Security is a major concern for anyone running a WordPress site, and as your site grows in popularity it will inevitably become a target for hackers. Even less popular sites can still suffer security breaches, and less informed WordPress users often operate their sites without maximising their security. As a result, whether you are an experienced WordPress user or a complete beginner, it’s best to follow established security practices to protect your site from hackers.
Luckily, despite being a popular target for hackers, WordPress offers a wide range of plugins and ready-made capabilities that help to keep your site safe. Also, the majority of threats can be prevented by implementing a number of simple, easy to apply security tips, and we’ve compiled ten of the best WordPress security tips to keep your site safe in 2020.
- Change the “admin” username
When going through your initial WordPress installation, it’s best to never select “admin” as the username for your administrator account. While it’s an easy to use and logical name to select, it’s also easy for hackers to guess and leaves them just needing to figure out your password in order to gain access to your entire site.
WordPress actually requires that you choose a custom username when going through the installation process. However, if for any reason you are still using the “admin” username for your main administrator account, you can simply create a new administrator user and delete the previous one. You can also download and install the Username Changer plugin to change the name in just a few clicks.
- Rename your login URL
Another easy way to strengthen your site’s security is by changing the default URL that you use to sign into your site and access your dashboard. WordPress takes your site’s URL and adds wp-admin or wp-login.php so you end up with a login URL of yoursite.com/wp-admin or yoursite.com/wp-login.php.
These URLs are the favourite choices of hackers and will be the first two that they try in order to access your site and get into your database. By changing the default URL, you significantly reduce the chances of getting hacked, as having to guess a custom login URL is far more difficult for anyone trying to access your site. The iThemes Security plugin allows you to do this quite easily and select your own unique login URL.
- Limit login attempts
Once again, an easy way to improve your WordPress security is simply by changing another default setting. By default, WordPress allows users to attempt to log in an unlimited number of times and, if left unchanged, this leaves you open to brute force attacks, where hackers try to access your site by submitting a large number of different username and password combinations.
Limiting the number of login attempts is an easy and straightforward way of improving your security and you can use a plugin such as Login LockDown to complete the process. Anyone who has already opted to use a comprehensive web application firewall program may have this automatically implemented.
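To show what a login limiter actually does behind the scenes, here is an added example written for this article; it is not the code of Login LockDown or any other plugin. It counts failed attempts per client address and username in a WordPress transient and refuses authentication once a limit is reached. The limit of 5 failures and the 15-minute lockout are assumptions chosen for the example, as are the function and constant names.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter
 * Description: Added example, not a real plugin. Place this file in
 * wp-content/mu-plugins/ and WordPress loads it without activation.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

// Limits are assumptions for this example, not WordPress defaults.
define( 'EXAMPLE_LOGIN_MAX_FAILURES', 5 );
define( 'EXAMPLE_LOGIN_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

/**
 * Transient key for one (client IP, username) pair. Hashing keeps the key
 * short and avoids writing raw IPs or usernames into option names.
 */
function example_login_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_' . md5( $ip . '|' . strtolower( (string) $username ) );
}

/** Current failure count for this client/username; 0 if none or expired. */
function example_login_failures( $username ) {
    return (int) get_transient( example_login_key( $username ) );
}

// 1. Count every failed attempt. The transient expiry is the window:
//    failures older than the lockout period simply disappear.
add_action( 'wp_login_failed', function ( $username ) {
    $key = example_login_key( $username );
    set_transient( $key, example_login_failures( $username ) + 1, EXAMPLE_LOGIN_LOCKOUT_SECONDS );
} );

// 2. Refuse authentication once the limit is hit. WordPress's own
//    username/password checks run on 'authenticate' at priority 20; running
//    at 30 means a locked-out client is refused even when the password was
//    correct, so further guessing yields nothing until the lockout expires.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user; // cookie-based auth passes no username; leave it alone
    }
    if ( example_login_failures( $username ) >= EXAMPLE_LOGIN_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// 3. A successful login clears the counter for that client/username.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( example_login_key( $user_login ) );
} );
```

Two caveats a practitioner should keep in mind: behind a CDN or reverse proxy, `REMOTE_ADDR` is the proxy's address, so keying on it would lock out every visitor at once (use the forwarded-client header your proxy sets, and only that one). And because a lockout is enforced even for a correct password, an attacker can deliberately lock out a known username; keying on the client address as well, as above, limits that to the attacker's own address.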
- Manage your passwords
Passwords are of the utmost importance and it’s now becoming common knowledge that you should always use strong passwords. The “best” or strongest passwords include uppercase and lowercase letters, as well as numbers and special characters, and long passphrases are good choices as they are often relatively easy to remember but close to impossible for a hacker to predict.
It’s also a good idea to change your passwords regularly (every 2/3 months), and if this all sounds like a bit too much hard work, then you should look into using a good password manager. The top managers store your info safely inside a secure, encrypted vault, and also generate strong passwords for you.
- Set up two-factor authentication
Another easy way to improve your WordPress security is by making use of two-factor authentication (2FA) on the login page. This requires a two-step login and can include a secret code or question in addition to the regular password. A popular 2FA method requires users to confirm their login using a separate device or app such as Google Authenticator, which generates a unique, short-lived code on your phone.
First, you need to install and activate a Two Factor Authentication plugin, and upon activation, you can then click the ‘Two Factor Auth’ link in your WordPress admin dashboard. Authy and LastPass Authenticator are solid choices as they allow you to back up your accounts to the cloud so that if you lose your phone you can easily restore your account logins.
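The codes these apps produce are time-based one-time passwords (TOTP, RFC 6238): the phone and the server share a secret and both derive a six-digit code from the current 30-second time step. The following added example, written for this article and not taken from any of the plugins or apps named above, shows how a server verifies such a code; the function names are this example's own, and the secret below is the published RFC 6238 test vector rather than a real user's secret.

```php
<?php
/**
 * Added example: TOTP (RFC 6238) verification as performed by a server
 * checking a code from an authenticator app.
 */

/** Decode an RFC 4648 base32 secret, the format authenticator apps import. */
function example_base32_decode( $b32 ) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $c ) {
        $v = strpos( $alphabet, $c );
        if ( $v === false ) {
            throw new InvalidArgumentException( 'invalid base32 secret' );
        }
        $bits .= str_pad( decbin( $v ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( strlen( $byte ) === 8 ) {
            $out .= chr( bindec( $byte ) );
        }
    }
    return $out;
}

/** HOTP (RFC 4226): 6-digit code for one counter value. */
function example_hotp( $secret, $counter, $digits = 6 ) {
    $msg    = pack( 'J', $counter );                 // 8-byte big-endian counter
    $hmac   = hash_hmac( 'sha1', $msg, $secret, true );
    $offset = ord( $hmac[19] ) & 0x0f;               // dynamic truncation
    $code   = ( ( ord( $hmac[ $offset ] ) & 0x7f ) << 24 )
            | ( ord( $hmac[ $offset + 1 ] ) << 16 )
            | ( ord( $hmac[ $offset + 2 ] ) << 8 )
            |   ord( $hmac[ $offset + 3 ] );
    return str_pad( $code % ( 10 ** $digits ), $digits, '0', STR_PAD_LEFT );
}

/** TOTP code for a given Unix time, using 30-second steps. */
function example_totp( $secret, $time, $step = 30 ) {
    return example_hotp( $secret, intdiv( $time, $step ) );
}

/**
 * Verify a submitted code, accepting one step either side to absorb clock
 * drift between phone and server. hash_equals() keeps the comparison
 * constant-time so timing does not leak how many digits matched.
 */
function example_totp_verify( $b32_secret, $submitted, $now = null ) {
    $secret = example_base32_decode( $b32_secret );
    $now    = $now ?? time();
    for ( $drift = -1; $drift <= 1; $drift++ ) {
        if ( hash_equals( example_totp( $secret, $now + 30 * $drift ), (string) $submitted ) ) {
            return true;
        }
    }
    return false;
}

// RFC 6238 test vector: secret "12345678901234567890" in base32, time 59.
// The RFC lists the 8-digit SHA-1 code 94287082, so the 6-digit code is 287082.
$secret_b32 = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
var_dump( example_totp_verify( $secret_b32, '287082', 59 ) );   // bool(true)
var_dump( example_totp_verify( $secret_b32, '000000', 59 ) );   // bool(false)
```

In a real deployment the base32 secret is generated per user from a cryptographically secure source, stored server-side, and shown once as a QR code for the app to scan; a code that has already been accepted should also be rejected within its time step so that an intercepted code cannot be replayed.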
- Backup your WordPress website regularly
One of the best ways to secure your website, and to ensure that your WordPress security is maximised, is to back up your site regularly and keep an up-to-date copy off-site and easily accessible. Regardless of how careful you are, nothing is 100% secure or totally foolproof, so having a backup allows you to quickly restore your WordPress site and get going again if something goes wrong.
There are a variety of free and premium WordPress backup plugins available, including VaultPress, BlogVault, CodeGuard and UpdraftPlus, which are generally easy to use. However, the most important aspect of backing up your site is to regularly save your backups to a remote location, such as a cloud service like Amazon or Dropbox. Depending on the size of your site and how frequently you update it, weekly or monthly backups should be fine; sites that are updated regularly, however, may require daily backups.
- Update your site regularly
On top of backing up your site, you also need to ensure that it is regularly updated. Good software developers make a habit of releasing updates designed to fix bugs and close security vulnerabilities, and this is true for WordPress plugins and themes.
Not updating your WordPress themes and plugins can allow hackers to exploit vulnerabilities that may already have been fixed, and provides them with another easily avoidable attack vector. WordPress installs its own minor updates automatically and notifies you of updates and fixes by email and in your dashboard. Plugins can be updated manually from your dashboard, and you are notified whenever a new version is available.
- Enable security scans
As we’ve already seen, WordPress is a comprehensive CMS with a wide range of moving parts, and the best way to ensure everything is working as intended is to scan your site. Security scan software and/or plugins search your entire website looking for anything suspicious, and immediately remove anything malicious that is found.
These scanners work much in the same way as anti-virus programs and add a further layer to your WordPress security protocols, as well as helping with your own peace of mind. CodeGuard and Sucuri SiteCheck are good options, while the Jetpack plugin includes backup features as well as daily malware scans whose findings can be resolved manually.
- Use SSL
Making use of SSL (Secure Sockets Layer, today implemented as TLS) is a great way to secure your admin panel and associated data. SSL makes sure the data transfer between the user’s browser and the server is encrypted, and makes it difficult for hackers to eavesdrop on the connection or spoof your information.
You can get an SSL certificate by purchasing one from a third-party company or by checking to see if your hosting provider also incorporates this feature. Pagely hosting comes with free SSL across all plans, while SiteGround offers a free Let’s Encrypt SSL certificate with its hosting packages. Depending on your host, SSL certificates can be obtained for free, and SSL encryption also helps you to rank higher in Google rankings as Google favours sites that use SSL.
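Having a certificate installed is only half the job; WordPress also has to be told to insist on HTTPS for the admin panel. The following added example is a wp-config.php fragment written for this article (not copied from any host's documentation); `FORCE_SSL_ADMIN`, `WP_HOME` and `WP_SITEURL` are real WordPress constants, while the domain and the reverse-proxy header handling are assumptions about your setup.

```php
<?php
// Added example for wp-config.php. Put these lines above the
// "/* That's all, stop editing! */" comment.

// Force every dashboard and login request over HTTPS. With this set,
// WordPress itself redirects plain http:// requests for wp-admin and
// wp-login.php to https://, so the admin password never travels in clear.
define( 'FORCE_SSL_ADMIN', true );

// Assumption: the site sits behind a reverse proxy or CDN that terminates
// TLS, so the web server sees plain HTTP. Tell WordPress the original
// request was HTTPS so the redirect above does not loop. Only trust this
// header if your proxy sets it and strips client-supplied copies.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https' ) {
    $_SERVER['HTTPS'] = 'on';
}

// Generated links and cookies should use https:// too, otherwise parts of
// the site can still be served or requested over plain HTTP. These override
// the values stored in the database. example.com is a placeholder domain.
define( 'WP_HOME',    'https://example.com' );
define( 'WP_SITEURL', 'https://example.com' );
```

Without the forwarded-protocol block, a proxied site with `FORCE_SSL_ADMIN` on will redirect the dashboard endlessly, because WordPress's `is_ssl()` check sees the proxy's plain HTTP connection; with it, only a header set by your own proxy is trusted, never one a visitor can supply.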
- Choose a reliable hosting provider
Hosting remains crucial with regards to WordPress security and, regardless of the protocols you employ, your security can be significantly compromised by choosing an unreliable hosting provider. Close to 40% of WordPress websites are hacked due to a security vulnerability in the hosting server, which means that selecting the right hosting provider goes a long way to maximising WordPress security.
Shared hosting providers such as SiteGround and BlueHost have good reputations and incorporate a range of security-focused features. However, the most reliable solution may be to choose a dedicated hosting provider which includes a wide range of security features, as well as unlimited bandwidth and disk space, allowing you to obtain the optimum levels of both security and performance.
While that may seem a lot to take in for some, there is still a lot more to cover, as WordPress security spans a number of areas such as your WordPress dashboard/database, themes/plugins, and hosting. While we have covered some of the fundamentals, anyone with pressing security/maintenance requirements should look into one of our site maintenance plans. From just £90 a month (excl VAT) we will take care of your site and perform nightly website backups, daily security scans, weekly WordPress Core updates, and weekly WordPress plugin updates. As ever, be sure to get in touch in order to find the best solution that works for you and your business.