WordPress is the most popular CMS, used by more than 39% of all websites on the internet at the time of writing. That popularity makes it a favourite target. The worst part is that most attacks on WordPress are automated scans that hit every reachable installation, so a small site with little traffic is just as exposed as a large one.
In this post, I will share ten ways on how you can secure your WordPress site.
- Choose a Good Hosting Company
I don’t know how many times I have stressed that a good hosting company is a must, not only for keeping your website secure but also for its speed and stability.
Never go for super cheap hosts, which usually skimp on security. One day your website may work fine, and the next its content has been replaced and visitors are being redirected somewhere else. Cleaning up a hacked website is difficult and expensive, so this will give you nightmares.
Paying a little more for better hosting buys additional layers of server-side security and caching, so both your website’s security and its performance improve noticeably.
While there are many good hosts, I personally like Hostinger. Their plans are affordable and they have top-notch security, including daily backups and access to 24×7 chat support.
- Don’t Use Nulled Themes/Plugins
Premium WordPress themes and plugins may be expensive, but they are far cheaper in the long run than their nulled (pirated) counterparts. How? Nulled themes and plugins frequently ship with malicious code that acts as a backdoor into your WordPress site. Also, because they cannot receive updates from the vendor, any security bugs in them stay unfixed.
While it may be tempting to use nulled versions to save some money, it is rarely worth the risk.
- Get a WordPress Security Plugin
There are many security plugins for WordPress. A security plugin protects the application layer of your site, not the underlying server; that is why good hosting is still needed for server-side security. The plugin scans and protects your site around the clock.
Wordfence is a great security plugin with a malware scanner, file integrity monitoring, a WAF, login protection and more.
- Use a Strong Password
Passwords are critical for WordPress security. If you use a password like 1234567 or password, say goodbye to your site: such passwords are easy to remember, but they are also the first guesses every automated brute-force tool tries.
Use a long password that is unique to this site, ideally a random string or passphrase stored in a password manager. Mixing in special characters like !, & and # helps, but length and uniqueness matter most. This applies to every account with editing or admin rights, not just the main administrator.
- Disable File Editing
WordPress includes a built-in file editor for themes and plugins, reachable via Appearance > Editor and Plugins > Editor respectively.
Once you have installed your themes and plugins and made the required modifications, it is highly recommended to disable this editor. If an attacker gains access to an administrator account, even briefly, they can otherwise use it to paste PHP into a theme or plugin file and plant a persistent backdoor.
To prevent this, set the DISALLOW_FILE_EDIT constant to true in your wp-config.php file.
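Here is what that looks like in practice. This is an added example, not code from the original post: the lines go inside your existing wp-config.php (which already opens with a PHP tag), above the comment that reads "That's all, stop editing!", so the constants are defined before WordPress loads. The commented-out DISALLOW_FILE_MODS line is an optional, stricter setting whose suitability depends on how you apply updates, which is an assumption about your setup.

```php
// Removes Appearance > Editor and Plugins > Editor from the dashboard. An attacker
// who steals an admin session can no longer paste a PHP backdoor into a theme or
// plugin file through the browser.
define( 'DISALLOW_FILE_EDIT', true );

// Stricter alternative: also blocks installing, updating and deleting plugins and
// themes from the dashboard, and switches off background automatic updates.
// Only enable this if something else applies patches for you (for example WP-CLI
// or your host's tooling), otherwise it works against keeping the site updated.
// define( 'DISALLOW_FILE_MODS', true );
```

After saving the file, the two editor menu entries disappear for every user, including administrators; there is no per-user override, which is the point.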
- Install SSL Certificates
Nowadays almost every site uses HTTPS via an SSL/TLS certificate. Initially SSL was reserved for sites handling transactions, user logins and the like; today browsers flag plain-HTTP sites as not secure and Google treats HTTPS as a ranking signal.
Most of the time a free Let’s Encrypt certificate is all you need. Encrypting the traffic protects your visitors, and your own admin logins, from man-in-the-middle attacks, and it helps you rank in Google Search. Once the certificate is installed, redirect all HTTP requests to HTTPS so the login page is never served over plain HTTP.
- Change WP-login URL
By default the login page is at domain.com/wp-login.php and the dashboard at domain.com/wp-admin. Because every WordPress site exposes the same URLs, brute-force bots hammer them automatically. Changing the login URL with a plugin cuts out most of that automated noise, but it is obscurity rather than a real barrier: an attacker who discovers the new URL faces exactly the same login form. Enabling two-factor authentication (2FA) for all admin accounts is what actually defeats password guessing, so do that as well.
- Limit Login Attempts
Another way to reduce the impact of brute-force attacks is to limit login attempts. If a client fails to enter the correct credentials a set number of times, it is blocked from the login page for a period of time, which turns a fast dictionary attack into a very slow one.
You can enable this with the Limit Login Attempts plugin and configure it under Settings > Limit Login Attempts.
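To show what such a limiter actually does under the hood, here is a minimal version written as a must-use plugin. This is an added example, not the Limit Login Attempts plugin’s code: it assumes it is saved under wp-content/mu-plugins/, that the thresholds below suit your site, and that PHP sees the real client address in REMOTE_ADDR (see the comment on mll_client_ip for the reverse-proxy caveat). All mll_ names are the example’s own.

```php
<?php
/**
 * Plugin Name: Minimal Login Attempt Limiter (example)
 * Description: Locks a client address out of the login form after repeated failures,
 *              using WordPress transients. Added example; not the Limit Login Attempts plugin.
 */
defined( 'ABSPATH' ) || exit;

// Tunables (assumed values; adjust to suit your site).
const MLL_MAX_ATTEMPTS    = 5;       // failures allowed before a lockout
const MLL_WINDOW_SECONDS  = 15 * 60; // how long a failure stays on the client's record
const MLL_LOCKOUT_SECONDS = 15 * 60; // how long a locked-out client must wait

/**
 * Address used to identify the client.
 * Assumption: PHP sees the real client address in REMOTE_ADDR. Behind a CDN or
 * reverse proxy it sees the proxy instead, so one lockout would hit every visitor;
 * in that setup take the address from the proxy's forwarded header, but only when
 * the request really came from your proxy. Never use a client-supplied
 * X-Forwarded-For as-is: an attacker would spoof a fresh value on every request
 * and never reach the threshold.
 */
function mll_client_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

/** Transient names for a client: array( failure counter, lockout marker ). */
function mll_keys( string $ip ): array {
    $id = hash( 'sha256', $ip ); // fixed-length identifier that is safe in an option name
    return array( 'mll_fail_' . $id, 'mll_lock_' . $id );
}

// 1. Every failed login bumps the client's counter; reaching the threshold sets a lock.
add_action( 'wp_login_failed', function ( $username ) {
    list( $fail_key, $lock_key ) = mll_keys( mll_client_ip() );
    if ( false !== get_transient( $lock_key ) ) {
        return; // already locked out; attempts made during the lockout are not re-counted
    }
    $failures = (int) get_transient( $fail_key ) + 1;
    if ( $failures >= MLL_MAX_ATTEMPTS ) {
        set_transient( $lock_key, time() + MLL_LOCKOUT_SECONDS, MLL_LOCKOUT_SECONDS );
        delete_transient( $fail_key );
        return;
    }
    set_transient( $fail_key, $failures, MLL_WINDOW_SECONDS );
} );

// 2. While a lock is active, every authentication attempt is refused.
//    Priority 30 runs after WordPress's own username/password check (priority 20):
//    a WP_Error returned earlier would be overwritten by a correct password, so the
//    lock has to be applied last.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    list( , $lock_key ) = mll_keys( mll_client_ip() );
    $until = get_transient( $lock_key );
    if ( false === $until ) {
        return $user;
    }
    $minutes = max( 1, (int) ceil( ( (int) $until - time() ) / 60 ) );
    return new WP_Error(
        'too_many_attempts',
        sprintf( 'Too many failed login attempts. Try again in %d minute(s).', $minutes )
    );
}, 30, 3 );

// 3. A successful login clears the failure counter for that client.
add_action( 'wp_login', function ( $user_login, $user ) {
    list( $fail_key ) = mll_keys( mll_client_ip() );
    delete_transient( $fail_key );
}, 10, 2 );
```

Because the check sits on the authenticate filter, it covers XML-RPC logins as well as wp-login.php. A must-use plugin cannot be deactivated from the dashboard, so remove the file to switch it off. Note what per-IP limiting does not do: an attacker rotating through many addresses is slowed, not stopped, which is why 2FA remains the stronger control.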
- Block Access to wp-config.php and .htaccess
It’s usually a good idea to hide wp-config.php and .htaccess files from being access from anyone on the internet.
To hide these two files, open your .htaccess file and enter these lines:
<Files wp-config.php> order allow,deny deny from all </Files> <Files .htaccess> order allow,deny deny from all </Files>
- Keep your Themes, Plugins and WordPress Installation Updated
You should ALWAYS keep your themes, plugins and WordPress core up to date. With every update, developers add new features and, more importantly, security fixes. Once a fix is public, attackers start scanning for sites that have not applied it, so a delayed update is an open invitation. Remove themes and plugins you no longer use as well: inactive code that is still present on the server can still be exploited.
WordPress is the most popular CMS on the market, so it is heavily targeted by hackers, and keeping your WordPress website secure is more crucial than ever. I hope these tips have helped you increase your WordPress security. If you have any queries or suggestions, please feel free to let me know in the comments below.