12 Overlooked Ways to Secure Your WordPress Site
November 8, 2016
On average, over 30,000 websites are hacked each and every day. That’s a terrifying statistic, and more than enough reason to take a long, hard look at your WordPress site’s security. While there are simple ways you can increase your security, and most hosting sites will assure you that you’re secure, it’s best to be as secure as possible.
That’s why today we’re going to look at twelve ways you can secure your WordPress site that many website owners may not know about. Employing these tactics will drastically reduce the chances that your site gets hacked.
12 Simple But Powerful Ways to Secure Your WordPress Site
Starting a website is an amazing feeling. You get to set everything up, choose your WordPress theme, and start building an online presence for yourself. Of course, once your site goes live, it becomes vulnerable to an extent. Hackers are always looking for opportunities to get in and steal information or damage a site.
You can prevent this from happening by following these 12 strategies for securing your website today:
1. Limit Login Attempts and Ban Offenders
One of the reasons that hackers manage to penetrate a website is because they have unlimited attempts to do so. They use bots which can quickly try all kinds of different passwords in a short amount of time. A simple way to fix this, is to limit the number of times someone can try (and fail) to access your site.
While there are several plugins that do this, you could also download iThemes Security, which is a comprehensive solution for WordPress. This tool will allow you to limit the number of login attempts, and it will also block the IP address of any attackers that try to hack your site.
2. Change Your Username to an Email
The default username for WordPress is simply “admin,” and one of the most prevalent pieces of security advice you’ll find online is to change this immediately. The default username essentially makes it easy for hackers to guess half of your login info.
Now, you could create something more unique for the username, but the ideal option is to use your email. This will make it much harder to predict what your username is, especially if you use a personal email instead of your blog or website contact email.
You can use the WP Email Login plugin to make this happen immediately with little to no effort on your part. It’s a simple, but effective step.
3. Keep Your WordPress Updated
WordPress is updated constantly. This is not to simply add new features or tweak designs in the backend. No, these updates are also meant to plug holes in security and remove vulnerabilities in the code. They are a security feature in and of themselves.
That’s why it’s important to make sure your WordPress installation and the plugins you have installed, are constantly updated. This will ensure you don’t have any invisible holes in your security you don’t know about. You can always find the latest version of WordPress on the codex, which has them all listed out.
4. Use Two-Factor Authentication
The simple fact of the matter is that even the best blog platforms and the best passwords can be beaten. That’s why you need two-factor authentication. This is a process that generates a random code that must be typed in along with your password for entry into the site.
The randomly generated code is typically sent to your phone or mobile device, thereby making it impossible to get into your site without both the password and the code. You can set up this type of security with a plugin called WP Google Authenticator.
5. Require a reCAPTCHA Form
We’ve all used reCAPTCHA forms before. They’re used by a variety of websites to verify that the person logging in is in fact, human. Bots created by hackers are unable to pass these tests, as they require some level of input and comprehension. They can be annoying as many users know, but there’s no arguing the security they add to a login page.
Implementing these types of forms isn’t quite as simple as using a plugin, but there are guides that help you through the process.
6. Utilize a Secure Password Generator
The strongest kind of passwords are ones with upper and lowercase letters, along with numbers and special characters. You can try to create something rock-solid yourself, but you’ll have an easier time with a password generator.
Of course, trying to remember such a complicated password is extremely difficult. That’s why you should consider using password storage software, or if you want to be absolutely safe, write it down.
7. Purchase an SSL Certificate
Secure Socket Layers, also known as SSL certificates, are common among eCommerce websites. These provide a secure means of transferring data between web browsers and servers. This makes it extremely difficult for hackers to break into the connection.
Many hosting companies offer SSL certificates as part of their service packages. Having this will make your website more secure, and it looks good in Google’s eyes for SEO purposes. It’s a win-win overall.
8. Maintain Site Wide Backups
No matter what happens, if you have your website backed up somewhere else besides your hosting server, then you can bounce back from any kind of calamity. There are several different services that offer backups. Hosting companies will sometimes include it as a feature, depending on your plan.
Ultimately, you should have a backup plugin or service for your website. Even if a hack doesn’t cause a problem, there are tons of other things that can bring the site down or remove content. You don’t want to lose countless hours of work, so make sure it’s backed up.
9. Remove The WordPress Version Number
Did you know that hackers can learn a lot about how to break into your site just by looking at your WordPress version number? It’s true, and by default the number if present on your website for anyone to see. Let’s fix that, shall we?
If you’ve installed a security plugin for WordPress, you’ll find that almost all of today’s options offer the ability to hide your WordPress installation version. This will remove yet another means for hackers to quickly tailor an attack for your website.
10. Disallow File Editing
A hacker’s goal is to get into your admin access. Once they’ve broken into this part of your website, they can start editing files and messing with your plugins and your themes. Luckily, you can stop them from doing this, even if they manage to get into your admin access.
All you need to do is disallow file editing. That will prevent anyone, hackers included, from making changes to these core files in your WordPress installation. To do this, we need to access the wp-config filewithin your WordPress. Here is a walk thru:
It’s important that you don’t touch anything else in this file as one mistake can bring your whole website down. Here are the steps to take:
- You’ll need to start by installing an FTP client. This will allow you to access your WordPress root files.
- To connect the FTP to your site, you’ll need the proper login information from your hosting provider. Simply ask them for it.
- Look for the wp-config.php file in the root folder of your WordPress site. It should be in the same area as other folders like /wp-content/.
- When you’ve opened it, go all the way to the bottom and add this code beneath all the text that’s currently there: define(‘DISALLOW_FILE_EDIT’, true);
And just like that, you’ve made your website more secure!
11. Rename The Login URL
The default URL to log into a WordPress site is the domain with “wp-login” or “wp-admin” added to the URL. It’s simple and easy to get to, but what if it wasn’t? Many of today’s security plugins, like the iThemes one I mentioned earlier, will allow you to change this login URL.
Here are some examples of what it could be changed to:
Anything that you can remember, that’s also unique will suffice, and it will keep people from finding the login page to your site without permission.
12. Require Strong Passwords For User Accounts
If you’re making your website into a WordPress blog or a site with multiple authors, then you’re going to need more than one user account. This can be detrimental to your security, but only if you let it.
By setting requirements for your user accounts, you can make sure they’re following the same rules as you are for the username and passwords they choose. A convenient plugin called Force Strong Passwords will allow you to ensure that any user accounts are meeting your standard for password complexity.
When it comes to the World Wide Web, you can never be too secure. Keep these tactics in mind as you build your WordPress site and always be vigilant with your security measures. What tactics do you employ to keep your site safe and secure? Let us know in the comments!