WordPress security guide to keep your site safe

Security threats aren’t just for WordPress.

All platforms, private or open source, are under attack 24/7.

Luckily, the WordPress community offers many solutions to make your job easier.

Below are some important steps to keep your WordPress site safe from security threats.

How to secure your WordPress site

There are eight basic actions every WordPress publisher should consider in order to mitigate malicious activity and vulnerabilities.

By following these best practices, your WordPress site will be ready for the onslaught of hackers that probe your website every day.

• Use HTTPS.
• Do not use the word “admin” as an administrator username.
• Enforce the use of strong passwords.
• Update plugins and themes.
• Website backup plan.
• Minimize the use of plugins.
• Two-factor authentication.
• Install a WordPress firewall and vulnerability scanner.

Let’s look at each of these in a little more detail.

1. Add HTTPS/SSL

Most sites now use HTTPS. However, if your site doesn’t use HTTPS, check with your web host about adding a free SSL certificate.

Simply set your WordPress address and site address using https://. this is,[一般設定]You can do it in tabs.

If your site is upgrading from insecure to secure, the Really Simple SSL plugin (used by over 5 million websites) is worth considering. This is because it really simplifies the conversion to HTTPS by handling redirects and other related tasks.

Really Simple SSL also helps mitigate security threats like clickjacking and cross-site forgery attacks by giving you the option to add security headers.

Installing an SSL certificate is a trivial task these days.

Many web hosts offer free SSL certificates. Additionally, this is known as a Google ranking factor.

After converting to HTTPS, we recommend verifying that no pages request HTTP links or content.

Checking for mixed content is mandatory.

Mixed content is when insecure website assets (scripts, images, videos, etc.) are linked from HTTPS pages.

Crawl your site with Missing Padlock to quickly identify instances of mixed content, link to HTTPS assets, and fix errors.

2. Use a secure admin username

Security attacks on the WordPress login screen are overwhelmingly done with the username “Admin”.

There are two main types of attacks that attempt to crack login passwords:

• Brute force.
• dictionary attack.

A brute force attack is one in which automated hacking software attempts to guess administrator passwords using various combinations of words, letters, and numbers.

A dictionary attack is when hacking software attempts to guess administrator logins using common passwords.

The administrator username used by these software is often “Admin”.

Not using the word “admin” in your username is a simple step to secure your WordPress site.

To go one step further, you can use the Wordfence security plugin to create firewall rules to automatically block humans or bots trying to log in with the username Admin.

3. Enforce strong passwords

Do not allow anyone, especially users with administrator-level privileges, to create weak passwords.

Even low-privileged users of a website, such as subscriber level, can be attack vectors. That’s why it’s important to enforce strong passwords for everyone who can log in to your WordPress site.

Used by over 1 million users, the popular iThemes Security WordPress plugin offers enhanced login password strength and two-factor authentication.

A password security policy that enforces strong passwords can also be enabled using the Wordfence WordPress security plugin.

4. Update plugins and themes

Some updates to plugins, themes, and the core WordPress installation itself are intended to fix (patch) vulnerabilities.

Not updating your software can make your site vulnerable.

Most updates work fine. In rare cases, an update can change something in the software and start conflicting with another plugin or theme, causing your site to crash.

In that case, if your site is backed up, you can easily rollback your site to its previous state.

The best way to update plugins and themes is to stage your site and see if it works fine with the updated software.

However, if you haven’t staged your site, your second option is to back up your site and then update it.

Test your site to make sure everything works. If your site malfunctions, use your backups to roll back.

A third option is to set all plugins to auto-update so you don’t even have to think about it. When something breaks, roll back to restore it to its original state.

5. Backup your WordPress website

It is very important to back up your website daily.

There are many things that can go wrong, but having a backup can save your life when something catastrophic happens to your site.

The UpdraftPlus WordPress Backup Plugin is a popular and trusted solution used by over 3 million users.

I use it on all of my websites and can confidently recommend it.

In the event of a website redesign that didn’t go your way, you can now easily restore your site to a previous version.

Another popular solution is called WP Rollback.

WP Rollback has over 200,000 installs and the people who create the software are expert WordPress developers you can trust.

Works well with themes and plugins downloaded from WordPress.org.

6. Minimize plugin usage

Every plugin installed increases the chances of one of them exposing your site to vulnerabilities.

Aside from security reasons, using too many plugins not only impacts your site’s performance, but also increases the chances of your site crashing due to code conflicts between two or more plugins. Become.

Plan ahead which plugins you will use to accomplish what you want.

Some plugins can perform multiple tasks, eliminating the need to install a standalone plugin to accomplish one thing.

7. Implement two-factor authentication

Two-factor authentication is what we call two-factor authentication because you need two forms of identity to log into a WordPress site that has this feature turned on.

The first element is the username and password.

The second factor is a second form of authentication, usually using an app such as Authy or Google Authenticator on the user’s mobile phone.

So even if a hacker has access to your username and password, they won’t be able to log in without a second authentication.

There are many WordPress plugins you can choose to add this functionality.

WP 2FA

WP 2FA is a popular choice for adding two-factor authentication.

We support multiple two-factor authentication methods including Google Authenticator, Authy, email link, email OTP, and push notification.

Additional methods such as voice authentication and WhatsApp authentication are available in the Pro version.

Wordfence login security

Wordfence is a brand you can trust. Its standalone two-factor authentication plugin supports Authenticator, Authy, 1Password, and FreeOTP.

Additionally, security plugins like Wordfence and iThemes Security also have the option to enable two-factor authentication.

8. Install a WordPress Security Plugin

Security plugins are useful because they can close security holes and block hackers from trying to exploit those vulnerabilities.

There are two types of WordPress security plugins.

• Enhanced security and scanning.
• firewall.

Here are some tools that we recommend.

scri security

Sucuri is a reliable choice for security plugins. Owned by GoDaddy.

Sucuri scans your site for malware and gives you options to harden your site against exploits.

Choosing Sucuri is easy as it complements firewall plugins such as Wordfence.

The paid version also includes a firewall.

jetpack protect

Jetpack Protect is made by Automattic, behind WordPress.com, Akismet, WPScan, WooCommerce, and more.

Jetpack Protect runs daily malware scans of WordPress core, plugins and themes.

This free plugin is relatively new and was spun off as an independent plugin in 2022.

Wordfence Security – Firewall, Malware Scanning & Login Security

Wordfence is a popular choice for WordPress security. Over 4 million active installations.

Wordfence acts as a firewall to protect your website from hacking attacks, and can ban automated hacking bots and real hackers in real time if their activity matches the hacker’s patterns.

Users can configure the Wordfence firewall with rules that can block hackers instantly.

Wordfence also helps harden your site against hacks by providing two-factor authentication and disabling PHP from running in folders it shouldn’t run.

Another advantage of Wordfence is that the plugin will send you email reminders when you need to update the plugin.

The paid version of Wordfence receives firewall rules to protect against the latest exploits as soon as Wordfence recognizes them.

iThemes security

iThemes Security is an all-in-one plugin that scans and hardens websites and blocks malicious bots as a firewall. It has over 1 million active installs.

iThemes handles a lot of security-related activities, making it a popular choice for those who want one plugin to do it all.

Take additional WordPress security steps

These are additional steps to building a strong security posture.

Check your PHP version

PHP is the software that WordPress runs on.

Outdated PHP versions can expose your site to security vulnerabilities.

Make sure the PHP version used has not reached end of life (EOL).

Scan for online vulnerabilities

Here are three online tools to scan for vulnerabilities or check if your site has been hacked.

The future of WordPress security

Hackers attack all sites regardless of the content management system (CMS) used.

WordPress is the world’s most popular CMS and a target for hackers.

Luckily, WordPress has a large community working to keep it secure, which is an advantage other platforms lack.

Every WordPress website owner should consider taking the time to ensure that measures are in place to keep their WordPress site completely secure.

Other resources:

Featured image: Shutterstock/fizkes