WordPress security: Protect your WordPress website

Take precautions

About 34 percent of the world’s websites are powered by WordPress. Some owners assume their website is too small to be worth attacking. WordPress security is nonetheless a topic every website owner should address, because attackers do not distinguish between targets.

Why is WordPress security important?

WordPress – the most popular content management system in the world – is also a very popular target. Attackers compromise tens of thousands of WordPress websites every day, steal data, plant malware, run scams, and use the servers they capture to send spam. Only a few websites fall victim to targeted attacks; most are hit by fully automated tools that probe thousands of websites a day for known weaknesses, without caring who owns them.

So do not ask “Who would attack my website?” and fall into the trap of thinking that your website is too small or insignificant to matter.

If you’re a WordPress user, you don’t need to be a security expert to protect yourself from all of this, but there are a few things you should be aware of to keep your WordPress site secure.

Precautions for WordPress security

There are a few steps you need to take to protect your WordPress website. Now let’s go through them one by one.

1. Don’t forget the updates

This is perhaps the most important point! WordPress itself is reasonably secure software, but you cannot stay safe unless you apply updates. From time to time, vulnerabilities are discovered in WordPress. The WordPress developers patch them quickly and release a new version; it is up to you to install that update on your site as soon as possible. Otherwise attackers, who scan for sites running the old version as soon as a vulnerability becomes public, can break into your site using the newly disclosed flaw.

By default, WordPress is set to automatically install minor version updates. Your hosting provider may also offer a feature like “automatic WordPress update”. We recommend that you keep these features turned on. Similarly, you need to keep the plugins and themes you have installed on your site up to date, because they may have security vulnerabilities too.

If you manage multiple WordPress sites, it may be difficult to keep track of them all and make updates manually. In this case, a free service like ManageWP can help you keep track of all your websites’ plugin and theme updates from a single application.

2. Choose strong passwords

This is something most people know but do not practice. Attackers have tools that automatically try thousands of passwords per second, so short or carelessly chosen passwords are cracked easily. For WordPress security, your password should be at least 10 characters long (longer is better) and contain lowercase letters, uppercase letters, numbers, and special characters.

It is also important to use a different password on every site. Otherwise, an attacker who obtains your password from one site can take over every account that shares it.

We recommend using WordPress’s built-in password generator. You will not be able to memorize long, random passwords, but you can store them safely in a password manager such as LastPass, Dashlane, 1Password or KeePass.

Remember that if you have other users on your WordPress websites, choosing a strong password is essential for them too. You can prevent your users from choosing bad passwords with the help of plugins.

3. Choose a secure hosting company

For WordPress security, the precautions your hosting provider takes are as important as the ones you take yourself. Your hosting provider must keep its servers and the software running on them up to date, and it controls server-level security settings that you cannot change yourself. This means that an inexperienced or careless hosting company can get your website hacked. That’s why you should choose a reputable, reliable company for WordPress hosting.

Some hosting providers offer additional security features in WordPress hosting packages. For example, GoDaddy WordPress Hosting customers can benefit from bot and spam comment protection, automatic updates, plugin blacklist. Some packages offer malware scanning and removal.

4. Use a firewall

A web application firewall (WAF) is a set of rules that inspects incoming requests and blocks those carrying common attack patterns, such as cross-site scripting (XSS) and SQL injection payloads, before they reach your site. Your hosting provider probably already runs a network firewall that filters traffic to the server; a WAF built for WordPress adds application-layer filtering on top of that.

If you choose to add a firewall for stronger WordPress security, free options include Shield, All In One WP Security, MalCare and NinjaFirewall; Sucuri and Wordfence sell paid tiers (Wordfence also has a free tier with delayed rule updates, discussed below). Sucuri’s firewall is a cloud-based reverse proxy rather than a plugin: you point your domain’s DNS at Sucuri, and traffic is filtered before it ever reaches your server, so it adds no load to your site. The trade-off is that you must make that DNS change and arrange for your SSL certificate to be served by the proxy.

5. Use SSL certificates

SSL (today, its successor TLS; the name SSL has stuck) is the protocol that encrypts communication between a visitor’s browser and your website. Websites that use it have addresses starting with HTTPS instead of HTTP, and a lock icon appears in the browser’s address bar. Modern browsers show a “Not secure” warning on websites that don’t use it.

Since July 2018, Google’s Chrome browser has marked all HTTP sites as “Not secure”.

Without encryption, anyone on the network path (for example on the same public Wi-Fi) can read your username and password as you log in; SSL prevents that. It is important to protect your data with a certificate, free or paid, even if you don’t handle financial transactions through your website. Moreover, Google uses HTTPS as a ranking signal in its search results.

You can find out more about what an SSL certificate is and how to choose a certificate in our blog post.

6. Have a backup

No matter how strong WordPress security you have, sometimes things don’t work out. Your website may be hacked, your data may be deleted, the server can malfunction, and you may even accidentally damage your website yourself. In such cases, you must have a backup that you can return to.

Most hosting providers offer free or paid automatic backup services. Your website is backed up periodically, and if needed you can restore the backup of your choice from your hosting control panel with one click.

With free backup services the interval between backups can be long (for example once a month or once every two weeks). If the content of your website rarely changes, that is enough, but if you update your website every day, you should back it up every day. Otherwise you will lose every change made since the last backup.

GoDaddy’s WordPress hosting packages provide free daily backups and keep your backups for the last 30 days.

In addition to the backups your hosting provider keeps, it is worth downloading a copy of your website from time to time and storing it somewhere else, so that a compromise or failure of the hosting account does not take your backups with it.
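The backup routine described above, as an added example that is not GoDaddy’s or WordPress’s own tooling: archive wp-content and wp-config.php together with a database dump into a timestamped tar.gz, then delete archives older than a 30-day retention window. The install path, backup directory and database name are assumptions, and the database dump step assumes mysqldump is installed and reads its credentials from a defaults file so the password never shows up in the process list.

```python
"""Added example: timestamped WordPress backups with 30-day retention.
Paths, database name and the use of mysqldump are assumptions."""
import shutil
import subprocess
import tarfile
from datetime import datetime, timedelta
from pathlib import Path
from typing import List, Optional

RETENTION_DAYS = 30  # the same window the article mentions


def dump_database(db_name: str, out_file: Path,
                  defaults_file: Optional[Path] = None) -> bool:
    """Run mysqldump if it is installed; credentials come from a
    --defaults-extra-file so they never appear in `ps` output.
    Returns False (and writes nothing) when mysqldump is unavailable."""
    if shutil.which("mysqldump") is None:
        return False
    cmd = ["mysqldump"]
    if defaults_file is not None:
        cmd.append(f"--defaults-extra-file={defaults_file}")
    cmd += ["--single-transaction", db_name]
    with out_file.open("wb") as fh:
        subprocess.run(cmd, stdout=fh, check=True)
    return True


def create_backup(site_dir: Path, backup_dir: Path, when: datetime,
                  db_dump: Optional[Path] = None) -> Path:
    """Archive wp-content (uploads, themes, plugins) and wp-config.php.
    The archive name carries a timestamp so prune_backups() can age it."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"wp-backup-{when:%Y%m%d-%H%M%S}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for name in ("wp-content", "wp-config.php"):
            path = site_dir / name
            if path.exists():
                tar.add(path, arcname=name)
        if db_dump is not None and db_dump.exists():
            tar.add(db_dump, arcname="database.sql")
    return archive


def prune_backups(backup_dir: Path, now: datetime,
                  keep_days: int = RETENTION_DAYS) -> List[Path]:
    """Delete archives whose embedded timestamp is older than keep_days.
    Reading the timestamp from the filename rather than the file's mtime
    means copying archives to offsite storage does not reset their age."""
    cutoff = now - timedelta(days=keep_days)
    removed = []
    for archive in sorted(backup_dir.glob("wp-backup-*.tar.gz")):
        stamp = archive.name[len("wp-backup-"):-len(".tar.gz")]
        try:
            taken = datetime.strptime(stamp, "%Y%m%d-%H%M%S")
        except ValueError:
            continue  # not one of ours; leave it alone
        if taken < cutoff:
            archive.unlink()
            removed.append(archive)
    return removed


def list_backups(backup_dir: Path) -> List[str]:
    return sorted(p.name for p in backup_dir.glob("wp-backup-*.tar.gz"))


if __name__ == "__main__":
    site = Path("/var/www/html")                 # assumed install path
    backups = Path("/var/backups/wordpress")     # assumed, outside the web root
    now = datetime.now()
    dump = backups / "database.sql"
    backups.mkdir(parents=True, exist_ok=True)
    if dump_database("wordpress", dump, Path("/root/.my.cnf")):
        archive = create_backup(site, backups, now, dump)
        dump.unlink()
    else:
        archive = create_backup(site, backups, now)
    print("wrote", archive)
    for old in prune_backups(backups, now):
        print("pruned", old.name)
```

Run it from cron once a day and copy the resulting archive to storage the web server cannot write to; a backup directory inside the web root is both downloadable by anyone who guesses the name and deletable by an attacker who has taken over the site.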

Top 7 WordPress Security Plugins

There are several plugins you can use for WordPress security. Keep in mind that the most advanced and comprehensive ones are paid, although most of the basic functions are available for free. You do not need to install every plugin listed below; several of them overlap in features. Choosing the right ones for you, installing them, and above all configuring them correctly can significantly improve the security of your website.

1. Sucuri Security


One of the most popular and trusted plugins for WordPress security, Sucuri has both free and paid versions, and the free version is sufficient for most websites. It includes file integrity monitoring, blocklist monitoring (checking whether your domain has been flagged by malware blocklists), security notifications and hardening recommendations. File integrity monitoring lets you see whether your WordPress core files have been modified and whether files that are not part of WordPress have appeared on your site.

If you’re looking for an even more comprehensive solution, the paid packages add regular malware and compromise scanning, a cloud-based firewall, DDoS protection, a CDN and free clean-up if your site is hacked.

2. Wordfence Security


Wordfence may be the best option if you are looking for a free, comprehensive solution that includes a firewall. It detects malicious changes by comparing your plugin and theme files, as well as the WordPress core files, against the original copies from the WordPress repository. In addition to scanning your site for known security vulnerabilities, it can scan posts and comments for dangerous or suspicious URLs. It also detects failed login attempts and can block the source. Adding two-factor authentication (2FA) or a CAPTCHA to the WordPress login page makes breaking into your site considerably harder.

The free version of Wordfence also includes the firewall, but its rules and malware signatures arrive with a 30-day delay. If you want protection against the most current threats, you can switch to Wordfence Premium for real-time rule updates and the IP blocklist of known attackers.
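The file integrity monitoring that both Sucuri and Wordfence perform, as an added example (not either plugin’s code): a baseline manifest records a SHA-256 hash of every file under the install, and a later comparison reports files that were modified, added or removed. The example also flags the single most common post-compromise artifact, a PHP file appearing under wp-content/uploads, which should only ever contain media. The install path and manifest location in the usage block are assumptions.

```python
"""Added example: a minimal file integrity monitor for a WordPress install.
Not Sucuri's or Wordfence's code; paths in __main__ are assumptions."""
import hashlib
import json
from pathlib import Path
from typing import Dict, Iterable, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def compare_manifests(baseline: Dict[str, str],
                      current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report what changed between a trusted baseline and the current state."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "modified": sorted(p for p in base_keys & cur_keys
                           if baseline[p] != current[p]),
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
    }


def suspicious_additions(added: Iterable[str]) -> List[str]:
    """Uploads are expected to gain images and documents, not executable
    PHP. A new .php file there is the classic sign of a dropped web shell."""
    return sorted(p for p in added
                  if p.startswith("wp-content/uploads/")
                  and p.lower().endswith((".php", ".phtml", ".php5")))


def save_manifest(manifest: Dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


if __name__ == "__main__":
    import sys
    site = Path("/var/www/html")                        # assumed install path
    store = Path("/var/lib/wp-integrity/baseline.json")  # assumed; keep it outside the web root
    if len(sys.argv) > 1 and sys.argv[1] == "baseline":
        store.parent.mkdir(parents=True, exist_ok=True)
        save_manifest(build_manifest(site), store)
        print("baseline written to", store)
    else:
        report = compare_manifests(load_manifest(store), build_manifest(site))
        for kind in ("modified", "added", "removed"):
            for rel in report[kind]:
                print(f"{kind:8} {rel}")
        for rel in suspicious_additions(report["added"]):
            print(f"ALERT    possible web shell: {rel}")
```

Take the baseline immediately after a clean install or update, and store the manifest somewhere the web server user cannot write; an attacker who can modify wp-includes can just as easily rewrite a baseline that sits next to it. Expect wp-content/cache and wp-content/uploads to change constantly, which is why the example treats only executable files there as alerts rather than every addition.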

3. All In One WP Security & Firewall


Unlike most competitors, All In One WP Security has no paid version: every feature is free, including the firewall that competitors usually charge for. The firewall can be run at three levels: “basic”, “medium” and “advanced”. Besides many controls around user login and registration, it offers file permission checks, an IP blacklist, database backups and spam protection. The interface is not very user-friendly, however, so it appeals more to experienced users.

4. iThemes Security

Offering more than 30 ways to harden WordPress, iThemes Security comes in a free and a paid version and puts a lot of emphasis on blocking break-in attempts. The free version includes general security checks, strong password enforcement, renaming the admin user and changing the login page address. Daily malware scans, two-factor authentication, password expiration and logging of all user actions require the paid version.

5. Defender

Defender stands out for its user-friendly interface. Its “Security issues” section lists what you can do to improve the security of your website, and most items can be applied with a single click. The free version includes brute-force protection, an IP blacklist, scanning and repair of WordPress core files, changing the login page address, and a 404 limiter that blocks clients requesting many non-existent pages, which is a typical sign of a vulnerability scan in progress. Two-factor authentication via Google Authenticator, which competing plugins usually reserve for paid tiers, is free in Defender. Defender Pro, the paid version, adds malware scanning of plugin and theme files, change tracking, backups and speed optimization.

6. Limit Login Attempts Reloaded

Out of the box, WordPress allows an unlimited number of failed login attempts, which is what lets attackers try to brute-force your admin password. The Limit Login Attempts Reloaded plugin lets you set the maximum number of attempts permitted from one IP address; once that number is exceeded, the IP address is locked out. You can also blacklist or whitelist specific IPs and usernames. For example, if you have renamed or stopped using the default “admin” account, you can instantly block anyone trying to log in as admin.
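The lockout logic such a plugin implements, as an added example (not the Limit Login Attempts Reloaded code): failed logins are counted per source IP within a sliding window, the IP is locked out once the limit is reached, whitelisted IPs are never locked out, and a blacklisted username such as a retired “admin” account triggers a lockout on the first attempt. The thresholds are assumptions, not the plugin’s defaults.

```python
"""Added example: per-IP login lockout with a sliding window, an IP
allowlist and a username blocklist. Thresholds are assumptions."""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable

MAX_ATTEMPTS = 5        # failed attempts allowed per IP ...
WINDOW = 15 * 60        # ... within this many seconds
LOCKOUT = 20 * 60       # lockout duration in seconds


class LoginLimiter:
    def __init__(self, allow_ips: Iterable[str] = (), deny_users: Iterable[str] = ()):
        self.allow_ips = set(allow_ips)
        self.deny_users = {u.lower() for u in deny_users}
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.locked_until: Dict[str, float] = {}

    def _expire(self, ip: str, now: float) -> None:
        """Drop failures that fell out of the sliding window."""
        q = self.failures[ip]
        while q and q[0] <= now - WINDOW:
            q.popleft()

    def check(self, ip: str, username: str, now: float) -> str:
        """Call before verifying the password.
        Returns 'allow', 'locked' or 'denied_user'."""
        if ip in self.allow_ips:
            return "allow"
        if username.lower() in self.deny_users:
            # a blocklisted username locks the source out immediately,
            # as the article describes for a retired "admin" account
            self.locked_until[ip] = now + LOCKOUT
            return "denied_user"
        if self.locked_until.get(ip, 0.0) > now:
            return "locked"
        return "allow"

    def record_failure(self, ip: str, now: float) -> bool:
        """Call after a wrong password. Returns True if this failure
        pushed the IP over the limit and triggered a lockout."""
        if ip in self.allow_ips:
            return False
        self._expire(ip, now)
        self.failures[ip].append(now)
        if len(self.failures[ip]) >= MAX_ATTEMPTS:
            self.locked_until[ip] = now + LOCKOUT
            self.failures[ip].clear()
            return True
        return False

    def record_success(self, ip: str) -> None:
        """A correct password resets the failure counter for that IP."""
        self.failures.pop(ip, None)


if __name__ == "__main__":
    import time
    limiter = LoginLimiter(allow_ips={"10.0.0.5"}, deny_users={"admin"})
    # constructed sequence: six wrong passwords from one address
    for attempt in range(1, 7):
        now = time.time()
        verdict = limiter.check("203.0.113.9", "editor", now)
        if verdict != "allow":
            print(f"attempt {attempt}: {verdict}")
            continue
        locked = limiter.record_failure("203.0.113.9", now)
        print(f"attempt {attempt}: wrong password" + (" -> locked out" if locked else ""))
```

The client address must be the one the server actually talked to: if the site sits behind a proxy or CDN, use the forwarded address only from that proxy and never a client-supplied X-Forwarded-For header, otherwise an attacker can rotate the header to evade the limit or forge a victim’s address to lock them out. Keep the counters in shared storage (WordPress plugins typically use transients or the options table) so that the limit holds across PHP worker processes.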

7. Akismet Anti-Spam

Spam comments on WordPress websites are unfortunately inevitable. Akismet checks every comment submitted to your website, filters out what looks like spam and holds it for your review. To activate it, open the plugin settings and obtain an API key. Akismet is free for personal sites; commercial sites pay a fee.

Final words

With the digitalization of the world, cyber security continues to be an important issue. With the tips provided and WordPress plugins we’ve mentioned in this article, you can take solid steps in securing your WordPress website and protect yourself, your business and your customers from possible attacks.

Image by: Ennio Dybeli via Unsplash.