Securing a WordPress site is unfortunately something people only think about after tragedy strikes. But there are some very simple things you can do right now to significantly improve the security of your WordPress site.
First, it’s important to understand that if an experienced hacker really wants to compromise your website, they probably will regardless of how much security you have. Think about all the Fortune 500 companies and government agencies that get hacked. And they have teams of people solely dedicated to information security.
Instead, you should aim to secure your website from hackers who are just looking for a fast, easy opportunity. These hackers generally want to compromise a website to use its mail servers for spamming or to lock out the owner and hold it for ransom. They aren’t looking for a fight; they’re combing through a high volume of websites looking for easy targets.
Don’t be an easy target.
According to WP WhiteSecurity, WordPress hacks are carried out in four ways:
41% were hacked via a security vulnerability with their hosting provider
29% were hacked via a security issue in their WordPress Theme
22% were hacked via a security issue in their WordPress Plugins
8% were hacked because they had a weak password
Here are nine ways you can secure your WordPress site so hackers would rather move on to the next site rather than focus on yours:
1. Make Sure Your Site Isn’t Already Blacklisted
One telltale sign that your site has already been compromised is that its domain or mail servers have been blacklisted. The first thing you should do is check whether your domain or your mail servers appear on any blacklist, to make sure you’re starting from a clean slate.
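The blacklist check above can be scripted. The following is an added example, not code from the original post: it queries public DNS blocklists (DNSBLs) for a mail-server address and for a domain, the same lookups an online blacklist checker performs. The zone names are real public lists; the resolver is injectable so the logic can be exercised without network access, and the lookup names in the test data are constructed.

```python
"""Offline-testable DNS blocklist (DNSBL) check for a mail-server IP and a domain.

Added example, not from the original post. The zone names are real public
blocklists; the resolver is injectable so the lookup logic runs without network.
"""
import socket
import sys
from typing import Callable, Dict

# Commonly queried public lists (constructed selection; substitute your own).
IP_ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org"]
DOMAIN_ZONES = ["dbl.spamhaus.org", "multi.surbl.org"]


def ip_query_name(ip: str, zone: str) -> str:
    """DNSBLs are queried by reversing the IPv4 octets and appending the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def domain_query_name(domain: str, zone: str) -> str:
    """Domain blocklists (DBL/URIBL) take the bare host name under the zone."""
    return domain.strip().rstrip(".").lower() + "." + zone


def dns_resolver(name: str) -> str:
    """Return the A record for name, or '' when the name does not exist (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return ""


def is_listing(answer: str) -> bool:
    """A listing answers inside 127.0.0.0/8. Spamhaus answers 127.255.255.x when
    the query itself was rejected (open resolver, rate limit); that is an error,
    not a listing, and must not be reported as one."""
    return answer.startswith("127.") and not answer.startswith("127.255.255.")


def check_listings(ip: str, domain: str,
                   resolver: Callable[[str], str] = dns_resolver) -> Dict[str, str]:
    """Return {zone: answer} for every zone that lists the IP or the domain."""
    hits: Dict[str, str] = {}
    for zone in IP_ZONES:
        answer = resolver(ip_query_name(ip, zone))
        if is_listing(answer):
            hits[zone] = answer
    for zone in DOMAIN_ZONES:
        answer = resolver(domain_query_name(domain, zone))
        if is_listing(answer):
            hits[zone] = answer
    return hits


if __name__ == "__main__":
    # Usage: python dnsbl_check.py <mail-server-ip> <domain>
    listed = check_listings(sys.argv[1], sys.argv[2])
    for zone, code in listed.items():
        print(f"LISTED on {zone}: {code}")
    if not listed:
        print("not listed on any checked zone")
```

Run it against the public address of your mail server and your site's domain. A hit is reported with the list's return code (Spamhaus, for instance, encodes the reason for the listing in the last octet), which tells you which delisting procedure to follow; an empty result only means the zones you queried have nothing, so add the zones your recipients' providers actually use.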
2. Choose A Trusted Theme And Keep It Up-To-Date
Nearly one-third of all WordPress hacks are due to security issues with the theme. This happens for one of two reasons: either the theme wasn’t kept up-to-date, or the theme itself was compromised. Both are easy to fix.
The main reason people don’t keep their themes up-to-date is that they’ve tweaked the theme’s core files and know that updating will wipe out their tweaks. Don’t put yourself in this situation: keeping your themes and plugins up-to-date should be a top priority. You can avoid the problem by choosing a theme with plenty of customizability, ideally custom CSS support, so you never have to hardcode your own tweaks into the theme files.
Additionally, always download themes from trusted sources, ideally directly from WordPress.
To make it easier, we’ve put together lists of themes that not only meet these security requirements, but look and function great:
3. Use Secure & Trusted Hosting Providers
Vulnerabilities at an insecure hosting provider were the leading cause of WordPress hacks. This is more or less out of your hands once your site is live, so the best thing you can do is host your website with a trusted provider.
We’ve also made it easier to choose a website host by compiling these lists of the recommended hosts:
Not only do we recommend these hosting providers due to their security features, but they also provide world-class speed and page load times, and are the most competitively priced.
4. Install Wordfence
There are plenty of security measures you can take by custom-coding them into your website, and there are also plenty of security plugins that accomplish various tasks to secure your website. But since 22% of WordPress sites are hacked due to a vulnerability in one of their plugins, it’s best to use as few plugins as possible. Wordfence is one of the best all-in-one security plugins you can get: it limits login attempts, hides your WordPress version, scans your files, and notifies you of changes or available updates. This is a must-have.
5. Install 2-Factor Authentication Login
The only necessary feature not available in the free Wordfence plugin is 2-factor authentication for logging in. Google Authenticator is a wonderful free plugin that provides this exact functionality.
6. Strong Usernames And Passwords For Admins
This should be obvious, but making sure all admins have very strong usernames and passwords helps prevent brute-force attacks, in which a hacker uses a program to try every possible combination of letters and numbers. Having a long, complex username and password will keep your account secure.
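To show what the "limit login attempts" feature from point 4 actually does against the brute-force attacks described here, the following is an added example in Python (not Wordfence code and not from the original post) that models a login throttle: failures are counted per source address and per account over a sliding window, and once the limit is reached further attempts are refused before the password is even checked. The thresholds, the in-memory state and the attempt log are constructed for the example.

```python
"""Model of the login-attempt limiting that plugins such as Wordfence perform.

Added example, not plugin code. Thresholds, the constructed attempt log and the
in-memory state are assumptions; a real plugin stores this in the database or
an object cache so every PHP worker shares it.
"""
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple

Key = Tuple[str, str]


class LoginThrottle:
    def __init__(self, max_failures: int = 5, window: int = 300, lockout: int = 900):
        self.max_failures = max_failures   # failures allowed inside one window
        self.window = window               # seconds over which failures are counted
        self.lockout = lockout             # seconds an address/account stays locked
        self.failures: Dict[Key, Deque[float]] = {}
        self.locked_until: Dict[Key, float] = {}

    @staticmethod
    def _keys(ip: str, username: str) -> List[Key]:
        # Count per source address AND per target account, so one account
        # sprayed from many addresses is still locked.
        return [("ip", ip), ("user", username.lower())]

    def lock_reason(self, ip: str, username: str, now: float) -> Optional[str]:
        """'ip' or 'user' if the attempt must be refused, else None."""
        for key in self._keys(ip, username):
            if self.locked_until.get(key, 0.0) > now:
                return key[0]
        return None

    def record_failure(self, ip: str, username: str, now: float) -> None:
        for key in self._keys(ip, username):
            stamps = self.failures.setdefault(key, deque())
            stamps.append(now)
            while stamps and stamps[0] < now - self.window:   # slide the window
                stamps.popleft()
            if len(stamps) >= self.max_failures:
                self.locked_until[key] = now + self.lockout
                stamps.clear()

    def record_success(self, ip: str, username: str) -> None:
        for key in self._keys(ip, username):
            self.failures.pop(key, None)


def replay(attempts, throttle: LoginThrottle) -> List[str]:
    """Feed (time, ip, username, password_ok) records through the throttle and
    return one decision per record: 'allowed', 'failed', 'blocked:ip' or 'blocked:user'."""
    decisions = []
    for now, ip, username, password_ok in attempts:
        reason = throttle.lock_reason(ip, username, now)
        if reason:
            decisions.append(f"blocked:{reason}")   # refused before the password is checked
        elif password_ok:
            throttle.record_success(ip, username)
            decisions.append("allowed")
        else:
            throttle.record_failure(ip, username, now)
            decisions.append("failed")
    return decisions


# Constructed attempt log (RFC 5737 documentation addresses): a guessing run
# against 'admin', then the same account from a second address, then a normal login.
ATTEMPTS = [
    (0, "203.0.113.7", "admin", False),
    (10, "203.0.113.7", "admin", False),
    (20, "203.0.113.7", "admin", False),
    (30, "203.0.113.7", "admin", False),
    (40, "203.0.113.7", "admin", False),   # 5th failure: locks the address and the account
    (50, "203.0.113.7", "admin", False),
    (60, "198.51.100.9", "admin", True),   # right password, but the account is locked
    (70, "198.51.100.9", "editor", True),
]

if __name__ == "__main__":
    for record, decision in zip(ATTEMPTS, replay(ATTEMPTS, LoginThrottle())):
        print(record, "->", decision)
```

Two design points worth noticing: the lock is keyed on the account as well as the address, so the seventh record is refused even though the password is right, and the decision is made before the password is verified, so a locked attacker learns nothing about whether a guess was close. The cost is that an attacker can lock a real user out of their own account for the lockout period, which is why plugins pair this with the rename-the-admin-user advice above.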
7. Change Your WordPress Database Prefix
A weakness within WordPress is that all sites use the same MySQL database prefix by default, so a hacker has some initial information to work with right from the start. You can change this, but it’s much easier to do while first installing WordPress. If your website is already up and running, you’ll have to follow somewhat complex directions or install a plugin to do this.
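As an added illustration of those "somewhat complex directions" (this is example code, not from the post or from WordPress), the following Python script generates the SQL and the wp-config.php edit for changing the prefix on a single-site install. The prefix k7x_ in the usage line is a made-up value. The two UPDATE statements matter: the wp_user_roles option and the wp_capabilities/wp_user_level usermeta keys carry the prefix inside their values, and skipping them leaves every user without a role after the rename. Plugin tables use the prefix too, so the script also prints a SHOW TABLES check to run once the core renames are done.

```python
"""Generate the SQL and the wp-config.php edit for changing a WordPress table prefix.

Added example, not the post's or WordPress's code. It only prints statements;
review them and take a database backup before running them.
"""
import re
import sys
from typing import List

# Tables a stock single-site WordPress install creates. Plugins add their own
# prefixed tables, so the leftover check below must come back empty afterwards.
CORE_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "termmeta", "terms", "term_relationships", "term_taxonomy", "usermeta", "users",
]


def validate_prefix(prefix: str) -> str:
    """WordPress accepts only letters, digits and underscores; keep the trailing '_'."""
    if not re.fullmatch(r"[A-Za-z0-9_]+_", prefix):
        raise ValueError(f"invalid table prefix: {prefix!r}")
    return prefix


def like_literal(prefix: str) -> str:
    """'_' is a single-character wildcard in LIKE, so escape it for an exact match."""
    return prefix.replace("_", r"\_")


def rename_statements(old: str, new: str) -> List[str]:
    """RENAME TABLE for every core table, then fix the rows whose *values* embed the
    prefix: the 'wp_user_roles' option and the 'wp_capabilities'/'wp_user_level'
    usermeta keys. Without those updates every user loses their role."""
    validate_prefix(old)
    validate_prefix(new)
    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in CORE_TABLES]
    start = len(old) + 1   # SUBSTRING positions are 1-based
    stmts.append(
        f"UPDATE `{new}options` SET option_name = CONCAT('{new}', SUBSTRING(option_name, {start})) "
        f"WHERE option_name LIKE '{like_literal(old)}%';"
    )
    stmts.append(
        f"UPDATE `{new}usermeta` SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {start})) "
        f"WHERE meta_key LIKE '{like_literal(old)}%';"
    )
    return stmts


def leftover_check(old: str) -> str:
    """Lists any table (plugin tables included) still carrying the old prefix."""
    return f"SHOW TABLES LIKE '{like_literal(validate_prefix(old))}%';"


def update_wp_config(config_text: str, new: str) -> str:
    """Rewrite the $table_prefix line; refuse if it is absent or appears twice."""
    validate_prefix(new)
    pattern = re.compile(r"^(\s*\$table_prefix\s*=\s*)['\"][^'\"]*['\"](\s*;)", re.MULTILINE)
    updated, count = pattern.subn(lambda m: f"{m.group(1)}'{new}'{m.group(2)}", config_text)
    if count != 1:
        raise ValueError(f"expected one $table_prefix assignment, found {count}")
    return updated


if __name__ == "__main__":
    # Usage: python change_prefix.py <old_prefix> <new_prefix>   (e.g. wp_ k7x_)
    old, new = sys.argv[1], sys.argv[2]
    print("\n".join(rename_statements(old, new)))
    print(leftover_check(old))
```

Apply it in this order: put the site into maintenance mode, take the backup from point 8, run the printed statements, rename any tables the SHOW TABLES check still reports, and only then rewrite $table_prefix with update_wp_config, since the moment that line changes WordPress starts querying the new names.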
8. Constantly Back Up Your Database And Files
Should something ever go wrong, having backups is a great safety net to limit your downside. There are three ways we prefer to keep backups, all of which are fast, easy and secure:
- Use VaultPress, a plugin owned by Automattic
- Use Duplicator Plugin
- Manually export database files via MySQL and website files via FTP client
Regardless of which method you use, yet another safety measure to incorporate would be to keep redundant backup files locally on your computer as well as in the cloud on Dropbox.
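The manual export route, scripted: the following is an added Python example (not the post's code) that reads the database credentials from wp-config.php, runs mysqldump, archives the site directory, and writes a SHA-256 manifest so the copy you later pull back from the cloud can be verified before you restore from it. It assumes mysqldump is installed; the paths in the usage line are placeholders, and the wp-config.php text in the test is constructed.

```python
"""Scripted backup of a WordPress database and files with integrity digests.

Added example, not the post's code. It assumes mysqldump is on PATH and that the
site root holds a standard wp-config.php; the paths in __main__ are placeholders.
"""
import hashlib
import re
import subprocess
import sys
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Dict, List

DB_KEYS = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")


def read_db_settings(config_text: str) -> Dict[str, str]:
    """Pull the define('DB_*', '...') values out of wp-config.php."""
    settings = {}
    for key in DB_KEYS:
        m = re.search(r"define\(\s*['\"]%s['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\)" % key, config_text)
        if not m:
            raise ValueError(f"{key} not defined in wp-config.php")
        settings[key] = m.group(1)
    return settings


def backup_basename(site: str, when: float) -> str:
    """UTC timestamped name so backups sort chronologically and never collide."""
    return f"{site}-{time.strftime('%Y%m%dT%H%M%SZ', time.gmtime(when))}"


def dump_database(settings: Dict[str, str], out_path, runner=subprocess.run) -> List[str]:
    """Run mysqldump with the credentials in a private option file rather than on
    the command line, where every local user could read them from `ps`."""
    # NamedTemporaryFile creates the file with mode 0600.
    with tempfile.NamedTemporaryFile("w", suffix=".cnf", delete=False) as cnf:
        cnf.write("[client]\nuser=%s\npassword=%s\nhost=%s\n" % (
            settings["DB_USER"], settings["DB_PASSWORD"], settings["DB_HOST"]))
    cmd = ["mysqldump", f"--defaults-extra-file={cnf.name}",   # must be the first option
           "--single-transaction", "--quick", settings["DB_NAME"]]
    try:
        with open(out_path, "wb") as out:
            runner(cmd, stdout=out, check=True)
    finally:
        Path(cnf.name).unlink()
    return cmd


def archive_files(src: Path, dest: Path) -> int:
    """Pack the site directory into a gzip tarball; return the member count."""
    with tarfile.open(dest, "w:gz") as tar:
        tar.add(src, arcname=src.name)
    with tarfile.open(dest, "r:gz") as tar:
        return len(tar.getmembers())


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(paths: List[Path], manifest: Path) -> Dict[str, str]:
    """sha256sum-compatible manifest: copy it with the backups so a restore can
    verify the files were not corrupted or altered in transit."""
    digests = {p.name: sha256_file(p) for p in paths}
    manifest.write_text("".join(f"{d}  {n}\n" for n, d in digests.items()))
    return digests


def run_backup(wp_root: Path, backup_dir: Path, site: str = "site") -> Dict[str, str]:
    base = backup_basename(site, time.time())
    backup_dir.mkdir(parents=True, exist_ok=True)
    settings = read_db_settings((wp_root / "wp-config.php").read_text())
    sql, tgz = backup_dir / f"{base}.sql", backup_dir / f"{base}-files.tar.gz"
    dump_database(settings, sql)
    archive_files(wp_root, tgz)
    return write_manifest([sql, tgz], backup_dir / f"{base}.sha256")


if __name__ == "__main__":
    # Usage: python wp_backup.py /var/www/example /backups/example   (placeholder paths)
    for name, digest in run_backup(Path(sys.argv[1]), Path(sys.argv[2])).items():
        print(digest, name)
```

Run it from cron and sync the backup directory to your cloud copy; before restoring, `sha256sum -c` against the manifest tells you whether the copy you downloaded is the one you wrote. Keep in mind that the archive contains wp-config.php and therefore the database password, so the backup location needs the same access controls as the site itself.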
9. Keep Your Computer Safe And Secure
Last but not least, it’s important to keep your computer secure. Regardless of how many safety measures your WordPress site has, if you log in to your site from a compromised computer, you can forget about all those security measures!
By addressing the four main security vulnerabilities responsible for WordPress hacks, you make it likely that hackers will move on to the next potential target rather than try to breach your website specifically. It’s a numbers game for them, and these nine strategies will tip the scales in your favor.
Did we forget any? Have any other good ones? Let us know in the comments!