Security is the biggest concern for every site owner when it comes to running a business online. This huge burden is all on the site owner to ensure the security of its website. Whoever is responsible for the improper security measures at the end this burden will be all on your shoulders because you somehow failed to keep your site fully secured by not doing the essential security practices. So, this huge responsibility lies solely on the site owner to ensure his team or other members to implement high-security tactics. To make it easy, we have extracted out the 20 Best Tips to increase your WordPress Security in 2019 which you will see further in this article.
Tips to Increase WordPress Security
No doubt, WordPress is secure in itself but there are some practices you must do to make sure that your site is not prone to vulnerabilities or security threats. In this modern digital world, there do are site owners that do not adopt the best security practices which leads their site vulnerable to attacks. Though we cannot keep the foolproof security to our site, we can add extra layers of security to it by implementing the following security measures:
1. Change The WordPress Default Username
By default, WordPress automatically uses ‘admin’ as the default username. Never use this username. I repeat never because everyone knows this default username by WordPress. If you continue to use this default username with a weak password, there’s a very high chance that your website is vulnerable to malicious attacks. Still, there are people who use this default username as it is quite easy to remember but they are unaware that this username makes your site highly vulnerable to hackers.
There are different ways to change the default username for your site. One of which is using plugins. You can use the Username Changer plugin with which you can easily change your default username.
To change the username manually, log into your WordPress dashboard, click on ‘Users’ and choose ‘Add New’. Now here, write your new unique username, fill in the other required fields and select ‘Administrator’ in the ‘Role’ drop-down menu residing in the last. This new user ‘Administrator’ has the role of admin from now on. Hit ‘Add New User’ button lastly. Now, log out of your dashboard and again log in to it by using the new username. However, you also need to delete the default username. To do this, click on ‘All Users’ in the ‘Users’ option. There you will see the user ‘admin’, click on delete. Now, a small window will appear on the screen in order to confirm the deletion. Check the ‘Attribute all content to’ option and choose the new username from this drop-down menu and confirm the deletion. This way your username has been changed manually whilst deleting the default admin username.
You can also choose to change your admin username by using phpMyAdmin from cPanel. This is highly technical and complicated and can be risky for non-technical people. So, when we have an easy way to make changes why opting the complicated one? Avoid this and choose from the other two methods.
2. Employ Two-Factor Authentication
How to secure WordPress website from hackers? People often have this question in their minds. One of the best answers to this question is to employ two-factor authentication to the WordPress sites. This way hackers won’t be able to log in without authentication. The 2-Factor Authentication by miniorange is one of the best plugins that provides your site with an extra layer of security. The plugin also provides multi-site support including backup plans that come with different pricing plans.
However, it provides users with many authentication methods that include:
- Google Authenticator
- QR Code
- Push Notification
- Soft Token
- Security Questions (KBA)
- Authy Authenticator
- OTP Over Email
- OTP Over SMS
- OTP Over SMS and Email
- Email Verification
- Hardware Token
It depends on you which method you opt for the two-factor authentication.
3. Hide Your Username in the Author Archive URL
Same like the default username, this is another way with which hacker can easily get to your username. In the author archive URL, WordPress by default displays your username like this:
This can be quite risky for your site’s security. So, in order to protect your site, you need to hide your username in the author archive page. To do this, Click Here to take a guide on hiding the username from the author archive URL.
4. Limit The Number of Login Attempts
This is one of the useful WordPress security tips as it can solve the big problem of continuous brute force attempts. Brute force attacks are the guessing of usernames and passwords repeatedly in order to hack it. The hackers use a software that automatically tries to gain access to your website by repeatedly trying to guess the username and password until they finally get in. So, in order to avoid this kind of brute attack, you should limit the login attempts. Loginizer is a plugin that aid you to protect your site against brute force attacks by blocking the IP until it reaches the maximum allowed login attempts.
5. Change Your Login URL
Changing your WordPress login URL adds another security layer to your site. This is useful for your site’s security because hackers know the default login URL used by WordPress. So, to keep your site safe, you should change your login URL. Rename wp-login.php is an open-source plugin with which you can easily and safely change your WordPress site login URL. For a better understanding, watch the video below that guides you to change your login URL using Rename wp-login.php plugin:
6. Implement Strong Passwords
Implementing strong passwords is effective and one of the easiest ways to prevent brute force attacks. A mixture of uppercase and lowercase letters, numbers, symbols or special characters makes a password highly strong. It has been observed that most hacking related activities become successful due to weak passwords. So, this is a thing to work on and make these hacking activities fail by using strong passwords or by using a plugin ‘Force Strong Passwords’ that generates strong passwords for your site. However, WordPress gives an amazing article on ‘Selecting a Strong Password’ that guides to use better methods such as opting a password manager.
7. Password Protect the wp-admin Directory
The wp-admin folder in the directory is the place where all the functions are performed by the administrator. This, you can say, is the heart of WordPress site as the main file admin.php resides in this directory that enables connection with the database and performs key functions. If this directory gets attacked, then the whole website can get damaged. So, to protect the directory, you must have to put a strong password for giving access to the admin area. By implementing this, you will have to access the dashboard by giving two passwords: one for login and the other for the admin area (wp-admin). AskApache Password Protect plugin will prove to be highly useful in this regard.
8. Secure the wp-config.php
Likewise, strong password for your database ‘wp-config.php’ is also a must-have as this is the place where all your site’s data and the information is stored. You need to take care of it by implementing strong passwords so that no one can get access without permission. For this, you can use LastPass or Secure Password Generator for generating and storing strong passwords.
9. Get The SSL Certificate
One of the essential things to do for online businesses is to create a trusted platform or environment where the customers feel safe while making purchases. This can be done by getting SSL certificates. A Secure Socket Layer (SSL) certificate provides an end-to-end encryption to the server and the browser so that the third party in between or public cannot see their important credentials and credit card numbers. If revealed, this can create huge problems for both the buyer and the seller. So, you need to build a foundation of trust for your potential customers in order to keep the important information safe.
10. Change the wp_ Database Table Prefix
As the database holds all the important information and data in it, its security is highly essential. While password protecting the database is one way of securing this, the other way is changing the WordPress database table prefix. When installed, WordPress by default creates 12 tables in it naming each prefix with the wp_ prefix. This can be vulnerable for your site’s security as hackers know all these common prefixes. You will need to change each of the database table prefixes. But before doing anything with your database, always make a backup first then make changes. If you do not know how to change Database table prefix, Read this article which provides a comprehensive and useful guide to this.
11. Ensure Regular Backups
Even with high-security measures, your site can be exposed to attack when something unexpected happens. So, you need to always prepare for the worst. Backing up is like a security blanket for your site. If, for some reasons you lost your data or your site gets damaged or attacked, the backed up site will help you to go from where you stopped rather than start from the scratch. There are plenty of plugins for making backups for the WordPress sites. Updraft Plus is the most trusted backup plugin used by over 1 million WordPress sites. So, make regular backups using this plugin and you are good to go.
12. Set Your File Access Permission Carefully
Setting the correct directory permission is a good way to make your website more secure. The best file permission for fully securing the website is to set all the folders to ‘755’ and all the files to’644’. This way you will protect your whole system. We have explained the permission modes in one of our previous articles. Click Here to understand more about file permissions. However, you can change your file permissions by navigating to the file manager inside your hosting cPanel. Watch the video below to see how to change file permissions via your hosting Control Panel.
13. Disable File Editing
If any user has access to the WordPress dashboard, he can edit all files and make changes including themes and plugins. To restrict the users from making any changes, you will need to disallow file editing. By doing so, nobody will be able to edit anything except you. To do this, you will have to add a code in your wp-config.php file above this code /* That’s all, stop editing! Happy blogging. */.
The code you will have to add is:
define( ‘DISALLOW_FILE_EDIT’, true );
14. Prevent Hotlinking
Hotlinking is basically the stealing of an image or file through other websites just to embed it on your site. This means the embed image you have uploaded on your site is serving on that website’s server from where you have picked it. Instead of saving it and then uploading it, the embed image can be fatal because when that website decides to remove the image, then that embed image will automatically get broken on your end too as it was not serving on your server. This reflects that you have less control over your website’s visuals. So, this can happen to you too as other people can hotlink your images to their websites. This is why you need to block hotlinking. To do this, you can use ‘All In One WP Security & Firewall’ plugin that comes with a built-in ability to prevent hotlinking. However, there are also many other techniques to block hotlinking in which using a plugin is the easiest one. This is why we recommend this method.
15. Always Stay Up-to-Date
Staying up-to-date can solve a lot of problems. Websites are more prone to security issues if they haven’t been kept up with the latest time. These updates are specifically done to fix bugs. Not updating can prove to be risky for your site security. However, WordPress provides its users the privilege to notify them every time about the updates. Many users out there don’t bother to keep their plugins and themes updated, which hackers take advantage of. So, it is recommended to keep everything up-to-date, plugins and themes as well.
16. Remove The Version Written On WordPress
Displayed in your site source view, the WordPress version number can result in site’s hacking because it will be easier for attackers or hackers to attack the site perfectly. This is why it is recommended to remove WordPress version number. To do this manually, you will have to write the code in your theme’s functions.php as:
Another way to remove version number is by using Remove WordPress Version plugin with which you can easily get your work done.
17. Opt A Secure Hosting Service
According to the WP White Security, a WordPress security expert, 41% of the websites got hacked due to the security vulnerability on their hosting platform. This means all your efforts will be in vain if you do not have a secured hosting platform. While choosing a host, do not always go for the cheapest ones. So, make sure to opt a rich and secure platform. However, WordPress.org itself recommends some best hosts to opt from. You can click on this link https://wordpress.org/hosting/ to choose the best one among all.
18. Log Out Idle Users
Your WordPress site users can intentionally or unintentionally leave your site open that can lead to serious security issues. This way, your users are openly inviting hackers to hack or damage the site. But you can avoid this by logging out all the idle users from your site. BulletProof Security is a plugin that can help you out in resolving this issue. You can log out all the inactive users by applying a time limit with this plugin.
19. Use The Latest Version of WordPress
Every latest version of WordPress fixes the real security issues or anything vulnerable in it. Not upgrading with the latest version means you are missing out important features as well as leaving your site open to attacks. WordPress always updates its users to upgrade to the latest version whenever its new version comes. So, it will be not that difficult for you to upgrade you’re the WordPress itself. However, you can see in the WordPress Statistics that there are still many users out there who are not using the latest version of WordPress.
20. Download Plugins and Themes from Only the Known Sources
Always do a proper and careful research before downloading any theme or plugin. Also, avoid using free themes or plugins because there are more chances that these free things contain base64 encoding than can inject your site with spam links. This is why a thorough research is necessary and is recommended to download themes and plugins from only the trusted sources.
Before heading towards our final thoughts, let’s answer some of the queries often asked by the people:
What Is WordPress Security?
WordPress security as the word suggests is the protection of the WordPress site which carries huge importance. This thing should be carefully implemented and not be taken for granted because hackers and spammers are always finding their prey to attack. So, always make yourself ready to cope up with this.
Does WordPress have Security Issues?
WordPress itself is a very secure platform and will prove to be secured for your site only if necessary security measures are taken and followed carefully. WordPress is no doubt secure but there are certain security responsibilities to the site owner’s end to be followed as explained above in this article.
What is the Best WordPress Security Plugin?
There’s not only one best WordPress security plugin, in fact, there are numerous. Naming a few of them:
All these security plugins have their own distinguished features but personally, among all, I would recommend using ‘Sucuri’. This plugin not only helps you harden your WordPress site security but also provides the best WordPress firewall protection.
How do I Make my WordPress Site https?
You have seen different sites’ URL starting with HTTPS while some with HTTP. It looks like a minor difference but in reality that ‘S’ makes a huge difference which stands for the Security. Sites having HTTP at their start means they are not secured while HTTPS sites ensure security that provides end-to-end encryption between the server and the browser. If your site starts with HTTP, then you can make your WordPress site HTTPS by getting the SSL Certificate.
Locking It Down
Hardening the security of your WordPress site is not as tough now as you think. In fact, it has become easier with the advancement of tools and the availability of plugins. There are different ways that not only make your site security well but can make your WordPress website better as a whole. However, the above-mentioned tips contain the easiest practices to tighten your site’s security. If you have any queries regarding the security of your site, you can let us know in the comment section below. For further assistance, contact us at firstname.lastname@example.org or call us at 832-699-0088.