WordPress Security is very important when it comes to having a WordPress website. Here are eight common-sense steps on how to secure your WordPress website including some WordPress security plugins which every WordPress website owner can use to make their WordPress site much more secure.
WordPress Security Tips
Here are few things to do to secure your WordPress Website. And I will list the best WordPress security plugin that you can also install to secure your WordPress website the more.
WordPress Security Tip 1. Don’t use the default administrator user account
Every hacker knows this account is named “administrator” so changing this means one less thing that they know about your site. This will greatly reduce the likelihood of a brute force attack is successful.
Create a new user with administrator privileges; it’s this new user you will then use to administer your WordPress website.
WordPress Security Tip 2. Use a Secure Password
This should go without saying. Modern password crackers use software that can attempt billions of passwords per second and need no technical expertise to use them. Using a free password manager such as LastPass you can generate extremely complex passwords and have them presented just when you need them.
Alternatively, you can use a passphrase instead of a password. This simply means remembering a string of words and adding extra characters to make it more secure, for example, nonsen$e PeanUt 1ndicaTors would be quite easy to remember but quite difficult to crack (at least at the time of writing).
A variation of this technique is to take letters from a memorable phrase. For example, a phrase like “my important website is now much more secure” could become the password “MiWiNmM$” by taking the first letter of each word.
You should also force all users to have a minimum level of password strength with a plugin like Force Strong Passwords.
Finally, two-factor authentication massively increases site security. If you use online banking then you’re familiar with the one-time password (OTP) sent via SMS or another method.
This means a hacker needs to know your password AND steal your phone to gain access. Use a plugin such as Two Factor Authentication. (Incidentally, looking at the active install statistics for two-factor authentication plugins will tell you how few people are using this secure method of website access.)
WordPress Security Tip 3. Limit Login Attempts
Brute Force Attacks rely on the fact that WordPress by default allows as many login attempts as you like so passwords can be tried again and again until one works.
This can be stopped by limiting the number of login attempts and then blocking or causing a delay before allowing the next attempt. Accomplish this with a simple plugin or use a general security plugin like Wordfence which has this feature.
A side benefit of this method is that you can identify repeated attempts from the same IP address and perhaps consider blocking that address, although this method of blocking is not very effective as IP addresses can change frequently.
WordPress Security Tip 4. Change The Login Page
As with the default admin account, every hacker also knows the place to log in to your website is http://www.yoursite.com/wp-login.php.
Changing this address will mean the attacker cannot find your login page and will greatly reduce the incidence of brute force attacks that even make it to your door. If they can’t find it, they can’t exploit it.
Use a general WordPress security plugin that lets you do this, like the one from iThemes Security.
WordPress Security Tip 5. Control User Access
If you have other users who log on to your site then be very careful about how much access you give them. Many site owners automatically make everyone an admin so that they can do whatever they need to without disturbing the administrator. This is a dangerous policy as you cannot control how these users access the website.
Also, be very careful about who you give your password to and how you do it. Instead of sending passwords via email, use something like BurnNote or PrivNote to securely pass credentials to developers and others who need access.
Remember that if you have multiple users on your system you are also responsible for what those users do on your system.
WordPress Security Tip 6. Choose a Reliable Web Hosting Provider
Whether you’re using shared hosting, a VPS, or a dedicated server you need to make sure the company has a great reputation for making customers’ security a priority.
- Read reviews from past users.
- Check that SFTP and FTPS are available – this will let you know the company at least takes security seriously.
- Make sure a backup policy is included and clear to understand.
- Make sure they have clear server maintenance and update policy so you know they regularly apply the latest security measures to their infrastructure.
WordPress Security Tip 7. Keep WordPress up to Date
Here are few reasons why you should regularly update your WordPress website
WordPress Security Tip 8. Use a WordPress Security Plugin
Nowadays, there are some terrific free plugins that do a good job of securing your WordPress website. A couple of really good examples that I’ve used include iThemes Security and the Sucuri security plugin.
Note, however, that to make good use of these plugins you do need to understand something about the security problems they attempt to protect you from so that you can configure them appropriately.
A great, free and easy-to-use option is WordFence. Wordfence is simple enough for non-technical users and includes features to cover most of the security recommendations above.
In addition to the above tips you should consider employing a website firewall and installing some basic monitoring and alerting if problems arise. Installing a software firewall will allow you to set rules about who is allowed to enter your side and from where.
Sucuri firewall is considered among the most trusted of website firewalls and is a paid plugin providing very good protection. On their website they also offer a free website malware scanner.
The Wordfence plugin mentioned above also includes a free website firewall.
WordPress Security Plugins
There are around 18.5 Million websites infected with malware at any given time each week. An average website is attacked 44 times every day, which includes both WordPress and non-WordPress websites.
A security breach on your website can cause some serious damage to your business.
Let’s take a look at some of the best WordPress security plugins, and how they help you protect your website.
Sucuri is the industry leader in WordPress security. It is one of the best WordPress security plugins on the market. They offer a basic free Sucuri Security plugin that helps you harden WordPress security and scan your website for common threats.
But the real value is in the paid plans, which come with the best WordPress firewall protection. A firewall helps you block brute force and malicious attacks from accessing WordPress.
Sucuri website firewall filters out bad traffic even before it reaches your server. They also serve static content from their own CDN servers.
Apart from security, their DNS level firewall with CDN gives you a tremendous performance boost and speeds up your website.
Most importantly, they offer to clean up your WordPress site if it gets affected by malware at no additional cost. You can even take a website already affected by malware, and they will clean it up for you.
Wordfence is another popular WordPress security plugin. They offer a free version of their plugin which comes complete with a powerful malware scanner, exploit detection, and threat assessment features.
The plugin will automatically scan your website for common threats, but you can also launch a full scan at any time. You will be alerted if any signs of a security breach are detected with the instructions to fix them.
Wordfence also comes with a built-in WordPress firewall. However, this firewall runs on your server just before loading WordPress. This makes it a little less effective than a DNS-level firewall like Sucuri.
iThemes Security is a WordPress security plugin from the folks behind the popular BackupBuddy plugin. Like all their products, iThemes Security offers a nice clean user interface with tons of options.
It comes with file integrity checks, security hardening, limit login attempts, strong password enforcement, 404 detections, brute force protection, and more.
iThemes Security does not include a website firewall. It also does not include its own malware scanner and uses Sucuri’s Sitecheck malware scanner.
ALL IN ONE WP SECURITY
All in One WordPress Security plugin is a powerful WordPress security auditing, monitoring, and firewall plugin. It enables you to easily apply basic WordPress security best practices on your website.
It comes with features like login lockdown to prevent brute force attacks, IP filtering, file integrity monitoring, user account monitoring, scan for suspicious patterns of database injection, and more.
It also comes with a basic website-level firewall that can detect some common patterns and block them for you. However, it is not very efficient and often you will be required to manually blacklist suspicious IPs.
WPScan is a unique WordPress security plugin because it uses its own manually curated WordPress vulnerability database that is updated daily by dedicated WordPress security specialists and community members.
They scan your site for over 21,000 known security vulnerabilities in WordPress plugins, themes, and core software.
You can schedule automated daily scans and get email notifications of the results. They have a free security API which is suitable for most websites, but you can upgrade to the paid plan if you have a larger site and use a lot of plugins.
Also Read: How to Maintain WordPress Website
WordPress security issues
You only need to use one plugin from this list. Having multiple plugins active from this list can lead to bugs.
If you don’t feel comfortable handling all of these security tasks by yourself then it is certainly worthwhile to consider a service like we provide at Realjossy.
The reasons to pay someone else to handle your WordPress security for you are the same reasons for paying any professional in any field – to save you time so you can focus on more important things and because that person knows more about it than you do.