If you have own a blog, a forum or an ecommerce site, there’s a good chance that it’s based on WordPress. And why not – after all, it’s the most extensible and easy to use CMS in the world. Those things have led to its popularity and widespread adoption. However, popularity comes with its own risks. As most popular content management system in the world, WordPress makes an attractive target for cyber criminals. Therefore, if you’re using it then it’s your responsibility to do everything possible to protect your site. So here we’ll take a look at 11 critical steps that you must take to secure your WordPress website. Let’s get started:
Keep your software up to date
This step is often taken for granted, but a majority of security issues can be avoided by following this one single step regularly. Keep your server operating system and WordPress installation both up to date and you can avoid a number of security issues before they hit you hard. Because whenever new software vulnerability emerges, hackers are quick to abuse it for their own advantage. Mass cyber attacks on websites are evidence of that.
By keeping your server OS and WordPress installation updated you can avoid falling prey to such incidents, as both WordPress and Linux foundation roll out security updates for new vulnerabilities as soon as they’re discovered. You can use tools like Gemnasium to be notified automatically whenever a new software vulnerability that can affect your website is announced and patches to fix it are released.
Keep your themes and plug-ins up to date
The next important things to keep updated after software are themes and plugins, because bugs and security loopholes may exist in these things as well. For example, Ninja Forms and WooCommerce have been victims of some serious security issues in recent past. The best way to avoid being victim of any such problem is to keep your themes and plugins updated. Whenever you see a newer version of your theme or plugin in their respective pages, you should update.
And besides updating the themes and plugins, also don’t forget to uninstall those themes and plugins which you don’t use. Unnecessary clutter is never good as it adds up to the backup of your site, which in the end becomes more cumbersome if you need to restore your site from a backup in any case.
Install SSL Certificate and Enable HTTPS
Every time when you login to your WordPress administration panel there’s a possibility that someone may steal your login credentials through a Man-In-The-Middle (MITM) attack. A MITM attack is when someone steals the data that you send to a website. So when you send your WordPress login credentials to your web server for authentication that too can be prone to a MITM attack – until you install an SSL certificate on your site!
An SSL certificate prevents user data from being stolen while it’s transmitted between the user and the site. It encrypts the transferred data from one end to another end so no one can see it even if it’s captured by someone during transmission. Therefore, installing an SSL certificate should also be among your top priorities if you want to keep your WordPress website secure. Nowadays various types of SSL certificates are available at in market according to various needs of buyers and it’s not costly anymore.
Enforce Usage of Strong Passwords
You should not just have a strong password yourself – all the users on your website who can add content to the site should also have strong passwords for their accounts. This is because you never know in which form a malicious script is going to enter your site. It may also be in form of something as simple as an image added to the site by a contributor. So even if a contributor account is hacked, your site can become vulnerable to external mischief. Therefore, you should insist on strong passwords that are at least 8 characters long include numerals and symbols and mix both lowercase and uppercase letters. You can use Force Strong Passwords plugin (or any other similar plugin) to force your users for using strong passwords.
Second thing about passwords is that they should be stored in an encrypted environment. Never keep your password in something as simple as a word document. You should use good quality password managers instead because they encrypt the content of your passwords in such a way that even if they’re stolen they won’t be of any use to the person(s) who stole them.
Enable Two factor authentication
Coming to more advanced security mechanisms, the first thing that comes to mind is enabling two factor authentications. This method can add another layer of security that can prevent unauthorized access to your WordPress site in all those cases when someone, somehow gets hold of some valid login credentials for your site. The person won’t be able to login if you’ve set up a two factor authentication mechanism on your site, whether based on SMS verification or some other form of verification (i.e. a secret question). There’re decent plugins available in WordPress repository to help you implement this feature (i.e. Google Authenticator) as well.
Set Login Limits
If someone needs more than 5 attempts to login to an account, most probably that person is not logging in to his/her own account. There’s no point in allowing unlimited login attempts on your site when real users can almost always login in less than 3-4 attempts. Enable login attempt limits on your WordPress site and you’ll be safe from Brute Force and guessing based cyber attacks. There’re plugins available for implementing this feature as well, like WP Limit Login Attempts.
Change Your Login URL
Wp-admin and Wp-login.php are two of the most well-known real estates in cyber world. You’ll be better off if you replace them with something else. Guessing a custom login URL can be extremely difficult for a hacker as long as you also implement the other tips mentioned in this list. It’ll significantly reduce the chances of your WordPress website being hacked. You can change your login URL to anything – my_login.php, my_custom_login.php or anything else that you want to keep. iThemes Security plugin can help you do this easily.
Protect Your Wp-admin Directory
WP-admin is unarguably the most important directory of your WordPress installation. Pretty much everything related to admin access resides right there in it. The password is “uuencoded” using strong HTTP digest authentication, it means your password is proceeding through unencrypted format but not passed over the network as plain text. Therefore, It will enable another robust layer of security to your WordPress site. Keep one password for logging in and one for WordPress administrator area and that’ll be great. You can do that with help of AskApache Password Protect plugin.
Now, there may be circumstances when you often need to visit a certain wp-admin directory depending on the nature of your WordPress installation and website. In those cases you can keep such directories unprotected while protecting the remaining content of directory.
Use A Firewall
Another important step that you can take to protect your WordPress installation is to make use of firewalls. They protect the systems on which they’re installed from all sort of threats by examining every single piece of code before it runs. Malicious requests are filtered and kept away, so your system can stay secure.
To ensure full protection for your site you should install a local firewall on your computer as well as another firewall on server of your WordPress site. The local firewall, while it has no direct connection with your WordPress site, is still necessary because you use your PC to access the administration area of your WordPress site. Any good firewall from a well-known cyber security company will do: Norton, ZoneAlarm, Comodo etc.
Now coming to the WordPress firewalls, there’re a few good names like Wordfence, iThemes Security etc. These firewalls will protect your WordPress site from malware, viruses, trojan and other threats.
Actively Monitor Your WordPress Files
If you start monitoring your WordPress installation files actively, you’ll come to know immediately when someone tries to mess up with any of them. This can be a life saver when someone breaks into your site, because the earlier you come to know about an intrusion the better steps you can take to protect yourself. Security plugins like Wordfence can help you accomplish this task easily.
Take Regular Backups
Lastly, the old good requirement of backing up your WordPress site regularly can go a long way in those circumstances when something goes wrong and your site gets hacked. In all those cases if you need to change your server the backup that you did will help restore the site to a previous position. Regular backups can help ensure that you suffer from little-to-no loss of data in any such case. You can do this manually using options already included in WordPress, or you can take help of some plugins to automate the process for you. In my opinion second option will be better. Some popular plugins for this purpose include Backup Buddy, Vaultpress and blogVault.
So this was our list of top 11 WordPress security tips that you must implement to protect your site. Do them today and your WordPress site will be way more secure from all kind of cyber attacks than it is now.