Posted at September 12, 2018 at 7:26 pm by Ylber Popaj
WordPress is a powerful platform. In fact, it’s so powerful that it runs 25% of all the websites today. Given how easy it is to build a website with WordPress, it’s no surprise that the platform is popular with beginners.
Because it is so simple to start a website with WordPress, many beginners skip the basic security measures that keep them safe from being attacked by hackers.
As a business owner, you can’t overlook how important security is for your website. With over 90,000 attacks happening per minute, it doesn’t matter whether you’re a huge online retailer or a small blog, having a secured WordPress website should be a major priority.
In this article, we give you some of the basic, beginner-level tips that you should know AND follow in order to improve your WordPress security. If you follow all the tips below, then barring human error, your WordPress website will be safe from the majority of attacks.
The best part? You don’t need to be a technical wizard to perform any of the tips below. So without further ado, here are the beginner tips for improving your WordPress website security.
There is a myriad of ways for your site to be attacked, but one of the most common methods is called brute force hacking. Brute force is essentially when the hacker attempts to figure out your site’s login details by guessing them over and over.
One of the ways to overcome it is to create unique passwords, but if you really want to ensure your website’s safety, you’ll need to put in a lockdown feature for your website.
The way a lockdown works is that, when a hacker attempts to log into your site multiple times with wrong passwords, the website automatically locks out anyone from logging in and you get a notification regarding the suspicious activity.
To set a lockdown feature, you can use a number of plugins available on WordPress. One that we recommend is iThemes Security, which lets you put a lockdown feature in place, set the number of failed login attempts, and even automatically ban the hacker’s IP address.
The other one to check out is Login Lockdown, which also offers a number of customizable configurations for your WordPress website.
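The lockdown logic described above can be modelled over web server access logs. The following is an added example, not code from this article or from either plugin: the log lines are constructed, the thresholds and the name `find_lockouts` are hypothetical, and it assumes WordPress answers a failed login POST with status 200 and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (documentation IPs, not real traffic).
# Assumption: a failed login POST is answered with 200 (form shown again),
# a successful one with a 302 redirect.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2018:19:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4021
203.0.113.7 - - [12/Sep/2018:19:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4021
198.51.100.20 - - [12/Sep/2018:19:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 4021
203.0.113.7 - - [12/Sep/2018:19:00:25 +0000] "POST /wp-login.php HTTP/1.1" 200 4021
203.0.113.7 - - [12/Sep/2018:19:00:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4021
198.51.100.20 - - [12/Sep/2018:19:00:50 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.44 - - [12/Sep/2018:19:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4021
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def find_lockouts(log_text, max_failures=3, window=timedelta(minutes=5),
                  lockout=timedelta(minutes=15)):
    """Return {ip: (locked_at, locked_until)} for IPs that hit the limit."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failed logins
    locked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts_raw, method, path, status = m.groups()
        if method != "POST" or not path.startswith("/wp-login.php"):
            continue                # only login submissions count
        ts = datetime.strptime(ts_raw, "%d/%b/%Y:%H:%M:%S %z")
        if ip in locked and ts < locked[ip][1]:
            continue                # still locked out: attempt is refused
        if status == "302":
            failures[ip].clear()    # successful login resets the counter
            continue
        recent = failures[ip]
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()        # forget failures older than the window
        if len(recent) >= max_failures:
            locked[ip] = (ts, ts + lockout)   # a plugin would also notify the admin
            recent.clear()
    return locked
```

Running `find_lockouts(SAMPLE_LOG)` locks out only the address with three failures inside the window; the visitor who mistyped once and then logged in is untouched.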
Show of hands, how many of you are still using “Admin” as your username?
Using “admin” as a username is quite possibly one of the biggest mistakes that beginners make. When you create a WordPress website, the username for the administrator account is automatically set to “admin”.
You need to change this as soon as possible. Why?
Think of it this way. Your username and password both serve as locks on your door. When you use a predictable username such as “admin”, you’re practically leaving one of the locks on your door open to intruders. All that’s left for them to do is figure out your password, and your website will be compromised.
Change your username by logging into your WordPress dashboard and heading over to the Users section to create a new administrator account with a better username. Once you’ve done that, delete the old “admin” user account immediately.
If you’re running a website for your business, then having 2-factor authentication (2FA) is an absolute necessity among your security measures. Not only does it provide you with an extra layer of security by requiring users to provide login details for separate components, it’s also very easy to set up.
Given the fact that you can dictate the two different components, you can have a mix of regular passwords along with either secret/specific questions, specialized characters, or even a set of codes.
To set up 2-factor authentication for your website, you can easily use the Google Authenticator plugin, which allows you to set it up with just a few simple clicks.
You might not realize this but your WordPress login page URL can also be a security liability.
Consider this: your login page serves as a door to your website. When you use a common login page such as wp-login.php or wp-admin, you’re basically showing intruders the front door of your website with a huge neon sign.
With such an easy-to-access login page, you’re practically inviting hackers to come and brute force their way into your website. Don’t let something as simple as an admin URL be the reason for your website getting compromised.
Changing your login URL can be done manually. However, it’s not recommended for beginners since it requires accessing and changing your site’s files directly. Instead, you’d be better off using plugins to do all the work.
Plugins such as WPS Hide Login can easily and safely change your login URL to whatever you want it to be. Since it doesn’t change or rename your core files, you won’t have to worry about it affecting your site’s data.
A report from WP White Security states that 41% of WordPress attacks happened due to a security vulnerability from the host. This means that sometimes, regardless of how much security you put on your website, if your web host provider has terrible security then you’ll end up getting attacked either way.
Given the high number of attacks that occur on web host providers, it’s clear that you need to go for the best WordPress hosting that you can afford so that you get the best security available.
When it comes to WordPress websites, going for a managed hosting provider that focuses on WordPress is recommended as they will offer the best security measures possible with WP firewalls, regular scans for malware, servers that are optimized for WordPress, and up-to-date PHP and MySQL.
An SSL (Secure Sockets Layer) certificate is a popular security measure that’s becoming more important for anyone who has a website.
Why is it so important?
For starters, it helps to encrypt any data that are transferred between your servers and a user’s browser. With all the data being encrypted, this makes it harder for hackers to try and disrupt your connection to steal any pertinent or sensitive data.
The other big reason to apply for an SSL certificate is Google. Recently, Google has started to identify sites without any SSL certificates as “not secure”. This is important because a website that’s “not secure” will be severely punished in Google’s ranking, and the label makes your website appear untrustworthy.
To apply for an SSL certificate, you can purchase one from sites such as SSL Comodo or SSL.com, which offer a range of certificates and security measures for all kinds of websites, such as blogs, eCommerce stores, company websites, and so forth.
Some web hosts also offer SSL services as part of their hosting plans, so be sure to check them out. Hosting companies such as InterServer give SSL certificates for free as part of their hosting plans.
The ultimate failsafe for any website owner is to have a backup offsite that you can load up and revert back to. That way, regardless of what happens, you won’t have to rebuild your website and all of its data from scratch.
The advantage of having a backup is that you can always return your website to a working state should something bad happen, such as getting a virus in your system or experiencing a malware attack.
In most cases, your web host provider will offer some form of backup for your website, but if you want to be extra safe, you can use plugins such as BackUp Buddy to perform automatic backups for your website.
WordPress security is more than just using a couple of security plugins and calling it a day. There are many ways that a hacker can exploit your website’s security if you’re not careful and have not plugged all of your leaks.
Following all the WordPress security tips we’ve given you can be the major difference between having a website with mediocre security and a website with impenetrable security.
Written by Azreen Azmi
Azreen Azmi is a writer with a penchant for writing about content marketing and technology. From YouTube to Twitch, he tries to keep in touch with the latest in content creation and to find out the best way to market your brand.