Your site is probably one of the 455 million that run on WordPress. If so, you should know the basics of keeping your WordPress site safe. In this Ultimate Guide to Safeguarding Your WordPress Website from Hackers, you’ll learn it all.
We’ll start from the basics and take you through more advanced steps to limit access as much as possible. This way, you’ll be as protected as can be from hackers trying to take down your site or steal your information.
Some of these tips are more complex than the others. This is by design since advanced users may want more fundamental security features than what can be achieved with plug-ins. However, for most users, the basic security tips will be fine.
At the base of everything is choosing the right hosting provider (see below). Since you can’t possibly handle all the web traffic yourself, it’s the job of a hosting provider to do that for you. Beyond that, authentication measures, access limitations, and latent security measures can do a lot more.
The fundamental task here is to avoid major breaches that can wipe out critical information or result in financial loss.
The Basics of Keeping Your WordPress Site Safe
WordPress is the dominant CMS on the internet. Hence, hackers will by definition be more inclined to target those sites. So, you need to at least do the bare minimum to prevent those hacks. A hack could lead to financial loss, and even the personal loss of your hard work.
Choosing the Right Hosting Service
Choosing the right hosting service is half the game when you create any website. Hosting platforms manage and update your website security software, install the basic plug-ins and back up your data. This is one of the reasons we suggest people think long and hard about where they are hosting their website. Our website clients are hosted on a reliable VPS (virtual private server) to make sure they stay as safe and secure as possible.
Good website hosting companies will take extra measures to protect your data and ensure maximum uptime. They will also have the infrastructure in place to absorb large-scale DDoS attacks, which smaller companies won’t.
So, it’s in your best interest to choose a well-known, reliable hosting service. It’s the best way to give your WordPress website the protection it deserves.
WordPress is open source and updated regularly. By default, minor updates and tweaks are installed by WordPress. However, major releases need a more proactive approach. You should keep a lookout for major update releases.
There are thousands of plug-ins and themes which you can install on your website too. Make sure you update them as well. There’s no knowing which outdated component will be the one that gets exploited.
Unfortunately, many website owners get busy with the day-to-day running of their business and don’t get around to doing this. We always stress that the best way to make sure your site updates are done on a regular basis is to sign up with a WordPress maintenance service, such as ours, which takes care of that for you.
Update Your PHP Version
The backbone of your WordPress site is PHP. Hence, you need to be using the latest version on your server. Every major release of PHP is supported for 2 full years after its release. However, it’s in your best interest that you update to the latest version.
The latest version is usually free of bugs and security issues found in the previous versions. As of the date of this article, anyone running PHP 7.1 or below doesn’t have security support. Hence, they’re exposed to all sorts of security threats.
You shouldn’t open up your WordPress site to everyone. User permissions are important because they give each user only the access they need. That way, even if one account is compromised, the damage is likely to be contained because that user is fenced off from the rest of the site.
You can find out more about user roles in WordPress here.
According to Verizon’s 2021 Data Breach Investigations Report, 81% of hacking-related breaches used stolen or weak passwords. Hence, it’s important that you set a strong password for all your WordPress accounts. You should also set strong passwords for every online account you have.
You can make it easier on yourself by installing a password manager. You can also use built-in password generators from certain browsers like Safari and Firefox. That way, you’ll just need to remember one master password and you’ll be good.
Advanced Security Tips to Keep Your WordPress Website Safe
Beyond the basics of WordPress security, you should do your best to minimize any chance of a hack. This includes installing various security plug-ins, reducing access, and tweaking your site to verify and authenticate each user identity.
These are just some of the advanced security tips you should follow to keep your WordPress website safe.
Security plug-ins are the most logical first step to securing your WordPress website. They not only keep out unwanted traffic, but scan your site for malware and suspicious activity. Hence, they’re the first line of defense after your hosting services.
Here are the best security plug-ins in the WordPress space.
Right now, Sucuri is the best WordPress security plug-in. Their basic package will scan your site for common threats and boost your overall security. However, the paid plans offer firewall protection to prevent brute force and malicious attacks.
They also provide a DNS level firewall with a CDN which gives your site a performance boost. They even offer a cleanup service to root out and destroy malware at no additional cost.
WordFence is the next best thing. They also offer free and paid packages. You can scan your site for malware and they also provide a firewall, though one that runs on your server. They don’t offer any performance boosts though.
The best thing about iThemes is its clean user interface. There are tons of options including limiting login attempts (see below) and brute force protections. They also use Sucuri’s sitecheck malware scanner. There is no firewall included however.
Web Application Firewall (WAF)
A web application firewall blocks malicious traffic from reaching your website. That way, you keep out potential attacks and viruses. There are 2 basic types of WAFs:
DNS Level Firewall
This routes your web traffic through cloud proxy servers. That way, only genuine traffic is let through.
Application Level Firewall
This firewall examines traffic after it reaches your server, but before loading WordPress scripts. This method is less effective than the DNS Level Firewall.
Custom Admin Name
WordPress allows you to select a custom username when you’re installing it. However, some installs leave it set to ‘admin’ by default. It’s a good idea to choose a web hosting platform which doesn’t do that.
If you do have a username starting with ‘admin’ or containing ‘admin’, then you should change it. You can do this by creating a new username and deleting the old one, or using a Username Changer plug-in. You can also update the username from phpMyAdmin.
Disable the Built-in Code Editor
WordPress has a built-in code editor that can change plug-ins, themes, etc. If a malicious actor gains access to it, it can be a huge security risk. You should turn it off using this code in your wp-config.php file:
// Disallow file edit (straight quotes are required; curly quotes are a PHP syntax error)
define( 'DISALLOW_FILE_EDIT', true );
Limit Login Attempts
By default, WordPress allows you to log in as many times as you need to. This leaves WordPress accounts open to brute force attacks, where hackers keep trying different combinations until a password is guessed.
Hence, limiting login attempts can stop these attacks by locking out a specific IP address after a number of failures. A Web Application Firewall (see above) automatically takes care of this.
Login LockDown Plug-in
This plug-in allows you to limit login attempts. You can easily set a limit to the login attempts for a single account.
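As an added example (not from this article, and not the Login LockDown plug-in’s code), here is the mechanism such a plug-in implements, written as a WordPress must-use plug-in. The limits (5 failures, 15-minute lock-out), the `ex_` function names and the transient key are assumptions chosen for the example; it relies only on the standard `wp_login_failed`, `authenticate` and `wp_login` hooks and the transients API. Because XML-RPC logins also pass through `wp_authenticate`, the lock-out applies to them as well.

```php
<?php
/*
 * Plugin Name: Example Login Attempt Limiter
 * Description: Added example of per-IP login throttling. Drop into wp-content/mu-plugins/.
 */

// Constructed limits: lock an IP out for 15 minutes after 5 failed logins.
const EX_LOGIN_MAX_FAILURES    = 5;
const EX_LOGIN_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;

// Transient key derived from the client IP. REMOTE_ADDR is the TCP peer; behind a
// reverse proxy or CDN you must read the proxy-supplied header your host documents
// instead, otherwise every visitor shares the proxy's address and gets locked out together.
function ex_login_transient_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'ex_login_fail_' . md5( $ip );
}

// Count a failed login and (re)start the lock-out window. Attempts made while
// already locked out also fire this hook, so they extend the lock-out.
function ex_login_record_failure( $username ) {
    $key      = ex_login_transient_key();
    $failures = (int) get_transient( $key ) + 1;
    set_transient( $key, $failures, EX_LOGIN_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'ex_login_record_failure' );

// Refuse authentication while the IP is locked out. Priority 30 runs after
// WordPress's own username/password and cookie checks (priority 20), and the
// returned error replaces their result so no password feedback leaks.
function ex_login_block_if_locked( $user, $username, $password ) {
    if ( (int) get_transient( ex_login_transient_key() ) >= EX_LOGIN_MAX_FAILURES ) {
        return new WP_Error(
            'ex_too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.',
                     EX_LOGIN_LOCKOUT_SECONDS / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'ex_login_block_if_locked', 30, 3 );

// A successful login clears the failure counter for that IP.
function ex_login_clear_on_success( $user_login, $user ) {
    delete_transient( ex_login_transient_key() );
}
add_action( 'wp_login', 'ex_login_clear_on_success', 10, 2 );
```

Transients are stored in the options table (or the object cache if one is configured), so the counter survives across requests and PHP workers without any extra infrastructure; on a multi-server setup a shared object cache is needed for the counts to be consistent.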
Log Out Idle Users
Users that leave their machines unattended or haven’t been active on their account for a long time are potential access points. This poses a huge security risk if someone hijacks their session. Hackers can change passwords, access financial details, or even take down the site.
Hence, you should install the WordPress Inactive Logout plug-in. When activated, it will log out any user that has been inactive on their account for more than the specified time. You can set the time duration yourself.
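To show what an idle-logout plug-in does under the hood, here is an added example (not the Inactive Logout plug-in’s code, and not from this article) as a must-use plug-in. The 30-minute limit, the `ex_last_activity` user-meta key and the `ex_` names are assumptions for the example; it uses only the standard `init`, `wp_login` and `login_message` hooks.

```php
<?php
/*
 * Plugin Name: Example Idle Session Logout
 * Description: Added example of forcing logout after inactivity. Drop into wp-content/mu-plugins/.
 */

// Constructed idle limit: 30 minutes.
const EX_IDLE_LIMIT_SECONDS = 30 * MINUTE_IN_SECONDS;

// Reset the activity timestamp on login so a user returning after a long
// absence is not logged out again on their very first page load.
add_action( 'wp_login', function ( $user_login, $user ) {
    update_user_meta( $user->ID, 'ex_last_activity', time() );
}, 10, 2 );

// Runs on every page load. AJAX (including the dashboard Heartbeat ping) and
// cron requests are ignored when measuring activity, so an open but untouched
// dashboard tab does not keep the session alive indefinitely.
function ex_idle_check() {
    if ( ! is_user_logged_in() || wp_doing_ajax() || wp_doing_cron() ) {
        return;
    }
    $user_id = get_current_user_id();
    $last    = (int) get_user_meta( $user_id, 'ex_last_activity', true );
    $now     = time();

    if ( $last && ( $now - $last ) > EX_IDLE_LIMIT_SECONDS ) {
        wp_logout(); // destroys the current session token and clears the auth cookies
        wp_safe_redirect( add_query_arg( 'ex_idle', '1', wp_login_url() ) );
        exit;
    }
    update_user_meta( $user_id, 'ex_last_activity', $now );
}
add_action( 'init', 'ex_idle_check' );

// Tell the user why they landed on the login page.
add_filter( 'login_message', function ( $message ) {
    if ( isset( $_GET['ex_idle'] ) ) {
        $message .= '<p class="message">You were logged out after '
                  . ( EX_IDLE_LIMIT_SECONDS / MINUTE_IN_SECONDS )
                  . ' minutes of inactivity.</p>';
    }
    return $message;
} );
```

One caveat of this simple version: the timestamp is stored per user, not per session, so a user with two browsers logged in shares one activity clock. A per-session version would keep the timestamp in the session data that `WP_Session_Tokens` manages instead.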
Two-factor authentication is now a standard method of verifying the identity of a user. It basically requires two pieces of information for authentication: a username-password combo and another verification method. Most big websites like Google, Facebook, Twitter, etc. use it.
For WordPress, you can install and activate a 2FA plug-in yourself. In all probability, this will already be installed if you have a reliable hosting service.
You will need an authenticator app on your phone or tablet to complete the 2FA lock. Apps like Google Authenticator, Microsoft Authenticator, or Authy will do the trick. You can also use LastPass or 1Password for this as well.
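The apps listed above all generate time-based one-time passwords (TOTP, RFC 6238). As an added example that is not from this article or any 2FA plug-in, the following PHP shows how a plug-in checks the six-digit code the app displays: it decodes the base32 secret shared with the app during setup, derives a code from the current 30-second time step, and compares in constant time while tolerating one step of clock drift. The `ex_` names and the one-step drift window are assumptions; the self-check at the end uses the published RFC 6238 test vector.

```php
<?php
// Added example of TOTP verification (RFC 6238 over RFC 4226 HOTP), not article code.

// Decode the base32 secret that the setup screen / QR code handed to the app.
function ex_base32_decode( $b32 ) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32      = strtoupper( rtrim( $b32, '=' ) );
    $bits     = '';
    for ( $i = 0; $i < strlen( $b32 ); $i++ ) {
        $val = strpos( $alphabet, $b32[ $i ] );
        if ( $val === false ) {
            return false; // not a base32 character
        }
        $bits .= str_pad( decbin( $val ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $chunk ) {
        if ( strlen( $chunk ) === 8 ) { // trailing bits shorter than a byte are padding
            $out .= chr( bindec( $chunk ) );
        }
    }
    return $out;
}

// HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits.
function ex_hotp( $secret, $counter, $digits = 6 ) {
    $msg    = pack( 'J', $counter ); // 64-bit big-endian unsigned (PHP >= 5.6.3)
    $hash   = hash_hmac( 'sha1', $msg, $secret, true );
    $offset = ord( $hash[19] ) & 0x0F;
    $code   = ( ( ord( $hash[ $offset ] ) & 0x7F ) << 24 )
            | ( ord( $hash[ $offset + 1 ] ) << 16 )
            | ( ord( $hash[ $offset + 2 ] ) << 8 )
            | ord( $hash[ $offset + 3 ] );
    return str_pad( (string) ( $code % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// TOTP: the counter is the number of 30-second steps since the Unix epoch.
function ex_totp( $secret, $timestamp, $step = 30, $digits = 6 ) {
    return ex_hotp( $secret, intdiv( $timestamp, $step ), $digits );
}

// Accept one step of clock drift either side; hash_equals avoids timing leaks.
function ex_totp_verify( $secret, $code, $timestamp, $window = 1 ) {
    for ( $i = -$window; $i <= $window; $i++ ) {
        if ( hash_equals( ex_totp( $secret, $timestamp + $i * 30 ), $code ) ) {
            return true;
        }
    }
    return false;
}

// Self-check with the RFC 6238 test vector: secret "12345678901234567890" (ASCII),
// time 59 -> 94287082, i.e. "287082" when truncated to six digits.
$rfc_secret = '12345678901234567890';
assert( ex_base32_decode( 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' ) === $rfc_secret );
assert( ex_totp( $rfc_secret, 59 ) === '287082' );
assert( ex_totp_verify( $rfc_secret, '287082', 59 + 30 ) === true );   // one step late, still accepted
assert( ex_totp_verify( $rfc_secret, '287082', 59 + 120 ) === false ); // expired
```

A real plug-in additionally records the last accepted time step per user and rejects any code for that step or earlier, so a code that was captured cannot be replayed inside the drift window.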
XML-RPC is enabled by default on WordPress since it helps connect your site with web and mobile apps. It’s a very useful tool considering that mobile devices are the norm for connecting to the internet today. However, it also provides significantly more access points to hackers.
In particular, it can amplify brute-force attacks. For instance, hackers may need to send 500 separate requests to try 500 different passwords against your login page. However, with XML-RPC enabled, the “system.multicall” method lets them try thousands of passwords with just dozens of requests.
You can learn how to disable it here.
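As an added example (not from this article), here are the two usual ways to close this down from a must-use plug-in: switch off XML-RPC authentication entirely with the `xmlrpc_enabled` filter, or keep XML-RPC for the apps that need it but remove the methods that enable batching and pingback abuse via the `xmlrpc_methods` filter. The method names removed are the standard WordPress ones; the `ex_` function name is an assumption for the example.

```php
<?php
/*
 * Plugin Name: Example XML-RPC Hardening
 * Description: Added example, not from the original article. Drop into wp-content/mu-plugins/.
 */

// Option 1: refuse every authenticated XML-RPC call. The endpoint still answers,
// but no method can log in, so remote-publishing apps and Jetpack stop working.
// Uncomment if you do not need XML-RPC at all.
// add_filter( 'xmlrpc_enabled', '__return_false' );

// Option 2: keep XML-RPC for the apps that need it, but remove the methods that
// let one request carry many login attempts (system.multicall) and the pingback
// methods that get abused for reflection. Add any other method you do not use.
function ex_xmlrpc_remove_risky_methods( $methods ) {
    unset( $methods['system.multicall'] );
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'ex_xmlrpc_remove_risky_methods' );

// Stop advertising the endpoint: WordPress adds an X-Pingback header to single
// posts whenever pings are open. Removing it does not disable pingbacks by itself,
// which is why the method is also unset above.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

After deploying either option, a quick check is to POST a `system.listMethods` call to `/xmlrpc.php` and confirm that `system.multicall` no longer appears in the response, and to watch the web server log for the remaining `POST /xmlrpc.php` volume, which should drop once batching is gone.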
Disable Directory Indexing and Browsing
This is perhaps the most technical of the security tips mentioned here so far. Your directory is basically a file system on WordPress to keep track of your files including documents, images, etc. Directory browsing is often used by hackers to find out if you have files with any vulnerabilities.
The best way to stop them using those vulnerabilities is to block access to the directory. That’s why it’s recommended that you turn off directory indexing and browsing.
You’ll need to connect to your website with an FTP client or cPanel’s file manager. Next, you need to locate the .htaccess file in the website root directory. Then add the following line at the end of the file:
Then save and upload the .htaccess file back to the site.
These are some more tips on what to do to protect your WordPress account:
- Don’t install unverified third-party plug-ins or themes.
- Always write down emergency 2FA codes when you’re setting up 2FA. These will help you login and lock out hackers.
- Write down your master password and hide it somewhere if you’re using a password manager.
- Set your backups to the highest frequency to ensure that you don’t lose any valuable information.
Damage Control Methods for WordPress Website Hacks
No matter how strong your security is, there is always a chance of a hack. There will always be a chink in your armor, no matter how committed you are to keeping your WordPress site safe. Hence, you need to be prepared for the worst.
Have a Website Backup
The best way to do that is to install a backup mechanism. Backups can restore your website in case it’s taken down. These mechanisms allow you to save your most critical information as well as your settings and preferences.
There are several paid and free WordPress backup plug-ins out there. Of course, if you’re going with a major web hosting service then this service will automatically be provided for you. That being said, you should have a backup plug-in of your own at a remote location.
The best practice is to either sign up with a WordPress maintenance care plan, which backs up for you on a daily basis, or go with a large service like Amazon, Google, Apple, or Dropbox. You can use plug-ins like UpdraftPlus or BlogVault for this purpose.
Cleanup Your Website
Use your security plug-ins to clean up your website as soon as possible. Sucuri, WordFence, or whichever security plug-in you have will include ways to take back control. Also, changing your password and deauthorizing any accounts linked to your WordPress is a good idea.
This guide is by no means exhaustive since there are more complex security methods online. However, this guide is meant to get you to a decent level of security so that you don’t lose data. Ensure that your basic security features are up to date, and that you’re not leaving any glaring vulnerabilities.