WordPress is one of the most popular platforms for self-hosted blogs and websites and powers over 43.2%<\/a> of all websites. Even WhiteHouse.gov is using the WordPress platform! So because of its popularity, it may fall victim to attacks by hackers.<\/p>\n\n\n\n With the various themes and plugins out there, it is unsurprising that vulnerabilities exist and continually affect websites.<\/p>\n\n\n\n The last thing you want to happen is to find out one day that your website got hacked. To help you prevent this from happening, we will be sharing multiple tips and techniques you can use to secure your WordPress website and stay protected.<\/p>\n\n\n\n WordPress security is an essential consideration for any website owner. Protecting your site from hackers, malicious code, and other security threats that could compromise your data or gain access to confidential information is essential. Brute force attacks, malware insertions, and phishing schemes are all potential dangers to WordPress websites. As such, it\u2019s essential to take the necessary steps to ensure your WordPress site is secure.<\/p>\n\n\n\n To ensure optimal security, it\u2019s essential to keep up with the latest security measures for WordPress websites to avoid potential risks posed by hackers or malicious actors online. Updating plugins regularly can help reduce the risk of exploited vulnerabilities while ensuring all users have unique usernames and strong passwords, adding another layer of defence against unauthorized access attempts into accounts or admin areas on a website. Installing additional security plugins like Wordfence Security Plugin can further enhance these measures while providing real-time monitoring capabilities so you know what\u2019s happening at all times on your website too.<\/p>\n\n\n\n WordPress security is essential for protecting your website from malicious attacks and data breaches. Considering the potential risks that can threaten WordPress sites is imperative, so let\u2019s examine some of them.<\/p>\n\n\n\n Weak passwords<\/strong> are one of the most common security risks for WordPress sites. Using a simple or easily guessed password can make it easy for malicious actors to gain access to your site and potentially cause irreparable damage. Create complex passwords that combine uppercase and lowercase letters, numbers, and special characters for maximum security. For added security, consider utilizing a reliable password manager such as 1Password or Dashlane to store passwords with greater complexity and randomness.<\/p>\n\n\n\n Another security risk is outdated software,<\/strong> such as WordPress core files or plugins\/themes installed on your site. Updating all components to the most recent versions is necessary to prevent hackers from taking advantage of any existing vulnerabilities that may exist in older versions. It\u2019s also important to regularly back up your website to quickly restore any lost data if something goes wrong during an update process.<\/p>\n\n\n\n Common security risks for WordPress sites include malicious code injections, brute force attacks, and unsecured hosting environments.<\/p>\n\n\n\n To guarantee the safety of your website, it is essential to comprehend how to safeguard your WordPress site appropriately.<\/p>\n\n\n\n It\u2019s super important to remember that WordPress is open-source software. This means that anyone can examine the code that makes WordPress work. Sure, yes, hackers are constantly analyzing this code to find potential exploits. Still, so are the security teams at WordPress, volunteer developers, ethical white hats, and the millions of people who contribute to WordPress for the opposite reason of hackers \u2013 to keep it secure and be on the lookout for the community at large. <\/p>\n\n\n\n Additionally, most<\/em> security breaches aren\u2019t caused by a WordPress code vulnerability. They happen because people often don\u2019t keep their WordPress site and the plugins installed up-to-date.<\/p>\n\n\n\n If you follow good security practices, your site will be just fine. <\/p>\n\n\n\n Every web host out there should take security very seriously. The reason why you must choose a web host you can rely on for your business. The research you do before choosing a web host should include inquiries into how they handle security events. <\/p>\n\n\n\n You should look for a host with the following essential services:<\/p>\n\n\n\n The same goes for other software, like MySQL, MariaDB, cPanel, Plesk, and the server operating system.<\/p>\n\n\n\n GetHost uses cloud infrastructure for all of our WordPress Hosting<\/a> customers to keep their data safe. By distributing data across redundant servers, the information hosted in the cloud is always protected against hardware failure.<\/p>\n\n\n\n In addition to this, our servers run on CloudLinux OS, which allows us to use a virtualized file system for each account and completely isolate it. A significant advantage is that if one user account becomes compromised, the malware infection does not spread to the other accounts hosted on the same server. Moreover, we\u2019ve partnered with Imunify360 to provide a secure and reliable WordPress Hosting service. Its multi-layered defence architecture ensures precision targeting and eradication of malware and viruses.<\/p>\n\n\n\n Through these services, we add additional layers of protection to your website. <\/p>\n\n\n\n An SSL or Secured Socket Layer Certificate encrypts the data transmitted between the user and your website. This is CRUCIAL to websites where your users are customers, and they are submitting payment information to acquire items from your store. <\/p>\n\n\n\n Sure, if you\u2019re running a blog and not selling anything, you can get away with a Let\u2019s Encrypt SSL Certificate, which is free. But if you\u2019re taking payments, you need an SSL. Using an SSL means you use https:\/\/ in front of your site instead of seeing a red \u201cNot secured\u201d notification in the address bar. <\/p>\n\n\n\n SSL Certificates have engrained trust in the populous because of their security, and even more so with the famed Green Bar SSL, aka an EV SSL Certificate, because they know those companies are verified and authenticated by a trusted security provider.<\/p>\n\n\n\n If you are on a WordPress host that uses cPanel, you can easily install a Let\u2019s Encrypt SSL Certificate. <\/p>\n\n\n\n See this? This is scary<\/em>. That\u2019s a user who doesn\u2019t care about their site right there. 10 updates, including a WordPress version update. <\/p>\n\n\n\n An outdated WordPress site, plugin, or theme is a potential wide-open gateway to your website. Let\u2019s review some recent WordPress stats. <\/p>\n\n\n\n Fortunately, a recent update in a major release of WordPress enabled us to use the GUI to automate things like automatic updates for themes & plugins and WordPress itself. Previously you needed to be somewhat savvy and edit your wp-config.php file by hand to add some lines of code for these things. <\/p>\n\n\n\n Enabling automatic updates for plugins couldn\u2019t be easier!<\/p>\n\n\n\n Step 1:<\/strong> Log in to your wp-admin. By default, wp-admin can be accessed by entering https:\/\/www.yourdomain.tld\/wp-admin into your browser, where \u201cyourdomain.tld\u201d would replace your domain name.<\/p>\n\n\n\n Step 2: <\/strong>Locate the Plugins<\/strong> option on the left.<\/p>\n\n\n\n Step 3:<\/strong> In the far right column, click \u201cEnable Automatic Updates\u201d for each plugin you want to be able to update itself automatically.<\/p>\n\n\n\n That\u2019s all you have to do! Now, your plugins will update themselves automatically when the developer publishes a new version.<\/p>\n\n\n\n Step 1: <\/strong>Click Appearance<\/strong> in the menu on the left side of your WordPress Admin Dashboard.<\/p>\n\n\n\n Step 2:<\/strong> Select Enable auto-updates<\/strong> for your theme.<\/p>\n\n\n\n Note: You will need to do this for each of your themes. Also, as of this writing, not all WordPress themes have been updated to support this feature, and as such, you may<\/strong> not see the option to enable auto-updates for your theme until the developer provides an update.<\/em><\/p>\n\n\n\n If you\u2019re more hands-on and don\u2019t trust automation, no worries; this release hasn\u2019t forgotten about you! Feel free to turn off those automatic updates, and when you\u2019re ready to update a theme or plugin, upload it as a ZIP file, and voila! It\u2019s updated! \ud83d\udc4d<\/p>\n\n\n\n Regarding user security, using reasonable security practices is key to keeping your login credentials secure. Avoid using a username as \u201cadmin,\u201d and always choose a complex password.<\/p>\n\n\n\n Instead of using Admin for the WordPress admin, use your name, or a variation of it, or a random username altogether. Actually, here\u2019s a list of usernames you should definitely<\/strong> avoid.<\/p>\n\n\n\n Make sure to choose a complex password. Google has some great tips on how you can choose a secure password<\/a>. You should be using a password manager, like 1Password<\/a> or Bitwarden<\/a>. <\/p>\n\n\n\n If you are managing multiple WordPress sites, it is prudent to use different passwords. One way to generate random passwords<\/a>.<\/p>\n\n\n\n If you want to store your passwords locally, on your computer, then you can use a free tool such as KeePass<\/a>.<\/p>\n\n\n\n Take advantage of Two-Factor Authentication to completely secure your WordPress login. Two-Factor Authentication involves a second step in the login process. It is a text (SMS), or time-based one-time password (TOTP) required to log in. Two-factor authentication is a 100% effective<\/strong> way to prevent brute-force attacks on your WordPress admin panel.<\/p>\n\n\n\n We prefer using the free Google Authenticator<\/a> plugin, as you can use it for unlimited users. Just install the plugin and click on a user account. You can then set up two-factor authentication by creating a new secret key or by only scanning the QR code. Then make sure to mark it \u201cActive.\u201d<\/strong><\/em><\/p>\n\n\n\n With 2-Step Verification enabled, you will be asked to enter a six-digit code on your login page after you provide your username and password. If you do not provide this six-digit number, you cannot log in, even if you have the correct username and password.<\/p>\n\n\n\n WordPress comes with a set of very easy-to-reach plugins and theme editors. These editors, while super handy if you want to edit your theme\/plugins in the same wp-admin you do everything else in, allow direct access to your site\u2019s code. If someone compromises a user account of sufficient privileges, they would have easy access to make some malfeasant changes on your site. <\/p>\n\n\n\n Most WordPress users will never need to touch the plugin and theme editors. If you are a user who likes to tinker and do some custom coding, re-enabling the plugin and theme editors is just as easy as disabling them.<\/p>\n\n\n\n It\u2019s one line of code in your wp-config.php<\/strong>: Doing this won\u2019t be the end of stopping a hacker, but it will confuse less experienced hackers and stop them in their tracks. At the very least, it will make doing something on your site that much more challenging and give you time to sort out what\u2019s gone wrong. <\/p>\n\n\n\n If you want to make it even harder for hackers to find certain backdoors, you are less likely to be the target of an attack. Locking down your WordPress admin URL and login is the right way to increase your login security.<\/p>\n\n\n\n The default WordPress site\u2019s login URL is domain.com\/wp-admin. One of the problems with this is that all of the bad bots, hackers, and scripts out there also know this. By changing the URL for your WordPress admin panel, you can make yourself less of a target and better protect your site against brute-force attacks.<\/p>\n\n\n\n Out of the box, anyone can access your wp-admin page simply by visiting https:\/\/yoursite.com\/wp-admin. You can (and should) use a plugin to stop them in their tracks, such as the free WPS Hide Login<\/a> plugin. This plugin allows you to rename the \/wp-admin to anything you want, like \/login, or even something like \/mywordpressadminloginpageishere if you wanted to.<\/p>\n\n\n\n Sarcasm aside, you should use a path that isn\u2019t obvious. I use this plugin on my own site, and while I won\u2019t tell you what the path is, it\u2019s something you wouldn\u2019t guess but is still easy to remember. <\/p>\n\n\n\n You should also install a plugin that limits the number of attempts a user has to log in before they\u2019re blocked. The aptly named, Limit Login Attempts<\/a> plugin (also FREE) gives users several attempts to login before they are locked out. The plugin can also cleverly detect and redirect bots away from your login page. <\/p>\n\n\n\n If you want to go the extra mile<\/em>, you can enable Cloudflare Rate Limiting<\/a> to further control access to your site. Using the Cloudflare network, this tool automatically detects brute force attacks and DDoS attacks and blocks those offending IP addresses. <\/p>\n\n\n\n We recommend using a free plugin called WPS Hide Login<\/strong> to change your WordPress login URL.<\/p>\n\n\n\n This plugin lets you quickly and safely change the URL of the login form page to anything you want. It renames or changes files in the core, nor does it add rewrite rules. It merely intercepts page requests and works on any WordPress website. This way, the wp-admin directory and wp-login.php page become inaccessible.<\/p>\n\n\n\n Once installed, go to General Settings of your WordPress dashboard and set your admin panel URL.<\/p>\n\n\n\n Deactivating this plugin brings your site back precisely to the state it was before.<\/p>\n\n\n\n The wp-config.php file stores all the necessary details for an intruder to access your site\u2019s database. It is one of the most critical files in your entire WordPress install.<\/p>\n\n\n\n You can prevent the file from being accessed by adding the following code to your .htaccess<\/strong> file. Anyone who tries to access your site\u2019s wp-config.php will receive a 403 Forbidden error. Neat trick, eh? <\/p>\n\n\n\n By default, when your web server does not find an index file (index.php or index.html), it automatically displays an index page showing the files and folders in that web directory.<\/p>\n\n\n\n This could make your site vulnerable to attacks by revealing the critical information hackers need to take advantage of a vulnerability in a WordPress plugin, theme, or your server in general.<\/p>\n\n\n\n Just add the following line in the site\u2019s .htaccess file located in the root directory of your website. If you are a GetHost customer, we have you covered. By default, the directory listing is disabled on our servers.<\/p>\n\n\n\n Most of the time, hacked WordPress sites usually have backdoor files. These backdoor files are often disguised as core WordPress files and are placed in \/wp-includes\/<\/strong> or \/wp-content\/uploads\/<\/strong> folders.<\/p>\n\n\n\n An easier way to improve your WordPress security is by disabling PHP execution for some WordPress directories.<\/p>\n\n\n\n Create a blank .htaccess<\/strong> file and paste this code inside it:<\/p>\n\n\n\n Then upload this file to \/wp-content\/uploads\/ and \/wp-includes\/ directories.<\/p>\n\n\n\n Hotlink Protection will prevent other websites from directly linking to files on your website. An example of hotlinking would be using a <img> tag to display an image from your site on some other site on the internet. This will result in the other site stealing your bandwidth.<\/p>\n\n\n\n To prevent hotlinking insert the following code into your .htaccess file: <\/p>\n\n\n\n Backing up your site is about creating a copy of all the site\u2019s data and storing it somewhere safe. That way, you can restore the site from that backup copy in case anything wrong happens.<\/p>\n\n\n\nWhy is WordPress security important?<\/h2>\n\n\n\n
What are some common security risks for WordPress sites?<\/h2>\n\n\n\n
How can I secure my WordPress site?<\/h2>\n\n\n\n
Invest in Rock-solid WordPress Hosting<\/h3>\n\n\n\n
\n
\n
Install & Use a (Good) SSL Certificate<\/h3>\n\n\n\n
Always Keep Your WordPress Version + Plugins Up To Date<\/h3>\n\n\n\n
![\"\"](\"https:\/\/blog.gethost.co.zw\/wp-content\/uploads\/2024\/03\/WordPress-Updates.png-1024x307.webp\")
<\/figure>\n\n\n\n\n
How to Enable Auto-Updates for Plugins<\/h4>\n\n\n\n
![\"\"](\"https:\/\/blog.gethost.co.zw\/wp-content\/uploads\/2024\/03\/WordPress-Dashboard-Plugins.png-1024x296.webp\")
<\/figure>\n\n\n\n![\"\"\/](\"\/wp-content\/uploads\/2024\/03\/WordPress-Dashboard-Plugins-Enable-auto-updates.png-1024x291.webp\")
<\/figure>\n\n\n\nHow to Enable Auto-Updates Updates for Themes<\/h4>\n\n\n\n
Use Smart Usernames and Smarter Passwords<\/h3>\n\n\n\n
\n
Use Two-Factor Authentication<\/h3>\n\n\n\n
![\"\"](\"https:\/\/blog.gethost.co.zw\/wp-content\/uploads\/2024\/03\/1.jpg.webp\")
<\/figure>\n\n\n\nDisable The Plugin Editor<\/h3>\n\n\n\n
define('DISALLOW_FILE_EDIT', true);<\/code><\/p>\n\n\n\nLock Down Your WordPress Login URL<\/h3>\n\n\n\n
How to Change Your WordPress Login URL<\/h4>\n\n\n\n
![\"\"](\"https:\/\/blog.gethost.co.zw\/wp-content\/uploads\/2024\/03\/WPS-Hide-Login-680x186.png.webp\")
<\/figure>\n\n\n\nHarden Your wp-config.php File<\/h3>\n\n\n\n
Deny Access to the wp-config.php File<\/h4>\n\n\n\n
<Files wp-config.php> order allow,deny deny from all <\/Files><\/code><\/p>\n\n\n\nDisable directory listing<\/h3>\n\n\n\n
How to disable directory browsing in WordPress<\/h4>\n\n\n\n
Options -Indexes<\/code><\/p>\n\n\n\nDisable PHP Execution in WordPress Directories<\/h3>\n\n\n\n
<Files *.php> deny from all <\/Files><\/code><\/p>\n\n\n\nPrevent Hotlinking<\/h3>\n\n\n\n
How to Prevent Hotlinking<\/h4>\n\n\n\n
RewriteEngine on RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^http(s)?:\/\/(www\\.)?domain.com [NC] RewriteRule \\.(jpg|jpeg|png|gif)$ - [NC,F,L]<\/code><\/p>\n\n\n\nPerform regular backups<\/h3>\n\n\n\n