With more than 90,000 attacks launched against WordPress sites every minute, website security matters more than ever.
Your website is your greatest asset: it tells customers who you are and what you sell, almost like a home in the digital space.
So put some measures in place. Here are some tips on keeping your WordPress website secure.
Disclosure: Some of the links below are affiliate links. I will earn a small commission, at no extra cost to you, if you purchase through these links. Your support encourages me to continue blogging and help with the costs of hosting this site. Thank you!
1. Don’t Use ‘Admin’ As Your WordPress Username
This is by far one of the most important pieces of advice you'll get.
I’ve lost count of how many times people tried to log in to my WordPress website (this site itself!) using the ‘admin’ username. If I really did have an ‘admin’ user, my site would have been compromised a long time ago.
By default, the WordPress installer suggests 'admin' as the administrator's username. I highly recommend that you change it to something else. WordPress does not let you rename an existing user from the profile screen, so if your site already has an 'admin' user, create a new administrator under a different name, log in as that user, then delete 'admin' and choose to reassign its posts to the new account. A good replacement:
- Should not be similar to your name, pen name (if you’re an author like me), brand/company/website name
- Unusual/Unexpected username
The key is to use a username that nobody can guess, especially for administrators, who have complete control of the site and can add or remove other users. Bear in mind that a username is not a secret in the way a password is; it is one more thing an attacker has to find out, so keep it out of the places WordPress tends to leak it (more on that in section 7a).
2. Don’t Let Your Administrators Create Or Publish Posts
Take me for instance. I’m the only person behind this website. However, I created 2 users: an administrator and a non-administrator. I publish posts like this one as a non-administrator. On the other hand, I use my administrator user to check for updates for plugins, themes and WordPress versions as well as configure settings.
So why did I create 2 users and make things difficult for myself?
If you look at the big picture, the hassle of managing 2 users is a small cost to pay for your website security.
My site visitors will only see this non-administrator who publishes blog articles. They won’t be able to see my hidden administrator.
This makes it harder for attackers to guess the administrator's username, since the public site gives no clues. Note that WordPress can still leak usernames through other channels (author archives, the REST API's users endpoint and the login form's error messages), so pair this with the username-discovery settings in section 7a.
If you installed the Yoast SEO plugin, each user's profile has the option "Do not allow search engines to show this author's archives in search results". Enabling it for your administrator keeps that user out of the author sitemap.
3. Use A Strong Password
Okay, I’m sure you’ve heard this a million times. But let me repeat once more, please use a strong password for your WordPress account.
And of course, I hope you do this for all other accounts you created for your brand. Everything from your domain registrar to your web hosting provider.
By strong password, I mean that the password should
- Be long
- Include both upper & lower case letters
- Include numbers, punctuation & special characters
- Be nonsensical (shouldn’t make any sense)
- Not contain personal information
You can use a password manager to auto-generate and store strong passwords.
Also, change your password regularly, change it immediately if you suspect it has been exposed, and never reuse it on another site.
4. Keep Your Domain & Web Hosting Separate
Rather than buying both domain and web hosting from the same provider, I decided to buy from two different providers.
This way, even if someone manages to hack into my web hosting account, he wouldn’t have access to my domain (and vice versa). It’s also unlikely to have both hacked at the same time.
With both at the same provider, a single stolen login gives an attacker your DNS and your server at once, so your website could be taken over with one username and password. With separate providers, the attacker needs two sets of credentials.
5. Enable Two-Factor Authentication (2FA)
Two-factor authentication adds another layer of security. On top of the username and password, logging in also requires a code from something only you hold. Where you have the choice, prefer an authenticator app or a hardware device over text-message codes, which can be intercepted through SIM swapping.
For instance, Namecheap allows me to choose among device authentication, authentication app and text message authentication.
6. Set Up SSL So Your Site Changes From http to https
Depending on your web hosting provider, you may be able to get an SSL certificate free of charge.
SiteGround, for example, offers a free SSL certificate for all plans (whether you sign up for the basic or advanced web hosting plan).
SSL (strictly speaking TLS these days, though the certificate is still called an SSL certificate) encrypts the traffic between the web server and the browser, so logins, session cookies and form data cannot be read or altered in transit. Getting the certificate is only the first step: you also need to switch the WordPress Address and Site Address settings to https://, redirect plain-http requests, and fix any hard-coded http:// links in your content so browsers don't show mixed-content warnings.
In addition, HTTPS is a Google ranking signal: all else being equal, an https site ranks above its http counterpart, and modern browsers label plain-http pages as "Not secure". So if you need a boost in search ranking and visitor trust, do convert your site to https.
Check out the step-by-step guide for detailed instructions on how to set up SSL.
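Once the certificate is in place, WordPress itself can enforce https. The following must-use plugin is an added example written for this post, not code from the original article or from any hosting provider; the file name, the redirect behaviour and the HSTS max-age value are assumptions you should adjust.

```php
<?php
/**
 * Plugin Name: Force HTTPS (added example; not from the original post)
 *
 * Save as wp-content/mu-plugins/force-https.php so it loads on every request.
 * Assumes the certificate is already installed at the host and that both the
 * "WordPress Address" and "Site Address" settings have been switched to https://.
 */

// Some hosts and CDNs terminate TLS in front of PHP, so WordPress sees a plain
// HTTP request and is_ssl() returns false (which would loop the redirect below).
// Honour X-Forwarded-Proto ONLY if your proxy sets it and strips any
// client-supplied copy; otherwise delete these lines.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
	$_SERVER['HTTPS'] = 'on';
}

// Send every plain-HTTP request to the same path on https:// with a permanent
// redirect. WP-CLI and cron have no browser to redirect, so skip them.
add_action( 'init', function () {
	if ( is_ssl() || ( defined( 'WP_CLI' ) && WP_CLI ) || wp_doing_cron() ) {
		return;
	}
	$path = isset( $_SERVER['REQUEST_URI'] ) ? wp_unslash( $_SERVER['REQUEST_URI'] ) : '/';
	// home_url() builds the target from the site's own configured host, so a
	// forged Host header cannot be used to redirect visitors elsewhere.
	wp_safe_redirect( home_url( $path, 'https' ), 301 );
	exit;
} );

// Once https works everywhere, tell browsers to stop trying http at all.
// Start with a short max-age (e.g. 300 seconds) and raise it after a few days
// without problems: a long max-age on a site that later loses https locks
// visitors out until it expires.
add_action( 'send_headers', function () {
	if ( is_ssl() ) {
		header( 'Strict-Transport-Security: max-age=31536000' );
	}
} );
```

Adding `define( 'FORCE_SSL_ADMIN', true );` to wp-config.php makes WordPress insist on https for the login page and the dashboard as well, independently of this plugin. Test the redirect with a plain-http request to a deep link (not just the homepage) and confirm the query string survives.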
7. Install WordPress Security Plugin
There are many WordPress security plugins in the market that have various features:
- Scan your site for malware
- Rate-limit or block repeated failed login attempts (protecting your site from brute-force attacks)
- Alert you to security problems (e.g. plugins that have been abandoned by their developers and no longer receive fixes)
- Identify and block malicious traffic
Do your research and install the WordPress security plugin that has all the features you need.
I installed Wordfence because it has many features for a free plugin (including all the features above!).
7a. Adjust WordPress Security Plugin Settings
After you install the WordPress security plugin, do adjust its settings according to your needs.
All Options under Wordfence lists all the settings.
Under Brute Force Protection you choose how many failed logins or forgotten-password attempts are allowed before a lockout, and how long the lockout lasts.
I also enabled Immediately lock out invalid usernames. Of course, I understand that some people may mistype their username. If so, you can go to the Blocking tab in Wordfence Firewall and delete the active block on your users. I enabled this setting because I'm the only person posting on this website and I won't misspell my username.
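To show what these two settings actually do, here is an added example of the same logic written as a small must-use plugin. It is not Wordfence's code and not part of the original post; the thresholds, the transient names and the lockout message are assumptions.

```php
<?php
/**
 * Plugin Name: Login lockout (added example; not Wordfence code)
 *
 * Save as wp-content/mu-plugins/login-lockout.php. Counts failed logins per
 * client address and refuses further attempts for a while, which is what the
 * brute-force and "immediately lock out invalid usernames" settings do.
 * The thresholds and the lockout message are assumptions; tune them.
 */

define( 'LL_MAX_FAILURES',       5 );                      // failures allowed...
define( 'LL_FAILURE_WINDOW',     15 * MINUTE_IN_SECONDS ); // ...within this window
define( 'LL_LOCKOUT_DURATION',   30 * MINUTE_IN_SECONDS ); // how long a lock lasts
define( 'LL_LOCK_UNKNOWN_USERS', true );                   // lock on the first try with a login that does not exist

// Transient name for this client. Only REMOTE_ADDR is used: X-Forwarded-For is
// client-controlled unless a proxy you run rewrites it, in which case have the
// web server place the real address in REMOTE_ADDR instead of trusting it here.
function ll_key( string $kind ): string {
	return 'll_' . $kind . '_' . md5( $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0' );
}

function ll_lock_client(): void {
	set_transient( ll_key( 'lock' ), time(), LL_LOCKOUT_DURATION );
	delete_transient( ll_key( 'fail' ) );
}

// WordPress fires this for every login attempt with bad credentials.
add_action( 'wp_login_failed', function ( $username ) {
	$username = (string) $username;
	if ( LL_LOCK_UNKNOWN_USERS && ! username_exists( $username ) && ! email_exists( $username ) ) {
		ll_lock_client(); // a real account holder does not keep trying names that do not exist
		return;
	}
	$key      = ll_key( 'fail' );
	$failures = (int) get_transient( $key ) + 1;
	if ( $failures >= LL_MAX_FAILURES ) {
		ll_lock_client();
	} else {
		set_transient( $key, $failures, LL_FAILURE_WINDOW );
	}
} );

// Priority 30 runs after WordPress's own password check (priority 20), so a
// locked client is refused even when it finally guesses right.
add_filter( 'authenticate', function ( $user ) {
	if ( get_transient( ll_key( 'lock' ) ) ) {
		return new WP_Error( 'locked_out', 'Too many failed login attempts. Try again later.' );
	}
	return $user;
}, 30 );

// A successful login clears that client's failure count.
add_action( 'wp_login', function () {
	delete_transient( ll_key( 'fail' ) );
} );
```

Because a refused attempt still fires `wp_login_failed`, each try made while locked out refreshes the lock, so a scanner that keeps hammering stays locked until it stops. To release a legitimate user early, delete the `ll_lock_…` transient for their address (for example from the Transients section of a tools plugin or with a database query on `wp_options`).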
I’ve also checked the Enforce strong passwords option to force admins and publishers to use strong passwords.
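Section 3 lists what a strong password looks like, and this option makes Wordfence enforce it. The following added example implements an equivalent server-side check as a must-use plugin; it is not Wordfence's code and not from the original post. The minimum length, the enforced roles and the list of keyboard sequences are assumptions.

```php
<?php
/**
 * Plugin Name: Strong password policy (added example; not Wordfence code)
 *
 * Save as wp-content/mu-plugins/strong-passwords.php. Rejects a new password
 * that fails the section 3 criteria for the roles in SPP_ENFORCED_ROLES.
 * The policy numbers and the role list are assumptions.
 */

define( 'SPP_MIN_LENGTH', 16 );
define( 'SPP_ENFORCED_ROLES', [ 'administrator', 'editor', 'author' ] );

/**
 * Returns the reasons a password is weak; an empty list means it passes.
 * $personal holds strings (login, name, email local part, site name) that
 * must not appear in the password.
 */
function spp_password_problems( string $password, array $personal = [] ): array {
	$problems = [];
	if ( strlen( $password ) < SPP_MIN_LENGTH ) {
		$problems[] = sprintf( 'shorter than %d characters', SPP_MIN_LENGTH );
	}
	if ( ! preg_match( '/[a-z]/', $password ) )      { $problems[] = 'no lower-case letter'; }
	if ( ! preg_match( '/[A-Z]/', $password ) )      { $problems[] = 'no upper-case letter'; }
	if ( ! preg_match( '/[0-9]/', $password ) )      { $problems[] = 'no digit'; }
	if ( ! preg_match( '/[^a-zA-Z0-9]/', $password ) ) { $problems[] = 'no punctuation or symbol'; }
	// "Nonsensical": refuse runs of one repeated character and four-character
	// slices of the alphabet, the digits or a keyboard row (case-insensitive).
	if ( preg_match( '/(.)\1{2,}/', $password ) ) { $problems[] = 'repeated character run'; }
	$lower = strtolower( $password );
	foreach ( [ 'abcdefghijklmnopqrstuvwxyz', '0123456789', 'qwertyuiop', 'asdfghjkl', 'zxcvbnm' ] as $seq ) {
		for ( $i = 0; $i + 4 <= strlen( $seq ); $i++ ) {
			if ( false !== strpos( $lower, substr( $seq, $i, 4 ) ) ) {
				$problems[] = 'contains an alphabet, digit or keyboard sequence';
				break 2;
			}
		}
	}
	foreach ( $personal as $term ) {
		$term = strtolower( trim( (string) $term ) );
		if ( strlen( $term ) >= 3 && false !== strpos( $lower, $term ) ) {
			$problems[] = 'contains personal information (' . $term . ')';
		}
	}
	return $problems;
}

/** Strings tied to this user or site that must not appear in the password. */
function spp_personal_terms( $user ): array {
	$terms = [ get_bloginfo( 'name' ) ];
	foreach ( [ 'user_login', 'display_name', 'first_name', 'last_name', 'nickname' ] as $field ) {
		if ( ! empty( $user->$field ) ) { $terms[] = $user->$field; }
	}
	if ( ! empty( $user->user_email ) && false !== ( $local = strstr( $user->user_email, '@', true ) ) ) {
		$terms[] = $local; // local part of the address only
	}
	return $terms;
}

/** True if the user holds (or is being given) one of the enforced roles. */
function spp_role_is_enforced( $user ): bool {
	$roles = [];
	if ( ! empty( $user->role ) ) { $roles[] = $user->role; }              // role chosen on the user form
	if ( ! empty( $user->ID ) && ( $existing = get_userdata( $user->ID ) ) ) {
		$roles = array_merge( $roles, $existing->roles );                  // roles the account already has
	}
	return (bool) array_intersect( $roles, SPP_ENFORCED_ROLES );
}

// Profile edits and "Add New User" pass here with the new password in user_pass.
add_action( 'user_profile_update_errors', function ( WP_Error $errors, bool $update, $user ) {
	if ( empty( $user->user_pass ) || ! spp_role_is_enforced( $user ) ) { return; }
	foreach ( spp_password_problems( $user->user_pass, spp_personal_terms( $user ) ) as $problem ) {
		$errors->add( 'weak_password', 'Password rejected: ' . $problem );
	}
}, 10, 3 );

// The "lost password" reset form posts the new password as pass1.
add_action( 'validate_password_reset', function ( WP_Error $errors, $user ) {
	if ( ! ( $user instanceof WP_User ) || empty( $_POST['pass1'] ) || ! spp_role_is_enforced( $user ) ) { return; }
	foreach ( spp_password_problems( wp_unslash( $_POST['pass1'] ), spp_personal_terms( $user ) ) as $problem ) {
		$errors->add( 'weak_password', 'Password rejected: ' . $problem );
	}
}, 10, 2 );
```

The check runs on the server, so it applies regardless of what the browser-side strength meter shows, and it cannot be bypassed by unchecking "Confirm use of weak password". It does not touch passwords that already exist; ask affected users to reset theirs once the policy is in place.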
You should also enable Don't let WordPress reveal valid users in login errors. By default, WordPress tells you whether it was the username or the password that was wrong; with this setting a generic message appears instead: "The username or password you entered is incorrect." That way an attacker never learns that they have guessed a valid username.
Also check the Prevent users registering 'admin' username if it doesn't exist option. Then nobody can register as 'admin', and attackers cannot log in with it either.
Another important setting is Prevent discovery of usernames. Knowing the administrator's username is half the battle for an attacker, so enable this option to lower the chance of your administrator's username being discovered and used to gain access to your website.
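Section 2 relies on the administrator's username staying unseen, and the last three settings above exist because WordPress leaks usernames in several places by default. The following added example closes those leaks with plain WordPress hooks; it is not Wordfence's code and not from the original post, and the file name and the generic error text are assumptions.

```php
<?php
/**
 * Plugin Name: Hide usernames (added example; not Wordfence code)
 *
 * Save as wp-content/mu-plugins/hide-usernames.php. Closes the usual ways an
 * attacker learns valid logins: the /?author=N redirect, the REST users
 * endpoint, the users sitemap and the "wrong password for X" login message.
 * Also refuses 'admin' as a username.
 */

// 1. /?author=1 redirects to /author/<login>/ for any user with a published
//    post, which spells out the username. Send anonymous visitors home instead.
add_action( 'init', function () {
	if ( ! is_admin() && isset( $_GET['author'] ) && ! is_user_logged_in() ) {
		wp_safe_redirect( home_url( '/' ), 302 );
		exit;
	}
} );

// 2. /wp-json/wp/v2/users lists everyone who has published a post.
//    Remove the routes unless the request is from a logged-in user.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
	if ( ! is_user_logged_in() ) {
		unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
	}
	return $endpoints;
} );

// 3. Core sitemaps (WordPress 5.5+) publish a users sitemap; drop that provider.
add_filter( 'wp_sitemaps_add_provider', function ( $provider, string $name ) {
	return 'users' === $name ? false : $provider;
}, 10, 2 );

// 4. The default login error says whether the username or the password was
//    wrong. Replace every login error with one generic message.
add_filter( 'login_errors', function () {
	return 'The username or password you entered is incorrect.';
} );

// 5. 'admin' (and 'administrator') can never be registered or created.
//    WordPress checks this list in wp_insert_user(), so it covers the
//    registration form and the "Add New User" screen alike.
add_filter( 'illegal_user_logins', function ( array $logins ) {
	return array_merge( $logins, [ 'admin', 'administrator' ] );
} );
```

Two things to know before relying on it. The `login_errors` filter replaces every message on the login form, including any lockout notice from a security plugin, which is usually what you want. And the author who does publish (the non-administrator from section 2) still appears in the REST users list, the sitemap and the author archive, because their posts are public; only the hidden administrator stays hidden.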
Finally, one of the greatest features of the free Wordfence plugin is two-factor authentication (2FA). I strongly suggest that you enable this. Go to the Settings tab under Login Security and choose to enable 2FA for the roles you want.
8. Keep Your WordPress Version, Plugins & Themes Up To Date
Outdated software is one of the most common ways WordPress sites get hacked: once a vulnerability in a plugin or theme is published, attackers scan for sites still running the old version and exploit it.
Hence, always update your WordPress version, plugins and themes. Besides fixing bugs, these updates patch known vulnerabilities. Also delete plugins and themes you no longer use (an inactive plugin can still be reachable and exploitable), and replace any plugin that its developer has abandoned, since it will never be patched.
9. Back Up Your Website Frequently
Ensure that you regularly back up your website. Better still, install a WordPress backup plugin like UpdraftPlus, which can create a backup before any update. The premium version also lets you set the backup time and schedule.
This way, if your website ever gets compromised, you can restore a clean backup taken before the compromise. Store backups somewhere other than the web server itself (remote storage such as cloud drives), because an attacker who controls the server controls the backups kept on it, and test a restore once in a while so you know the backups actually work.
Here are some features and benefits of UpdraftPlus
- Performs complete manual or scheduled backups of all your WordPress files, databases, plugins and themes
- Backup schedules every 4, 8 or 12 hours, daily, weekly, fortnightly or monthly
- Restores backups directly from your WordPress control panel
Now It’s Your Turn
As the saying goes, "Prevention is better than cure". It's far easier to prevent your website from getting hacked than to clean up a hacked one. Spending some time on these security measures goes a long way towards keeping your website safe.
What other steps have you taken to secure your WordPress website? Do you have any security tips that you would like to share with fellow website owners?