Secure Your WordPress Website with these 19 Essential Steps
Being a WordPress website owner, you may or may not be aware of the necessity to take some essential steps to secure your website against unwanted intrusions. In this post, I am giving you the 19 best security tips that I have found in my research to assist you in keeping your site as secure as possible. These tips are for those business owners or blog owners who have their own website being hosted with a hosting company.
It is important to realise that website security is not a one-off event. Rather, it is an ongoing practice to ensure that your website can do its job of attracting your customers.
1. Choose the best hosting service possible.
You will need to do your research to know what you need so that you are able to choose the best option for you. For example, if you are expecting to attract a lot of traffic to your website, like over 50,000 hits per day, you may want to avoid shared hosting and look at dedicated hosting or a service with cloud hosting.
2. Pick a good, unique username.
DO NOT use admin, test or your website name! Part of this includes using a good strong password as well. Use this link to check how well your password performs https://howsecureismypassword.net/
3. Install the Wordfence plugin.
This is hands down the best security plugin out there and one of the best tools to help you secure your website. The free version deals really well with such things as limiting login attempts, blocking unregistered users from trying to login and blocking random bot attacks. The settings are quite comprehensive and allow for customization as well. If you feel you need extra security, you can always opt in for the premium paid version. Check out all the necessary documentation here: https://docs.wordfence.com/en/Wordfence_Official_Documentation.
4. Find out if a website username is hidden or not.
Type in a website domain and follow it with /?author=1 and hit enter eg www.yourdomain.com/?author=1 This reveals the username to log into the site if not properly secured. If the site is properly secured, the user is referred to a Page that says No Results.
5. Limit login in attempts to your website.
5 is a good number. Enough to still let you in if you make a mistake yet not enough to allow someone else to gain access. The Wordfence plugin has settings that allows you to do this. It also allows you to select how long the user has to try those 5 login attempts and then allows you to choose the time frame that they are locked out for. (See image below). This is a quick and easy step to secure your website.
6. If you are comfortable going into your website backend, hide the core WordPress file wp-config.php.
This is the main file to make your website function. It is typically stored in your WordPress installation directly. By moving it up to the public_html/ folder, it makes it inaccessible to hackers.
7. Select a good and reliable backup plugin.
The best plugin will depend on the size of your website. For smallish websites, free plugins like Duplicator or Updraft Plus are good choices. Updraft Plus is also a good choice for larger websites. You can store your backup files locally or in a location of your choice (see image for Updraft Plus choices). The settings in Updraft Plus means you can schedule backups at regular intervals automatically. A good practice is before making any changes to your site, always make a backup first.
8. Make sure the latest version of WordPress has been updated.
Before you do this, backup your site! Updating the WordPress version prevents hackers using out of date versions to gain access. Hackers can find this information just by viewing source code. It is best to remove the version of the WordPress file. The Wordfence plugin will remove this for you, you only have to tick the box to achieve this.
9. Consider your computer’s security to your website.
Run an anti-malware software program regularly on your computer to make sure it is safe.
10. Check if your website files are opening for public view
- Go to your domain name and type it into the url followed by /wp-includes
- If you are redirected to your homepage that is good.
- Should you see a list of files on your web page that means you are not safe.
- Add 2 lines of code to your .htaccess file to prevent folder browsing. Add it right at the beginning of the file.
# Prevent folder browsing options
11. If you have multiple authors, regularly review what users are doing.
Doing this allows you to see if there is any suspicious activity. Make sure you set up new users properly with only the permissions they need to access your site. Remember to backup your site before adding a new user. Then, Pay attention to:
- Who is logged in
- When they logged in (at odd times)
- What they add/delete/edit (ie what are they changing?)
- You can use the plugin WP Security Audit Log to record activity if you are concerned about the activity you see.
12. Password protect your most vulnerable website files.
You can do this In your hosts cpanel by going to Password protect your Directories. DO NOT PASSWORD PROTECT YOUR MAIN ROOT DIRECTORY! However, It is ok to password protect the wp-admin folder with a username and password. Again, make sure you use a strong password. https://howsecureismypassword.net/
13. Choose your theme or plugin from a reputable source.
Do this by reading the reviews and doing your research.
14. Take note of when themes and plugins were last updated as there is increased risk if they are out of date.
This means you can see if changes were made to any files that were not part of the update. It also means if they are out of date (see item 14).
15. Make sure you always keep your themes and plugins up to date
Out-dated plugins and themes are often exploited by hackers to gain access to websites. Ensuring yours are up to date will prevent hackers from using this tactic to gain access to your site.
16. Uninstall any themes and plugins you are not using.
These take up space on your website and can contribute to slowing down your website.
17. Ensure you keep your WordPress version up to date as well.
Usually if the WordPress version is out of date it means it was updated because there was some kind of vulnerability detected in the current version. Keeping your WordPress version up-to-date ensures you are covered in this instance.
18. Back your website up regularly.
Having regular backups gives you peace of mind. Store the backups in several locations so that if one location falls over, you still have a backup plan to save your website.
19. Be active in your website security.
Gone are the days where you put up a website and you forget about it. Your website is a living tool, that adapts and changes to your marketing needs. Being active in your security is a key component to keeping your website secure and attracting your clients to your business.
While this is not a fully comprehensive list, it is a great start in keeping you safe. If you have any trouble with any of the steps you can contact us and we can implement them for you. We have great value maintenance plans on offer to make this easy for so that you can be assured your site is safe.