Thousands of WordPress sites get hacked every single day. According to a study, there is an attack every 39 seconds on average on the web.
So if you’re not taking your WordPress site’s security seriously, you may also soon become another victim of a security attack.
Fortunately securing a WordPress site is not a big deal as there are many security precautions you can take. You can also take the help of WordPress security plugins and tools to secure your site from all the security vulnerabilities.
If you’re looking to secure your WordPress site in 2020, this detailed post is exclusively for you where you will discover 9 of the essential WordPress security tips.
Top 9 Essential WordPress Security Tips to Implement In 2020
1. Get the basics right
First things first: make sure to get the following things right if you want to safeguard your WordPress site from hackers.
Don’t use nulled themes: Many beginners search for nulled themes to install on their sites. If you’re also one among them, stop doing it as 99% of those nulled themes may contain malicious code injected into them. Either use free WordPress themes from trusted sources or invest a couple of bucks on premium themes like Elegant themes.
Use a strong password: Most bloggers don’t create strong passwords because they think they often forget their passwords. Are you also one among them? We now have so many password manager tools like LastPass which can help easily manage all your passwords at one place. So use strong passwords and make sure to change them regularly for better safety.
Change your admin username and password: If you want to make it extremely easy for a hacker or bot to get in your WordPress site, all you need to do is keep your admin username as “ADMIN” and also use a generate password that is commonly known. A perfect example of this would be “password” or “abc123”. This is common knowledge, but you would be surprised with how many people are still using these silly passwords when setting up their accounts.
As for leaving the Admin username as “admin”, this is just giving hackers and bots one less thing they need to figure out. Since nearly all WordPress administrators are set up with the default name of ‘admin’, this is something all WP users should change immediately.
If coming up with and remembering unique usernames and passwords is a problem, there are plenty of password reminder tools out that that can store your password and even change it up every once in a while. And with this in mind, be sure to change your password often and make it more complex with numbers and capitalization.
Limit your login attempts: Brute force attacks is a common technique used by hackers to get access to a site (they usually try several combinations of usernames and passwords to login).
Here’s where you need a plugin like Limit Login Attempts which keeps you secure from brute force attacks when someone tries to login repeatedly with variations of common passwords.
Disable file editing: We all know that WordPress comes with an in-built editor that allows you to easily edit your themes, files etc. it’s a huge security vulnerability if a hacker gets access to your site. So disable file editing by adding the following simple code in your wp-config.php file.
- // Disallow file edit
- define( ‘DISALLOW_FILE_EDIT’, true );
Update, update, update: You might be using a lot of plugins on your site, most of which frequently gets updated. You should always update your plugins whenever there’s a new version available. Also, make sure to update WordPress to the latest version. Be sure to take a backup of your files before updating (in case if something goes wrong).
Use a backup plugin: If things go wrong, you should be able to easily restore all your files. You can use plugins like VaultPress, UpdraftPlus etc for taking backups. There are web hosts like WPX Hosting, SiteGround etc that offer free website backups as well!
2. Install a WordPress security plugin
Here’s a list of top 5 WordPress security plugins which are essential for any WordPress site.
1. All In One WP Security & Firewall: As the name suggests, it’s an all in one security plugin and firewall for all WordPress sites. It offers everything from the ability to change the default username to password strength tool to secure your sites from all security threats.
2. Wordfence Security – Firewall & Malware Scan: This is another popular WordPress security plugin which offers real-time firewalls and easily identifies and blocks malicious traffic.
3. BulletProof Security: From malware scanner and firewall to login security, this plugin offers you almost every single thing that you need to secure your site. It also offers you other useful features like database backup, Anti-Spam features etc to take your website’s security to the next level.
4. Anti-Malware Security and Brute-Force Firewall: Using this plugin, you can easily run a full scan of your WordPress sites to automatically remove known security threats, backdoor scripts, database injections and so on. If you’re afraid of malicious attacks on your site, this one’s a must for you.
5. iThemes Security: Another incredible plugin which is available both in free and paid versions and offers amazing features like locking down WordPress, fixing common security holes, stopping automated attacks and so on.
3. Invest in a secure web host
A lot of beginners use cheap or free web hosting. If you’re really serious about securing your WordPress sites, it’s essential to invest in a proper web hosting provider that’s fully secure and reliable.
A secure web host provides you with a ton of benefits including;
- 24/7 constant network monitoring
- Uses strong firewalls and network to combat DDoS attacks
- Always keeps their server software and hardware up to date to safeguard from hackers
- They usually offer fixed for you guarantee in case of security issues (just like WPX Hosting does)
Not just that, most secure web hosts offer you free SSL certificates as you need to move your site from HTTP version to HTTPS version if you want to encrypt your data.
To put it simply SSL (Secure Sockets Layer) is a protocol which encrypts the data transfer between your website and users browser and gives you extra protection.
4. Enable Two-Factor Authentication
Two-factor authentication (also known as 2FA) is a must for most WordPress sites as it adds an extra layer of security when logging into your WordPress websites. It simply means every time someone is trying to login, they should go through the two-factor authentication.
Here’s how it works.
After you open your login page on WordPress and enter your login details, you are asked to insert a code. The unique code is sent to your smartphone or email. Only when this 2-step authentication is done, you’ll be able to login.
That way, you are making it almost impossible for hackers to get access to your site because they need a verification code as well (apart from your login credentials). That’s why 2FA is so essential.
Implementing two-factor authentication is extremely easy thanks to plugins like Google Authenticator.
Here’s how it looks like:
As you can see above, this plugin provides 2-factor authentication whenever you login to your WordPress website ensuring no unauthorised access to your website.
5. Change your WordPress login URL
If you’re using the default login URL to log into your WordPress site like everyone else, you’re making a big mistake. Why? Most hackers can easily get access to login URL and use brute force attacks to hack into your site.
By default, the URL you use to log into your WordPress dashboard is either wp-login.php or wp-admin, added after your site’s main URL.
For instance, yourdomain.com/wp-login.php or yourdomain.com/wp-admin
Guess what, those two URLs are the most accessed URLs by hackers all around the world who want to get access to a WordPress site.
If you change that default URL into a custom long URL, guessing it would take a lot of time and effort for most hackers (and they eventually give up and try other sites).
So how can you change your WordPress login URL? You can simply install a plugin called WPS Hide Login. Although you can change it without any plugins but you need bit coding skills to do that.
If you’re a beginner, I recommend you to use free plugins like WPS Hide Login to turn your default long URL into something like yourdomain.com/I_love_my_site.
Here’s how it looks like;
As you can see above, it’s so much easier. The best part about using this plugin is that it’s a really light plugin which helps you easily change the URL of the login form page to anything you want. You don’t have to rename or change files in your WordPress site’s or rewrite rules.
6. Have an Automatic Backup of Your Site
Few things are worse than having your site hacked or lost. The only thing worse would be to have everything hacked, lost and never having access to all of the value site data and content you’ve written and published over the years.
It’s a horrible scenerio, but definitely does happen. Even worse, is that there are very simple steps that could have been put in place to make daily backups of your site in case something bad was to happen. Heck, even a common WordPress update can cause an error and wipe out your files.
For times like this, a WordPress automatic backup solution like Snapshot Pro is a dream come through.
Created by WPMU Dev, Snapshot Pro is loaded with features to keep your site updated, backed up and safe at all times. Such features include scheduled backups, hosted and stored backups on The Hub, mega storage at super low prices, direct to cloud backup files and the ability to control when, where and how your backup data is being stored. Even better, if you have a network of sites or running multi-site, the plugin covers that as well.
Snapshot Pro is just one of the many premium plugins offered by WPMU Dev. If you would like to keep your site safe and secure no matter what, it’s definitely worth the time to check out.
7. Update Any Old WP Themes or Plugins
As a WP user, you are probably familiar with all of the ‘updates’ messages whenever you log into your dashboard. These aren’t in place to keep you annoyed with constantly updating different components of your site, but to instead keep your site safe.
WordPress plugins and themes need updates all of the time, simply because WordPress is also updating all the time. When new patches or versions of WordPress come out, plugins and themes need to make sure they are updated and compliant as well. If not, leaving such plugins and themes as is and not updating can leave open vulnerabilities for bots and hackers to find their way in.
The good news is, many web hosting solutions now offer auto-update for all WordPress core, in addition to plugins and themes as well. If your current web host doesn’t offer these features, another option to explore is The Hub — which is a WordPress management tool hosted by WPMU DEV. This solution also includes access to Automate, which is a service that is included within the Hub to make scheduling updates super easy.
As with all updates, it’s always recommended that you have an updated backup file in place.
8. Protect Your Home Computer and Devices
Just as important as the health of your online sites and data, is that of the data and health of your desktop and home computer. Since you are likely using your computer to create content for your blog and accessing your WP dashboard, your data could be at risk should your computer, laptop or mobile device be compromised.
Some quick and simple ways to make sure you are protected are as follows:
- Use virus protection software and make sure it’s always up to date
- Change your passwords often and make sure they all aren’t the same
- Only use trusted software downloads and browser extenstions
- Clear your browsing cookies weekly
- Run weekly virus and malware checks on your computer
The last thing you want is for your site to be fully protected and safe, and then later find out your home computer has a key stroke checker and someone was able to gain access to your site or WordPress admin by watching what you do online. It’s rare, but it does happen.
9. Use Captcha Verifications Where Possible
CAPTCHA forms are super annoying, but they work very well. Having to type in those random letters or choose silly pictures in boxes are just the latest defence when it comes to security, bots and hackers.
Knowing how to set these options up on your site and where is also half the battle.
For example, it’s definitel a good idea to add a CAPTCHA to the main log in page for your WordPress dashboard.
Another good location is on any forms that you might have on your site. By leaving these forms open with a generic submit button only, not only will you see a lot more spam come through, there are also options for security leaks and robot hacks as well.
This can easily be accomplished by using the Google Captcha plugin for WordPress.
While such methods might be annoying on other sites when trying to fill out a form, they might just be a life saver when protecting your own site.
WordPress security checklist for 2020
Are you looking for an easy to use WordPress security checklist for 2020?
Here’s an incredible checklist of actions that you need to take to provide bulletproof security to your WordPress sites.
- ALWAYS keep your WordPress version (along with plugins and themes) up to date. Make sure to take backups before you update anything. That’s the basic rule.
- Never install nulled premium themes. They always contain malicious code.
- Always use strong passwords that are hard to guess. Make sure to change your passwords regularly.
- Change your default WordPress login URL (and admin username). You can do it manually or use plugins like WPS Hide Login, iThemes Security etc to create your own login URLs.
- Limit your login attempts as it helps you prevent brute force attacks performed on your site using tools or guessing methods.
- Install a firewall and disable file editing.
- Enable two-factor authentication for added security.
- Backups are essential for any WordPress site. If something goes wrong, you should be quickly able to restore all your files. You can either use tools like VaultPress or purchase a hosting that provides automatic backups (such as WPX Hosting, SiteGround and so on)
- Always clean up your spam comments and databases as it not only prevents spam but also speeds up your overall site loading speed.
- Remove inactive or unused plugins if any. Also, don’t install a plugin that’s not been updated since the last 3 WordPress core updates.
- Ensure your site is running on HTTPS version. You need to install SSL certificates to move your site from http to https.
- Make sure to install at least one WordPress security plugin like Wordfence
- Use a malware scanner and set up email alerts (so if something goes wrong, you will get notified immediately).
Final Thoughts On WordPress Security Tips
Most of the hackers use bots to automate the process of hacking into other sites. If your site is not safely guarded, it becomes so much easier for hackers to get access to your site.
That’s why you need to implement the RIGHT security measurements such as limiting login attempts, using strong passwords, using a secure web host, implementing two-factor authentication etc to secure your WordPress sites.
So what are your thoughts? Are you taking any security precautions to secure your sites? Share your thoughts in the comments.