If you are like 90% of WordPress users, you might not think security is an important issue.
“Who is going to hack my website?”
This is the usual response when website owners are asked about security. Because of this attitude, securing a website is not a top priority for most bloggers or even webmasters.
It might sound too boring and technical, but it is quite important to secure your WordPress website. Securing your website doesn’t need to be a complicated task. With some basic knowledge of WordPress, you’ll be able to secure your website, and feel proud doing it!
Follow these steps to make your WordPress site free from malware and threats.
- Delete the default WP account
After your initial WordPress installation, the default account is most often named “admin”, and the majority of users stick with this username.
This is a dead giveaway for hackers. It makes it quite easy for them to guess your username (and it also provides a small amount of motivation).
If you haven’t changed your username since the installation, now might be the time. If your website has a single user, create a new user with administrator privileges. Log in to that account and delete the default “admin” account.
- Secure Your Passwords
According to WordPress’s security team, passwords are the least secure part of anything we do. This is because we don’t put much thought into making a new password. A secure password is one that uses a combination of:
- Upper case letters
- Lower case letters
- Special Characters
If you aren’t able to come up with one such password, you can try one of the many password generator tools (Random.org, for example.)
Clef is a security plugin which largely (though not entirely) eliminates the need for passwords and lets you change your login form into a “jumping bars”-based login form.
Once the plugin is activated, you need to sync bar patterns with a smartphone to log in. After you have a secure password, make sure you change it every 72 days or sooner.
- Be updated
Being a WordPress user, you have to keep everything up to date. “Everything” means all installed plugins, themes and the WordPress CMS version as well. This is because developers consistently work to sort out bugs and fix loopholes in plugins.
Even if you have a theme or plugin that you don’t use very often, you should update it as well. Many times, people don’t update the plugins they don’t use; this is an easy way for hackers to get in.
- Change the Default Database Table Prefix
The default prefix for tables in WordPress is wp_, and hackers know this.
What does it matter?
If your website is using the default prefix, hackers already know the table names. This makes an attack somewhat easier than if they first have to discover what the table names are.
While installing WordPress itself, you should change the “wp_” to something unique (of course not your domain name).
- Use Trusted Security Plugins and Tools
If you surf the Internet regularly, then you might have noticed that there is a huge range of security tools, plugins, and other utilities available. Some are more popular than others; pay attention to which ones are the most reliable and have the highest user ratings.
Among the services you can trust are those offered by your web host itself, such as “Security & Acceleration” packages. Although they can’t serve as full-time security substitutes, they work quite well as a starting point.
These services are useful, but you should not pay too much for these.
There are different plugins and tools you can utilize for securing your WordPress website. Incapsula CDN (Content delivery network) gives users a two-fold advantage:
- Accelerate your website
- Protect your website against DDoS attacks
However, being a WordPress user, you can secure your websites with several other plugins. Some recommended plugins include:
- All In One WP Security & Firewall
- iThemes Security
- Wordfence Security
- Sucuri Security
- WP Antivirus Site Protection
You’ll just have to make sure that these plugins are configured correctly for the best results.
- Avoid Unauthorized Access
Many businesses find it quite hard to make time for their blog. Usually, these companies hire freelancers to contribute to their WordPress blogs. In most cases, once the owner has paid the freelancer, they stop caring until the website gets hacked or something else goes wrong.
This is easily avoided if the webmaster removes the user’s access after the job is done, or never provides that access in the first place.
To make sure users don’t ruin your WordPress website, you can:
- Remove any authorization for a freelancer once their job is done.
- Use the password generators for randomized passwords.
- Don’t use any password based on words which are commonly used on the website.
- Add freelancers with the “Author” role, not as an “Administrator” or any other role beyond what they are actually working on.
- You can also ask freelancers to submit their posts in a separate document and upload them manually.
- Choose a Secure Web host
It seems people compromise on security far too often. Shared hosting packages aren’t very secure, and free hosting packages are the easiest targets for hackers.
This doesn’t mean that you need to spend tons of money on web hosts. One can easily find reliable web hosting that is affordable.
If you are a professional webmaster, then you should be experienced in secure web hosting. If you are running any business online, then you may need to hire WP Experts to keep your hosting secured. It is up to you or your company to spend some time on research and come up with a reliable web host.
- Backup, Backup, & Backup
You can’t always stop hackers from infecting your website.
- Once, a 16-year-old boy in London named Richard Pryce hacked America’s most secure military systems.
- A 15-year-old boy once hacked NASA’s network.
- Gary McKinnon once managed to hack the most secure military computers of the USA, which also included Area 51.
So if you think that some plugins and protocols can always keep out hackers from your WordPress website, you might need to think twice.
The best thing you can do on your end is to back up your WordPress database and your site files (via FTP). This way, if you are picked clean, you can flush everything out, restore everything, change all the passwords, and get back to business in under an hour!
If your web host offers backup solutions, that’s even better. However, you should use it only if it is provided free of cost. You just need the last 2-3 versions of your database and files. Don’t eat up all your server space by keeping junk.
Luckily, there are plugins for this, too. An awesome and free solution to utilize is BackWPup. It is a free plugin, but if you are managing a company website, you should opt for the paid option.
- Remove WordPress Version
To make things a bit tedious for the hacker, you can remove your WordPress version from being displayed in public. Doing this isn’t rocket science, but it should be done with caution as it needs the functions file (one of the core theme files) to be edited.
You can find your functions.php file in Dashboard > Appearance > Editor > functions.php.
You need to add the following line:
Don’t forget the closing tag “?>” at the end of your code.
Also, with a few small changes in the code, you can remove the WordPress version from places such as your RSS feed as well. Although some plugins are available for this job, there is no need to install another plugin if you can do the work yourself.
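The snippet below is an added example, not code from the original article: it hides the WordPress version from the page head and, going a step further than the article, from the feeds and from the `?ver=` query string on core scripts and styles. It assumes a standard WordPress install and that the lines are pasted inside the existing `<?php` block of your theme’s functions.php (a child theme is safest, so theme updates don’t overwrite it); `example_strip_core_version` is a hypothetical name chosen here.

```php
// Added example: hide the WordPress version string (not from the original article).
// Paste inside the existing <?php block of functions.php (preferably a child theme).

// 1. Remove <meta name="generator" content="WordPress x.y.z"> from the <head>.
remove_action( 'wp_head', 'wp_generator' );

// 2. Blank out the generator tag everywhere else WordPress emits it
//    (RSS/Atom feeds, comment feeds, the export file).
add_filter( 'the_generator', '__return_empty_string' );

// 3. Core scripts and styles are served with ?ver=x.y.z, which reveals the same
//    version. Strip the query arg only when it equals the core version, so plugin
//    and theme assets keep their own cache-busting version numbers.
//    (Hypothetical function name; any unique prefix will do.)
function example_strip_core_version( $src ) {
    if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'example_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'example_strip_core_version', 9999 );

// If functions.php ends with a closing ?> tag, make sure nothing (not even a blank
// line) follows it: stray output before the headers breaks logins and feeds.
```

After saving, view the page source and the feed URL; the generator tag and `ver=` should no longer show the core version.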
Managing a WordPress website isn’t too hard. You have a lot of guides and resources at your disposal. Keep your website updated, everything from plugins and themes to the WordPress version itself. Go with a secure web host and follow the above tips to keep your website secure.