There’s no foolproof way to completely make your site secure, but there are some simple steps you can take to boost security of WordPress and put up a good fight. This article will teach you why WordPress sites get hacked in the first place and then walk you through 11 easy ways to boost security of WordPress. Ready? Let’s toughen up your site!
Why do sites get hacked?
To help you understand how to keep your site safe, it’s important to first understand why hackers attack websites in the first place. Especially if you only run a personal blog or tiny eCommerce shop, no one should want to mess with it, right?
Not necessarily. Hackers go after websites for three main reasons:
- They want to use your site to send spam emails.
- They want to steal access to your data, mailing list, credit card information, etc.
- They want to cause your site to download malware onto your user’s machines or your machine.
Malware, or malicious software, can be installed in a way that makes it very hard to tell if it’s even there. Great for the hackers, but not so great for your site. Hackers will often do this to use your machine in larger-scale attacks, such as a Denial of Service attack.
Why do hackers target WordPress, specifically?
The short answer – because it’s popular.
Put yourself in the mindset of a hacker for just a second. If you want to take over a lot of websites for your nefarious purposes, would you spend all of your time trying to find vulnerabilities on a platform only used by 500 websites, or would you try to break the platform with hundreds of millions of sites? Because WordPress is so widely used, it’s an incredibly popular target for hackers.
The WordPress core is very secure, which makes it pretty hard to hack into. However, because anyone can write additional tools for WordPress, such as themes and plugins, not all extensions may live up to the same code review standards as the WordPress core. A very popular plugin can have security flaws that can impact thousands of WordPress sites all at once.
Don’t worry about the potential for security issues; the open-source nature of WordPress helps make it more secure. Here’s how:
- Community Vigilance: Open-source code allows white hat hackers to find and report vulnerabilities, leading to timely patches.
- Developer Contributions: Developers continuously work to improve WordPress security.
- Third-Party Solutions: Many security plugins are available to enhance WordPress’s built-in protection.
While no site is completely immune to hacking, there are several steps you can take to boost security of WordPress. Here’s a list of measures, starting with essentials and moving to more advanced options.
Use smart usernames and passwords
It seems obvious, but many WordPress users overlook this vital security measure. Your username and password are to WordPress what locking your front door is to home security, and it doesn’t matter how good your security system is if you leave the door open for anyone to walk through.
As for the username, steer clear from picking something typical like “admin” or the name of your site. Those will be the first thing a hacker tries to guess. The same rule of thumb goes for the password; don’t pick anything obvious. If your WordPress password is short, something readable, used on multiple sites, or even just something someone could guess, chances are it should be stronger. If you have trouble remembering a random password (or you want to be extra secure) you could always try using a tool such as 1Password or LastPass.
Keep themes, plugins, and WordPress updated
Keeping your WordPress site updated is crucial for security and performance. Here’s why:
- Security: Plugins and themes can have vulnerabilities that developers fix in updates. Regular updates protect your site from malicious bots that target outdated software.
- Bug Fixes and Improvements: Updates often resolve bugs and enhance functionality, improving your site’s overall performance and usability.
- New Plugin Checks: When installing new plugins, verify if they have known issues. While some popular plugins might have a history of vulnerabilities, it’s important to weigh this when choosing plugins.
- Core Updates: Staying updated with WordPress core updates is essential for security. WordPress will notify you of updates via the dashboard.
Regularly updating themes, plugins, and WordPress itself helps keep your site secure and running smoothly.
Uninstall inactive plugins and themes
Even deactivated plugins and themes can have vulnerabilities, and for that matter, can still take up your server’s resources. It’s best to simply uninstall any plugins or themes that aren’t consistently active.
If this idea stresses you out, just remember: You can always reinstall themes or plugins later if you need to.
Add Captcha
There are several variants of Captcha out there, but the idea is the same between plugins and methods: force any site visitor who tries to fill out a form to first prove they’re human. While it was once a troublesome and inconvenient option, Captcha has improved greatly in recent years. Plus it protects all kinds of forms on your site, so it does double duty by helping to stop hackers and prevent spam.
Limit the number of login attempts
A tactic for some hackers is to continuously try to guess your username and password to get through your site’s front door, also known as brute-force attacks. Various plugins out there will help prevent this by blocking an internet address from making further attempts after a specified limit on retries is reached. This is highly effective at making a brute-force attack difficult or even impossible to perform.
Add an SSL certificate
SSL (Secure Sockets Layer) is crucial for securing and encrypting communication between your site and its users. Here’s why it’s important:
- Security: SSL protects sensitive information like passwords, credit card details, and banking credentials by encrypting data. This keeps it secure from unauthorized access.
- Trust: Users see a green padlock in their browser’s address bar, signaling that your site is secure. This builds trust, especially if your site handles sensitive information.
- SEO Benefits: Google flags sites without SSL as insecure, which can negatively impact your search rankings and traffic. Having an SSL certificate is essential for maintaining SEO performance and user trust.
In summary, SSL is not just beneficial but often necessary for any WordPress site dealing with sensitive data and for improving your site’s overall security and search engine visibility.
Add two-factor authentication
Another way to prevent brute-force login attempts is by setting up two-factor authentication. This method requires two verifications – a password and an authorization code sent to your phone or email – to log in.
While it takes a little more time for people you trust to log in, it also makes it a whole lot harder for people you don’t trust to gain access to your site. You can add two-factor authentication to your WordPress site login, and some hosts offer it for your hosting account as well.
Two-factor authentication takes a little time to get used to it, but it’s worth it in the long run!
Move your WordPress login screen
Many WordPress hacks are carried out by malicious bots that look for the default login URL (/wp-admin
) to attempt unauthorized access. To add an extra layer of security, you can make your login screen harder to find.
Using the Rename wp-login.php Plugin:
- What It Does: This plugin allows you to change the default login URL from
/wp-admin
to a custom URL, such as /mysitelogin
or /open-sesame
.
- Benefits: By obscuring the login URL, you make it more difficult for bots and hackers to find and attack your login page.
Important Note:
- After changing the login URL, remember to share the new URL with anyone who needs to access the WordPress admin area. Without this, users won’t be able to log in.
This simple change can help protect your site from brute-force attacks and enhance overall security.
Use Cloudflare
This is more of an advanced option, and certainly not one that everyone needs, but CloudFlare is an external service that acts as a sort of “filter” between your servers and your users. CloudFlare offers many security and performance options, several of which are available on their free plan.
While most sites don’t need to worry about DDOS attacks, CloudFlare is excellent at preventing those, since your server’s IP address will be effectively masked. CloudFlare also offers a variety of other security options, including blocking IP addresses or specific regions.
Back up your site regularly
Backing up your site, routinely, is a safety precaution that will make your life easier if hackers do find their way into your site. By having a recent copy of your site, you’ll be able to easily restore your content before it was compromised and won’t be stuck in the position of trying to figure out what to do next.
Moral of the story: While WordPress is very secure, just be smart with your site and have a game plan for the day it does get hacked (AKA backups!) We pinky promise it’ll all be OK.