6 Jan' 20 | By christian
Even though WordPress is the most popular CMS in use, many still believe it is insecure and vulnerable to hacking. In part this is true, but with the correct setup and configuration, WordPress is as secure as any other CMS. Below are a few tips and tricks I like to use when securing a WordPress website. Follow them to secure your site too.
1. Rename and use strong names for your database information. This means having hard-to-guess database names, usernames and passwords. Don’t forget to change the table prefix. A lot of people don’t, and it gets left as the standard wp_, which means hackers will know all of your table names. Try something like wp_fuhncDF34_, which would be much harder for someone to guess. If you’re installing WordPress yourself, define your salt keys in the wp-config.php file; these will encrypt your password when it’s saved in WordPress.
2. Rename your login URL. The first thing a hacker will try to do is find your login page in order to brute force their way in. If you change the URL, only someone who knows it would be able to try to attack it.
3. Block users after multiple failed login attempts. A brute force attack is when someone spams the login form with many username/password combinations to try to guess valid credentials. If you limit failed attempts and ban the user from logging in, you stop them accessing the page and prevent the brute force attack.
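As an added example (not code from the original post), this is a small must-use plugin that implements tip 3 without a third-party plugin: it counts failed logins per client IP in a WordPress transient and refuses further attempts once the limit is reached. The limits, the `lal_` prefix and the use of `REMOTE_ADDR` are my own assumptions; `REMOTE_ADDR` is only the real client address when WordPress is not behind a reverse proxy or CDN.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example, not from the original post)
 * Save as wp-content/mu-plugins/login-attempt-limiter.php so it loads on every request.
 *
 * Assumptions: the limits below are illustrative, and the client IP is read from
 * REMOTE_ADDR, which is only correct without a reverse proxy or CDN in front.
 */

const LAL_MAX_ATTEMPTS = 5;       // failures allowed per window
const LAL_WINDOW       = 15 * 60; // window length and lockout length, in seconds

// Transient key derived from the client IP. Hashing keeps the key short and
// free of characters that are awkward in option names.
function lal_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lal_' . md5($ip);
}

// Count one failed login for this client. WordPress fires wp_login_failed for
// wrong passwords and also for the lockout error returned below, so every
// attempt made during a lockout refreshes the lockout window.
function lal_record_failure(string $username): void {
    $key   = lal_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, LAL_WINDOW);
}
add_action('wp_login_failed', 'lal_record_failure');

// A successful login clears the counter so that ordinary typos do not accumulate.
function lal_clear(string $user_login, WP_User $user): void {
    delete_transient(lal_key());
}
add_action('wp_login', 'lal_clear', 10, 2);

// Reject the login once the client is over the limit. Priority 30 runs after
// WordPress's own username/password check (priority 20), so this error replaces
// the result of that check, and a correct password no longer helps the attacker.
function lal_block($user, string $username, string $password) {
    if ((int) get_transient(lal_key()) >= LAL_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            sprintf('Too many failed logins. Try again in %d minutes.', LAL_WINDOW / 60)
        );
    }
    return $user; // null, WP_User or WP_Error from earlier filters, passed through unchanged
}
add_filter('authenticate', 'lal_block', 30, 3);
```

Transients live in the options table (or the object cache if one is configured), so the counter survives across requests and PHP workers. Behind a proxy, replace the `REMOTE_ADDR` lookup with the address your proxy passes in a trusted header, otherwise every visitor shares one counter and a single attacker can lock out the whole site.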
4. Implement 2-step authentication. This adds an extra layer of security to your account. After entering your username and password, you’ll be shown a second step. This is usually to enter a verification code that is sent to you via text message or generated by an authenticator app such as Google Authenticator. Having this extra layer of authentication means someone won’t be able to access your site unless they also have your phone.
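To show what the second step in tip 4 actually checks, here is an added example (not code from the original post or from any plugin) of a must-use plugin that adds a verification-code field to the login form and validates it as an RFC 6238 time-based one-time password, the scheme Google Authenticator implements. It assumes each enrolled user has a random 20-byte secret stored hex-encoded under the user-meta key `totp_secret_hex` (a key I made up for this example) and that the authenticator app was set up with that same secret, 30-second steps and 6 digits.

```php
<?php
/**
 * Plugin Name: TOTP Second Step (added example, not from the original post)
 * Save as wp-content/mu-plugins/totp-second-step.php.
 *
 * Assumptions: the secret is a random 20-byte value stored hex-encoded under the
 * user-meta key 'totp_secret_hex' (an invented key), and the user's authenticator
 * app uses the same secret with 30-second steps and 6 digits.
 */

const TOTP_STEP   = 30; // seconds per time step
const TOTP_DIGITS = 6;

// HOTP (RFC 4226) for one counter value; TOTP is HOTP over the time-step counter.
function totp_code(string $secret, int $counter): string {
    $msg  = pack('N*', 0, $counter);                // 8-byte big-endian counter (counter < 2^32)
    $hmac = hash_hmac('sha1', $msg, $secret, true); // 20 raw bytes
    $off  = ord($hmac[19]) & 0x0f;                  // dynamic truncation offset
    $bin  = ((ord($hmac[$off]) & 0x7f) << 24)
          | (ord($hmac[$off + 1]) << 16)
          | (ord($hmac[$off + 2]) << 8)
          | ord($hmac[$off + 3]);
    return str_pad((string) ($bin % (10 ** TOTP_DIGITS)), TOTP_DIGITS, '0', STR_PAD_LEFT);
}

// Accept the current step and one step either side to tolerate small clock drift
// between the server and the phone.
function totp_verify(string $secret, string $code, ?int $now = null): bool {
    $step = intdiv($now ?? time(), TOTP_STEP);
    $ok   = false;
    foreach ([-1, 0, 1] as $delta) {
        // hash_equals compares in constant time; never compare OTP strings with ==.
        if (hash_equals(totp_code($secret, $step + $delta), $code)) {
            $ok = true;
        }
    }
    return $ok;
}

// Add the extra field to the wp-login.php form.
add_action('login_form', function (): void {
    echo '<p><label for="totp">Verification code<br>'
       . '<input type="text" name="totp" id="totp" class="input" size="20" '
       . 'autocomplete="one-time-code" inputmode="numeric"></label></p>';
});

// Priority 30 runs after WordPress has checked the password (priority 20), so a
// correct password alone never produces a logged-in user for an enrolled account.
add_filter('authenticate', function ($user, string $username, string $password) {
    if (!($user instanceof WP_User)) {
        return $user; // password already rejected; say nothing about the second factor
    }
    $hex = get_user_meta($user->ID, 'totp_secret_hex', true);
    if ($hex === '') {
        return $user; // account has no second factor enrolled
    }
    $secret = hex2bin($hex);
    $code   = isset($_POST['totp']) ? preg_replace('/\D/', '', (string) $_POST['totp']) : '';
    if ($secret === false || $code === '' || !totp_verify($secret, $code)) {
        return new WP_Error('invalid_totp', 'Invalid verification code.');
    }
    return $user;
}, 30, 3);
```

`totp_code` can be checked against the test vectors in Appendix B of RFC 6238 (the 8-digit values there, reduced to their last 6 digits). Note what this does and does not cover: it protects the wp-login.php form only. XML-RPC and REST authentication paths accept a username and password without this field, so a real deployment pairs this with disabling XML-RPC or using a plugin that covers every login path, and it needs an enrolment screen that generates the secret and shows it as a QR code.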
5. Disallow file editing in the WordPress dashboard. WordPress has a theme editor in the dashboard. Anyone who is able to log in will be able to edit all of your theme files. Disallowing this prevents people from accessing it and making any changes they shouldn’t.
6. Disallow comments. As with the login form and any other form on your site, people can use the comments form to try to inject malicious code. Disabling comments prevents this. If you need to have comments enabled, you can require users to be logged in to post and limit the number of links a comment can contain. This helps against spam too.
7. Update WordPress and plugins. Hackers are continually evolving and trying to find new ways to hack WordPress and its plugins. Luckily, WordPress evolves just as quickly and patches the problems that are found. It’s no good sitting on version 4 of WordPress and being vulnerable to hackers; you need to keep your WordPress instance and all plugins up to date with the latest versions so you have the latest security and bug fixes.
8. Implement a security plugin. My personal favourite is Wordfence, but there are many others out there. These plugins come with a whole host of features to help secure your site, including file scanning for malware, firewalls and brute force protection.
9. Disable hotlinking. This is when someone takes an image from your site and puts it on their own website by linking directly to the file on your server, meaning they’re using your bandwidth. If multiple images are being shown on multiple sites, it can affect the speed of your own website and slow it down.
10. Implement an SSL certificate. With an SSL certificate, data transferred between the browser and the server (e.g. when logging in) is encrypted, making it difficult for hackers to intercept the information and make any sense of it.
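Tips 1, 5 and 10 are all settings in wp-config.php, so here is one added example (not from the original post) of the relevant section of a hardened wp-config.php. Every credential and key is a labelled placeholder; the only value taken from the post is the table prefix, and the `DISALLOW_FILE_EDIT`, `DISALLOW_FILE_MODS` and `FORCE_SSL_ADMIN` constants are real WordPress settings.

```php
<?php
// Hardened section of wp-config.php (added example, not from the original post).
// Every credential and key below is a placeholder: generate your own values.

// Tip 1: database credentials and table prefix. The default prefix 'wp_' tells an
// attacker every table name in advance; the installer accepts letters, digits and
// underscores for the prefix.
define('DB_NAME',     'placeholder_db_name');
define('DB_USER',     'placeholder_db_user');
define('DB_PASSWORD', 'placeholder-long-random-password');
define('DB_HOST',     'localhost');
$table_prefix = 'wp_fuhncDF34_';

// Tip 1: unique keys and salts. WordPress uses these to sign login cookies and
// nonces, so anyone who obtains them can forge a session. Paste fresh values from
// https://api.wordpress.org/secret-key/1.1/salt/ rather than inventing your own.
define('AUTH_KEY',         'placeholder: replace with generated value');
define('SECURE_AUTH_KEY',  'placeholder: replace with generated value');
define('LOGGED_IN_KEY',    'placeholder: replace with generated value');
define('NONCE_KEY',        'placeholder: replace with generated value');
define('AUTH_SALT',        'placeholder: replace with generated value');
define('SECURE_AUTH_SALT', 'placeholder: replace with generated value');
define('LOGGED_IN_SALT',   'placeholder: replace with generated value');
define('NONCE_SALT',       'placeholder: replace with generated value');

// Tip 5: remove the theme and plugin editors from the dashboard, so a stolen
// admin session cannot be turned into arbitrary PHP on the server through the UI.
define('DISALLOW_FILE_EDIT', true);
// Stricter variant: also block installing and updating themes and plugins from
// the dashboard, so code only changes through your deployment process.
// define('DISALLOW_FILE_MODS', true);

// Tip 10: once the certificate is installed, require HTTPS for login and the
// whole admin area so cookies and passwords never travel in clear text.
define('FORCE_SSL_ADMIN', true);

/* That's all, stop editing! Happy publishing. */
if (!defined('ABSPATH')) {
    define('ABSPATH', __DIR__ . '/');
}
require_once ABSPATH . 'wp-settings.php';
```

Changing `$table_prefix` is straightforward on a fresh install. On an existing site it is not just a config edit: every table has to be renamed, and the prefix is also embedded in the `{prefix}user_roles` option and in the `{prefix}capabilities` and `{prefix}user_level` user-meta keys, which must be renamed too or no user will have any permissions afterwards. Take a database backup first.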
These are just a few tips and tricks. If you want to secure your WordPress website even more, with one of our maintenance plans we will be able to implement all of these and more, giving you peace of mind knowing your website is in good hands.
Email email@example.com for FREE help, advice or emergency WordPress support.
We'll reply within 24 hours, often much sooner.