15 ways to secure your WordPress site
WordPress is an excellent, secure platform out of the box, but there’s certainly more you can do to keep your site safe from malicious intent. Many of these security enhancements are easy to implement and can be performed manually in mere minutes. Others simply require installing a particular plugin.
In this article, I’ll guide you through 15 different strategies for upping the defenses on your WordPress fortress. But first, let’s go a little more into the weeds on why website security should matter to you.
Why security matters for SEO
Website security is often overlooked. However, site security is essential for SEO and digital marketing.
WordPress is the most popular content management system (CMS), powering millions of websites.
However, WordPress sites are also susceptible to attacks which can lead to:
- Site hijacking.
- Malware injection.
- Phishing scams.
All of these can damage your reputation, hurt your SEO, and cost you money. That’s why it’s important to take proactive steps to secure your WordPress site.
There are a number of reasons why WordPress is a target for hackers.
- Because the CMS is so popular, there are more potential targets.
- As it is open source, the code is available for anyone to view and study. This makes it easier for hackers to find vulnerabilities.
- Due to its ease of use, many people don’t take the time to properly secure their WordPress site.
As a result, hacked WordPress sites are a major source of malware and spam.
Why WordPress Security Matters
In the first half of 2021, there were more than 86 billion password attack attempts blocked, and it is estimated that there are an average of 30,000 new websites hacked every day.
Hackers and various types of malware are relentless in their attempts to gain access to websites and their sensitive data.
We are currently seeing an unprecedented amount of cyber security attacks.
This issue affects businesses of all sizes, including yours.
In fact, 43% of online attacks now are aimed at small businesses, and only 14% of those businesses are prepared to defend themselves.
Many hackers target large companies for a bigger payoff.
15 ways to secure your WordPress site
How to secure your WordPress site
When setting up your WordPress site security, there are some basic things you can do to beef up your protection.
Here are some of the first things you should implement to help protect your website.
1. Add a CDN-level firewall
Any website is susceptible to attacks from bots and other malicious actors. A distributed denial of service (DDoS) attack can overload a server with requests, causing it to crash and making the site inaccessible.
A CDN-level firewall adds an additional layer of security by identifying and filtering out suspicious traffic before it reaches the server. This can help to protect your site from DDoS and other bot attacks.
In addition, a CDN-level firewall can also improve the performance of your website by caching static content and delivering it more quickly to visitors. As a result, adding a CDN-level firewall is an effective way to secure your website and improve its performance.
2. Require & Use Strong Passwords
Along with obtaining an SSL certificate, one of the very first things you can do to protect your site is to use and require strong passwords for all your logins.
It might be tempting to use or reuse a familiar or easy-to-remember password, but doing so puts you, your users, and your website at risk.
Improving your password strength and security decreases your chances of being hacked.
The stronger your password, the less likely you are to be a victim of a cyberattack.
3. Hide WordPress Version
We talked about keeping your website up to date, but what if that’s not an option? We know how reluctant people have been with updating Microsoft Windows…
Well, Security through Obscurity– if they can’t find it, they can’t hack it! Hide which version of WordPress you’re using, or hide that you’re using WordPress altogether. You can hide your WordPress information by altering the header code. While you can go into your theme settings and edit the display information there, those snippets of code will only return during the next theme update.
But, of course, there’s a plugin for that. WPCode is a free plugin that allows you to enter a variety of code snippets, including one for removing the version number, no matter how many times that pesky theme tries to write it back in.
4. Secure Your Database
Leaving anything at the default settings is a boon for hackers, and by default, WordPress uses wp_ as the prefix for All of your related tables. Good news! If you’re using the One-Click Installer there is already a prefix of random letters and numbers. As long as it ends with an underscore, the system is happy. Better News! Even if your WordPress is already installed, it may be eligible for the One-Click Installer as long as the website is fully hosted, and meets a few other guidelines.
This is a big step for security, and breaking something can be as easy as a missing underscore. Luckily, there is a default version of the wp-config.php file available at WordPress Core available, so you can rebuild whether you tried to change the database prefix manually, or with a service like phpMyAdmin.
5. Install A Security Plugin
WordPress plugins are a great way to quickly add useful features to your website, and there are several great security plugins available.
Installing a security plugin can add some extra layers of protection to your website without requiring much effort.
To get you started, check out this list of recommended WordPress security plugins.
- Wordfence Security – Firewall & Malware Scan
- All In One WP Security & Firewall
- iThemes Security
- Jetpack – WP Security, Backup, Speed, & Growth
6. Change your login page URL regularly
Regularly changing your login URL may seem like a small security measure, but it can actually deter hackers from finding easy access to your website.
By constantly changing your login URL, you make it more difficult for hackers to guess or brute force their way into your site.
There are ways to change the URL manually, but most hosting providers recommend using plugins to manage this.
7. Limit login attempts
It is crucial to limit the number of allowable login attempts to deter hackers from using brute force methods and gaining access to accounts. Doing so makes it more difficult for hackers to guess your password and prevent them from accessing your account even if they have your username.
In addition, limiting login attempts helps to protect your account from being locked out if someone else tries to guess your password.
8. Never Use The “Admin” Username
Because “admin” is such a common username, it is easily guessed and makes it much easier for scammers to trick people into giving away their login credentials.
Never use the “admin” username.
Doing so makes you susceptible to brute force attacks and social engineering scams.
Much like having a strong password, using a unique username for your logins is a good idea because it makes it much harder for hackers to crack your login info.
9. Disable XML-RPC
WordPress uses an implementation of the XML-RPC protocol to extend functionality to software clients.
This Remote Procedure Calling protocol allows commands to be run, with data returned formatted in XML.
Most users don’t need WordPress XML-RPC functionality, and it’s one of the most common vulnerabilities that open users up for exploits.
10. Add Security Questions
While not the most common solution, security questions give that extra oomph to your security. Depending on the plugin you choose, you may need to choose from already existing security questions or be able to create your own. This feature often comes bundled with another feature, for example, two-factor authentication. Don’t underestimate the abundance of methods available to protect your login page from nefarious actors!
11. Track Your Admin Area Activity
If you’ve got multiple users, it can be a good idea to keep tabs on what they’re all doing on the site. Tracking activity in your WordPress admin area will help you spot when other users are doing things they shouldn’t and can indicate whether unauthorized users have gained access.
When a weird change has been made or something suspicious is installed, you’ll want to be able to find out who was behind the activity. Plugins got you covered.
Most larger security plugins don’t provide this functionality out of the box, so you’ll want to find a dedicated solution. If you’d like to take a hands-off approach, Simple History lives up to its name by creating a streamlined, easy-to-understand log of important changes and events on your site.
12. Run A Security Scanning Tool
Sometimes your WordPress website might have a vulnerability that you had no idea existed.
It’s wise to use tools that can find vulnerabilities and fix them for you.
The WPScan plugin scans for known vulnerabilities in WordPress core files, plugins, and themes.
The plugin also notifies you by email when new security vulnerabilities are found.
13. Backup Your Site Regularly
I’d be lying if I said there was a magic solution for protecting your website from all threats. Even if you implement every suggestion on this list, there’s still a chance you may experience a security breach on your site.
Hackers are good at what they do. You’ve just got to beat them at their game.
A comprehensive security plan means preparing for what you’ll do if the worst happens, even while you’re trying to ensure it never does.
Backing up your site on a regular basis is the simplest and best way to safeguard it in the event of a disaster. If you have a recent backup handy, you can restore your site to the way it was before it was hacked or otherwise harmed. This will help you fix the issue and move on as quickly as possible.
14. Disable comments
The comment section is among the most vulnerable parts of any website. As this section is often left unmoderated, it can be easy for hackers to insert malicious code into otherwise innocent-looking comments.
As a result, website owners need to be vigilant in moderating the comment section and ensuring that only safe content is allowed.
15. Switch Your Site to HTTPS
Let’s talk more about an SSL/TLS certificate. This enables you to switch your site to HyperText Transfer Protocol Secure (HTTPS) — a more secure version of HTTP. These are important security concepts to understand but simple to grasp, even if you’ve never heard of them before.
HTTP is the protocol that transfers data between your website and any browser trying to access it. When a visitor clicks on your home page, all of your content, media, and website code are sent through this protocol to the visitor’s location.
While this is necessary, of course, it does introduce some potential security issues. Baddies can try to intercept the data while it is in transit and use it for their own nefarious purposes.
HTTPS solves this problem! It does the same thing as HTTP but also encrypts your site’s data while it’s traveling from one point to another, so it can’t be easily accessed.
Read more related posts about Google Adsense
