WordPress is the most popular CMS in the world with almost 75 million sites depending on it. Unfortunately, its popularity makes it a prime target for hackers and malware. After all, if a cybercriminal gains access to one WordPress site, they then have the wherewithal to possibly access millions of other business sites. So how can you keep your WordPress website safe from attack?
10 Ways to Keep Your WordPress Website Safe From Attack
#1 – Update your username and password.
Once your site launches, you should change your username from ADMIN to something unique to you. You should also make sure you regularly update your password. All too often, administrators just go with the default login, which makes it twice as easy for hackers to gain access to the backend of your site.
#2 – Create a nickname that’s different than your username.
If you write blog posts for your WordPress site, your name will probably appear as the author. WordPress allows users to specify how their name will appear. Make sure it differs from your login ID.
#3 – Turn on 2-step verification for all logins.
It’s true that 2-step verification can be a bit tedious. However, if your site stores sensitive information or you’ve been the victim of previous hacks, this will make it virtually impossible to access your site for anyone but you. You log onto the site using your username and password. Then, a verification code is sent to your phone. Without that code, you can’t gain access to the Dashboard.
#4 – Block certain IP addresses from logging on.
Certain WordPress plugins can record the IP address of every failed login attempt. You can then block those IP addresses. Admins also have the option of blacklisting all IP addresses but their own. Make sure you allow for a backup in case your device fails or you are working remotely. Otherwise, you may find yourself locked out of your WordPress website.
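The failed-login tracking described above can also be approximated from the web server's access log. This is an added example, not code from the original article or from any plugin; the log lines are constructed, and it assumes the common behavior where WordPress answers a failed login POST with status 200 and a successful one with a 302 redirect.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/Nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2024:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2024:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2024:10:02:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
"""

# client IP, method, path and status from one combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def failed_logins(log_text):
    """Count likely failed logins per client IP.

    Assumption (heuristic): a failed login POST returns 200 because the form
    is shown again, while a successful login returns a 302 redirect.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0] == "/wp-login.php" and status == "200":
            counts[ip] += 1
    return counts


def block_candidates(log_text, threshold=3, allowlist=()):
    """IPs at or above the threshold, never including allowlisted admin addresses."""
    counts = failed_logins(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allowlist)


if __name__ == "__main__":
    # 192.0.2.10 stands in for the admin's own (backup) address, so it is never blocked.
    for ip in block_candidates(SAMPLE_LOG, allowlist={"192.0.2.10"}):
        print("block candidate:", ip)
```

Behind a CDN or reverse proxy the first field is the proxy's address, so the log must record the real client IP before any of these candidates are blocked.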
#5 – Install a Security Plugin
You can install a third-party plugin to block bot traffic and monitor your site for security issues. Make sure you update your plugin regularly and ensure that it’s compatible with your version of WordPress.
#6 – Use Google Webmaster Tools to Scan for Malware
Google offers a free set of webmaster tools. You can log in using the same login as you would for Google Analytics or Search Console. Select “Health” from the menu and then click on “Malware.” You can ask Google to scan your site for malicious code.
#7 – Back Up Your Website Regularly
One of the easiest ways to remove malware from your site is to restore a backup of your site made before the code was installed. However, you do not want to lose content you might have added, so back up regularly. The frequency depends on how often your website content changes.
#8 – Host with a Reputable Company
As many as two-thirds of all WordPress websites are hacked because of a vulnerability at their hosting site. If you use a shared hosting plan, ask if your plan includes account isolation. This will keep other sites on the shared plan from affecting your site. Our recommended WordPress hosting provider for security and performance is WP Engine.
#9 – Update Your Computer Software
Since most sites are accessed using laptops, it’s very important that you keep your computer free from malware. Make sure you update your operating system with any new security patches.
#10 – Rename Your Login Page
Every WordPress website is accessed through the www.sitename/wp-admin page. If you rename this page, it makes it more difficult for hackers to find a way into your site. Your web designer can help with this, or there are third-party plugins that lock down the login page.
Signs You’ve Been Hacked
Following these tips for protecting your site will prevent most common hackers from getting into your site. However, if you find that a breach did occur, then you need to know how to recover your website. Here are some common ways hackers take control of WordPress websites.
- They redirect your site to another.
- There are unknown links installed on your landing pages.
- Visitors see advertisements in your header or footer that you did not authorize.
- A pop-up displays when visitors access your site.
The first step in taking back your website is to restore a backup. If you’ve been following Tip #7, then you should have a current backup ready for just such an emergency. Many times, restoring a previous version will take care of the issue.
Your second best course of action is to contact your web hosting company. They employ professionals specifically tasked with fighting off cybercriminals. Plus, if the breach occurred at the host, then they have a responsibility to help you restore your site.
Once you have regained control of your WordPress website, make sure you change all passwords, eliminate unknown users, and update all plugins.
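An added example (not from the original article) that checks a user export against tips #1 and #2 and the "eliminate unknown users" step above. The sample rows and the `known_logins` set are constructed; it assumes a CSV export from WP-CLI's `wp user list`.

```python
import csv
import io

# Constructed export, in the shape produced by:
#   wp user list --fields=ID,user_login,display_name,roles --format=csv
SAMPLE_EXPORT = """\
ID,user_login,display_name,roles
1,admin,admin,administrator
2,jsmith_ops,Jane Smith,administrator
3,editor_kim,editor_kim,editor
4,wp_support7,Support,administrator
"""


def audit_users(export_csv, known_logins):
    """Return (login, finding) pairs for accounts that break the article's rules.

    known_logins is the set of accounts the site owner expects to exist
    (an assumption of this example; maintain it outside WordPress).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        login = row["user_login"]
        shown = row["display_name"]
        roles = row["roles"].split(",")
        # Tip #1: the default "admin" username should have been changed.
        if login.lower() == "admin":
            findings.append((login, "default username"))
        # Tip #2: the public display name should differ from the login ID.
        if shown.strip().lower() == login.lower():
            findings.append((login, "display name reveals login"))
        # Recovery step: accounts nobody recognizes need review and removal.
        if login not in known_logins:
            findings.append((login, "unknown account (%s)" % "/".join(roles)))
    return findings


if __name__ == "__main__":
    expected = {"admin", "jsmith_ops", "editor_kim"}
    for login, finding in audit_users(SAMPLE_EXPORT, expected):
        print(login, "->", finding)
```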
If your site handles sensitive information, you might consider a website redesign that focuses on securing your information. A web designer can help you develop password-protected pages and add extra levels of security on the backend.