Keeping your WordPress installation secure should be your number one priority when it comes to managing a website. WordPress is one of the most popular content management systems available in the world of web development with a market share of over 27%. Similar to Windows, this popularity only encourages hackers to prefer attacking WordPress sites over sites built on other CMSs. To make matters worse, studies have shown that over 70% of WordPress installations are vulnerable to attacks.
Clearly, WordPress security is an issue, one far too many sites don’t take seriously enough. That’s why we’re going over our top WordPress security tips to ensure your site is safe from any type of attack hackers may throw at it. Let’s start with a few external resources you should consider using.
Create a Secure Foundation
We’ll go over specific tips and tricks you can use to secure WordPress in a moment. Let’s talk about a few things you can do to build a solid foundation first. The purpose of this foundation is to keep the majority of hackers at bay. Think of it like a moat around a castle. It’s not 100% foolproof, but it’s the first line of defense hackers need to get through.
Choose Quality Hosting
Your WordPress installation exists as a folder on a server, a server you likely pay someone else to manage, such as a web host. Server security is vital to your site’s overall security strategy because of this. Similar to that moat, your server is your first line of defense.
For that reason, you should choose a quality web host that uses the best and most up-to-date technology. Check out our post comparing the best managed WordPress and shared hosts if you need help deciding.
Use a Dedicated Security Solution
Sometimes, it’s better to pass off the management of certain things to someone else. This is one of those times. There are several services out there that will help keep your site free of malware and intruders. The top security plugins for WordPress are definitely Wordfence and iThemes Security.
You can also rely on a service that integrates with WordPress but isn’t built exclusively for it. This includes Sucuri, a popular service that offers similar features to the plugins suggested above.
Create Regular Backups
We’ll get to our top WordPress security tips right below this section, but let’s be real. No security solution or strategy can ever be 100% secure. Hackers seem to always find a way. Let’s talk about what you can do to get your site back on track when that happens.
If the problem is malware, the security solutions mentioned above, particularly Wordfence and Sucuri, offer cleanup services that remove it from your site. Unfortunately, when malware does find its way into your installation, it can cause permanent damage that simply removing it cannot fix. This is where backups are useful.
If you create regular backups of your site, you won’t need to worry too much about hackers altering things. All you’ll need to do is remove the malware, secure the hackers’ entry points, and restore anything that was lost or changed. Most decent hosts create daily backups for you, but you can also take matters into your own hands by using a dedicated backup plugin.
You can also use a plugin called WP Time Capsule alongside these solutions to create restore points for your site.
Let’s switch gears and get into our top security tips for WordPress.
Use Secure Login Information
This should be a given, but many users fail to take precautions when it comes to their login information. We’re going to go over basic and advanced login security tips because of this.
For starters, don’t use “admin” for any administrative username, and don’t use your author or display name, either. You should also use strong passwords for every admin account, and force users to create them as well. Many plugins allow you to do this, including Force Strong Passwords, Wordfence and iThemes Security. Consider using a password generator for this purpose.
Advanced Login Security Tips
Another thing you can do to keep hackers from accessing your administrative accounts is to enable two-step authentication. It’s similar to the one you can use for your Google account. All you need to do is connect your admin account to your phone. This requires you to provide your password as usual, but it adds an extra layer of security by requiring you to input a unique code it texts to your phone. You can do this with plugins like Duo, Rublon and Wordfence.
Another thing you can do is change the error message that appears when you enter an incorrect username or password. The default error messages tell you whether it was the username or the password that was invalid, which lets an attacker confirm that a username exists before guessing its password. You can change this message to any text you want by adding this code to your functions.php file:
// Return one generic message for every failed login instead of the default errors.
function no_wordpress_errors() {
    return 'Sorry. Try again.';
}
add_filter( 'login_errors', 'no_wordpress_errors' );
Change the “Sorry. Try again.” text to anything you want.
Lastly, you can deter bots by adding CAPTCHA tools to all login modules and forms on your site as well as by limiting login attempts with plugins like WP Limit Login Attempts, Limit Login Attempts Reloaded, Wordfence and iThemes Security.
Develop Safe Downloading Habits
WordPress is an open-source CMS that has thousands upon thousands of wonderful themes and plugins you can download to enhance the way your site looks and functions. However, it’s important to keep in mind that what you’re doing when you install a theme or plugin is adding someone else’s code to your site. This can lead to a number of different issues.
For starters, this code may contain malicious content that can infect your installation with malware. Some of this content may even target your site’s visitors. It can also contain outdated code, bugs and security flaws that can have negative impacts on your site.
Here are a few tips you can use to prevent bugs and security issues from occurring when you install new themes and plugins:
- Only download WordPress products from trusted sources and developers.
- Only download products that have been updated in the last 12 months.
- Only download products that are well supported.
- Read the reviews of the products you want to download to see if other users have issued warnings.
It should also be noted that you should limit your reliance on plugins. If you can accomplish something without one, do so.
Keep Everything Up to Date
The bug fixes and security patches developers release as updates for their products only work if you actually install them. This is why it’s important for you to keep everything, especially WordPress core, up to date. It may even be worth it to have WordPress itself update automatically.
Set up an update schedule for themes and plugins, such as once a week, every two weeks or every month, to keep everything up to date.
Create a Maintenance Schedule
Performing regular maintenance on your site can help it run in tip-top shape, but it can also ensure it’s as secure as possible. Go through your collection of themes and plugins every six months or so. Outdated themes and plugins can create huge security holes in your WordPress installation, so we recommend performing “audits” on your collection every now and then.
Make sure every theme and plugin you have installed on your site receives regular updates and support. You should also delete themes and plugins you aren’t using anymore. Just be sure to keep the most up-to-date default theme in your collection.
If you need help with WordPress maintenance, be sure to check out our article 8 WordPress Maintenance Tips to Make Your Site Run Smoothly.
Use Secure File Permissions
This is a bit of an advanced security tip, but it’s an important one if you have access to your site’s file system and use it often. You need to use secure file permission values for the folders and individual files in your WordPress installation to prevent unauthorized access to them.
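Use 755 for folders and 644 for files. With these values, only the owner can write, while everyone else can read (and, for folders, enter) them. Also, be certain to never use 777, as this grants read, write and execute access to every user on the server and so leaves your site’s file system unrestricted.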
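One way to check an installation against these values, as an added example that is not part of the original article: the script lists folders that are not 755 and files that are not 644, flags anything world-writable, and can reset the tree to the baseline. The function names and the sample tree it builds are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit a WordPress tree against the 755/644 baseline.

# Print every directory that is not 755 and every file that is not 644.
audit_perms() {
    find "$1" -type d ! -perm 755 -print | sed 's/^/DIR  /'
    find "$1" -type f ! -perm 644 -print | sed 's/^/FILE /'
}

# Print anything writable by "other" (the dangerous bit in 777 and 666).
world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print
}

# Reset the tree to the baseline. find does not follow symlinks by default,
# so links pointing outside the tree are left alone.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree (not a real install) so the script runs offline.
demo() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/wp-content/uploads"
    touch "$root/index.php" "$root/wp-config.php"
    chmod 755 "$root" "$root/wp-content"
    chmod 644 "$root/index.php"
    chmod 777 "$root/wp-content/uploads"   # the setting the article warns about
    chmod 666 "$root/wp-config.php"
    echo "Before:"; audit_perms "$root"
    fix_perms "$root"
    echo "After: $(audit_perms "$root" | wc -l) deviations"
    rm -rf "$root"
}

# Audit the path given as the first argument, or run the demo without one.
if [ -n "${1:-}" ]; then audit_perms "$1"; else demo; fi
```

Run the audit before the fix on a live site, since a host may intentionally set tighter values on some files and `fix_perms` would loosen them to 644.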
Use a Secure Database Prefix
Some hackers are able to wage war against your server by attacking it through your site’s database prefix. Other security protocols are important for blocking attacks, but similar to your username and password, this merely provides an extra layer of security for you to use.
All you need to do is avoid using the default “wp_” database prefix. Treat it like your username, and pick something that’s unique, short and easy for you to remember and hard for hackers to guess. Also, keep in mind that some hosts handle this for you when you install WordPress by adding a random number and/or letter to the default prefix.
Final Thoughts
As you can see, securing your WordPress site comes down to a few basic things. This includes building a strong foundation that blocks the majority of attacks, but it also includes things like using secure login information and maintaining your site properly.
You should also cut back on plugin use, keep tabs on all of your products and dispose of outdated ones. If you find all of this overwhelming and wish to have these things handled for you, host your site with a managed WordPress host or consider using a WordPress maintenance service.