10 tips to improve basic website security on WordPress
- Set up a unique and secure login and password
- Activate two-factor authentication
- Ensure human identification of the user
- Protect the wp-login.php file with a password
- Keep WordPress up-to-date on a regular basis
- Choose themes and plugins carefully
- Develop themes and plugins with care
- Use managed hosting
- Make sure that the access rights to files and folders are correct
- Conduct server-side security enhancements
After you have bought hosting, registered a domain and created a website, it’s time to think about its protection, because no one is immune to cyberattacks. The security of a website created on Wordpress is becoming more and more relevant, given the popularity of this CMS and the development of cyberattacks. We will share with you ten tips to help improve it.
Set up a unique and secure login and password
Without proper protection, your account becomes easy prey for hackers, and a username and password is the first and most important step to preventing such a scenario. So stick to the simple rules:
- Choose a unique username that is hard to guess. Avoid common names such as “admin” or your own name. Use a combination of letters in different case, numbers and special characters.
- Choose a complex and unique password. The combination should consist of 8, or preferably 10 or more characters, and include upper and lower case letters, numbers and special characters. Such a password will be difficult to crack.
Using a unique and strong username and password is a simple but effective way to protect yourself. It is important to update your credentials regularly and not use the same password on different sites.
Activate two-factor authentication
Two-factor (two-phase) authentication is a security method that requires users to prove their identity in two different ways before they can access their account. In simple words, two-factor authentication involves something you know (like your password) and something you have (like your phone).
You can activate it in the following way:
- Log in to your account.
- Go to the security settings section.
- Locate the “Two-Factor Authentication” or “2FA” option.
- Follow the instructions on the screen. This usually involves downloading an authentication app to your phone and scanning a QR code.
- Once set up, you will enter the code from the app every time you log into your account.
Activating two-factor authentication increases the security of your account, making it more difficult to hack.
Ensure human identification of the user
Identifying a user as a human, not a bot, is an important security measure, especially when signing up new users or submitting requests through forms on your site. Using a CAPTCHA system will help with this.
WordPress has many plugins that you can use to add CAPTCHAs to your site. For example, Google’s reCAPTCHA, Really Simple CAPTCHA, and WPBruiser.
Installing and activating a CAPTCHA is usually pretty straightforward:
- Log in to your Wordpress account.
- Go to the “Plugins” section.
- Click “Add New” and find the desired CAPTCHA plugin (you can use the ones mentioned above).
- Install and activate the plugin.
- Follow the instructions for configuring the plugin.
CAPTCHA is just one of many steps to improve the security of your WordPress site. To maximize the safety of the project, you need to use a whole set of measures, which can include all the recommendations from this article.
Protect the wp-login.php file with a password
Password protecting the wp-login.php file is another way to strengthen the security of your WordPress site. This can be done by using basic HTTP authorizations in the .htaccess file. For this purpose, you should create a hidden file called .htpasswd inside the /etc/apache2 settings directory. The password file can be created with the htpasswd.exe utility. This file will store usernames and passwords. If Apache is installed on the server, the utility is located in the Apache directory in the bin subdirectory. The command line interface is used to work with htpasswd.exe.
You can also use online .htpasswd generators to create the contents of the file.
- Create a .htpasswd file. This file will store usernames and passwords.
- Upload the .htpasswd file to a directory above the site root directory – visitors cannot access it.
- Add the following code to the .htaccess file, which is located in the root directory of your WordPress site:
AuthType Basic
AuthName “Private access”
AuthUserFile /path to/.htpasswd
Require valid-user
“AuthName” in this code stands for the name of the authentication, and “/path to/” stands for the path to the .htpasswd file.
Now every time someone tries to access the wp-login.php file, the browser will ask for a username and password.
Keep WordPress up-to-date on a regular basis
Not all users update WordPress on a regular basis, and for nothing. After all, this is an important step to ensure the security of the site. Updates often include fixes for vulnerabilities that can be exploited by hackers to attack a website. Updating Wordpress is pretty simple:
- Create a backup of the site. This will give you the ability to quickly restore it if something goes wrong during the upgrade.
- Check for updates. Log into your WordPress admin and go to the “Updates” section. Here you will see if there are any updates available for WordPress, themes or plugins.
- Update WordPress. If an update is available, click the “Update Now” button. This process usually only takes a few minutes.
- Update themes and plugins. After updating WordPress, check to see if there are updates for your themes or plugins. This can be done in the same “Updates” section.
After the update, check the main functions of the site and make sure there are no issues and everything is working correctly.
Choose themes and plugins carefully
When choosing WordPress themes and plugins, it’s important to be cautious as they can pose potential security risks. Therefore, it is important to follow the tips below:
- Download themes and plugins only from reliable sources such as the official WordPress directory. Avoid “free” versions of paid themes and plugins offered on unscrupulous sites – they may contain malicious code.
- Before installing a theme or plugin, check reviews and ratings. If they have a lot of negative reviews or a low rating, that could be a red flag.
- Check when the theme or plugin was last updated. If it was a long time ago, this may indicate that they are no longer supported and may contain vulnerabilities.
It is also advisable to minimize the number of plugins used. The more plugins you use, the more “entry points” you have for potential hackers. So only use the ones that are really necessary for your website. In addition, a site overloaded with plugins runs slower.
Develop themes and plugins with care
When developing themes and plugins for WordPress, it’s important to follow best practices to ensure site security and performance. If you are creating themes or plugins on your own, follow a few rules:
- Follow WordPress coding standards. WordPress provides official coding standards that help ensure code compatibility and security. Following these standards will help avoid common errors and vulnerabilities.
- Utilize proven safety features. WordPress offers a number of built-in security features, such as utilities for data cleansing and checking user privileges. Utilizing these features will help protect the site.
- Test the code. Before publishing a new theme or plugin, make sure you thoroughly test them on different WordPress configurations.
- Update themes and plugins. Once a theme or plugin is published, it is important to keep releasing updates to fix bugs that may be discovered in the future. The best themes and plugins continue to be developed by developers for years.
Well, naturally, don’t forget the golden rule – before making any changes to themes or plugins, always back up your site. This will keep your data safe if something goes wrong.
Use managed hosting
Managed WordPress hosting is great for those who want to focus on growing their business rather than technically managing their website. Here are a few of the main benefits that make it worth considering using managed hosting:
- Safety. Managed hosting offers enhanced security measures including automatic updates, backups, and protection against DDoS attacks. This will help keep your website safe from cyberattacks.
- Performance. Managed hosting services are typically optimized to work with WordPress, which can improve page load speeds and overall performance of your site.
- Support. Most managed hosting services offer 24/7 support for WordPress. This means you can always reach out and get help when you need it.
- Convenience. With managed hosting, you don’t have to worry about website maintenance. All server updates, backups and other tasks are performed without your direct involvement. You can focus on the development of the project.
When choosing a managed hosting service, it is important to consider several factors including cost, security features, quality of support, and reviews from other users.
Make sure that the access rights to files and folders are correct
Properly configuring file and folder permissions on your WordPress server is a critical part of securing your site. Improperly set permissions can give hackers the ability to modify the content of a website or even gain full control of it. So let’s take a look at the recommended permissions for WordPress:
- All files must be set to 644 or 640. This means that the owner of the file can read and edit it, while all other users can only read it.
- All folders and directories must be set to 755 or 750. This implies that the owner can read, edit and view the contents of the folder, while all other users can only view the contents.
- The wp-config.php file should be set to 400 or 440. This access code stipulates that only the owner can view and edit this file.
You can use an FTP client such as FileZilla to check and change permissions on files and folders. Remember that changing these settings can affect the performance of your site, so always make a backup before making any changes.
Conduct server-side security enhancements
Increasing server-side security is another key aspect of security. Here are a few strategies to help you secure your server:
- Update the operating system and server software regularly. Updates often include fixes for vulnerabilities that can be exploited by hackers.
- Set up a firewall. It will help protect the server from unwanted traffic and attacks. Turn it on and make sure it is set up correctly.
- Use SSL. It encrypts the data transmitted between your server and your visitors’ browsers. Make sure you have a valid SSL certificate installed from a verified publisher.
- Restrict access to the server. Use complex passwords and two-factor authentication to strengthen security.
- Conduct monitoring and audits. Check the server logs regularly for suspicious activity. This will help you quickly detect and respond to potential threats.
And where can you go without backups? It is important to back up all of your server content on a regular basis. In the event of an attack or outage, you’ll be able to quickly restore your site. Backups are like saves in games, only it’s not the fate of your virtual character that’s at stake, but a very real website that contains valuable information and brings you profit.
Securing a website is a rather complex and multi-step process, but a necessary one. We hope that from this article, you have learned better how to protect your Wordpress website. By using the above tips and combining them, you can protect yourself from hacker attacks and other threats.