Do I really think I'm in the mood to write blog posts day in and day out, or week in and week out? Probably not, but I still need to build a solid habit of writing regular posts here. Somehow I am now getting into the habit of writing a post every week, and this one is all about how you can secure your WordPress site. We all know the internet is an unsafe place, and increasingly dangerous if you are not prepared for it, while at the same time it offers more and more opportunity. Just don't take it for granted.
We are well aware that there are many kinds of hackers, and they take different approaches to exploit and break into your website and steal information, including your users' credentials, which can be dangerous for your business. The last thing you want is to wake up to find your site hacked, suspended by your host, blacklisted by Google, serving malware or sending phishing emails. The cost of fixing a hacked site and restoring it to a safe and secure state can be extremely high and can seriously hurt your reputation.
While you cannot stop hackers from trying to attack your website, you can improve your security and stop them at the gates. Here are a few ways to increase your website's security.
Switching to HTTPS (SSL/TLS)
Yeah, here we go: switching your WordPress site to HTTPS means getting an SSL/TLS certificate, and nowadays it is the de facto standard and a must. HTTPS gives your site more than just encryption: traffic between the browser and your site is encrypted so a third party cannot intercept and read your data, and the certificate lets the browser verify that it is really talking to your site. Without HTTPS, data sent between the two parties can easily be intercepted by an eavesdropper. So now is the time to go for HTTPS.
Keep your WordPress Core, Theme and Plugins Updated
Trust me, this is one of the most common security issues we see day in and day out: many people simply do not bother to update their WordPress core, their theme or their plugins. Plugins that have not been updated or patched for a long time give hackers an easy way in, since known vulnerabilities in an old plugin can be exploited quite easily. So it is always advisable to enable automatic updates in your WordPress install for the core files and plugins. When you are looking for a theme or plugin, check its changelog and the date of its latest release before installing it. If it hasn't been updated for a long time, you are better off dropping it.
NOTE: Do not download any nulled theme or plugin from a nulled source. Delete any plugins or themes you're not using.
Take Regular Backups
Whenever you make a change to your site or update your core files, theme files or plugins, take a backup of your WordPress site, including the database, and store it in multiple locations (for example one on your local system and a few in the cloud, like Dropbox or Google Drive). If something goes wrong, you can always restore your website to its original state.
Why are backups so darn important? You might think nothing is going to happen to your site, but disaster may be waiting to happen, and it can come in many ways: your server crashes, your site gets hacked (possibly badly), your developer makes a fatal mistake, or something worse. Before something happens, take your site seriously and set up some decent backups. Even if your hosting company takes regular backups, I advise you not to rely on them alone. I take regular backups manually, and I also use a plugin to do backup jobs for me.
No need to get scared about how to take regular backups of your site, as there are a number of plugins that can do this task for you: VaultPress, BackupBuddy, BlogVault and UpdraftPlus.
Two-Factor Authentication (2FA)
Most of us use the same password across various websites because it is easy to remember, and that also makes it easy to hack. And hackers are all over WordPress. This is where you should consider using a Two-Factor Authentication (2FA) plugin and enabling it for all users. Implementing 2FA for your users' logins is quite simple and a very effective way to blunt brute-force attacks. 2FA adds an extra layer of security at login: it asks for additional proof of identity to make sure a legitimate user is the one attempting to log in. It means hackers can't get into your WordPress site with just the password; they also need a one-time secret code sent to a registered mobile device, delivered by phone call or sent by email, and only after that code is typed in is the user logged in.
Changing your Login URL
WordPress has a standard login URL: yoursite.com/wp-login.php. You can change the wp-login.php part to a path that is unique to your WordPress website. With a unique login URL, hackers will be less likely to find where to log in to your website; otherwise your site will get bombarded with login attempts even if you have the Limit Login Attempts plugin activated.
Install a WordPress Security Plugin
Installing a WordPress security plugin covers some of these points easily without a developer's help. At Themesfinity we highly recommend iThemes Security, particularly the Pro version, although the free version does a good amount of the job as well. This plugin claims to provide 30+ ways to secure and protect your WordPress website from attacks: it strengthens user credentials, fixes common vulnerabilities and blocks automated attacks. We have already implemented this plugin on many of our client sites, all on the Pro version.
Choose a Well-Known Hosting Company
Most WordPress sites get hacked due to a security vulnerability on the host's end, so choosing a quality host should be a high priority. We strictly advise you not to chase cheap hosting plans anymore. Managed WordPress hosting is what you need: a host that specializes in WordPress will more likely have a WordPress firewall, the latest PHP versions (yes, PHP 7+), a malware scanner and servers specifically designed to host WordPress sites.
Tweak your WordPress database table prefix
By default WordPress uses the wp_ prefix for all of a site's database tables, so every attacker already knows your table names, which makes it easier to target your database with SQL injection attacks. To make this harder, change your database table prefix to something unique that is still easy for you to remember. A unique prefix is hard for hackers to guess, which helps keep your site and database safe. Be careful while changing the prefix, as you will be editing your wp-config.php file; take a backup of your site before doing this.
Here is how you can change the prefix to something more unique. Note that the variable is $table_prefix (with an underscore) and that WordPress only accepts letters, digits and underscores in the prefix, so stick to those:
$table_prefix = 'wp_OH77K';
or even something like this:
$table_prefix = 'zem_OH77K';
While you are in your wp-config.php file, find your database name as well, so that you know which database you need to edit. Look for
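One thing this section glosses over: on a site that already has data, editing $table_prefix alone is not enough, because the existing tables still carry the old prefix, and so do a few keys stored inside the options and usermeta tables. The following PHP script is an added example (not code from the original post) that checks the new prefix with the same rule WordPress applies and prints the SQL needed to rename the core tables and fix those keys; the core table list and the new prefix value are assumptions you should adapt to your own database.

```php
<?php
// Added example, not from the original post. Given the current and the new
// table prefix, emit the SQL that renames an EXISTING site's core tables and
// fixes the prefixed keys WordPress stores inside options and usermeta.
// Editing $table_prefix in wp-config.php alone is not enough on a live site:
// WordPress would then look for tables that do not exist yet.

// WordPress rejects a prefix containing anything but letters, digits and
// underscores, so apply the same rule before generating any SQL.
function is_valid_prefix(string $prefix): bool {
    return $prefix !== '' && !preg_match('/[^a-z0-9_]/i', $prefix);
}

// Core single-site tables (assumed list). Multisite and plugins add more, so
// compare this against SHOW TABLES LIKE 'wp\_%' on the real database first.
const CORE_TABLES = [
    'commentmeta', 'comments', 'links', 'options', 'postmeta', 'posts',
    'termmeta', 'terms', 'term_relationships', 'term_taxonomy', 'usermeta', 'users',
];

function prefix_change_sql(string $old, string $new): array {
    if (!is_valid_prefix($old) || !is_valid_prefix($new)) {
        throw new InvalidArgumentException('prefix may only contain letters, digits and underscores');
    }
    $sql = [];
    foreach (CORE_TABLES as $t) {
        $sql[] = sprintf('RENAME TABLE `%s%s` TO `%s%s`;', $old, $t, $new, $t);
    }
    // Rows whose NAME embeds the prefix: wp_user_roles in options,
    // wp_capabilities and wp_user_level in usermeta. '_' is a LIKE wildcard,
    // so it is escaped; SUBSTRING drops the old prefix and CONCAT adds the new.
    $like = str_replace('_', '\\_', $old) . '%';
    $from = strlen($old) + 1;
    $sql[] = sprintf("UPDATE `%soptions` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE option_name LIKE '%s';",
        $new, $new, $from, $like);
    $sql[] = sprintf("UPDATE `%susermeta` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s';",
        $new, $new, $from, $like);
    return $sql;
}

// Usage: review the output, back up the database, run the statements, and
// only then set $table_prefix = 'wp_oh77k_'; in wp-config.php (constructed value).
foreach (prefix_change_sql('wp_', 'wp_oh77k_') as $stmt) {
    echo $stmt, PHP_EOL;
}
```

Run the statements in one transaction or during a maintenance window, and keep the pre-change backup until the site has been verified afterwards, since a half-applied rename leaves WordPress unable to find its tables.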
Secure the wp-config.php file
This is easily the single most important file in your WordPress installation: it holds your site's base configuration and confidential information, controls key aspects of WordPress functionality and does mission-critical work like connecting to the database. It is your own responsibility to protect wp-config.php from hackers and other attacks.
Use a Unique Username and Strong Password
First, avoid using the admin username. It is probably the first choice for a hacker trying to break into your site, and you can make the task harder for him by choosing a unique username. The same rule applies to passwords. I trust you are not using passwords like 123456 or admin. Instead, use a strong password. What does a strong password mean? A strong password is a string of letters, numbers and other characters that has no meaning and is hard to guess.