Keeping Your WordPress Blog Secure: A Beginner’s Guide
WordPress powers over 40% of the web, making it a popular target for hackers and security threats. While the platform itself is secure, neglecting basic security practices can leave your site vulnerable. The good news? You don’t need to be a tech expert to protect your blog. In this guide, we’ll cover simple steps you can take to keep your WordPress site safe from common threats. Whether you’re a beginner or just looking to tighten your defenses, these tips will help you secure your blog with confidence.
Basics of WordPress Security
Why Website Security is Important
A hacked WordPress website can cause serious damage to your business’s revenue and reputation. Hackers can steal user information and passwords, install malicious software, and even distribute malware to your users.
Worse, you may find yourself paying a ransom to hackers just to regain access to your website. Every day, Google warns 12-14 million users that a website they are trying to visit may contain malware or steal information.
Furthermore, Google blacklists around 10,000+ websites each day for malware or phishing.
Just as business owners with a physical location are responsible for safeguarding their property, online business owners need to pay extra attention to their WordPress security.
Keep WordPress Updated
WordPress is open-source software and is regularly maintained and updated. By default, WordPress automatically installs minor updates. For major releases, you need to manually initiate the update.
WordPress also comes with thousands of plugins and themes that you can install on your website. These plugins and themes are maintained by third-party developers, who regularly release updates as well.
These WordPress updates are crucial for the security and stability of your WordPress site. You need to make sure that your WordPress core, plugins, and theme are up to date.
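One way to stop relying on someone remembering to click "Update" is to opt the site in to automatic updates. The following must-use plugin is an added example, not code from the original article; the file path and the plugin slugs in the allow-list are assumptions for illustration.

```php
<?php
/**
 * Added example, not code from the original article. Opts a site in to
 * automatic theme and plugin updates from a must-use plugin, so that
 * third-party security fixes are applied without waiting for someone to
 * log in and click. Assumed file location: wp-content/mu-plugins/auto-updates.php
 */

// WordPress core already installs minor (security) releases on its own.
// This filter additionally lets major core releases install automatically.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Themes: auto-update all of them.
add_filter( 'auto_update_theme', '__return_true' );

// Plugins: you could auto-update everything with
//   add_filter( 'auto_update_plugin', '__return_true' );
// The version below instead keeps an allow-list, so an untested update to a
// plugin you have not vetted cannot take the site down unattended.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    // Plugin slugs are assumed for illustration; replace with your own.
    $trusted = array( 'wordfence', 'loginizer', 'duplicator' );
    if ( isset( $item->slug ) && in_array( $item->slug, $trusted, true ) ) {
        return true;
    }
    // Keep whatever WordPress (or the per-plugin toggle in the admin UI)
    // had already decided for everything else.
    return $update;
}, 10, 2 );
```

Drop the file into wp-content/mu-plugins/ (create the folder if it does not exist); must-use plugins load on every request and cannot be deactivated from the dashboard, which is what you want for a hardening setting. Check the Updates screen afterwards: WordPress shows which plugins are set to update automatically.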
Use Strong Passwords & User Permissions
The most common WordPress hacking attempts use stolen passwords. However, you can make that difficult by using stronger, unique passwords for your website.
We are not just talking about the WordPress admin area. Remember to create strong passwords for your FTP accounts, databases, WordPress hosting accounts, and custom email addresses that use your site’s domain name.
Many beginners don’t like using strong passwords because they are hard to remember. The good thing is that you don’t need to remember passwords anymore because you can just use a password manager.
Another way to reduce the risk is to not give anyone access to your WordPress admin account unless you absolutely have to.
If you have a large team or guest authors, then make sure that you understand user roles and capabilities in WordPress before you add new user accounts and authors to your WordPress site.
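As an added illustration of least privilege in WordPress (not code from the original article), the must-use plugin below registers a "Guest Author" role that can draft posts and upload images but cannot publish, edit other people's posts, or change site settings. The role name, capability set and file path are assumptions; the role is effectively the built-in Contributor role plus the upload_files capability.

```php
<?php
/**
 * Added example, not code from the original article. Registers a limited
 * "Guest Author" role so outside writers never need an Editor or
 * Administrator account. Assumed file location:
 * wp-content/mu-plugins/guest-author-role.php
 */
add_action( 'init', function () {
    // add_role() stores the role in the database once; skip if it exists.
    if ( get_role( 'guest_author' ) ) {
        return;
    }
    add_role( 'guest_author', 'Guest Author', array(
        'read'         => true, // can open the dashboard
        'edit_posts'   => true, // can create and edit their own drafts
        'delete_posts' => true, // can delete their own unpublished posts
        'upload_files' => true, // can attach images to those drafts
        // Deliberately absent: publish_posts, edit_others_posts,
        // edit_published_posts, manage_options, install_plugins,
        // edit_themes, edit_plugins. An Editor still has to review
        // and publish each guest post.
    ) );
} );
```

After adding the file, the role appears in the "Role" drop-down when you create a user. If you later change the capability list, the stored role is not rewritten automatically: remove it first with remove_role( 'guest_author' ) or edit it with get_role( 'guest_author' )->add_cap() and ->remove_cap().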
WordPress Security in a Few Steps
1. Install a Backup Solution
Backups are your last defense against any WordPress attack. Remember, nothing is 100% secure. If government websites can be hacked, then so can yours.
Backups allow you to quickly restore your WordPress site in case something bad was to happen.
There are many free and paid WordPress backup plugins that you can use. The most important thing you need to know when it comes to backups is that you must regularly save full-site backups to a remote location (not your hosting account). We recommend storing them on a cloud service like Amazon or Dropbox, or in a private cloud like Stash.
Based on how frequently you update your website, the ideal setting might be either once a day or real-time backups.
Thankfully this can be easily done by using plugins like Duplicator or BlogVault. They are both reliable and most importantly easy to use.
For more about WordPress plugins, check out our handy guide to some of the most useful ones HERE.
2. Install a Good WordPress Security Plugin
After backups, the next thing you need to do is set up a way to keep track of all the activity happening on your website. This includes file integrity monitoring, failed login attempts, SQL injection attempts and lots more. Thankfully, you can easily take care of this by installing a security plugin. There are plenty available, but the one we recommend is WordFence because it is both capable and simple. You don’t need to be a network engineer to configure it.
Once you have installed your new plugin, you should head over to its Dashboard page to see if the plugin found any immediate issues with your WordPress site. Whilst here you can click around and get comfortable with your new plugin’s capabilities. The default settings should work well for most websites, but if you are feeling confident, you can go ahead and tweak some settings to see what happens. You can always change things back later on.
One thing we recommend you customise right now is the email alerts feature. By default, you will receive a lot of email alerts that can clutter your inbox, so go ahead and change these settings to whatever level of alerting you feel comfortable with. We recommend enabling alerts only for key actions you wish to be notified about, such as plugin changes and new user registrations.
3. Enable a Web Application Firewall (WAF)
The next thing you should do is enable a Web Application Firewall to block malicious traffic before it even reaches your website. Firewall software works on one of two levels:
- A DNS-level website firewall routes your website traffic through a proxy server hosted by the software vendor. This server screens out known malicious traffic sources and passes on the valid traffic to your website.
- An application-level firewall examines the traffic once it reaches your site but before loading most WordPress scripts. This method is not as efficient as the DNS-level firewall in reducing the server load.
A DNS-level firewall is the preferred option. Fortunately for you, you just installed WordFence, which includes a DNS-level WAF with a handy learning mode that allows it to partially configure itself based on your site’s normal content and traffic.
4. Make Sure Your Site is Using HTTPS
SSL (Secure Sockets Layer) is a protocol that encrypts data transfer between your website and the user’s browser. This encryption makes it harder for someone to steal your data. Once you enable SSL, your website address will use HTTPS instead of HTTP.
SSL certificates are typically issued by certificate authorities, and their prices range from $80 to hundreds of dollars each year. Because of the added cost, most website owners in the past opted to keep using the insecure protocol. To fix this, a non-profit organization called Let’s Encrypt decided to offer free SSL certificates to website owners. Their project is supported by Google Chrome, Facebook, Mozilla, and many more companies.
Many hosting companies now offer a free, or very cheap, SSL certificate for use with WordPress websites. If your hosting company does not offer one, then you can purchase an SSL certificate from Domain.com. They have the best and most reliable SSL deals on the market. The certificate comes with a $10,000 security warranty and a TrustLogo security seal.
5. Change the Default Admin Username
In the old days, the default WordPress admin username was ‘admin’. Since usernames make up half of the login credentials, this made it easier for hackers to do brute-force attacks. Thankfully, WordPress has since changed this and now requires you to select a custom username at the time of installing WordPress.
However, some 1-click WordPress installers still set the default admin username to ‘admin’. If you notice that to be the case, then it’s probably a good idea to switch your web hosting. Since WordPress doesn’t allow you to change usernames by default, there are three methods you can use to change the username.
- Create a new admin username and delete the old one.
- Use the Username Changer plugin.
- Update the username from phpMyAdmin.
You can find our detailed guide on how to change your WordPress username HERE.
6. Disable File Editing
WordPress comes with a built-in code editor that allows you to edit your theme and plugin files right from your WordPress admin area. In the wrong hands, this feature can be a security risk, which is why we recommend turning it off. You can easily do this by adding the following code to your wp-config.php file or with a code snippet plugin like WPCode.
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
7. Disable PHP File Execution
Another way to harden your WordPress security is by disabling PHP file execution in directories where it’s not needed, such as /wp-content/uploads/.
You can do this by opening a text editor like Notepad and pasting this code:
<Files *.php>
deny from all
</Files>
Next, you need to save this file as .htaccess and upload it to the /wp-content/uploads/ folder on your website using an FTP client.
For a more detailed explanation, see our guide on how to disable PHP execution, HERE.
8. Limit Login Attempts
By default, WordPress allows users to try to log in as many times as they want. This leaves your WordPress site vulnerable to brute-force attacks. This is where hackers try to crack passwords by trying to log in over and over again with different combinations of characters in the hope of hitting the correct password by guesswork. This can be easily fixed by limiting the failed login attempts a user can make.
Some Web Application Firewalls include this feature. If you have chosen one of these, then this is automatically taken care of. However, if you don’t have a firewall set up, or you chose a WAF which doesn’t have this facility, then you can use a separate plugin to limit login attempts. We’re using Loginizer for this example:
- First, you need to install and activate the free Loginizer plugin.
- Once activated and configured, the plugin will start to limit the number of login attempts users can make.
The default settings will work for most websites. However, you can customize them by visiting the Loginizer Security tab in the sidebar. This plugin will also allow you to enable other advanced login features like 2 Factor Authentication and Single Sign-On.
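To show what a login limiter actually does under the hood, here is a small one written as a must-use plugin. It is an added example, not code from the original article and not Loginizer's code; the thresholds, function names and file path are assumptions. It counts failed logins per client IP address using WordPress transients and refuses authentication from that address for a while once the threshold is hit, even if the correct password is then supplied.

```php
<?php
/**
 * Added example, not code from the original article and not Loginizer's code.
 * After LLA_MAX_FAILURES failed logins from one IP address within LLA_WINDOW
 * seconds, that address is refused for LLA_LOCKOUT seconds.
 * Assumed file location: wp-content/mu-plugins/limit-login-attempts.php
 */

define( 'LLA_MAX_FAILURES', 5 );   // failures allowed inside one window
define( 'LLA_WINDOW', 15 * 60 );   // counting window, in seconds
define( 'LLA_LOCKOUT', 30 * 60 );  // lockout duration, in seconds

// The address the web server saw. Only switch to a forwarded header if a
// proxy you control always sets it; otherwise a client could spoof its way
// out of a lockout (or lock someone else out).
function lla_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : 'unknown';
}

// Transients are self-expiring values in the object cache or database,
// so the counters clean themselves up.
function lla_key( $ip, $kind ) {
    return 'lla_' . $kind . '_' . md5( $ip );
}

function lla_is_locked( $ip ) {
    return (bool) get_transient( lla_key( $ip, 'lock' ) );
}

// Count each failed login; once the threshold is reached, start a lockout.
add_action( 'wp_login_failed', function ( $username ) {
    $ip = lla_client_ip();
    if ( lla_is_locked( $ip ) ) {
        return; // already locked; attempts during the lockout do not extend it
    }
    $failures = (int) get_transient( lla_key( $ip, 'fail' ) ) + 1;
    set_transient( lla_key( $ip, 'fail' ), $failures, LLA_WINDOW );
    if ( $failures >= LLA_MAX_FAILURES ) {
        set_transient( lla_key( $ip, 'lock' ), time(), LLA_LOCKOUT );
        delete_transient( lla_key( $ip, 'fail' ) );
        // Written to the PHP error log, where a security plugin or log
        // shipper can pick it up and alert on repeated lockouts.
        error_log( sprintf( 'WP login lockout: ip=%s last_username=%s', $ip, $username ) );
    }
} );

// Refuse authentication while the address is locked. Priority 30 runs after
// WordPress's own username/password checks (priority 20), so this overrides
// a successful password match instead of being overridden by it.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( lla_is_locked( lla_client_ip() ) ) {
        return new WP_Error( 'lla_locked', 'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the failure counter, so a user who mistyped
// once or twice is not carried toward a lockout later.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( lla_key( lla_client_ip(), 'fail' ) );
}, 10, 2 );
```

Two things to be aware of with this approach, which are the same trade-offs a plugin makes: counting by IP address means everyone behind one office or carrier NAT shares a counter, and the lockout only covers logins that go through WordPress's authenticate filter (wp-login.php and XML-RPC), not a password check a host performs in front of the site.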
9. Disable XML-RPC in WordPress
XML-RPC is a core WordPress API that helps connect your WordPress site with web and mobile apps. It has been enabled by default since WordPress 3.5. However, because of its powerful nature, XML-RPC can significantly amplify brute-force attacks. For example, if a hacker traditionally wanted to try 500 different passwords on your website, they would have to make 500 separate login attempts.
But with XML-RPC, a hacker can use the system.multicall function to try thousands of passwords with, say, 20 or 50 requests. This is why, if you are not using XML-RPC, we recommend that you disable it. There are 3 ways to disable XML-RPC in WordPress, and we take you through them in our detailed article on the subject, which you can find HERE.
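The filter-based way of doing this, as an added example that is not code from the original article: a must-use plugin that either switches off the authenticated XML-RPC methods entirely, or, for a site that still needs XML-RPC for a mobile app, just removes system.multicall so that one request can no longer carry hundreds of login attempts. The file path is an assumption.

```php
<?php
/**
 * Added example, not code from the original article. Reduces the XML-RPC
 * attack surface from a must-use plugin. Assumed file location:
 * wp-content/mu-plugins/xmlrpc-hardening.php
 */

// Option A: nothing you use needs XML-RPC. This filter makes WordPress
// reject every XML-RPC method that requires authentication, which is the
// whole class of calls a password-guessing script relies on. The
// /xmlrpc.php endpoint itself still answers, so unauthenticated methods
// such as pingbacks keep working.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Option B: you still need XML-RPC (for example, a mobile publishing app),
// so keep it available but strip the method that batches many calls into
// one request. With system.multicall gone, each password guess costs the
// attacker a full HTTP request again, which rate limiting and a WAF can see.
// Options A and B can be active together; B alone is the choice when the
// site genuinely depends on XML-RPC.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['system.multicall'] );
    return $methods;
} );

// Either way, record the remaining XML-RPC traffic so a security plugin or
// log shipper can spot unexpected callers. $name is the method being invoked.
add_action( 'xmlrpc_call', function ( $name ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'xmlrpc call: method=%s ip=%s', $name, $ip ) );
} );
```

To confirm it took effect, send a test request for system.listMethods to your own /xmlrpc.php (any XML-RPC client or a WordPress plugin's diagnostics page will do) and check that system.multicall is no longer in the returned list; with option A active, an authenticated call such as wp.getUsersBlogs is refused with an error rather than a login prompt.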
10. Hire Professionals Instead
As a busy small business owner, you may not have time to monitor your website security and protect it from vulnerabilities. So, to ease your mind and lighten your workload, you can hire a managed service provider to monitor and maintain your WordPress site for you 24/7.
In The Sky IT offers comprehensive WordPress website maintenance at an affordable price. It includes security monitoring, routine cloud backups, WordPress updates, uptime monitoring, and much more. Find out more HERE.