WordPress Security: 8 Tips to Keep Your Website Safe
Look at the latest hacking statistics and you will have cause for worry:
- Across the world, 30,000 websites are hacked daily.
- Over 60% of companies have suffered some form of malware attack.
- Every 39 seconds, there is an attack.
- 300,000 fresh attacks are launched every day.
Since WordPress makes up over 40% of the internet, there is a fair chance that WordPress sites get taken down most often (the same way hackers used to target Windows when it was dominant).
Alarmed? Don’t be. Instead, take steps to make your WordPress site secure and safe.
Hire a WordPress developer and have them take a look at your site security.
Until you hire one, pay heed to our advice and learn how to make your WordPress site secure.
8 Best Tips to Keep WordPress Site Safe
- Strengthen login procedure
By default, your login URL is www.myownsite.com/wp-login.php
That is public knowledge, so change it to something harder to find. Otherwise, once the hacker logs in, he can install malware.
The best way to change the URL is to use a plugin such as Change wp-admin login. It is a light plugin that has over 80,000 installs and is highly regarded.
Make the URL hard to guess, such as www.myownsite.com/personal-login-John
Use a strong password that has an uppercase letter, a number, and a special character. Choose random characters, such as 23Chp#01%
Enable two-factor authentication, so that logging in requires the password plus a confirmation from another device, such as a smartphone.
There are many additional steps you can take.
Add a CAPTCHA so that bots cannot get through the login form. You could also limit login attempts to three to prevent brute-force attacks.
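Limiting failed logins per IP address does not need a plugin. The mu-plugin below is an added example, not code from the article or from the Change wp-admin login plugin; it implements the three-attempt lockout described above with a 15-minute window (an assumption), uses only standard WordPress hooks and the transients API, and the `MYSITE_` constants and `mysite_` function names are placeholders:

```php
<?php
/**
 * Plugin Name: Limit login attempts (added example, not from the original article)
 * Description: Locks an IP address out of the login form for 15 minutes after
 *              three failed attempts. Save as wp-content/mu-plugins/limit-logins.php.
 */

// Hypothetical policy values; adjust to your own rules.
const MYSITE_MAX_ATTEMPTS    = 3;
const MYSITE_LOCKOUT_SECONDS = 15 * 60;

/**
 * Transient key for the requesting address. Behind a reverse proxy or CDN,
 * REMOTE_ADDR is the proxy's address; only substitute a forwarded header
 * here if the proxy is known to overwrite it on every request.
 */
function mysite_attempt_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'mysite_login_fail_' . md5( $ip );
}

/** Count a failed login. WordPress fires wp_login_failed with the username. */
function mysite_record_failure( $username ) {
    $key      = mysite_attempt_key();
    $attempts = (int) get_transient( $key ) + 1;
    // Re-setting the transient also restarts the lockout window, so an
    // address that keeps hammering the form stays locked out.
    set_transient( $key, $attempts, MYSITE_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'mysite_record_failure' );

/**
 * Refuse locked-out addresses. Priority 30 runs after WordPress's own
 * username/password check (priority 20), so this WP_Error is the final
 * answer even when the credentials were correct.
 */
function mysite_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( mysite_attempt_key() ) >= MYSITE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again in 15 minutes.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'mysite_check_lockout', 30, 3 );

/** A successful login clears the counter for that address. */
function mysite_clear_failures( $user_login, $user ) {
    delete_transient( mysite_attempt_key() );
}
add_action( 'wp_login', 'mysite_clear_failures', 10, 2 );
```

The `authenticate` filter is registered at priority 30 on purpose: WordPress looks up the username and password at priority 20, and a WP_Error returned later overrides a successful lookup. A transient stored in the options table is shared by every web server that uses the same database, which is what a lockout counter needs.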
- Use secure hosts
Website hosting is not cheap. Most top-end hosting services charge above $10 monthly for a personal site. Business sites require more bandwidth and space and cost around 5X as much.
To reduce the cost, you might be tempted to buy from unknown providers who offer to host for as low as $8 per month for a business plan and $20 monthly for managed WordPress hosting.
These are attractive terms for sure, but you could be doing more harm than good by saving a hundred quid.
The servers need to be swept for malware daily using the best anti-malware technology.
Cheaper hosts skip many essential steps, like installing a good firewall.
You don’t need to always go with the best, but stay with an established global name.
- Update WordPress and plugins
WordPress releases new versions regularly. Every month there is a new release or a patch.
These changes are usually not significant and do not affect how the site works.
But it is these patches that stop malware dead in its tracks.
Software is never a finished product since there are infinite ways to exploit code.
Developers try to keep up with the bad guys by patching vulnerabilities as soon as they are discovered.
The same applies to plugins. New versions are always more secure.
Usually, WordPress updates are taken care of by the hosting service. For updating plugins, go to the Control Panel > Plugins / Installed Plugins and check if there are updates.
You may also need to update the PHP version of your server from time to time.
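If you would rather not depend on remembering to visit the Plugins page, WordPress can apply plugin and theme updates on its own. The mu-plugin below is an added example, not code from the article; the hold-back list is constructed and the `mysite_` names are placeholders:

```php
<?php
/**
 * Plugin Name: Automatic updates policy (added example, not from the original article)
 * Description: Lets WordPress apply plugin and theme updates unattended, except
 *              for plugins you want to update by hand, and logs each run.
 *              Save as wp-content/mu-plugins/auto-updates.php.
 */

/**
 * Decide per plugin whether WordPress may update it unattended.
 * $item is the update object WordPress passes in; ->slug is the plugin
 * directory name.
 */
function mysite_auto_update_plugin( $update, $item ) {
    // Constructed list: plugins you prefer to update manually after testing.
    $hold_back = array( 'example-plugin-slug' );
    if ( isset( $item->slug ) && in_array( $item->slug, $hold_back, true ) ) {
        return false;
    }
    return true;
}
add_filter( 'auto_update_plugin', 'mysite_auto_update_plugin', 10, 2 );

// Themes: update all of them automatically.
add_filter( 'auto_update_theme', '__return_true' );

/**
 * Write one line per updated item to the PHP error log, so a failed update
 * is noticed instead of silently leaving a vulnerable version in place.
 * $results is keyed by type ('core', 'plugin', 'theme', 'translation').
 */
function mysite_log_auto_updates( $results ) {
    foreach ( $results as $type => $items ) {
        foreach ( $items as $entry ) {
            $name   = isset( $entry->name ) ? $entry->name : $type;
            $status = is_wp_error( $entry->result )
                ? 'FAILED: ' . $entry->result->get_error_message()
                : 'ok';
            error_log( sprintf( 'mysite auto-update [%s] %s: %s', $type, $name, $status ) );
        }
    }
}
add_action( 'automatic_updates_complete', 'mysite_log_auto_updates' );
```

Minor core releases (security and maintenance) are installed automatically by default; adding `define( 'WP_AUTO_UPDATE_CORE', true );` to wp-config.php extends that to major releases. The PHP version is changed in the hosting control panel, not from inside WordPress.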
- Use HTTPS & SSL
Hypertext Transfer Protocol (HTTP) is the set of rules a browser uses to communicate with other computers.
But HTTP is an old system. It was invented in 1990, when malware was rare and the internet had not assumed its present shape.
When plain HTTP is used, others along the route between the two communicating computers (A and B) can listen in, and data can be copied rather easily.
HTTPS is the secure version of HTTP. It encrypts the traffic, so those who want to monitor the data flow get nothing useful from it.
But HTTPS is expensive. For a large site, the cost can be thousands of dollars every year.
That is why many WordPress site owners skip this step. It is a bad strategy to follow. Not only does HTTPS provide peace of mind, but it also fetches you a higher rank in search. Google Chrome browser does not allow non-HTTPS sites to open.
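Once a certificate is installed, the site still has to send visitors to the HTTPS version and keep them there. The mu-plugin below is an added example, not code from the article; the 86400-second HSTS lifetime and the `mysite_` names are assumptions:

```php
<?php
/**
 * Plugin Name: Force HTTPS (added example, not from the original article)
 * Description: Redirects plain-HTTP visitors to the HTTPS version of the same
 *              page and tells browsers to keep using HTTPS. Assumes a valid
 *              certificate is already installed. Save as wp-content/mu-plugins/force-https.php.
 */

/** Send visitors who arrived over plain HTTP to the same URL over HTTPS. */
function mysite_force_https() {
    if ( is_ssl() ) {
        return;   // already encrypted, nothing to do
    }
    $host = isset( $_SERVER['HTTP_HOST'] ) ? $_SERVER['HTTP_HOST'] : '';
    $uri  = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '/';
    if ( '' === $host ) {
        return;
    }
    // wp_safe_redirect() only allows the site's own host, so a forged Host
    // header cannot turn this into an open redirect.
    wp_safe_redirect( 'https://' . $host . $uri, 301 );
    exit;
}
add_action( 'template_redirect', 'mysite_force_https', 1 );

/**
 * HTTP Strict Transport Security: once a browser has seen this header over
 * HTTPS it will not try plain HTTP for this site for max-age seconds.
 * Start with a short max-age while testing; add includeSubDomains only when
 * every subdomain serves HTTPS.
 */
function mysite_hsts_header() {
    if ( is_ssl() && ! headers_sent() ) {
        header( 'Strict-Transport-Security: max-age=86400' );
    }
}
add_action( 'send_headers', 'mysite_hsts_header' );
```

`template_redirect` fires only for front-end pages; the login form and the dashboard are covered by adding `define( 'FORCE_SSL_ADMIN', true );` to wp-config.php. If TLS is terminated by a proxy or CDN in front of the server, `is_ssl()` sees plain HTTP and this redirect would loop; in that setup set `$_SERVER['HTTPS'] = 'on'` in wp-config.php when the proxy's forwarded-protocol header says https, and only if the proxy is known to overwrite that header on every request.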
- Install a security plugin
Just like your home computer is protected by an anti-virus, your site too needs a sentry.
A security plugin can monitor brute force attacks, log out users after a predetermined period of inactivity, add math captcha, and lock IP address ranges that are responsible for previous malware attacks (e.g. not allow visitors from Russia and China).
Security plugins also include a robust firewall. A firewall prevents data from going out to unauthorized destinations (just as anti-virus stops anything from coming in). Many types of malware sit quietly and “phone home”; a firewall puts a stop to these nefarious activities.
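Of the firewall features listed above, blocking address ranges seen in earlier attacks is the easiest to show in code. The mu-plugin below is an added example, not code from the article or from any security plugin; the ranges are constructed RFC 5737 documentation addresses, the `mysite_` names are placeholders, and it assumes 64-bit PHP:

```php
<?php
/**
 * Plugin Name: Block listed IP ranges (added example, not from the original article)
 * Description: Rejects requests from listed IPv4 ranges with a 403 before any
 *              page content is generated. Save as wp-content/mu-plugins/ip-block.php.
 *              Assumes 64-bit PHP, where ip2long() returns non-negative values.
 */

/** Constructed sample ranges (RFC 5737 documentation space); replace with your own. */
function mysite_blocked_ranges() {
    return array(
        '203.0.113.0/24',   // a whole /24 seen in earlier brute-force attempts
        '198.51.100.42',    // a single host; treated as /32
    );
}

/**
 * True when $ip (dotted IPv4) falls inside $cidr ("a.b.c.d/n" or "a.b.c.d").
 * Returns false for IPv6 or malformed input rather than guessing.
 */
function mysite_ip_in_cidr( $ip, $cidr ) {
    $parts  = explode( '/', $cidr, 2 );
    $subnet = $parts[0];
    $bits   = isset( $parts[1] ) ? (int) $parts[1] : 32;

    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    if ( false === $ip_long || false === $subnet_long || $bits < 0 || $bits > 32 ) {
        return false;
    }
    // Mask with the top $bits bits set, kept within 32 bits.
    $mask = 0 === $bits ? 0 : ( ( -1 << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

/** Reject listed addresses early and leave a trace in the error log. */
function mysite_block_listed_ips() {
    $ip  = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
    foreach ( mysite_blocked_ranges() as $range ) {
        if ( mysite_ip_in_cidr( $ip, $range ) ) {
            error_log( sprintf( 'mysite ip-block: %s matched %s on %s', $ip, $range, $uri ) );
            wp_die( 'Access denied.', 'Forbidden', array( 'response' => 403 ) );
        }
    }
}
add_action( 'init', 'mysite_block_listed_ips', 1 );
```

Country-level blocking, as mentioned above, needs a GeoIP database and is not shown here. A block applied at the web server or the host's firewall is cheaper than one in PHP, because the request is refused before PHP starts; the plugin-level check is the fallback when you cannot change the server configuration.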
- Protect against DDoS
DDoS is one of the oldest forms of malware attack still around, and it is still used with devastating consequences.
Basically, the hacker sends a tiny executable file to hundreds of thousands of computers. These files lie dormant, like zombies, until they are told to run the program. Upon activation, they all try to log in to the same site simultaneously.
Suddenly half a million devices try to access www.myownsite.com
The servers which host your site are overwhelmed and shut down.
Authentic visitors are unable to log into your site because the servers are not working.
Usually, DDoS is aimed at well-known sites. GitHub and AWS faced it in recent years.
But who is to say that it can’t be used against smaller sites?
If you are worried, you can buy protection from Cloudflare.
- Disable special characters
Hackers can use the comments section to inject code into the server: a few lines of malicious code typed into the comment box and submitted can be enough to gain access to your site.
There is an easy way out. Disable special characters in comments.
No one can write code without special characters such as /, < and >.
Allow comments to contain only letters, numbers and periods, so that genuine users can still comment but the comment box cannot be used to breach your site.
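The mu-plugin below enforces that rule on every new comment before it is saved. It is an added example, not code from the article; the exact allowed set (letters, digits, whitespace and `. , ! ? ' -`) and the `mysite_` name are assumptions:

```php
<?php
/**
 * Plugin Name: Plain-text comments (added example, not from the original article)
 * Description: Strips every character outside a small allowed set from comment
 *              text before it is stored. Save as wp-content/mu-plugins/plain-comments.php.
 */

/**
 * Allowed set (an assumption, matching the article's "letters, numbers and
 * periods" plus a little everyday punctuation): Unicode letters and digits,
 * whitespace, and . , ! ? ' - . Everything else, including < > / " ( ) ; =,
 * is removed, so no markup or script fragment survives.
 */
function mysite_plain_comment_text( $content ) {
    $clean = preg_replace( '/[^\p{L}\p{N}\s.,!?\'\-]/u', '', $content );
    // preg_replace() returns null on invalid UTF-8; store nothing rather than junk.
    if ( null === $clean ) {
        return '';
    }
    // Collapse runs of spaces left behind by removed characters.
    return trim( preg_replace( '/[ \t]{2,}/', ' ', $clean ) );
}
// Priority 20: run after WordPress's own wp_filter_kses (priority 10) on this hook.
add_filter( 'pre_comment_content', 'mysite_plain_comment_text', 20 );
```

WordPress already strips disallowed HTML from comments with `wp_kses` and escapes comment text when it is displayed, so this filter is a belt-and-braces step on top of that. One side effect worth knowing: URLs disappear too, since `:` and `/` are not in the allowed set, which also removes most comment spam.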
- Use trusted themes
The free WordPress themes are so boring to look at.
But the good ones, like Elementor and Divi, can prove to be quite expensive. After all, a lot of work goes into creating a beautiful-looking theme.
Some WordPress owners take a shortcut and buy themes on the aftermarket: they simply buy a zip file and load it onto their server.
Even worse is using one that is shared via torrents.
You can be sure that the theme file is hiding an executable. As soon as you press Install, it runs the theme and the malware along with it.
Never be tempted to use unsafe theme files. Buy from a prominent creator listed on the WordPress site with a good track record.
Backup Your Site – an Invaluable Step
To back up the files on the site, just create a copy of all of the files under public_html.
If your website is not simply a collection of static files, then you have to back up your website’s database as well. You may use a plugin to back up your WordPress website, such as UpdraftPlus.
You can back up your WordPress websites using your web hosting provider, or, alternatively, do manual backups through your cPanel.
If automatic WordPress daily backups are not enough, you can make manual backups as needed.
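For a manual backup that covers both halves, the files under the WordPress root and the database, the script below is an added example, not code from the article or from UpdraftPlus. It assumes it sits next to wp-load.php, that `mysqldump` is on the PATH, and that PHP has the zlib and Phar extensions; the `backups` directory location is a placeholder:

```php
<?php
/**
 * Manual backup script (added example, not from the original article).
 * Archives the files under the WordPress root and dumps the database, both
 * gzip-compressed, into a directory outside the web root.
 * Usage from a shell:  php backup.php
 */
if ( PHP_SAPI !== 'cli' ) {
    exit( "Run this script from the command line only.\n" );
}

require __DIR__ . '/wp-load.php';   // defines ABSPATH and the DB_* constants from wp-config.php

$stamp  = gmdate( 'Ymd-His' );
$outdir = dirname( ABSPATH ) . '/backups';   // hypothetical location; keep it outside public_html
if ( ! is_dir( $outdir ) && ! mkdir( $outdir, 0700, true ) ) {
    exit( "Cannot create $outdir\n" );
}

// 1. Files: tar everything under ABSPATH, then gzip the archive.
$tar_path = "$outdir/files-$stamp.tar";
$tar      = new PharData( $tar_path );
$tar->buildFromDirectory( ABSPATH );
$tar->compress( Phar::GZ );   // writes files-<stamp>.tar.gz next to it
unset( $tar );
unlink( $tar_path );

// 2. Database: stream mysqldump straight into a gzip file. The password is
//    handed over in the MYSQL_PWD environment variable, not on the command
//    line, so it does not show up in the process list.
$host  = DB_HOST;
$extra = '';
if ( false !== strpos( $host, ':' ) ) {
    // DB_HOST may carry a port ("host:3306") or a socket path ("localhost:/path.sock").
    list( $host, $rest ) = explode( ':', $host, 2 );
    $extra = ctype_digit( $rest )
        ? '--port=' . escapeshellarg( $rest )
        : '--socket=' . escapeshellarg( $rest );
}
$cmd = sprintf(
    'mysqldump --single-transaction --host=%s %s --user=%s %s',
    escapeshellarg( $host ),
    $extra,
    escapeshellarg( DB_USER ),
    escapeshellarg( DB_NAME )
);
$env              = getenv();               // keep PATH etc. so mysqldump is found
$env['MYSQL_PWD'] = DB_PASSWORD;
$spec             = array( 1 => array( 'pipe', 'w' ), 2 => array( 'pipe', 'w' ) );
$proc             = proc_open( $cmd, $spec, $pipes, null, $env );
if ( ! is_resource( $proc ) ) {
    exit( "Could not start mysqldump\n" );
}
$gz = gzopen( "$outdir/db-$stamp.sql.gz", 'wb9' );
while ( ! feof( $pipes[1] ) ) {
    gzwrite( $gz, fread( $pipes[1], 65536 ) );
}
$stderr = stream_get_contents( $pipes[2] );
fclose( $pipes[1] );
fclose( $pipes[2] );
gzclose( $gz );
$status = proc_close( $proc );
if ( 0 !== $status ) {
    exit( "mysqldump failed ($status): $stderr\n" );
}
echo "Backup written to $outdir (files-$stamp.tar.gz, db-$stamp.sql.gz)\n";
```

Run it as `php backup.php` from the shell; the first check refuses to run when the file is requested through the web server. `--single-transaction` gives a consistent InnoDB snapshot without locking the site while the dump runs. Copy the resulting archives somewhere other than the same server, otherwise a compromise or a disk failure takes the backups along with the site.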
You don’t need to worry. WordPress is safe and a good WordPress developer can install additional measures.
Follow the best practices outlined above without fail and you will never be subject to an attack.