This blog post will provide you with some WordPress security tips and advice to help you secure your website and keep it safe from hackers.
Is WordPress Secure?
The first question you’re probably asking yourself is: is WordPress secure? The simple answer is yes. However, a lot of websites get hacked because people don’t keep their website up to date, their themes and plugins are not up to date, or they use easy-to-guess passwords. The list goes on. The reality is that WordPress needs to be managed, maintained and secured; you cannot install it and forget about it in the hope that it will take care of itself.
With any new release, WordPress gets improved and its security is improved too. Various bugs and vulnerabilities are fixed each time a new version of the content management system is released.
If a serious security issue is found in WordPress, the developers normally resolve it really fast and push out the update to all the affected websites, which is another reason why you need to keep an eye on your website and update it to the latest stable and secure version.
Updating WordPress is a simple task and will take you a few seconds. Just log in to the website dashboard; if an update is available, there will be an announcement asking you to update the website. With a single click of the “Update now” button, the website will be updated automatically to the latest version.
Backup Your Website
This is a golden rule for anyone running a website: always back up your website on a regular basis. Should anything go wrong, you can quickly get your website back online by restoring it from one of the backups. Some hosting companies give you daily website backups as part of the plans they offer; however, we would also recommend you invest in a 3rd party backup service which will automatically back up your WordPress website for a small monthly cost. Again, we cannot stress this enough: BACK UP YOUR WEBSITE.
You have heard the old phrase “You get what you pay for”. This also applies to hosting. If you host your WordPress website with a cheap hosting provider or with a free service, don’t expect the server your website is hosted on to have great security or backups which you can rely on to recover your website. Our advice is to do your research, look at the WordPress hosting reviews we have included on this website and invest in a good quality hosting company. The bottom line is that if you wake up one morning to find that your website has been hacked, you need to be in a position to restore the website from a backup to get it back online.
Update Plugins And Themes
The great thing about WordPress is that it gives you the flexibility to install themes and plugins to expand its functionality. It is essential that you keep the themes and plugins you have installed up to date.
This will ensure you avoid any vulnerabilities, bugs, and potential security breaches via a 3rd party plugin or theme.
We would also recommend you only install what you need, and only install a theme or plugin from the original developer’s website. If you install a nulled theme or plugin you have downloaded from a warez or other illegal site, you will get hacked.
Use Latest PHP Version
PHP is the backbone of your WordPress site, so using the latest version on your server is really important. Each major release of PHP is typically fully supported for two years after its release. During that time, bugs and security issues are fixed and patched on a regular basis.
The latest version of PHP is 7.2. If you’re using PHP 5.6 or below, you are opening yourself up to getting hacked. Ensure the hosting company supports PHP 7.2 or above; if they don’t, move to a hosting company that does.
Use Strong Passwords
Don’t make it easy for a hacker to hack your website. Use a strong and secure password for your website. Don’t be stupid enough to use passwords like qwerty, 123456, password, 123456789.
Hackers will use brute force attack tools against your website to get your password. You can generate strong passwords by visiting https://www.lastpass.com/password-generator or https://www.avast.com/en-gb/random-password-generator
Install A Firewall Plugin
You can find lots of free and commercial Firewall plugins at https://en-gb.wordpress.org/plugins/search/firewall/ which will automatically secure your website within a few minutes.
A firewall plugin is a great way to protect your website from hackers as they do most of the work for you. You can download and install the firewall plugin directly from the WordPress dashboard and within a few minutes, your website will be protected.
Cloudflare is a great way to protect your WordPress website from hackers. Cloudflare automatically blocks a wide range of bots and attacks before they even reach your website.
It will also protect you from DDoS attacks. You can also block countries and protect the WordPress login form from brute force attacks. We would recommend you start with the free version of Cloudflare and, if you like it, upgrade to the Pro version, which gives you access to the WAF (web application firewall) features and much more.
Encrypt your connection with an SSL certificate
SSL encryption secures the connection between your site and visitors’ browsers. This means that all the data which passes through is encrypted and private, preventing hackers from stealing information like passwords and credit card details and much more.
Both Google and website visitors expect a website to use an SSL certificate. If you don’t use one, your website will be flagged as insecure, which will stop visitors from visiting it. Google also ranks secure websites higher in the search results than websites which do not use an SSL certificate. Most companies also offer free self-signed or Let’s Encrypt versions of the SSL certificate which can be easily installed for your website.
Password Protect Your Login & Admin Pages
You can also add another layer of security by password-protecting your WordPress admin page. This measure requires users to enter another username/password before they can even access the login page. Restricting access to your login, admin and other critical pages is a surefire way to protect your site from bots as well as some DDoS attacks. This can be done at the server level using a .htpasswd file in combination with a .htaccess file to protect the page.
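The .htaccess and .htpasswd combination described above, as an added example that is not part of the original post. It assumes Apache 2.4 with .htaccess overrides enabled; the function name, the paths and the `login-guard` marker are made up for illustration.

```shell
#!/bin/sh
# Added example: put HTTP Basic auth in front of wp-login.php (Apache 2.4).
# The function name, paths and marker text are assumptions for illustration.
#
# Create the password file first, outside the web root, for example:
#   htpasswd -c /home/example/.htpasswd editor

# guard_wp_login WEBROOT PASSWD_FILE
# Appends a Basic auth block for wp-login.php to WEBROOT/.htaccess.
guard_wp_login() {
    webroot=${1%/}
    passwd_file=$2
    htaccess="$webroot/.htaccess"

    # A password file under the web root can be downloaded if the server
    # is ever misconfigured, so refuse to reference one there.
    # (Plain string comparison: pass absolute paths.)
    case "$passwd_file" in
        "$webroot"/*)
            echo "refusing: $passwd_file is inside the web root" >&2
            return 1 ;;
    esac

    # Idempotent: do nothing if the block has already been written.
    if [ -f "$htaccess" ] && grep -q '# BEGIN login-guard' "$htaccess"; then
        return 0
    fi

    # Visitors must pass this prompt before WordPress shows its own form.
    cat >> "$htaccess" <<EOF
# BEGIN login-guard
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "$passwd_file"
    Require valid-user
</Files>
# END login-guard
EOF
}
```

Use this only on a site served over HTTPS, because Basic auth sends the credentials with every request.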
Limit Website Login Attempts
Another proactive way to protect your site from brute force attackers is limiting failed login attempts.
By default, WordPress allows users to attempt to log in as many times as they want; however, this leaves your site vulnerable to brute force attacks. Hackers can target your website by trying to guess your username/password combination millions of times until they break in.
You need to put a safeguard in place that would limit the number of times anyone can try to log in with incorrect credentials.
You can easily limit the number of login attempts at your WordPress website by installing a plugin that will automatically limit the number of login attempts for you.
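To see whether your login form is being hammered, and to confirm that a limiter is doing its job once installed, you can count failed logins per client in the web server access log. This is an added example, not part of the original post; it assumes the combined log format and default WordPress behaviour (a failed login is a POST to /wp-login.php answered with 200, a successful one with 302), and the log lines are constructed.

```shell
#!/bin/sh
# Added example: list clients with many failed logins in an access log.
# Assumes combined log format; on a default WordPress install a failed login
# is a POST to /wp-login.php answered with 200, a successful one with 302.

# failed_logins LOGFILE THRESHOLD -> prints "count ip", highest count first
failed_logins() {
    awk -v limit="$2" '
        # Match the login script with or without a query string.
        function is_login(p) {
            return p == "/wp-login.php" || index(p, "/wp-login.php?") == 1
        }
        $6 == "\"POST" && is_login($7) && $9 == 200 { fails[$1]++ }
        END {
            for (ip in fails)
                if (fails[ip] >= limit + 0) print fails[ip], ip
        }
    ' "$1" | sort -rn
}

# Constructed sample log (documentation IP ranges), not real traffic.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [12/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "curl/8.0"
198.51.100.23 - - [12/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "curl/8.0"
198.51.100.23 - - [12/Mar/2024:02:14:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:02:15:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2980 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:15:04 +0000] "POST /wp-login.php?action=login HTTP/1.1" 200 4312 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:02:15:05 +0000] "GET / HTTP/1.1" 200 10321 "-" "curl/8.0"
EOF
}

# Stand-alone run: clients with 3 or more failed logins in the sample.
log=$(mktemp) && sample_log > "$log"
failed_logins "$log" 3
rm -f "$log"
```

A user who mistypes a password once shows up with a count of 1 or 2, so pick a threshold above that before blocking anything.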
WordPress is a great content management system that allows you to create amazing websites; however, due to its popularity, it is targeted by hackers. The key to keeping a website secure is to:
- Invest in good quality hosting
- Ensure you take regular backups
- Install a firewall plugin
- Keep WordPress up to date
- Keep your themes and plugins up to date.
If you follow these simple rules it will go a long way to securing your website.