Having a website and driving business online seems to be pretty simple but managing security of your WordPress website is important but tricky.
Securing WordPress site is not rocket science but a practical approach. Below are some tips on how to secure your website.
Switching to https
The most basic way to prevent this happening is to switch from insecure HTTP to secure HTTPs by using an SSL Certificate. Implementing an SSL (Secure Socket Layer) certificate is one smart move to secure the admin panel. SSL ensures secure data transfer between user browsers and the server, making it difficult for hackers to breach the connection or spoof your info. SSL certificate also affects your website’s Google rankings. Google tends to rank sites with SSL higher than those without it.
You can purchase SSL certificate from a third-party company or check to see if your hosting company provides one for free.
Change the WordPress database table prefix
If you have ever installed WordPress then you are familiar with the wp- table prefix that is used by the WordPress database. I recommend you change it to something unique.
Using the default prefix makes your site database prone to SQL injection attacks. Such attacks can be prevented by changing wp- to some other term like clientWP-.
Remove your WordPress version number
Your current WordPress version number can be found very easily. It’s basically sitting right there in your site’s source view. Hackers would know which version of WordPress you use and make it easier for them to customize their perfect attack. Fortunately, it is easy to hide your version number with almost every WordPress security plugin.
Configure your file permissions
File permissions are represented by a three-digit number in WordPress, and each digit has a meaning. The first digit stands for an individual user (the site’s owner), the second digit for the group (for example, members of your site), and the third for everyone in the world. The number itself means that the user, group, or world:
0: Has no access to the file.
1: Can only execute the file.
2: Can edit the file.
3: Can edit and execute the file.
4: Can read the file.
5: Can read and execute the file.
6: Can read and edit the file.
7: Can read, edit, and execute the file.
So if a file is given a permissions level of 640, for example, it means the primary user can read and edit the file, the group can read the file but not edit it, and everyone else cannot access it. This may seem overly complicated, but it’s important for ensuring that each person only has the level of access to your site’s files and folders you want them to have.
WordPress recommends setting folders to a permissions level of 755 and files to 644. You’re pretty safe sticking to these guidelines, although you can set up any combination you’d like. Just remember that it’s best not to give anyone more access than they absolutely need, especially to core files.
You’ll also want to keep in mind that the ideal permissions settings will depend somewhat on your hosting service, so you may want to find out what your host recommends.
Note: you should be very careful when making changes to your permissions levels — choosing the wrong value can make your site inaccessible.
Set up a website lockdown feature and ban users
A lockdown feature for failed login attempts can solve the huge problem of continuous brute force attempts. Whenever there is a hacking attempt with repetitive wrong passwords, the site gets locked, and you get notified of this unauthorized activity. Three reliable plugins for that are iThemes, All in One WP Security & Firewall and Wordfence Security. You can check out which one suits your website best.
Use your email to login
By default, you have to input your username to log into WordPress. Using an email ID instead of a username is a more secure approach because it is hard to predict.
Several WordPress security plugins like iThemes allow you to set up login pages so that all users must use their email addresses to log in.
Use strong passwords
Play around with your passwords and change them regularly to secure your WordPress website. Improve their strength by adding uppercase and lowercase letters, numbers, and special characters. You can also use Secure Password Generator to help you generate strong password.
However, if you have multiple sites that you need to remember all your passwords, you can use LastPass or 1Password to store all your logins and just remember one master password.
Carefully choose plugins and theme and update regularly
You need to be very careful about the themes and plugins you choose to add to your site. Each one should be vetted to ensure it’s a solid option that won’t hurt your site or cause problems. There are many elements to keep in mind, but the following will help you select quality tools:
- Check user ratings and reviews of the plugin
- Take a look at how recently the plugin or theme has been updated.
- Install new plugins and themes one at a time, so if anything goes wrong you’ll know what the cause was. Also, be sure to back up your site before adding anything to it.
- Get your plugins and themes from trustworthy sources, such as the WordPress.org Theme and Plugin Directories, ThemeForest and CodeCanyon, and reliable developer websites.
Finally, keep them up to date to ensure they work well together and are secured against the latest threats.
Keep the number of users on your site low
If you’re running your WordPress site solo, you don’t need to worry about this step. Just don’t give anyone else an account on your site, and you’ll be the only person who can make changes.
But there will come a time when you eventually add more than one user to your website. You may want to let other authors contribute content, or you might need people to help edit that content and manage your site. It’s even possible to find yourself with an entire team of users, who are regularly accessing your WordPress site and making their own changes.
This can be beneficial in many ways and is sometimes even necessary. However, it’s also a potential security risk. One way of overcoming this is to use WP Security Audit Log to keep tabs on what they are doing on the site.
Tracking activity in your WordPress admin area will help you spot when other users are doing things they shouldn’t and can indicate whether unauthorized users have gained access. It provides a full list of activities, along with email notifications and reports.
Back up your site regularly
Backing up your site on a regular basis is the simplest and best way to safeguard it in the event of a disaster. If you have a recent backup handy, you can restore your site to the way it was before it was hacked or otherwise harmed. This will help you fix the issue and move on as quickly as possible.
There are loads of simple things that you can do to prevent your site getting hacked. Some of them are just basic procedures like using complex passwords, but there are also plenty of plugins that have been created specifically to ensure that your site is safe and secure. You just have to put some time and energy into it. Otherwise, you’re likely to lose valuable business and income while trying to repair the damage.