5 Tips to Improve WordPress Security
WordPress is by far the most popular content management system (CMS) in existence (they powered 32% of the Internet), primarily due to its tremendous ease-of-use, and the fact that even a novice can be posting blogs on the very same day after setting up a WordPress site.
It’s this very popularity that makes WordPress such an inviting target for hackers. Sucuri report shows that 83% of the 34,271 infected websites are WordPress. This being the case, it’s very important for every WordPress site owner to do everything possible to make your site secure.
Below are described five of the most important steps you can take to make your WordPress site as secure as it can be against attack.
The role of WordPress hosting
Most of the website hacks are originate through the website hosting company, which means that a great many WordPress hosts provide very little, and sometimes no security whatsoever for your website. The problem is that website hosting is a very competitive business, and many of the potential hosts out there offer very low rates which are attractive to site owners, often at $5 per month or less.
These are almost always the hosting companies which provide very little security service for you, so that even your $5 is wasted!
It is far better for you to invest in a strong website host, even WordPress itself, and pay a little more money each month for protection built into the WordPress template. If you are a site owner with limited expertise, it’s much better to leave security to the professionals.
The screenshot above shows the WordPress hosting company that hires up to 200 WordPress experts to support their customers. Rather than relying on the “all-rounded” tech supports who brand themselves of knowing everything, WordPress hosting company often comes with experts that offer WordPress specific support that you need.
By paying an extra $10 or $15 a month, you can get great WordPress hosting deals that have the maintenance and security job done by the professionals, rather than having to do it yourself.
Use strong passwords and avoid “Admin” as username
You have undoubtedly been advised many times to use strong passwords when trying to protect your private data and personal information from prying attempts by hackers. Even though it’s been harped on forever, it’s still a very valid point, because hackers certainly do spend plenty of time trying to guess easy passwords.
Once they know a certain amount of personal information about you, it can be quite easy for them to guess your birthday or your children’s names, or any other piece of personal information which could be used as a password.
Do you know which password is the most common? You will be surprised: “123456”,”password”,”12345678”,”qwerty” and “123456789” are the most used passwords.
To make a strong password, you can include the following:
- A string of characters which shouldn’t really make any sense whatsoever.
- It should not be a recognizable word.
- It should definitely not be a name or number which is part of your personal life.
- You should string together some combination of letters, numbers, and special characters, ideally in a random order.
Yes, this will be a much more difficult password for you to remember, but that’s the whole point – it’s very difficult for cyber attackers or anyone to remember or to guess.
If you need help to come up with a strong password, just use the services like strongpasswordgenerator.com or try Secure Password Generator, which can do the work for you. Once you’ve come up with this random string of characters, jot it down if you need to, or load it into your smartphone for easy retrieval.
The second part of this security effort is to avoid using ‘admin’ as a username, which is a very common mistake among WordPress site owners.
‘Admin’ should never be used as an administrator ID, because that is the very first thing that a hacker would guess as your admin ID. When setting up your admin ID, you should take the same steps that you did for your password, you should:
- Create a new user with administrator privileges.
- String together a random series of letters, numbers and special characters.
- Capitalize one or two of the letters used in your admin ID to make it even a little more difficult.
- Don’t forget to delete the “old admin” user from your WordPress.
The whole point of taking these precautions is to make your password and your administrator ID virtually unbreakable.
Use SSL for data encryption
When messages are sent between two parties, it’s possible for a cyber criminal to be waiting and intercept that message in between the two participants. In most cases, neither party is aware that their message has been hijacked, and that information has been stolen.
By using secure socket layers (SSL), this possibility can be prevented. To get a secure socket layer certificate, your website has to be moved over to HTTPS, and that means your website host will probably have to become involved to make the switch.
SSL certificates have a public key and a private key which work together to establish a connection which is encrypted. This pair of keys is established on your server once you have applied for a certificate signing request, and the SSL certificate issuer will then issue a private key to you while retaining the public key.
The certificate issuer never sees the private key, and that helps to ensure that the entire arrangement stays secure. Once this is set up on your server, it cannot be hacked by a cyber criminal, and all your communications will be secure.
To accomplish the move to SSL manually, it’s necessary to edit the wp-config.php file, so that the change can be reflected there. Once you’ve accomplished this, you can move the rest of your website over to HTTPS simply by using the appropriate settings in WordPress.
The beginning of your site URL must be changed to https://, for both your WordPress address and your site address.
Use two-factor authentication
One of the simplest security steps you can take to improve the overall safety of your web WordPress website is to implement two-factor authentication.
What is meant by this term is that in addition to providing users with the opportunity to log into your site using a password, they would also need to go through an additional security step to gain access. This is most often set up as a specially generated code which is sent to the user via email.
By implementing two-factor authentication, virtually all brute force attacks will be eliminated, and your site will be secure against such powerful attacks.
Two-Factor is one of the WordPress two-factor authentication plugins that you can use for free. Once you’ve installed and activated the plugin, you can configure the following 2FA methods:
- Email (send the authentication code via email)
- Time Based One-Time Password (codes are generated via the Google Authenticator app)
- Universal 2nd Factor (require a third party device)
If you are looking for alternatives, there are also a number of WordPress plugins that you can use in order to implement two-factor authentication. All these plugins will make the implementation of two-factor authentication very easy.
Apply updates frequently
Another of the very best things you can do to prevent attacks from cyber criminals is to keep your WordPress site updated frequently. Again, Sucuri’s 2017 report shows that 39.3% of hacked WordPress websites recorded out-dated installations.
Whenever updates are issued, they are generally in response to weaknesses or flaws which have been identified from previous versions of WordPress, and the updates help close up those loopholes or replace them entirely. If you don’t apply these updates as quickly as you receive them, your site will be left vulnerable to attack, since all those same vulnerabilities will then be known to the criminal minded elements on the Internet.
Hackers love attacking older versions of WordPress, since they have become relatively obsolete, and are generally defenseless against a determined attack. When updates are issued by WordPress, they will usually be displayed in the notification section of your dashboard, and when you notice that some are available, these updates should be applied at the earliest opportunity.
You should also ensure that all of your plugins are updated, so that they are likewise secure against cyber attack. Many older versions of plugins are targeted by cyber criminals for this very reason, i.e. they recognize that older versions of plugins are exploitable.
In order to make sure that you don’t overlook any updates which are available, you should have your site set to automatically download any available updates, and apply them immediately. These updates made available through WordPress are generally only major updates however, and all of the relatively minor WordPress updates will still have to be applied manually by yourself.
In order to do this, you simply need to navigate to your WordPress dashboard and click on the menu selection for Updates. This will show all available updates, and you can choose which ones you want to apply, but you should certainly apply all the ones which have anything to do with security.
You don’t have to worry about any potential hack when you can shore up the security with little effort. But remember, securing your WordPress website is an on-going process and should be one of the most important tasks on your list.