WordPress powers millions of websites. How many exactly? Well, according to W3Techs, 31% of the top 10 million. Now that’s some number, isn’t it? What makes WordPress so popular is the combination of many splendid features. But we won’t go into them as you probably know them (why else would you be using WordPress?). Instead, we’ll talk about one of the—if not the—most ignored parts of a WordPress site: Security. When was the last time you considered security as a factor? Never? Well, let’s do it now.
We know that you’re probably ignoring security thinking: “Who’s going to attack my site anyway?” Well, I know that the odds of your site getting attacked are pretty low but so were the odds of life on earth, and we all know how that turned out, don’t we? So don’t play by the odds, especially when it’s a matter of security.
To keep your website safe from hackers, I’ve prepared a quick 11-point checklist. This checklist consists of ten basic security steps that everyone can and should implement. Let’s get the ball rolling
Here’s the checklist:
Migrate to HTTPS
Do you want your site to suffer in SEO rankings? Do you want leading browsers to warn users when they land on your site? Do you want to be a victim of man-in-the-middle (MiTM) attack?
Don’t display your WordPress version
One thing that I don’t like about WordPress is that it displays its version by default. That’s because if a site is running an insecure version of WordPress, a hacker can use this information to execute cyber-attacks. Here’s an easy-to-implement guide on hiding your WP version.
Update your WordPress& Plugins
If there’s one thing that every WordPress website admin can do and should do, then it’s running the latest version of WordPress & its plugins. Updates come with patches for susceptibilities found in the older versions. That’s why it’s never a good idea to procrastinate an update. If possible, turn on automatic updates.
Remove ‘admin’ as your username & keep a strong password
A brute-force attack is one of the most widely used tools in a hacker’s toolkit. In simple words, a Brute-force attack is a guessing game, a guessing game in which a hacker tries all sorts of different combinations in hope to get it right. This can be a useful technique when it comes to cracking someone’s login credentials.
As you know, WordPress by default assigns ‘admin’ as the username, half work of a hacker is already done if you have ‘admin’ as your username. So, it’s highly advisable to remove it and to keep something more unpredictable as the username. And of course, you must compliment it with a strong password that incorporates alphabets, numbers and special characters.
Protect the wp-config.php file
wp-config.php file is one of the most important files as far as your WordPress site is concerned. That’s because it consists of sensitive installation information. Protecting this file is of paramount importance. To do so, you’ll need to include the following code in the .htaccess file:
deny from all
Use two-factor authentication
The best thing you could do to secure your login page is implementing two-factor authentication. Once applied, the possibility of an unauthorized 3rd-party getting through your login page is almost nil. That’s why many big names such as Google, Apple, Dropbox, etc. have enabled 2FA on their platforms. It’s a straightforward solution that fortifies the gate of your WordPress site.
Install a good security plugin
A security plugin is to a WordPress site what antivirus is to a PC. These plugins scan your website and provide you with basic security reports. However, you must do proper research while choosing the right plugin as there are thousands of them. If possible, go for a malware or vulnerability scanner; they have proved to be highly effective
Define user roles
If you have a website with multiple admins, then you must define what an admin can and can’t do. Any tiniest of mistakes by a user could wreak havoc. For example, someone—unknowingly—might install a plugin that is insecure. Such errors could prove fatal as far as website security is concerned. That’s why it’s highly recommended not giving everyone permission to do everything. Define user roles, and give them rights & permissions accordingly.
Let’s get this straight; nobody likes backing up—whether it’s messages or website data. But there’s another thing that no one likes, and that is losing essential data—years of hard work in case of a website. So as a logical person, you should overcome your dislike for backups so that you don’t have to bang your head against a wall when you lose your data.
Use IP Whitelist
If you want to give access to specific people, you can use IP whitelist. IP Whitelist allows you to whitelist the trusted users so that no unauthorized person can get through. Doing IP Whitelisting on the login page is definitely an idea worth considering.
Remove outdated plugins & themes
We all love WordPress plugins and if you’re like me, you have a ton of them installed on your website. As useful as plugins are, they often act as a gateway for security troubles. I’d suggest doing a quick audit for all the plugins & themes you have and remove the ones that you haven’t been using. While doing the audit, check the date of last update of a plugin or theme. If it was a long time ago, it’s time to ditch it (even if you don’t like it).
Website security is not a matter of implementing a few steps that will keep your site secured for years. It doesn’t work that way because no matter how much you do, it won’t be enough. Moreover, it requires constant efforts and attention from your side. So, don’t sit back and relax thinking these 11 steps will do wonders for your site, it won’t. However, you need to start somewhere, and this 11-point checklist is the perfect way to do so.