Themebeez Blog

20+ Tips To Improve WordPress Security (2024 Guide)

WordPress security is a growing concern, and the concern has grown along with WordPress's popularity. Currently, WordPress is the most commonly used Content Management System (CMS) platform and it powers 43% of websites on the internet. Its popularity has made it the most common target for hacking.

100% security is a myth. Not only WordPress, but every other web platform also falls short of 100% security. It means every platform has vulnerabilities and can be hacked. But it does not mean that we cannot strengthen our security.

Here, I have shared some security tips that can strengthen your WordPress security. They will also reduce your website's vulnerabilities and help prevent your website from being hacked.


Basic WordPress Security Tips

Basic WordPress security tips are simple and easy measures that do not require coding. These tips are simple but effective. They are as follows:

1. Change the Initial “Admin” Administrator Username to Another Username

Most of us enter our administrator username as “admin”, which is very common in practice. That creates an opening for hackers: they already know the username, so they only have to figure out the password to your dashboard.

What you can do is change the administrator username “admin” to another name that has administrator privileges. You can also place capital letters in that username. It is a basic but effective way of keeping your WordPress security tight. Be sure to change the username shown on blog posts and pages as well.


2. Set Strong Password

A weak WordPress password creates a vulnerability in your website. We know a weak password has a higher chance of being cracked than a strong one. We set weak passwords because they are easy to remember. But a weak password follows a pattern, such as 123456, 696969, 123456789, 123123, 111111, 7777777, 0000000, or other number patterns, or simple words like baseball, password, shadow, dragon, batman, killer, hunter, superman, Michael, etc.

So, how do you set a strong password?

To set a strong password:

First, make your WordPress password lengthy (at least 15 characters) and hard to guess, meaning it must be unique.

Second, mix letters, numbers and symbols.

Note: Do not use your pet's name, date of birth or any other personal information in your password.


3. Pick trustworthy hosting providers

To break into your website, hackers first have to get past your hosting provider. Weak hosting companies cannot provide you with strong WordPress security features.

Therefore, you must pick the right hosting company for your website. The right hosting company can provide you with better security features and 24/7 security monitoring. Choose a hosting provider that supports a firewall and the latest versions of MySQL, PHP, and Apache.

There are many hosting companies with DDoS prevention measures. It is better still if your hosting company scans for malware regularly and performs daily backups.

If you do not know which hosting company is better for security, then check out Best managed WordPress hosting providers.


4. Keep your WordPress Updated

Updating WordPress is necessary for security. According to 2020 data, out of 4000 known vulnerabilities, 31.5% of WordPress websites are hacked through core WordPress. It means that if WordPress is not updated and you are still using an older version, your WordPress website can be hacked easily.

For security, you have to keep your WordPress installation updated. It is not only a precautionary measure; it also helps to maintain your website. Don't be afraid of WordPress updates; just keep up with them. If you keep up with updates, your website design will not be affected.


5. Keep themes and plugins Updated

Themes and plugins must be updated in time. An update brings new features and fixes old errors. Updates are released not only to provide new features to users but also to fix bugs and problems created by new WordPress releases. They also help you avoid bugs, potential WordPress security risks, and vulnerabilities. Outdated plugins and themes are a major weakness of WordPress websites.

Therefore, update your themes and plugins in time. Do not be afraid of updating themes and plugins. Just contact the developer if any problem arises. They will help you fix the error, and it also helps the developer learn about any problems in their theme or plugin.


6. Download themes and plugins from authentic sources only

Do not download themes and plugins from unknown websites. Such themes and plugins may be fake or nulled. According to 2020 data, out of 4000 WordPress websites, 54% were hacked using fake plugins and 14.5% were hacked using fake WordPress themes. I will explain below how nulled themes will destroy your website security.

Therefore, download themes that are found in WordPress.org search results, go to the developer's real website, or download themes from well-known sources.


7. Install firewall on Your Computer

Your computer must be free from any potential threat of being hacked. Installing a firewall on your computer helps protect it from online threats and from suspicious activity that attempts to connect to your computer.

If your computer is safe from hackers, then your website will also be safe from those hackers who try to reach it through your computer.


8. Use WordPress Security Plugins

WordPress security plugins are created to keep the WordPress dashboard and website secure from hacking and other threats. They build an extra defensive wall against hackers. They identify and block malicious or malware traffic. Security plugins reduce security risks.

Therefore, use WordPress security plugins to build an additional wall against hackers. You can use security plugins like All in One WP Security & Firewall, Wordfence, Plugin Security, etc.


9. Enable Security scans

Enable the security scans of your security plugins. Security scanning is needed for your website. Although it takes time, you have to scan your website as a precaution. Enabling security scans will scan your whole website to make sure there is no suspicious activity going on.

These security scans work like anti-virus software on your website: they remove suspicious activity and notify you immediately. Schedule scans as often as you need them; the shorter the interval between scans, the more effective they are. I recommend at least monthly. If you think your hosting company has vulnerabilities, then it is better to scan weekly or daily.


10. Don’t use nulled themes and plugins

Downloading themes from unknown, unauthentic websites without knowing the risk is understandable, but if you knowingly use nulled WordPress themes and plugins then you are looking for trouble.

Nulled WordPress themes and plugins are modified versions of pro or premium WordPress themes and plugins (without copyright). They are uploaded online for people to use for free. But remember, many nulled themes contain malware that can destroy your entire website.

In short, do not use nulled WordPress themes and plugins. Many of them contain malware infections and will destroy your website. To learn more, read Why you should avoid nulled WordPress themes & plugins.


11. Ensure regular backups

Make sure you have a backup or copy of your website data. If anything goes wrong with your website, you will still be able to rebuild it as it was before. It is the best precaution you can take, since you can easily restore your website. If you do not have a backup, start one right now.

There are lots of plugins on WordPress.org that will help you recover your website, such as UpdraftPlus, Backup WordPress, etc.


12. Monitor login History

Your login history can tell a lot about the activity in your dashboard and on your website. Keep track of your logins, monitor all activity yourself, and look for anything suspicious.

It is simple but effective. If you find a login at an irregular time, then change your password and username. This is auditing your website's login history.


Technical Security Tips

Technical security tips refer to the default settings of the WordPress dashboard. In some cases, you need code and a deeper knowledge of those settings. These tips are not hard to deal with, but they take a little of your time and effort. They are worth knowing and provide additional security for your website. They are as follows:

1. Always use two-factor authentication for login

You must use two-factor authentication for login. Even if your password is strong, it might still be stolen by hackers. Therefore, having a second authentication factor for login helps protect you from hackers by adding a verification step to the login process.

For two-factor authentication, you must download a plugin. After installing the plugin, you can connect it to your email address. When logging in, you then have to enter the code that was sent to your email address.


2. Be sure to hide your WordPress version number

You must hide your WordPress version number. Hackers who are looking for an opportunity can see your WordPress version number by inspecting the page source.

You can install a plugin to hide your WordPress version number, or you can add code to your site yourself.
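The following is an added example (not code from the original post) showing the code route: it removes the generator meta tag and the feed generator string, and strips the core version from the ?ver= query string on script and style URLs. It assumes you save it as a must-use plugin (for example wp-content/mu-plugins/hide-version.php, a hypothetical file name); the function name hv_strip_core_version is likewise my own.

```php
<?php
// Added example, not part of the original post.
// Save as wp-content/mu-plugins/hide-version.php (file name is an assumption).

// Remove <meta name="generator" content="WordPress x.y"> from the <head>.
remove_action( 'wp_head', 'wp_generator' );

// Blank out the generator string that WordPress also prints in RSS/Atom feeds.
add_filter( 'the_generator', '__return_empty_string' );

// Core appends ?ver=<core version> to its own script and style URLs, which
// leaks the version even when the meta tag is gone. Strip it only when it
// matches the core version, so plugin/theme asset versions still bust caches.
function hv_strip_core_version( $src ) {
    $core_version = get_bloginfo( 'version' );
    if ( false !== strpos( $src, 'ver=' . $core_version ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'hv_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'hv_strip_core_version', 9999 );
```

Hiding the version only removes an easy fingerprint; the real protection is tip 4, keeping core updated, because scanners can still identify a version from other files.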


3. Automatically Logout idle users

If you have a habit of leaving your account logged in in your browser, that can create a massive problem. It makes it easy for anyone to go through your dashboard and change the existing settings.

Either log out of your account manually, or install a plugin in your dashboard that automatically logs your account out after a certain period of inactivity.


4. Disable PHP Error Reports

PHP error reports help you find errors on your website by displaying them on screen. But leaving them on is not a good idea, because they expose your server path to potential attackers.

Therefore, you have to disable PHP error reporting. Copy this code:

// Silence PHP error reporting and stop errors from being printed to the page.
// Place it in wp-config.php above the "That's all, stop editing!" line.
error_reporting(0);
@ini_set('display_errors', 0);

Paste the code above into your wp-config.php file.


5. Use SSL and HTTPS

HTTPS refers to Hypertext Transfer Protocol Secure and SSL refers to Secure Sockets Layer. Using HTTPS and SSL gives your visitors a secure connection to your website: the information exchanged between your website and the visitor's browser is encrypted. Additionally, it also benefits your ranking in Google search.


6. Customize your login URL

In WordPress, the login URL is yoursitename.com/wp-admin or yoursitename.com/wp-login.php. It is the WordPress default, and many hackers take advantage of this. They know where your login page is, so they can start trying to crack your password.

Hence, we have to change our login URL. You can find security plugins for changing your website's login URL.


7. Disable your login hints

When logging in, you may enter the wrong password or username, or an old password that has since been changed. Your login page may then give a hint about which part, the username or the password, was wrong. This creates an opportunity for hackers: it makes it easier for them to work out your username and password.

Thus, you should disable your login hints. To disable them, insert the following in your theme's functions.php file:

// Replace every login error message with a single generic one,
// so the page no longer reveals whether the username or the password was wrong.
function no_wordpress_errors(){
   return 'Access Denied';
}
add_filter( 'login_errors', 'no_wordpress_errors' );

8. Disable trackbacks

Go to your dashboard > Settings > Discussion and uncheck the “pingbacks and trackbacks” option. This is for newcomers. Hackers can use trackbacks to attack other websites; it is related to DDoS attacks.

It is best for new websites or newcomers to have trackbacks disabled, although they do provide some benefits.


9. Protect your wp-config.php file

The wp-config.php file is the core configuration file of WordPress. We put all our settings into wp-config.php when installing WordPress. The file sits in the root directory of the website and contains important data about your site, including the database credentials.

If you secure the wp-config.php file by moving it to a higher-level directory (one level above your web root, where WordPress still finds it), your core file is harder for hackers to reach and they cannot use it to breach your website's security.


10. Disable XML-RPC

XML-RPC lets WordPress mobile applications and plugins talk to your site. Over HTTP, it passes data from a client device to the server. It also provides an opening for hackers to send commands in an attempt to gain access to your website.

Hence, disable XML-RPC. You can search for plugins on WordPress.org to disable XML-RPC; just enter “disable XML-RPC”.
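For tips 8 and 10 together, here is an added example (not code from the original post or from any plugin) that disables XML-RPC and pingbacks without a plugin. It assumes you save it as a must-use plugin under a hypothetical file name, wp-content/mu-plugins/disable-xmlrpc.php.

```php
<?php
// Added example, not part of the original post.
// Save as wp-content/mu-plugins/disable-xmlrpc.php (file name is an assumption).

// Reject XML-RPC logins. Note: this filter only blocks methods that require
// authentication; pingback.ping needs no login, so it is removed separately below.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Stop advertising the endpoint via the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Drop the pingback methods from the XML-RPC method table, so the site cannot
// be used as a pingback relay even if xmlrpc.php is reachable.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Enforce in code what Settings > Discussion does: new posts are created with
// pingbacks/trackbacks closed, regardless of what the stored option says.
add_filter( 'pre_option_default_ping_status', function () {
    return 'closed';
} );
```

Existing posts keep their own ping status, so close it on older posts from the editor if they were published with pingbacks allowed.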


11. Disable the WordPress theme and plugin editing

You may have other users who have access to your WordPress dashboard. They may change your theme and plugins, or remove the existing ones and install similar plugins and themes. That can create a lot of headaches if someone changes our current themes and plugins.

If you disable theme and plugin editing in your dashboard, then you have much more control over your theme and plugin settings. Enter the following code at the end of your wp-config.php file.

// Disable file edit 
define('DISALLOW_FILE_EDIT', true);

12. Turnoff Directory Browsing

You should block browsing of your directory files. That is where we keep the data and files that make up the website. If someone can browse your directories, they can find files to leave malicious code in and start attacking your website.

You have to add a directive at the bottom of your .htaccess file to turn off directory browsing.

13. Limit Dashboard Accessibility

Dashboard access should be controlled. There may be multiple authors, contributors, editors, and other users who access the dashboard. As the administrator, you must manage dashboard access and classify your users' roles in such a way that you keep full control over your dashboard.

Note: limiting dashboard access gives the administrator full control, and the roles of editors, contributors, authors and other users are clearly defined.


14. Limit logins based on number of fail attempts

If someone tries to log in and fails again and again, letting them keep trying gives them an opening to force their way in. Repeated failed logins are not a good sign. Hackers benefit if you do not set a limit on the number of failed attempts.

Therefore, you must set a limit on the number of attempts with a wrong password, as Facebook, Gmail, etc. do. Guessing passwords is a trial-and-error approach for hackers, so it is better to limit the attempts.
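As an added example (not code from the original post or from a plugin), here is a minimal per-IP lockout built on WordPress's own hooks and transients. It assumes the site is not behind a reverse proxy (so REMOTE_ADDR is the visitor's address), and the file name, constant names and function name are my own.

```php
<?php
// Added example, not part of the original post.
// Save as wp-content/mu-plugins/limit-logins.php (file name is an assumption).

const LL_MAX_ATTEMPTS = 5;       // failures allowed before lockout
const LL_LOCKOUT_SECS = 15 * 60; // lockout window in seconds

function ll_client_key() {
    // Key the counter on the remote address (assumes no proxy in front of PHP);
    // hash it so the options table never stores raw IP addresses.
    return 'll_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Count every failed login (wrong password or unknown username) against the IP.
// Attempts made during a lockout also land here, which extends the lockout.
add_action( 'wp_login_failed', function () {
    $key   = ll_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, LL_LOCKOUT_SECS );
} );

// Clear the counter once the user logs in successfully.
add_action( 'wp_login', function () {
    delete_transient( ll_client_key() );
} );

// Block authentication once the limit is reached. Priority 30 runs after the
// core username/password checks (hooked at 20), so the lockout holds even when
// the submitted credentials are correct.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( ll_client_key() ) >= LL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 1 );
```

If your site sits behind a CDN or load balancer, replace REMOTE_ADDR with the trusted client-IP header your provider sets; otherwise every visitor shares one counter.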


Conclusion

Even though you cannot have 100% security, you can always reduce your chance of being hacked. If you follow the WordPress security tips above, your website will have fewer vulnerabilities, which reduces the chance of being hacked. The security of your WordPress website depends heavily on the precautions you take.

Besides those tips, you can change your password regularly, keep your WordPress installation clean (remove unnecessary plugins or files), block hotlinking, use security plugins, and change the WordPress database table prefix.

You can leave your comment and suggestion down below in comment section.
