- Why WordPress Websites are More Vulnerable
- How to Secure your WordPress Website
- 1. Choose Good Hosting
- 2. Use Quality Themes and Plugins
- 3. Limit the Number of Plugins
- 4. Keep WordPress Core, Theme and Plugins up to Date
- 5. Back up Your Website Regularly
- 6. Use Strong Password and Unique Username
- 7. Implement Two-factor Authentication
- 8. Limit Failed Login Attempts
- 9. Rename WordPress Login URL
- 10. Change Database Prefix
- 11. Install SSL Certificate (HTTPS)
- 12. Disable PHP Execution on Folders to Prevent Backdoor Intrusion
- 13. Secure wp-config.php File
- 14. Disable File Editing in the WordPress Dashboard
- 15. Connect with the Server Properly
A CMS Analysis in a study by the Sucuri Remediation Group revealed that 83% of the infected websites were using WordPress as the CMS.
It shows how often WordPress websites are being attacked.
However, don’t let the data fool you.
Most of the websites being hacked use WordPress CMS but that doesn’t mean WordPress is a less secure CMS.
WordPress is, in fact, a highly secure platform. There are many other reasons why WordPress websites are often infected.
Why WordPress Websites are More Vulnerable
WordPress powers more than 30% of the top 10 million websites on the internet. It’s the most popular and has 60% of the total content management system market. More than three-quarter of the websites we developed at our web design agency last year use WordPress as their CMS. So, you can see how popular WordPress is.
Naturally, when we take the number of websites subjected to cyber-attacks, the count of WordPress websites will also be higher.
How to Secure your WordPress Website
There are many things you can do and many things you should avoid making your WordPress website more secure. In this post, we are going to discuss all the techniques that we follow in our web design company in Chennai to make your WordPress websites more secure.
If the security of your website and data in your database are important for you, you will find the points extremely useful.
#1 Choose Good Hosting
The security of the server you host your WordPress website is the most important safety factor.
Websites using shared hosting are more vulnerable to attacks. Shared hosting also causes performance issues, so it’s better to avoid it altogether.
You need to choose servers powered by the latest web technologies to increase security.
Some hosting companies provide Managed WordPress Hosting which is specifically designed for WordPress websites. This plan will include special WordPress security measures and regular backup of the website and database.
#2 Use Quality Themes and Plugins
According to a study conducted by WP Scan, more than 50% of the WordPress websites attacks are caused by vulnerabilities with the plugins while 11% of are caused by themes.
Therefore, choosing a good WordPress themes and avoid installing shady plugins are essential to secure your website.
Most of the free themes will not be updated regularly to fix the security patches though there are some exceptions.
Paid WordPress themes from reputed developers will be updated regularly which ensures better security.
Similarly, you shouldn’t install all the plugins you find useful. Most of the plugins you see in the WordPress repository are rarely updated. Installing them on your website may cause security challenges.
Basically, you should always use plugins and themes which are developed by reputed WordPress developers and updated regularly.
#3 Limit the Number of Plugins
Installing lots of plugins on WordPress is also a bad idea. Although the number of plugins installed on WordPress is not a factor affecting the security directly, it’s observed that websites that are subjected to attack generally have lots of plugins installed. The similarity can be due to the lack of vigilance or the carelessness of the webmasters.
Anyway, it’s a better idea to limit the number of plugins because that can directly impact the performance of the website.
There are many free reputed plugins you can find to enable this feature. iThemes Security Pro is a highly recommended plugins. Although this is a paid plugin, it’s worth it. This plugin is a panacea to resolve a wide range of security issues and secure WordPress websites.
#4 Keep WordPress Core, Theme and Plugins up to Date
Cyber attackers find new techniques to hack WordPress websites as WordPress fix them. This is a race, and it’s important for you to stay ahead with WordPress in this race.
WordPress volunteers fix security patches along updating the WordPress features.
There are minor as well as major updates.
Minor update: WordPress 5.0.2 to WordPress 5.0.3
Major Update: WordPress 5.0.X to WordPress 5.1.0
Your WordPress core will automatically install the minor updates. However, you need to update the major updates of WordPress manually.
Quick Note: You can wait a couple of days before manually updating WordPress core because you may want to wait for your theme developers’ confirmation. Sometimes, WordPress updates may break the website because of the inconsistencies with the theme. So, it’s ok to wait until the confirmation from theme developer that their theme will work fine in the updated WordPress.They will also offer a fix if there is any problem with their theme in the latest version of WordPress.
Similar to WordPress, you also need to update your theme and plugins if there is an update available.
Please note that it’s a good practice to back up your website and database before you make the update. So, you can always revert back if your website has any problem with the update.
#5 Back up Your Website Regularly
Creating the backups of your website regularly gives you peace of mind. Even if your website is hacked or you lost the access to WordPress, you can reinstall your website from the backup.
In some cases, it might be very difficult to remove the malicious code injected by hackers. The code might reemerge even after the cleanup.
Regular website backup can help you to avoid such unfortunate moments because you will always have a fresh and clean copy to revert back after the hacking.
#6 Use Strong Password and Unique Username
If you are still using the default username ‘admin,’ you should change it. If you have a unique username for your WordPress, you make it even harder for the attackers to hack your website.
Similarly, you should also avoid using simple passwords. It will help if you use passwords that contain small letters, big letters, digits, and symbols. It’s better if your password contains more characters.
You can use tools like KeePass to generate and save your password securely in your computer.
#7 Implement Two-factor Authentication
Two-factor authentication adds one extra layer to access your WordPress system. If you have enables this, you will need to enter an OTP code sent to your mobile each time you log in.
This will prevent others from accessing your WordPress system even if you lose the credentials because they can’t complete the login without entering the code that is sent to your phone.
Best Two-factor authentication plugin
#8 Limit Failed Login Attempts
It’s very convenient to have unlimited login attempts if you always forget your password or username. However, it also opens unlimited opportunities to crack your password.
So, it’s a better idea to limit the number of failed login attempts on your WordPress website. This will prevent hackers from brute-forcing into your WordPress system.
#9 Rename WordPress Login URL
The default URLs to the login page of WordPress website are the following.
If you change the default login URLs, you can prevent hackers from reaching the login page.
Fortunately, renaming the default URLs to the WordPress login page is not that difficult. WPS Hide Login plugin will help you to create a new unique URL for your login page. Beware that you may have a hard time to recover the access to your website if you forget the new URL.
#10 Change Database Prefix
When you have installed WordPress, you might have seen an option to add a prefix to your database. By default, it’s wp_. It’s recommended to change this into something else.
If you use default prefix, hackers can easily guess the names of the tables in the database and inject MySQL code to hack your website.
Most web developers use the name of the website as a prefix. However, it’s better to use a random string with letters, number, and symbols.
#11 Install SSL Certificate (HTTPS)
Most of you might have already installed an SSL certificate on your website. If you haven’t already, then you should do it immediately.
SSL certificate encrypts the data transferred between server and browsers, so it’s essential for the security of your website and website visitors.
Google gives a small boost in rankings for websites with SSL certificates. Moreover, browsers will show your website visitors that your site is not secure.
You can either use a server with SSL security or buy an SSL certificate from a Certificate Authority and configure it with your website. It’s better to choose the first option because it is simple.
#12 Disable PHP Execution on Folders to Prevent Backdoor Intrusion
Hackers can obtain access to your website by uploading malicious codes. Some of the commonly targeted folders for backdoor intrusion on WordPress are
You can disable PHP execution on these folders by creating a simple text file in these folders.
Order allow, deny
Deny from all
Create a file with the name .htaccess on all these folders and paste the above code in that. This will disable PHP code from being executed which is injected by hackers.
#13 Securewp-config.php File
The file named wp-config.php in the WordPress root folder contains sensitive information like database name, username, password, and, etc.
Keeping this file on the WordPress root folder is considered as a bad security practice. For better security, you can move wp-config.php to one level up in the directory.
Although it’s now outside the WordPress folder, WordPress can still access the file. So, it wouldn’t affect your website.
#14 Disable File Editing in the WordPress Dashboard
If someone gets the admin access to the WordPress dashboard, they can modify the files in the WordPress installation. You can prevent it by adding one simple line of code to your wp-config.php file.
You can add this code at the end of the wp-config.php file. This will disable the ability to edit the WordPress file using the WordPress dashboard. If you ever want to make the change to the files, you will have to do it via FTP or cPanel.
#15 Connect with the Server Properly
When you connect with your server, always use SFTP or SSH instead of the less secure regular FTP connection.
Choosing plugins and themes carefully is the best thing you can do to your website because they cause the most vulnerabilities.
WordPress website backup is also really useful. This will allow you to restore your website anytime there is a problem. You can use hosting plans that offer free automatic backups or use plugins to back up your website.