Best 5 Pointers to Ensure WordPress Website Security
Recently, a WordPress blog owner complained to me that his website got hacked and strongly blamed WordPress for it. As far as I know, he is not the only person complaining about WordPress security. My answer was: ‘What have you done to protect your WordPress website from being hacked?’ The answer was: pretty much nothing.
WordPress by itself is pretty solid. It’s just that you have to do some work to prevent it from being hacked. The task of this article is to discuss the 5 most important pointers for ensuring WordPress website security and to give you tips on how to better protect your website from malicious attacks.
Pointer 1: Secure Login Page
With WordPress, it is no secret that the back-end login page is reached by adding /wp-admin or /wp-login.php to the website’s URL. This is very tempting to brute force attackers, as many website owners are pretty careless about their access details and use the trite ‘admin’ or ‘admin123’, or something simple to remember such as the admin name followed by a year of birth. All that is left for brute force attackers is to run their lists of guessed usernames and passwords against your WP dashboard and do whatever they want once they are in.
Steps to ensure that your login page is secure:
- Ban users with repeated unsuccessful login attempts. If someone enters the wrong access details 3 or 5 times in a row, something is probably wrong with that user. Use a lockdown plugin, such as iThemes Security or Login LockDown, to block every user who reaches a chosen number of unsuccessful login attempts.
- Introduce two-factor authentication (2FA). 2FA is one more measure against brute force attacks. Plugins such as Google Authenticator add one more field to your login window, in which you enter either an answer to a security question or a secret code.
- Rename your login page URL. With a plugin like iThemes Security, you can change /wp-admin and /wp-login.php to other strings of text like /mplogin17 and /mp-login17.php. The less predictable your login URL, the fewer brute force attacks you’ll face.
- Your password should be secure. Mix uppercase and lowercase letters, sprinkle them with numerals and special characters, and you’ll get a truly secure password. Change your password at least once a month and do not disclose it to every single person.
By following these simple steps, you can minimize the likelihood of a brute force attack to 1%. I guess that’s much less work than saving your website after a hacker attack, so go for securing your admin panel access right after reading this article.
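As an added example (not code from the article or from the iThemes Security or Login LockDown plugins), here is a small must-use plugin that implements the first step above: it counts failed logins per client address in transients and refuses to authenticate that address for a while once the threshold is reached. The thresholds, the file name and the `example_` function names are assumptions chosen for this illustration.

```php
<?php
/**
 * Plugin Name: Example Login Lockout
 * Description: Temporarily blocks login attempts from an address after repeated failures.
 * Added example, not a product. Drop this file into wp-content/mu-plugins/ to activate it.
 */

// Hypothetical thresholds chosen for this example.
const EXAMPLE_LOCKOUT_MAX_ATTEMPTS = 5;                        // failures allowed within the window
const EXAMPLE_LOCKOUT_WINDOW       = 15 * MINUTE_IN_SECONDS;   // how long failures are counted
const EXAMPLE_LOCKOUT_DURATION     = 30 * MINUTE_IN_SECONDS;   // how long the block lasts

function example_lockout_client_key() {
    // Use REMOTE_ADDR only: X-Forwarded-For is client-controlled unless a trusted proxy sets it.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_lockout_' . md5( $ip );
}

// Count each failed login in a transient that expires with the window.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = example_lockout_client_key();
    $attempts = (int) get_transient( $key . '_count' ) + 1;
    set_transient( $key . '_count', $attempts, EXAMPLE_LOCKOUT_WINDOW );

    if ( $attempts >= EXAMPLE_LOCKOUT_MAX_ATTEMPTS ) {
        set_transient( $key . '_blocked', time(), EXAMPLE_LOCKOUT_DURATION );
        // Leave a trail in the PHP error log; repeated failures are a useful detection signal.
        error_log( sprintf(
            'example_lockout: blocked after %d failures (last username tried: %s)',
            $attempts,
            sanitize_user( $username )
        ) );
    }
} );

// Refuse to authenticate while the block is active. Priority 30 runs after the core
// username/password check (priority 20), so a correct password does not bypass the block.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( get_transient( example_lockout_client_key() . '_blocked' ) ) {
        return new WP_Error(
            'example_lockout_blocked',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// Clear the counters on a successful login so a user's own typos do not accumulate.
add_action( 'wp_login', function ( $user_login, $user ) {
    $key = example_lockout_client_key();
    delete_transient( $key . '_count' );
    delete_transient( $key . '_blocked' );
}, 10, 2 );
```

Transients live in the options table (or the object cache if one is configured), so the counters survive across requests without a schema change. If the site sits behind a reverse proxy, every visitor shares one REMOTE_ADDR and this would lock everyone out at once; in that setup the key must be derived from the proxy-supplied client address instead.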
Pointer 2: Secure Dashboard
It’s known that the WordPress Admin Panel is not that vulnerable by itself. However, more advanced hackers may go for it if they want to test their skills, and in that case the damage caused to the website is pretty drastic. You can secure your WordPress Dashboard by doing this:
- First of all, password-protect your wp-admin directory. Use the AskApache Password Protect plugin to set a separate password for your admin area, and access it by entering your WP login credentials followed by this password.
- Secondly, buy an SSL certificate to secure the data transfer between browser and server. Besides being a great security aid, an SSL certificate also benefits your SEO, as Google ranks SSL-encrypted websites higher in search results.
- Thirdly, know whom you entrust with access to your admin panel. If several authors write for your website and have access to your dashboard, restrict their access to the areas they need only. Moreover, make them come up with secure passwords, using the Force Strong Passwords plugin.
So, now you can be sure that no one gets into your admin panel without your permission. Good job! However, there are many other ways to attack your website. Let’s learn how to address them too.
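The password advice in Pointers 1 and 2 can be enforced rather than just requested. The following must-use plugin is an added example, not the Force Strong Passwords plugin or any code from the article: it rejects a new password on the profile screen and in the password-reset flow unless it meets a policy. The policy itself (12 characters, four character classes, not containing the username) and the `example_` names are assumptions for this illustration.

```php
<?php
/**
 * Plugin Name: Example Strong Password Policy
 * Description: Rejects weak passwords when a profile is saved or a password is reset.
 * Added example, not a product. Place this file in wp-content/mu-plugins/.
 */

// Returns a list of unmet requirements; an empty array means the password passes.
function example_password_problems( $password, $username = '' ) {
    $problems = array();
    if ( strlen( $password ) < 12 ) {
        $problems[] = 'at least 12 characters';
    }
    if ( ! preg_match( '/[A-Z]/', $password ) ) {
        $problems[] = 'an uppercase letter';
    }
    if ( ! preg_match( '/[a-z]/', $password ) ) {
        $problems[] = 'a lowercase letter';
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) {
        $problems[] = 'a digit';
    }
    if ( ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
        $problems[] = 'a special character';
    }
    if ( $username !== '' && stripos( $password, $username ) !== false ) {
        $problems[] = 'nothing that contains the username';
    }
    return $problems;
}

function example_password_error_message( array $problems ) {
    return 'Password too weak. It needs: ' . implode( ', ', $problems ) . '.';
}

// Profile screen: this action runs before the user row is written, and WordPress
// aborts the save when $errors is not empty.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // the password is not being changed
    }
    $problems = example_password_problems( wp_unslash( $_POST['pass1'] ), $user->user_login );
    if ( $problems ) {
        $errors->add( 'example_weak_password', example_password_error_message( $problems ) );
    }
}, 10, 3 );

// Lost-password form: same check, same abort semantics.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) || ! ( $user instanceof WP_User ) ) {
        return;
    }
    $problems = example_password_problems( wp_unslash( $_POST['pass1'] ), $user->user_login );
    if ( $problems ) {
        $errors->add( 'example_weak_password', example_password_error_message( $problems ) );
    }
}, 10, 2 );
```

For the SSL point in the second step, WordPress can also be told to refuse plain-HTTP dashboard sessions outright: adding `define( 'FORCE_SSL_ADMIN', true );` to wp-config.php redirects every /wp-admin and /wp-login.php request to HTTPS, so the password policy above is never checked over an unencrypted connection.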
Pointer 3: Secure Database
The next ‘soft spot’ of your WordPress website is your database. All the information on your website is stored there, so it’s crucial to protect it from unauthorized access by following these steps:
- Firstly, change your WP database prefix to a less predictable one. This can be carried out manually (which is pretty time-consuming) or with the help of plugins such as WP-DBManager or iThemes Security. And don’t forget to make a backup of your database before making any changes to it! Check out this detailed video tutorial that shows how to change the WordPress database prefix from your dashboard:
- Then, change your database access details to more secure ones. Again, use both uppercase and lowercase letters, numbers and special symbols.
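For readers who prefer the manual route over a plugin, here is an added example (not from the article, WP-DBManager or iThemes Security) of what the prefix change actually involves. It is a script meant to be run with WP-CLI as `wp eval-file rename-prefix.php` after taking the database backup the step above insists on. The new prefix `k7q2_` and the file name are assumptions; the two UPDATE statements are the part people most often forget, because the prefix is also baked into option names and user-meta keys such as `wp_user_roles` and `wp_capabilities`.

```php
<?php
/**
 * Example: rename the WordPress table prefix in place.
 * Added example, not from the page or any plugin it names.
 * Run with WP-CLI:  wp eval-file rename-prefix.php
 * Assumes a single-site install whose current prefix is $wpdb->prefix.
 */
global $wpdb;

$old = $wpdb->prefix;
$new = 'k7q2_';   // hypothetical new prefix: letters, digits and underscores only

if ( ! preg_match( '/^[A-Za-z0-9_]+$/', $new ) || $new === $old ) {
    WP_CLI::error( 'Choose a new prefix containing only letters, digits and underscores.' );
}

// 1. Rename every table that starts with the old prefix.
//    esc_like() escapes the underscore so LIKE does not treat it as a wildcard.
$tables = $wpdb->get_col(
    $wpdb->prepare( 'SHOW TABLES LIKE %s', $wpdb->esc_like( $old ) . '%' )
);
foreach ( $tables as $table ) {
    $renamed = $new . substr( $table, strlen( $old ) );
    $wpdb->query( sprintf( 'RENAME TABLE `%s` TO `%s`', $table, $renamed ) );
    WP_CLI::log( "$table -> $renamed" );
}

// 2. Option names and user-meta keys carry the prefix too (wp_user_roles, wp_capabilities,
//    wp_user_level, ...). Without this step nobody has a role and the dashboard is empty.
$cut = strlen( $old ) + 1;   // SUBSTRING() is 1-indexed
$wpdb->query( $wpdb->prepare(
    "UPDATE `{$new}options` SET option_name = CONCAT(%s, SUBSTRING(option_name, %d)) WHERE option_name LIKE %s",
    $new, $cut, $wpdb->esc_like( $old ) . '%'
) );
$wpdb->query( $wpdb->prepare(
    "UPDATE `{$new}usermeta` SET meta_key = CONCAT(%s, SUBSTRING(meta_key, %d)) WHERE meta_key LIKE %s",
    $new, $cut, $wpdb->esc_like( $old ) . '%'
) );

// 3. The installation still reads the old prefix from wp-config.php until that is changed.
WP_CLI::success( "Tables renamed. Now set \$table_prefix = '{$new}'; in wp-config.php." );
```

The last step can also be done from the command line with `wp config set table_prefix k7q2_`. Until wp-config.php is updated the site will show the installer screen, because WordPress looks for tables under the old name; that is expected, not a sign the rename failed.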
Pointer 4: Stay Cool with a Backup
It should be a rule of thumb that you always have a fresh backup of your website stored on your PC. With it, you can be sure that even if hackers get hold of your website, you have a way out: you can completely clear your website’s root folder and reinstall your website from scratch (and be more wary next time).
One more great thing about having a fresh website backup is that whenever something goes wrong while you’re customizing the website (to err is human), you can revert the changes by simply restoring your backup.
The WordPress plugin market provides a huge variety of backup plugins. Go for one that makes backups automatically, and have them done on an hourly or daily basis.
This is the Scheduled Backup page of the BackUpWordPress plugin. This popular backup plugin lets you set your own schedules for file and database backups and be sure that a fresh backup is always there in case it’s needed.
Pointer 5: Regularly Update your WordPress, Website Theme and Plugins
Are you familiar with those nagging update messages at the top of your WordPress admin panel? If you tend to ignore them, you’re in danger.
- Update your WP to the latest version whenever an update is out (make sure to back up your website first). The owner of this website has five pending updates, including a WordPress CMS update. I hope that when you see such a message, you proceed to creating a website backup and updating your website to ensure the maximum security level for it.
- Go for a modern website template that works with new versions of WordPress and update it in time. Entrust your website to a template from a well-established provider who guarantees that the template’s code is clean and well-written. For instance, go for new WordPress themes by TemplateMonster that are built with clean and valid HTML5 and CSS code. With such a template you can sit back and be sure that your website is secure template-wise.
- Plugins are great, but if you don’t update them regularly, you’re also at risk. Whenever you see a corresponding message, update the plugin. If an automatic plugin update is for some reason not working for you, don’t be lazy: update the plugin manually.
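Pointers 4 and 5 are really one procedure: take a fresh backup, then apply the update. The must-use plugin below is an added example (not code from the article, BackUpWordPress, or WordPress itself) that wires the two together: it dumps every table to a timestamped .sql file once a day through WP-Cron, takes another dump right before any automatic update runs, and opts the site in to automatic core, plugin and theme updates so the notices stop piling up. The backup directory, the `example_` names and the daily schedule are assumptions for this illustration.

```php
<?php
/**
 * Plugin Name: Example Backup-Then-Update
 * Description: Dumps the database daily and before every automatic update, and enables
 *              automatic core, plugin and theme updates.
 * Added example, not a product. Place in wp-content/mu-plugins/; PHP must be able to
 * write to the backup directory.
 */

const EXAMPLE_BACKUP_HOOK = 'example_daily_db_backup';

// Hypothetical location one level above the web root, so dumps cannot be fetched by URL.
function example_backup_dir() {
    return dirname( ABSPATH ) . '/wp-backups';
}

// Writes a SQL dump of every table with the site's prefix; returns the path or a WP_Error.
function example_run_db_backup( $reason = 'scheduled' ) {
    global $wpdb;
    $dir = example_backup_dir();
    if ( ! wp_mkdir_p( $dir ) ) {
        return new WP_Error( 'example_backup_dir', "Cannot create $dir" );
    }
    $path = sprintf( '%s/db-%s-%s.sql', $dir, gmdate( 'Ymd-His' ), sanitize_key( $reason ) );
    $fh   = fopen( $path, 'w' );
    if ( ! $fh ) {
        return new WP_Error( 'example_backup_open', "Cannot write $path" );
    }
    $tables = $wpdb->get_col(
        $wpdb->prepare( 'SHOW TABLES LIKE %s', $wpdb->esc_like( $wpdb->prefix ) . '%' )
    );
    foreach ( $tables as $table ) {
        // Table definition first, then one INSERT per row (values escaped with esc_sql()).
        $create = $wpdb->get_row( "SHOW CREATE TABLE `$table`", ARRAY_N );
        fwrite( $fh, "DROP TABLE IF EXISTS `$table`;\n{$create[1]};\n" );
        foreach ( $wpdb->get_results( "SELECT * FROM `$table`", ARRAY_A ) as $row ) {
            $values = array_map( function ( $v ) {
                return is_null( $v ) ? 'NULL' : "'" . esc_sql( $v ) . "'";
            }, array_values( $row ) );
            fwrite( $fh, "INSERT INTO `$table` VALUES (" . implode( ',', $values ) . ");\n" );
        }
    }
    fclose( $fh );
    return $path;
}

// Daily schedule via WP-Cron; the event is registered once and then recurs.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( EXAMPLE_BACKUP_HOOK ) ) {
        wp_schedule_event( time(), 'daily', EXAMPLE_BACKUP_HOOK );
    }
} );
add_action( EXAMPLE_BACKUP_HOOK, 'example_run_db_backup' );

// Fresh dump right before WordPress applies an automatic update ($type is core, plugin,
// theme or translation). A failed backup is logged; the update itself is not blocked.
add_action( 'pre_auto_update', function ( $type, $item, $context ) {
    $result = example_run_db_backup( 'pre-update-' . $type );
    if ( is_wp_error( $result ) ) {
        error_log( 'example backup before update failed: ' . $result->get_error_message() );
    }
}, 10, 3 );

// Opt in to automatic updates for everything the page tells you to keep current.
add_filter( 'allow_major_auto_core_updates', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
```

This dump covers the database only; the files side of the backup (wp-content with its themes, plugins and uploads) still has to be copied separately, as the BackUpWordPress schedule page above does. Each table is read into memory in one go, which is fine for a blog but not for a site with very large tables; at that size a plugin that streams rows, or mysqldump, is the better tool.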
Don’t blame WordPress for getting hacked; blame yourself. By implementing these simple security improvements, you’ll be able to prevent almost all the hacker attacks you’re likely to face. I wish you good luck in staying secure and having a thriving WordPress website!
If you have any questions or comments regarding WordPress security, I’ll be happy to address them below.