In the WordPress community, the process of improving a WordPress website security is referred to as “hardening”. Why? Because the entire process kind of like adding reinforcements to your stronghold.
Just like how bolstering the gates and adding lookouts on every watchtower makes your stronghold safer, doing the following security measures on your WordPress site will ultimately reduce the chances of it getting attacked by hackers or viruses.
If you haven’t taken any steps to improve your security, then you’re putting your website at risk. Especially if you’re an eCommerce store or handle customer information.
When you’re ready to “harden” your WordPress security, read on:
1. Implement website lockdown
Brute force hacking is a common method used by hackers to figure out a site’s login details. To overcome this problem, you’ll need to implement a lockdown feature for your website.
A lockdown feature will basically lock the site down whenever a hacker attempts to log in multiple times with repetitive wrong passwords. When that happens, the site will be locked and you’ll receive a notification from the unauthorized activity.
Certain WordPress plugin, such as iThemes Security, lets you set up a lockdown feature for your site. You can even set the number of failed login attempts on it, after which the plugin will automatically ban the hacker’s IP address.
2. Set up 2-factor authentication
A great security measure that you should add is the 2-factor authentication (2FA) process on the login page. With 2FA, the user will have to provide login details for two different components which can be decided by the website owner.
The two components can be a mix of a regular password followed by a specific code, secret questions, a set of characters, etc. The easiest way to set up a 2-factor authentication is to use the Google Authenticator plugin, which can be done in just a few clicks.
3. Changing your login URL
A WordPress login page can easily be accessed by adding a wp-login.php or wp-admin to your site’s main URL. Having an easy-to-access login page is basically akin to showing hackers the front door to your house and letting them brute force their way in.
To avoid having hackers at your door, you’ll need to customize the WordPress login page. Thankfully, changing the admin URL is quick easy to do. Plugins such as the iThemes Security plugin can help you change your login URL.
By changing your login URL, you’ll be able to restrict unauthorized entities from accessing the login page, thus greatly reduce the threat of a brute force hacking.
4. Encrypting data with SSL
An SSL (Secure Socket Layer) certificate is another security measure that’s important for any WordPress website owner. For starters, an SSL certificate ensures that any data transfers that occur between a user’s browser and your server are encrypted, thus making it difficult for hackers to disrupt your connection or steal your info.
Another reason to get an SSL certificate for your is to improve your ranking on Google. Sites without SSL certificates will be labeled as “not secure” which makes your website appear untrustworthy.
You can purchase an SSL certificate from websites such as SSL Comodo which offers certificates and security measure for all sorts of websites, ranging from small (blogs, portfolio sites, etc.) to big (eCommerce stores, company website, etc.).
Conversely, you can also check if your web host offers SSL services. Some hosting company offers SSL certificates as an add-on service while others, such as SiteGround or Exabytes, offers them for free.
5. Change your admin username
One common mistake that WordPress beginners often make is to not change their admin username. When WordPress creates your administrator account, they will use “admin” as the username.
Here’s the thing, if you still have “admin” as your username, you’re basically leaving one of your doors unlocked to intruders. All they have to do is figure out your password and then your website will end up in the wrong hands.
We recommend creating a new admin account with a different username and deleting the old “admin” account as soon as possible.
6. Constantly perform site backups
When it comes to website security, there’s always room for improvements. However, one of the best failsafe for any business or website owner is to have an off-site backup that you can revert back to.
With a backup, you can always revert your WordPress website to a working state should anything bad happen, such as a malware attack or a virus in your system.
There are various ways that you can perform backup for your website. Plugins such as BackUp Buddy can be used to automatically back your website up if you don’t want to do it manually or rely on backup services from hosting companies.
7. Go for the best hosting you can afford
At the end of the day, no matter how much security you put on to your website, if you don’t have a good hosting provider at the other end, all of your efforts will go to waste. Based on a report from WP White Security, 41% of WordPress attacks happened due to a security vulnerability from the host.
With that high of a number, it’s important that you choose the best WordPress hosting that you can afford to ensure that your website is properly secured.
Particularly for WordPress websites, a managed hosting provider that specializes in WordPress will more likely include better security measures such as WP firewalls, up-to-date PHP and MySQL, regular malware scanning, and servers that are better suited for running WordPress.
There’s more to secure a WordPress blog than just installing a security plugin and just leaving it at that. There are many crooks and nannies that a hacker can exploit if you’re not cautious and don’t harden your WordPress security constantly.
Following all the steps we’ve listed above is the key difference for taking your website from a mediocre security strategy to a great one.