WordPress is the world’s most popular website platform. Providing a solid baseline that can be further enhanced with thousands of community-sourced plugins, it can do almost everything you can think of. But success can draw the wrong kind of attention, with many WordPress website owners finding their sites under attack.
Fortunately, there are plenty of ways to up the security of your WordPress site that don’t require a lot of know-how. Below, we look at how you can improve the security of your WordPress website, whether you’re just starting out or well established.
1. Use the right WordPress security plugins
You likely have a number of plugins installed on your site, covering everything from basic features to fully-fledged ecommerce capabilities. With all the possibilities available, it’s no surprise that plugins can be used to help you secure your WordPress site, too. Here are some essential WordPress plugins to consider:
All-in-one security plugins
Wordfence, Cerber Security and iThemes Security are security plugins that act as all-in-one firewalls for your WordPress site. They scan the files of your website to ensure there’s no malware hidden in anything that’s been uploaded. They also mitigate brute force attacks by limiting login attempts to the site, among many other features. If you’re serious about protecting your site, using at least one of these plugins is a must.
Audit log plugins
An audit log plugin, such as WP Security Audit Log, is also a very helpful tool for managing your server. These plugins will show you a log of any activity on your website, including showing when users log in or out, and any changes to your site’s files. By collecting this information into one place, they help you keep an eye on what’s happening to your site.
Two-factor authentication plugins
Two-factor authentication (2FA) isn’t implemented in WordPress sites by default, but you can get a plugin to do it. Two-factor authentication adds a crucial extra step to logging into your website, preventing unauthorised logins even if they crack your password. All-encompassing plugins such as Wordfence also include 2FA within their functionality, and as you’ll find out, it’s best to limit your number of plugins where possible.
2. Upgrade to HTTPS
Where having an SSL certificate used to be something reserved for ‘proper’ websites, initiatives from web giants like Google to push sites towards HTTPS have had a huge effect on the prevalence of site encryption. Now, sites with only HTTP are flagged as insecure when visited, which can be problematic when you’re trying to draw visitors to your site.
But looking good for potential visitors isn’t the only reason why HTTPS is so vital. Having HTTPS in place prevents data being intercepted while it’s being transmitted across connections by encrypting it while in transit. This protects it from not only malicious attackers, but also intrusive companies and ISPs that seek to monitor the data.
You’ll need to choose whether you go for a free or paid SSL certificate, but what you choose will depend on the site you have. Whichever method you decide, HTTPS is a must for your website.
3. Move away from default settings
By default, the URL of the page you use to log into and administer your website will be www.example.com/wp-login. It may also refer to /login or /admin. The issue with these URLs is that they’re easy to guess for someone who isn’t familiar with your site. All they need to access your login form is the address of the website, which they can easily see if it’s public. They can then get to your login page using one of the above URLs, then proceed to make any number of attempts at breaching your account.
Furthermore, the default administrator login is set to ‘admin’. That means that if your site is left using the defaults, someone can reach your login page and enter the correct username without needing to crack anything. They only have the password to get past at that point before gaining access to your site.
That’s why we recommend using one of the security plugins above, which will automatically detect if a user is named admin and allow the username to be changed to make it more difficult to guess the login details. They also enable you to adjust the login URL of the site to make it harder for unauthorised users to locate it.
While a strong password and 2FA setup will prevent many attempts to access your account, every step you can take to prevent attackers even getting that far is a no-brainer.
4. Keep up to date
Even if you have no plugins installed, there are a few things powering your site that will be updated every so often, including your WordPress install itself. And no matter what cocktail of plugins you decide to add to your setup, they will all need updating at some point or another.
It’s critical that you ensure your WordPress install and all of your plugins are always updated to the latest version. While this seems like a hassle at times, especially when you have a lot of plugins, it’s vital that any patches are applied as soon as possible. To find out why that is, simply take a look at the patch notes released with each update. You’re likely to come across a number of bug fixes – and many of those represent vulnerabilities within the plugin or within WordPress itself.
When vulnerabilities are discovered, the plugin creators are often very quick to fix them, announcing the latest version as soon as they can. However, as users do not update their plugins often enough, many are left without the fix – and with a gaping hole in their security.
If you are running quite a lot of plugins, a further plugin such as Easy Updates Manager allows you to click a single button to check for, and install, all available updates. This makes it far easier to ensure that all possible holes are patched.
5. Minimise your footprint
Contrary to many of the suggestions in this post, another effective method of increasing your WordPress site’s security is to try and use as few plugins as possible. Rather than using a completely different plugin for each feature, try and find a plugin that encompasses all of those features into one. These multi-functional plugins also tend to have better support behind them than those that only fulfil one function, with many of the larger security and management plugins even having whole teams of people working on them.
Every separate plugin or theme you have installed on your WordPress site should be treated like another door you need to lock, and another potential entryway for malicious attackers. Therefore, minimising your number of plugins is a surefire way of reducing the likelihood of an unauthorised user accessing your site.
And vulnerabilities being found in plugins is not rare – in 2020 three popular plugins were found to contain vulnerabilities, and more recently other plugins like User Submitted Posts and Abandoned Cart Lite for WooCommerce have been under the spotlight for their security risks. which allowed unauthorised users to gain admin access. The compromised versions of these plugins affected a combined 400,000+ websites.
6. Create secure accounts
Still using a weak password or using the same one for all of your accounts? It’s time to switch to a strong, unique username and password to keep your WordPress site secure. If a hacker can guess your login credentials, this could give them unfettered access to your website, where they can steal data, install malware, reduce your revenue and severely damage your reputation.
The key to a strong password is to make it very hard to guess – your password should have lots of characters, including a mix of uppercase letters, lowercase letters, numbers and symbols. If you’ve got a team of employees, make sure you highlight the importance of setting a strong password and not sharing it with anyone else.
Team training can go a long way towards improving your site’s security, but to be extra safe, you should always set the appropriate permissions for each account. This will prevent junior employees from accessing important files they don’t need to see, reducing the risk of security breaches and accidental file deletion. Plus, if you create accounts for freelancers and developers, you should always remember to remove them after their work is complete. Inactive accounts can easily become potential entry points for hackers, so don’t get complacent with them.
7. Create backups
In the unfortunate event that your WordPress website is hacked, you’ll need to mitigate the damage to your business as much as possible. Data is your most valuable asset, so protect it by creating off-site data backups you can access if data on your site is deleted, compromised or held hostage by cybercriminals.
There are multiple types of backups you can create, and the more backups you have, the more protected your data will be. For example, you could store copies of your data in both the cloud (using a cloud backup solution) and on a physical device – just make sure that these backup locations are secure too! You should back up your website daily or at least weekly so that you always have a recent version of your WordPress site to fall back on.
8. Scan for malware
Security breaches aren’t always easy to spot. To ensure that no hackers slip through the cracks, you need to consistently and automatically scan for malware on your WordPress website. This will instantly alert you if the worst should happen.
There are plenty of malware scanning plugins you can download to constantly monitor your site’s security, or you can install an all-in-one WordPress security plugin that includes this feature. With automatic malware scanning, you can rest easy knowing that hackers won’t be able to get past your defences undetected.
9. Implement downtime monitoring
Security breaches can lead to website downtime, which can seriously damage your reputation and profits if it isn’t resolved quickly. However, you certainly don’t have time to constantly check the status of your website, so how can you ensure that you respond quickly enough if your website goes down?
This is where downtime monitoring can be extremely helpful. Website monitoring and all-in-one plugins like Jetpack will contain downtime monitoring tools that make it super simple to keep track of the current status of your site. You’ll receive instant alerts if something goes wrong, and you can check the detailed activity log to pinpoint exactly how, when and why downtime occurred.
10. Install a WordPress firewall
You should already have a firewall for your server if you’ve chosen a reputable web hosting provider, but have you installed one for your WordPress site? WordPress firewall plugins like Shield Security and Security Ninja will monitor the traffic coming to your site, blocking potentially harmful visits by scanning for suspicious IP addresses and bots. Installing a WordPress firewall is a quick and easy way to instantly block harmful traffic from your website and reduce your overall vulnerability to security breaches.
11. Choose the right hosting provider
Finally, don’t forget to choose carefully when selecting a hosting provider for your website. Not all hosting companies are equal when it comes to security, so make sure you choose a reputable provider that offers great security features and technical support. Key features to look out for include:
- 24/7 support
- Secure data centres
- Built-in firewalls
- Regular data backups
- Free SSL certificates
- Security scans
While WordPress with its customisability is a powerful platform when running your own website, it’s worth bearing in mind that installing third-party code onto your site is always a security risk. But with these tips and common sense, you can minimise the risk considerably.
We offer WordPress Hosting here at Fasthosts, which will automatically apply WordPress patches and hotfixes to your install, as well as allow you to enable auto-updates for full versions. You can take care of keeping your site up to date without lifting a finger, and all your sites will be hosted in our secure UK data centres.
