WordPress is the most popular Content Management System (CMS) and powers more than 30% of websites. No matter how much work you’ve put into launching your site, it can always find itself in harm’s way, even though you might have done nothing wrong. This is just how the internet works and how random attacks are carried out.
But most threats can be prevented if you just spend a short while implementing these 10 simple WordPress security tips:
1. Update WordPress regularly
Every time a new WordPress update comes out, we get several emails from users asking whether it’s safe to update their WordPress site. Are you wondering whether you should update your WordPress to the latest version? Want to know the pros and cons of updating WordPress?
To update WordPress, you first need to go to your dashboard. At the top of the page, you’ll see an announcement every time a new version is out. Click to update and then click on the blue “Update Now” button. It only takes a few seconds.
2. Don’t Use Nulled Themes
WordPress premium themes look more professional and have more customizable options than a free theme. But one could argue you get what you pay for. Premium themes are coded by highly skilled developers and are tested to pass multiple WordPress checks right out of the box. There are no restrictions on customizing your theme, and you will get full support if something does go wrong on your site. Most of all you will get regular theme updates.
But, there are a few sites that provide nulled or cracked themes. A nulled or cracked theme is a hacked version of a premium theme, available via illegal means. They are also very dangerous for your site. Those themes contain hidden malicious codes, which could destroy your website and database or log your admin credentials.
3. Back up your site regularly
Backing up your site is about creating a copy of all the site’s data, and storing it somewhere safe. That way, you can restore the site from that backup copy in case anything bad happens.
To back up your site, you need a plugin. There are lots of good backup solutions out here. For example, Jetpack has some integrated backup features now, priced at an affordable $3.50 / month. For that, you get daily backups, one-click restores, spam filtering, and 30-day backup archive.
4. Use a Strong Password for WordPress
Passwords are a very important part of website security and unfortunately often overlooked. If you are using a plain password i.e. ‘123456, abc123, password’, you need to immediately change your password. While this password may be easy to remember it is also extremely easy to guess. An advanced user can easily crack your password and get in without much hassle.
It’s important you use a complex password, or better yet, one that is auto-generated with a variety of numbers, nonsensical letter combinations and special characters like % or ^.
5. Limit login attempts
Don’t let your login form allow unlimited username and password attempts because this is exactly what helps a hacker succeed. If you let them try an infinite number of times, they will eventually discover your login data. Limiting the available attempts is the first thing you should do to prevent that.
You can use certain specialized plugins to limit possible login attempts. There are two very popular solutions, for example, Login LockDown, WP Limit Login Attempts.
6. Disable File Editing
When you are setting up your WordPress site there is a code editor function in your dashboard which allows you to edit your theme and plugin. It can be accessed by going to “Appearance>Editor”. Another way you can find the plugin editor is by going under “Plugins>Editor”.
Once your site is live we recommend that you disable this feature. If any hackers gain access to your WordPress admin panel, they can inject subtle, malicious code to your theme and plugin. Often times the code will be so subtle you may not notice anything is amiss until it is too late.
To disable the ability to edit plugins and the theme file, simply paste the following code in your “wp-config.php” file.
7. Limit user access to your site
If you’re not the only user who has access to your site, be careful when setting up new user accounts too. You should keep everything under control, and try to limit the access of any type to users that don’t necessarily need it.
If you have many users, you could limit their functions and permissions. They should only have access to the functionalities that are essential for them to do their job.
Force Strong Passwords can help you with this issue too. By default, WordPress recommends a strong password, but it won’t force you to change it if you’re picking a weak one. This plugin won’t let you proceed unless your password is strong enough. This could be a good solution for all the people who enter your admin. Essentially, it’s your only way of making sure that they use strong passwords just like you do.
8. Change your WP-login URL
By default, to login to WordPress, the address is “yoursite.com/wp-admin”. By leaving it as default you may be targeted for a brute force attack to crack your username/password combination. If you accept users to register for subscription accounts you may also get a lot of spam registrations. To prevent this, you can change the admin login URL or add a security question to the registration and login page.
- You can also check which IPs have the most failed login attempts, then you can block those IP addresses.
- You can further protect your login page by adding a 2-factor authentication plugin to your WordPress. When you try to log in, you will need to provide additional authentication in order to gain access to your site — for example, it can be your password and an email (or text). This is an enhanced security feature to prevent hackers from accessing your site
9. Enable security scans
Security scans are something done by specialized software/plugins that go through your whole website in search of anything suspicious. If something is found, it’s removed immediately. Those scanners work just like anti-viruses.
For a simple and affordable solution, you can use the aforementioned Jetpack plugin. Apart from the backup features, it also has daily scans for malware and threats with manual resolution. Alternatively, you can also use CodeGuard or Sucuri SiteCheck.
10. Protect your wp-config.php
The wp-config.php file is one of the most important, hence vulnerable files on your site. It hosts crucial information and data about your whole WordPress installation. It’s technically the core of your WordPress site. If something bad happens to it, you won’t be able to use your blog normally.
One simple thing you can do is take that wp-config.php file and simply move it one step above your WordPress root directory. Your WordPress site won’t be affected at all by this move, but hackers won’t be able to find it anymore.