How to Keep Your WordPress Site Secure

Last Updated on March 9, 2020 by Sunny Staff

Unfortunately, it’s usually only when your website gets hacked that you realize the importance of keeping your WordPress site secure. WordPress is known for being one of the most user-friendly Content Management Systems for websites, but WordPress is also a popular target for hackers and spammers.

According to Sucuri’s 2019 Threat Research Report, 94% of all hacked CMS sites run WordPress. This doesn’t mean that WordPress is not a secure platform. Quite the contrary, a properly secured and maintained WordPress site is very safe. But hackers don’t spend time trying to hack platforms that no one uses – right? And given WordPress is more popular than all of its competitors combined – with a whopping 63% market share – it is a big target!

You may be wondering why anyone would want to attack your website, particularly if you have a low traffic website; however, the vast majority of hackers are not looking to steal your data or delete important files. What they want is to use your server to send spam emails. They’ll install a program on your site that sends out tons of spam, and you won’t even know it.

I know what you are thinking — this sucks! Yes, it does. Now let’s review the quickest and easiest tips on how to keep your WordPress site secure.

How to Keep Your WordPress Site Secure:

1. Cut Back on Plugin Use

You should delete plugins and themes you’re not using. It’s worth noting that you should make an effort to limit the total number of plugins you install in the first place. To keep your WordPress site secure, you need to be scrupulous in the criteria you use to select plugins. In short, unless the plugin provides real value or necessary functionality, dump it, or even better, don’t install it in the first place.

2. Don’t Download Premium Plugins for Free

Though I completely get what it’s like to run a business on a budget, it’s just a bad idea overall to try to download premium plugins from anywhere other than where they are officially for sale. When you pay for a premium plugin from the license seller, you are getting a level of protection you can’t get from some no-name site offering a premium plugin for free. The odds are that the “free” plugin is loaded with malware.

3. Consider Automatic Core Updates

If you’re running an older version of WordPress, the security flaws in that version are common knowledge to hackers. The folks at WordPress are constantly updating their code to make it more secure and usable. Once a security flaw is detected, a new version of WordPress is quickly rolled out. Turning on automatic core updates will ensure you have the latest and most secure version of WordPress installed.

4. Set Plugins and Themes to Update Automatically

Typically, plugins and themes are things you’ll need to update manually. After all, updates are released at different times for each. But again, if you’re not someone who makes site maintenance a regular thing, you may wish to configure automatic updates so everything stays current without necessitating your immediate intervention. According to WP White Security, 29% of hacked WordPress sites were hacked via a security issue in their WordPress theme, and 22% were hacked via a security issue in their WordPress plugins.

5. Eliminate PHP Error Reporting

Shoring up your site’s security has a lot to do with closing the holes and strengthening the weak spots. And one of the often overlooked items is error reporting. If a plugin or theme doesn’t work correctly, it might create an error message. This is definitely helpful when troubleshooting, but here’s the problem: these error messages often include your server path.

If a hacker gets ahold of these error reports, they can see your full server path, which means they’d have a map to get to where they need to go to install their malware. Error reporting can be helpful, but it is safer to disable it.
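One way to check the settings from tips 3 and 5 in a wp-config.php file, as an added example that is not part of the original article. The two config fragments are constructed samples; the constants checked (WP_DEBUG, WP_DEBUG_DISPLAY, WP_AUTO_UPDATE_CORE, AUTOMATIC_UPDATER_DISABLED) and the display_errors setting are the standard WordPress and PHP names, and audit_wp_config is a hypothetical helper.

```python
import re

# Constructed wp-config.php fragments for illustration (not from a real site).
WEAK_CONFIG = """<?php
define( 'WP_DEBUG', true );
define( 'WP_AUTO_UPDATE_CORE', false );
"""
HARDENED_CONFIG = """<?php
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );  // never print errors into pages
@ini_set( 'display_errors', 0 );
define( 'WP_AUTO_UPDATE_CORE', true );
"""

# Lines starting with // or # are skipped because the patterns anchor on the call.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""", re.M)
INI_RE = re.compile(
    r"""^\s*@?ini_set\(\s*['"]display_errors['"]\s*,\s*['"]?(\w+)['"]?\s*\)""",
    re.M)


def audit_wp_config(text):
    """Return findings for the error-display and core-update settings."""
    consts = {name: value.strip("'\"").lower()
              for name, value in DEFINE_RE.findall(text)}
    findings = []
    # With WP_DEBUG on, WordPress displays errors unless WP_DEBUG_DISPLAY is false.
    if (consts.get("WP_DEBUG") == "true"
            and consts.get("WP_DEBUG_DISPLAY", "true") != "false"):
        findings.append("WP_DEBUG is on and errors are shown to visitors")
    ini = INI_RE.search(text)
    if not ini or ini.group(1).lower() not in ("0", "off", "false"):
        findings.append("display_errors is not forced off in wp-config.php")
    if (consts.get("WP_AUTO_UPDATE_CORE") == "false"
            or consts.get("AUTOMATIC_UPDATER_DISABLED") == "true"):
        findings.append("automatic core updates are switched off")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_wp_config(cfg) or "no findings")
```

The check only reads wp-config.php, so a display_errors value set in php.ini or by the host is outside what it can see.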

6. Protect Your Most Important Files Using .htaccess

If you’re into WordPress security at all, you’ve heard of the .htaccess file and have accessed it. The changes you make in this one file can have a huge impact on your entire site’s security.

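For those who are new to working with .htaccess, first a basic definition: it is a configuration file for the Apache web server, and its rules apply to the directory it sits in and everything below it. It contains the rules your server follows when working with your website’s files. It’s primarily used to generate user-friendly URLs for your web pages, but it can also be used to make a lot of security-related changes to your site. If your host runs nginx instead of Apache, .htaccess files are ignored and the equivalent rules go in the server configuration.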

Here are just a few of the many things you can do with .htaccess to make your WordPress site secure:

  • Block Bad Bots
  • Restrict All Access to wp-includes
  • Allow only Selected IP Addresses to Access wp-admin
  • Protect Your WordPress Configuration wp-config.php File
  • Disable Directory Browsing
  • Ban Suspicious IP Addresses

Here is a nice article from WPBeginner if you’d like to find out more.
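Three of the items above (disabling directory browsing, protecting wp-config.php and limiting wp-admin to selected IP addresses) shown as hardened .htaccess content with a small checker, as an added example that is not part of the original article. The sample files are constructed, use Apache 2.4 directives, and 203.0.113.10 is a placeholder address; audit_htaccess and its helpers are hypothetical names.

```python
import re

# Constructed sample files in Apache 2.4 syntax; 203.0.113.10 is a documentation
# address standing in for your own IP.
HARDENED_ROOT = """\
Options -Indexes
<Files "wp-config.php">
    Require all denied
</Files>
"""
HARDENED_ADMIN = "Require ip 203.0.113.10\n"   # goes in wp-admin/.htaccess
WEAK_ROOT = """\
# Options -Indexes   (commented out, so it has no effect)
Options +Indexes
"""


def directives(text):
    """Return non-empty, non-comment lines, stripped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def denies_file(lines, filename):
    """True if a <Files>/<FilesMatch> section naming `filename` denies everyone."""
    inside = False
    for ln in lines:
        low = ln.lower()
        if re.match(r"<files(match)?\s", low):
            inside = filename in low.replace("\\", "")
        elif low.startswith("</files"):
            inside = False
        # "deny from all" is the older Apache 2.2 spelling of the same rule.
        elif inside and low in ("require all denied", "deny from all"):
            return True
    return False


def audit_htaccess(root_text, admin_text=""):
    root, admin = directives(root_text), directives(admin_text)
    findings = []
    if not any(re.match(r"options\b.*-indexes\b", ln, re.I) for ln in root):
        findings.append("directory browsing is not disabled")
    if not denies_file(root, "wp-config.php"):
        findings.append("wp-config.php is not blocked from web requests")
    if not any(re.match(r"require\s+ip\s+\S+", ln, re.I) for ln in admin):
        findings.append("wp-admin is not limited to selected IP addresses")
    return findings
```

Limiting wp-admin by IP also blocks wp-admin/admin-ajax.php, which some themes and plugins call from the public side of the site, so test the front end after adding that rule.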

7. Hide Author Usernames

If WordPress defaults are left intact, it’s really easy to find out each author’s username for your site. And since the main author of a site is often the administrator, it’s also easy to find out the admin’s username. Anytime you give away info to hackers, you run the risk of having your site compromised.

If you run a site with multiple authors, none of whom are site admins, you’re probably fine. However, if you run a small site and you are both an author and the site admin, an easy fix is to set up a separate user for all your posts. Make sure the user is designated with the Author role. This will significantly restrict the rights of that username.

8. Hide the Login Page

While a security plan that focuses solely on hiding files and login pages isn’t complete, it’s still an important part of your overall strategy. After all, hiding certain elements of your site won’t prevent hackers from accessing them, but it’ll make it harder for them to get to, and that’s a good thing.

Moving or renaming your login page is an easy way to make a hacker’s job more difficult. Many forms of attack are automated, so if your login page is at a different address from the standard one, they’re going to have a much harder time attacking your site.

There are several plugins that make this task super simple. WPS Hide Login is a popular option with over 400,000 installs.

9. Choose a Rock-Solid Hosting Company

With 41% of hacked WordPress sites hacked through a vulnerability on their hosting platform, it’s smart to pick a host with rock-solid security. Look for a hosting company that:

  • Provides support for the latest versions of PHP and MySQL
  • Is optimized for running WordPress
  • Includes a firewall optimized for WordPress
  • Provides automatic WordPress core, plugin, and theme updates
  • Has malware scanning and intrusive file detection
  • Trains their staff on critical WordPress security issues

And this is just the beginning…

If you’re looking for a partner to manage your website and do what it takes to keep your WordPress site secure and humming along, check out our WordPress care plans or drop us a line.