprisingly easy for hackers to guess. They’ll try using ‘admin’ which is the default username and they’ll also search your website looking for possible names to use. These can be displayed in ‘Meet the Team’ pages or email addresses and some WordPress themes are configured to display usernames as post authors by default.
You can change the username to something far less easy to guess by using either phpMyAdmin in cPanel or by installing the Username Changer plugin.
3. Use two-factor authentication
While strong passwords are a must, the sophisticated brute force software used by hackers today means you cannot rely on these alone. What’s more, if your password is stolen, it doesn’t matter how complicated it is.
Two-factor authentication adds a robust layer of protection because, in addition to your username and password, you’ll also need a code that is sent to your mobile phone. So, unless a hacker has your mobile phone with them, they won’t be able to break in. And as the code only works for a short amount of time, their software won’t be quick enough to crack it. Yes, two-factor authentication can be a bit of a pain, but nowhere near as painful as having your site hacked.
If you need help with setting this up, read our knowledgebase article How to enable two-factor authentication (2FA).
4. Update themes and plugins on release
If there are vulnerabilities in your WordPress website, they are most likely to be found in themes and plugins. When these are identified, the developers will respond quickly with an update that removes the vulnerability. If you don’t update plugins and themes as soon as a new version is available, you leave your site open to attack. It’s crucial, therefore, that you set up notifications for updates and install these as soon as you can after release. Even better, set up auto-updates.
5. Delete unused themes and plugins
If you have deactivated plugins and themes, it’s less likely that you’ll see a need to keep them updated. However, they too can have vulnerabilities. The simple way to permanently eradicate any risk is to delete them. You can always reinstall if you change your mind.
6. Keep PHP versions up to date
PHP is the scripting language used to write WordPress. Unbelievably, 80% of WordPress websites still use outdated versions of PHP which leave them vulnerable to attacks, such as object injection, SQL injection and application denial of service. You can guard against this by updating to the latest version of PHP in cPanel.
7. Only install themes and plugins from trusted sites
It’s not unheard of for cybercriminals to develop plugins infected with malware and distribute them on the internet. Some may even resell genuine plugins from other developers but tamper with them first. If you install themes and plugins from the WordPress repository, these will have been thoroughly checked before being made available. If you download them from other websites, you need to be completely sure that the vendor is trustable. Always scan the file on your computer using your antivirus program before uploading it to your website.
8. Use a security plugin
Free plugins like Wordfence or Securi offer a range of advanced security measures to keep your WordPress website protected. These include firewalls, malware scanning, file integrity checks and the monitoring of suspicious activity, for example, if a user or bot is making too many attempts to access your site. They also do a lot more.
9. Make use of Patchman
Patchman is a security tool available from WHUK that is specifically designed to protect WordPress and other CMS platforms. Quite simply, it automatically scans your website for vulnerabilities and detects and removes any malware to prevent your site from being infected or taken over. At the same time, it scans your website for out-of-date software, notifies you if it finds any, and if you don’t take action within a given timeframe, installs security patches automatically on your behalf. Learn more about Patchman.
10. Choose a secure web host
Your choice of web host can have a big impact on the security of your WordPress website. A good host will provide you with a wide range of protection tools and security services. These should include strong firewalls, spam and malware email filtering, remote backups, SSL certificates and more. In addition, look for 24/7 support, so that if you have a security issue, an expert is there to help you resolve it quickly.
WordPress is an extraordinary platform for building websites. However, with cyberattacks on the rise and attack methods becoming more sophisticated, security must be a priority. Hopefully, the suggestions given here will help you strengthen your WordPress security.
Looking for secure hosting on servers optimised for WordPress? Take a look at our WordPress Hosting plans.