
Tips to Secure Your WordPress Website

WordPress Security Tips to Help Keep Your Website Safe

When you find out your site has been hacked, it is common to wonder if you could have done anything to prevent it. Yes, yes, there probably is.

When it comes to hacking, not having the basics in place means it is not a matter of if — it is a matter of when your site will be compromised. I’m not saying this to be overly dramatic. It’s just the reality when you do not keep your site secured.

There are solid reasons why sites are targeted and then hacked. The primary reason is not keeping WordPress, themes, and plugins updated. So, it makes sense to remove that target from your website’s “back” when you have the power to do so.

Small WordPress Sites are Just as Vulnerable

You may be asking, why would hackers be interested in your little old site? You don’t have to be a big, famous brand name to be hacked. Your website lives on a web server (a computer) running software that hackers can manipulate, after which your server’s resources are used for nefarious activities.

The little guys are more of a target because they often lack the basic blocks that prevent exploitation. They also tend to be websites that are never updated, leaving old code and back doors open to manipulation.

For example, a site I recently helped was a little non-profit with a very local market. The site owner even had a security plugin, but foreign troublemakers still caused them many problems. (This is where a quality host comes into play.)

I will share some basics you need to consider for your WordPress website.

WordPress, Database, and Files

Malware, short for malicious software, is the code used to gain unauthorized access to your WordPress website, which is why you’ll often hear that a compromised site “has malware.”

This is where your web hosting provider determines whether server-side intrusions are blocked. You can do your part by using a crazy strong password for your hosting account login and for any FTP (File Transfer Protocol) accounts you have. FTP is how you reach the location where your WordPress core files are stored, so those credentials deserve the same care (plain FTP sends them unencrypted; use SFTP if your host offers it).

One of the primary ways hackers gain access to your website is via file inclusion exploits, where vulnerable code is abused to load files from a remote location. The most common target is the wp-config.php file, which is the heart of your WordPress installation.

Next comes SQL injection. Your WordPress website runs on an SQL database, and when hackers gain access to that database, they gain access to all your data. They can then manipulate that data and add links to malicious websites.

Cross-site Scripting via Plugins

Cross-site scripting usually gets in through plugins. Plugin code is modified to direct users to other web pages that include untrusted scripts (typically JavaScript).

Because of this, I recommend you only use plugins that are actively maintained and updated as threats become known. Only use plugins tested with the most recent version of WordPress. I invest in premium plugins, as they take security up a notch.

Security Tips to Put to Work Right Now

Delete the Default “admin” Account

When WordPress is installed, a default administrative user account with the username “admin” is created. The Administrator role has access to everything on your site and is the most powerful role.

Since that is the default user setup on new WordPress installs, hackers look for that account to exploit. So, we need to delete that account immediately.

Go to Users > All Users

If the default admin account is the only user listed, set up a new user account for yourself with the role set to Administrator. It is also a good idea not to have your nickname and username be the same.

Use the WordPress password tool to create a complex password for this critical new account. Then, log out, re-login with the new account credentials, and delete that default admin account.

Use Strong Passwords

Use passwords that are at least eight characters long and combine capital and lowercase letters, numbers, and symbols. You want to make them as difficult as possible to guess.

Use the password tool on your WordPress user page to get a password that will be difficult to determine. The best passwords don’t spell anything out and are challenging, even for you, to remember. Of course, this goes for your WordPress database password, too.

I hear you—how do I remember all these complicated passwords? Typing them in is a real pain, so I sought a solution. Check out LastPass. I use the premium version of LastPass, which does all the heavy lifting.
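The account replacement from “Delete the Default ‘admin’ Account” and the password rule above, as one WP-CLI script. This is an added example, not code from the original post; it assumes WP-CLI is installed, that the script runs from the WordPress root, and that the login and email given on the command line are your own placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: replace the default "admin"
# account with a new administrator via WP-CLI (assumed installed, run from
# the WordPress root). The generated password follows the policy above:
# at least 8 characters mixing upper, lower, digits and symbols.
set -euo pipefail

# Return 0 when $1 satisfies the policy, 1 otherwise.
password_meets_policy() {
  local p=$1
  [ "${#p}" -ge 8 ] || return 1
  case $p in *[[:upper:]]*) ;; *) return 1 ;; esac
  case $p in *[[:lower:]]*) ;; *) return 1 ;; esac
  case $p in *[[:digit:]]*) ;; *) return 1 ;; esac
  case $p in *[![:alnum:]]*) ;; *) return 1 ;; esac
  return 0
}

# Draw random base64 strings until one passes ('+' or '/' is the symbol;
# roughly two of three draws pass, so the loop is short).
generate_password() {
  local p
  while :; do
    p=$(openssl rand -base64 24 | tr -d '\n')
    if password_meets_policy "$p"; then printf '%s' "$p"; return 0; fi
  done
}

# Create the new administrator first, then delete "admin" and reassign its
# posts to the new account so no content vanishes with the old user.
replace_default_admin() {
  local new_login=$1 new_email=$2 old_id new_id pass
  if [ "$new_login" = admin ]; then
    echo "refusing: the new login must not be 'admin'" >&2
    return 1
  fi
  old_id=$(wp user get admin --field=ID) || { echo "no 'admin' user found" >&2; return 1; }
  pass=$(generate_password)
  # --user_pass is briefly visible in the process list on a shared host;
  # run from a trusted shell and change the password after first login.
  new_id=$(wp user create "$new_login" "$new_email" --role=administrator \
             --user_pass="$pass" --porcelain)
  wp user delete "$old_id" --reassign="$new_id" --yes
  printf 'Created administrator %s (ID %s); password: %s\n' "$new_login" "$new_id" "$pass"
}

# Usage: bash replace-admin.sh newlogin you@example.com
if [ $# -eq 2 ]; then replace_default_admin "$1" "$2"; fi
```

Log out and back in with the new account before trusting it; the `--reassign` flag is what keeps the old account’s posts and pages on the site.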

Keep WordPress, Themes, and Plugins Updated

Updates routinely include security hardening for bugs and newly discovered issues that must be addressed. When an update is provided, update WordPress, your theme, and your plugins so you have the latest, most secure versions.

However, do not simply click “update.” There are considerations to go over, and a backup must be taken first: updates can go wrong, plugins can have bugs that have yet to be discovered, and your site can break. You must back up first.
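The back-up-then-update order described above, as a WP-CLI script. This is an added example, not code from the original post; it assumes WP-CLI is installed and is run from the WordPress root, and the backup directory name is a constructed default.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: back up, then update, with
# WP-CLI (assumed installed and run from the WordPress root). The
# ./backups/<timestamp> location is a constructed default.
set -euo pipefail

# Dump the database and archive wp-content into $1. The && chain makes the
# function fail on the first error instead of continuing with a partial backup.
backup_site() {
  local dest=$1
  mkdir -p "$dest" \
    && wp db export "$dest/database.sql" \
    && tar -czf "$dest/wp-content.tgz" wp-content
}

# Show what is about to change so the risk can be weighed before updating.
show_pending() {
  wp core check-update
  wp plugin list --update=available
  wp theme list --update=available
}

# Back up first; only if that succeeds update core, its database schema,
# then every plugin and theme.
update_all() {
  local dest=${1:-./backups/$(date +%Y%m%d-%H%M%S)}
  backup_site "$dest" || { echo "backup failed; not updating" >&2; return 1; }
  wp core update
  wp core update-db
  wp plugin update --all
  wp theme update --all
  echo "updates applied; rollback material in $dest"
}

# Usage: bash update-with-backup.sh run [backup-dir]
if [ "${1:-}" = run ]; then show_pending; update_all "${2:-}"; fi
```

Keep the backup directory off the web root (or at least outside wp-content) so the database dump is not itself downloadable.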

Techie Issues

Several “techie” things are also involved, such as server, folder, and file permissions. Permissions control who can access the files and folders on your hosting server. Your hosting provider usually sets these from the start.

Your .htaccess file can also control access, though it is too technical for many. You shouldn’t modify these files unless you understand the ramifications. Generally, we only need to check this file after a hack, to rule it out as a cause.
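The folder and file permissions mentioned above, applied and then checked from the shell. This is an added example, not code from the original post; it assumes the WordPress root is passed as the first argument and that PHP runs as the file owner (if your host runs PHP as a different user, wp-content/uploads may additionally need group write, so confirm with your host).

```shell
#!/usr/bin/env bash
# Added example, not from the original post: set the usual WordPress file
# permissions and list anything left writable by group or others. Assumes
# the WordPress root is passed as $1 and PHP runs as the file owner; if your
# host runs PHP as another user, wp-content/uploads may need group write.
set -euo pipefail

# Directories 755, files 644, and wp-config.php 600 because it holds the
# database credentials discussed earlier. Refuses non-WordPress paths.
harden_wp_permissions() {
  local root=$1
  [ -f "$root/wp-config.php" ] || { echo "no wp-config.php under $root" >&2; return 1; }
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  chmod 600 "$root/wp-config.php"
}

# Octal mode of a path; works with GNU stat (-c) and BSD stat (-f).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Print files and directories writable by group or others: what a careless
# FTP client or a dropped backdoor tends to leave behind.
report_loose_permissions() {
  find "$1" \( -perm -g+w -o -perm -o+w \) -print
}

# Usage: bash wp-perms.sh /path/to/wordpress
if [ $# -eq 1 ]; then harden_wp_permissions "$1"; report_loose_permissions "$1"; fi
```

Running `report_loose_permissions` on its own, without hardening, is a cheap routine check to schedule alongside the monitoring discussed later.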

Security Plugins

Security plugins can check your WordPress installation for vulnerabilities and suggest corrective actions. Things like:

  • Passwords
  • Hiding Your File Editor
  • 2FA (Two-Factor Authentication)
  • File Permissions
  • Database Security
  • Version Hiding
  • WordPress admin protection/security

But they aren’t the be-all and end-all. For example, I’ve seen sites with a security plugin exploited anyway. So, I use WordFence as a monitoring tool to help keep my sites secured and monitor any concerning activity.

Using a CDN (Content Delivery Network)

I am a big fan of using Cloudflare to add a layer of security and enhance performance for all my sites. Cloudflare is a network of data centers that connects your web server to the rest of the Internet.

It accomplishes two things: Cloudflare serves cached static content to visitors, which enhances performance, and it screens visitors to ensure they are legitimate and not traffic from an attack, malicious bots, or other bad things.

Cloudflare filters out most spam attacks at the name-server level, so such requests don’t even hit your server. It protects your website from DDoS attacks, SQL injections, and comment spam.

The free account is suitable for most sites. However, you can upgrade for additional features and hardening.

2FA = Two Factor Authentication

Due to the recent increase in hacking and identity theft, I advise you to lock down your WordPress dashboard with 2FA. Two-factor authentication adds a verification step when you log in to your WordPress dashboard.

To set up 2FA, download the Google Authenticator App on your phone. Once that is in place, use your phone’s camera to scan the QR code provided for your account within the WordFence dashboard (Setup in WordFence > Login Security).

Then, when you log in, you open the app on your phone and enter the current code it displays into the provided field. You are good to go. Another layer of security is restricting who can reach your WordPress dashboard at all.

Security Needs to be Taken Seriously

[Image: Google site hack notice]

Every day, I work on WordPress websites that require updating. I can tell the site owner doesn’t consider it a time-sensitive priority. Most times, they are just afraid to tackle the process themselves.

Then, one day, they discover that their site is not accessible, redirecting to porn or illegal sites or simply not responding.

Worse yet, they then discover Google is warning searchers that their site has malware or may have been hacked. Imagine finding this out from a potential or established customer.

[Image: Google “hacked” message]

Boy, will that ding your brand! You’ll then have to get your site cleaned and secured and ask Google for a review to remove the hack notice from search engine results. That’s what you call baptism by fire.

Security Is NOT Set and Forget

Even with the best security plugins, you must monitor your site regularly for unforeseen occurrences or file changes that indicate trouble is afoot. Based on actual activity, you can tweak settings or address any apparent concerns.

You want to have these processes and procedures in place so you can do your best to secure your website. The time (and $$) it takes to remedy and recover is something you do not want to have to deal with. [FOR MORE READ: Hardening WordPress on WordPress.org]

As a site owner, you must protect your investment from those with too much time on their hands or who may have sinister motives. Review these issues carefully and make sure your WordPress site is as secure as possible. Now.

At your service,
