While WordPress is a popular CMS with more and more websites using it, it has a dark side too! As the WordPress site owners are continuously growing, chances of security violations and hacks are also on the rise.
Therefore, if you too own a WordPress site, checking and ensuring that your site is safe and secured is a must.
So, read on to know the security tips and tricks that you can follow to secure your WordPress site.
- Select the Hosting Provider Wisely
Always ensure that the hosting provider you invest in incorporates adequate security features.
A few of the features to look for while choosing a hosting provider are:
- Compatibility with the latest updated version of MySQL and PHP.
- Malware scan along with regular security backups
- DDOS prevention
- 24*7 security monitoring
Remember – your hosting provider can be the first and easy target for hackers.
So, always invest in an expensive and good-quality hosting provider that secures your site better.
- Update ‘Everything’ Regularly
Keeping everything – WordPress version, themes, and plugins updated is highly important. This is because the older our ‘outdated’ versions of WordPress, themes, and plugins are more vulnerable to security hacks.
On the other hand, the latest version of all of them come with enhanced security patches and strengthen your site security.
- Use Login Credentials Judiciously
Don’t just go for an easy username and password that anyone can guess.
While setting your login credentials, remember to make them strong and unique to mitigate any chances of easy guesses.
Here are a few tips you can consider while choosing a password for your site.
- Use a long password instead of a shorter one.
- Use some uncommon words. Avoid using digits or letters in a sequence like ‘1234’ or ‘abcd’. Also avoid using common interest-based words like ‘basketball’, ‘football’, etc.
- Never use publicly known details like your name, parent’s name, or house name, etc. as passwords.
- Use a combination of uppercase, lowercase and special characters judiciously.
- Move to SSL/HTTPS
Installing an SSL certificate is one of the most valuable steps in securing a WordPress site but is often overlooked. SSL stands for Secure Sockets Layer – a protocol encrypts your site and makes it really tough to intrude into it for hackers.
By installing an SSL certificate, run your site on HTTPS instead of HTTP (Hypertext Transfer Protocol). To check whether your site is running on HTTPS, check for a padlock next to your website address that shows your site has an SSL certificate installed.
Besides ensuring a safe connection between your website and browser, it also helps rank your site higher in Google search results. This is because Google also uses HTTPS as a ranking factor to rank your site high or low. Moreover, when your customers visit your site and see the padlock sign over there, they trust your site more and its credibility increases automatically.
- Use Two-Factor/Step Authentication
Though a strong password is always of vital importance, there are still chances that someone can steal it. To tackle such a situation, two-factor authentication can come to rescue.
Basically, this type of authentication involves two steps in which you don’t only need a password to log in to your site but also a secondary piece of information. This info can be anything – a phone call, an SMS, a time-based one-time password, etc.
In most cases, this method provides 100% protection against the stealth of passwords. Simply because a hacker generally can’t access both your primary password and secondary authentication method.
- Lockdown Your WordPress Admin
Sometimes, hackers can easily find certain backdoors to your site and attack it. However, if you lockdown your WordPress admin area, chances of these attacks get reduced drastically.
You can lockdown your WordPress admin in two ways –
- By changing your WordPress LogIn URL
- By limiting the number of login attempts
These two ways can help secure your WordPress site more strongly and efficiently.
- Backup Timely
A backup of your site content must always be there. Even in the worst-case scenario when your site data is lost or tampered with, you can restore your site in very less time if you have backed up your data.
On the contrary, in the absence of an accessible backup of your site data, you will have to start from scratch that can waste both your time and money.
So, always ensure taking backups of your site through using WordPress backup services like VaultPress, CodeGuard, etc. and plugins like Duplicator, BackupBuddy, etc.
- Secure Your Database
To strengthen your WordPress database security, there are a few methods listed below that you can follow.
- Use a well-thought database name. For instance, if your site is named FoodCourt, your WordPress database most likely will be named wp_foodcourt by default. To avoid the easy access to this database name, change it to some obscure database name. This will make identifying and accessing your database details more difficult for online hackers.
- A second method is using a different database table prefix. By default, WordPress uses wp_. Change this table prefix to something obscure, say – 93xy_. This will detract hackers and ensure far better security.
- Restrict Database Usage Privileges
Check for your file and server permissions on both your installation and the webserver.
Set the permissions correct across your employees.
Let’s look at all the file and directory permissions to give you a better understanding.
- Read permissions to assign the rights to read the file to the user.
- Write permissions to assign the rights to write or edit the file to the user.
- Execute permissions to assign the rights to run and/or execute the file as a script to the user.
Similarly, directory permissions can also be of three types including:
- Read permissions to assign the rights to access the contents of a file/folder to the user.
- Write permissions to assign the rights to add/delete files within a file/folder to the user.
- Execute permissions to access the actual directory and execute commands or perform different functions like deleting the data in the folder/directory, etc.
Therefore, take proper care while assigning the file or directory rights to your users to enhance and ensure security.
- Protect Your Site against Hotlinking
When any other website uses your site’s URL to point directly to an image or another media file, it is called hotlinking. Though not directly a security breach, it still is considered a ‘theft’. Consequently, hotlinking can result in unexpected costs that you may have to incur due to legal ramifications and a high hosting bill if the site that stole your image(s) is traffic-heavy. It further can result in slow site loading.
Though some manual techniques can also prevent hotlinking, an ideal and long-lasting solution is a security plugin that can block hotlinking effectively.
- Secure Your wp-config.php file
When it comes to WordPress security, your wp-config.php file is the most crucial file.
The reason is that this file has all the vital information about your WordPress and security keys responsible for handling the encryption of information in cookies.
To secure wp-config.php file, you can:
- Move wp-config.php
By default, your wp-config.php file is there in the root directory of WordPress. But you can move it to a non-www accessible directory.
- Update Security Keys
WordPress security keys are a set of random variables that help enhance encryption of information that users’ cookies store. After WordPress 2.7, there are four different keys in WordPress – AUTH_KEY, SECURE_AUTH KEY, LOGGED_IN KEY, and NONCE_KEY.
On installing WordPress, these keys get generated randomly. But in case you have gone through multiple migrations or bought a site from somebody else; using fresh WordPress keys is advisable. WordPress offers a free tool for generation of random keys that you can use to update your current keys your wp-config.php stores easily.
- Disable File Editing in Your WordPress Dashboard
If your WordPress site has multiple users or administrators, WordPress security can become even more complicated. Giving authors or contributors an ‘administrator’ access can be risky. Hence, giving users the correct roles and permissions so that they don’t break anything.
Simply disable the ‘Appearance Editor’ in WordPress to avoid this situation to prevent a hacker from editing files even if they gain access to your admin panel. You can add the following code to prevent hackers from editing a PHP file or theme using the Appearance Editor:
Define (‘DISALLOW_FILE_EDIT” true);
In a Nutshell
There are a lot of ways to make your WordPress secured. Using strong and clever passwords, keeping WordPress, themes and plugins up to date, selecting a hosting provider and some other steps as mentioned above can help enhance your WordPress security and keep your site up and running.
Good luck with your WordPress security!
Author Bio : Mr. Pratik Shah is Creative Head of Brush Your Ideas, a Web-to-Print technology solution offering custom Product design tool and Web-to-Print Storefront Solutions. He has been giving his valuable tips and suggestion about WooCommerce Product Designer