There’s no reliable way to fully make your point secure, but there are some simple ways you can take to boost security and put up a good fight. This ebook will educate you on why WordPress sites get targeted in the first place and also walk you through 11 easy ways to increase security. Ready? Let’s toughen up your site!
Why do sites get targeted?
To help you understand how to keep your site safe, it’s important to first understand why hackers attack websites in the first place. Especially if you only run a particular blog or small eCommerce shop, no one should want to mess with it, right?
Not necessarily. Hackers go after websites for three main reasons:
• They want to use your site to send spam messages.
• They want to steal access to your data, mailing list, credit card information, etc.
• They want to infect your site to download malware onto your visitors’ machines or your own machine.
Malware, or malicious software, can be installed in a way that makes it very hard to detect. Great for the hackers, not so great for your site. Hackers will frequently do this to use your site in larger scale attacks, such as a Denial of Service attack.
Why do hackers target WordPress, specifically?
The short answer – because it’s popular.
Put yourself in the mindset of a hacker for just a second. However, would you spend all of your time trying to find vulnerabilities on a platform only used by 500 websites, or would you try to break the platform with hundreds of millions of sites? Because WordPress is so extensively used, if you want to take over a lot of websites for your own unrighteous purposes.
The WordPress core is veritably secure, which makes it hard enough to hack into. But because anyone
can write fresh tools for WordPress, such as themes and plugins, it’s possible that not all extensions live up to the same security norms as the WordPress core. It’s possible for a very popular plugin to have security weaknesses that can impact thousands of WordPress sites all at once.
Don’t fret, however; the open-source nature of the platform is also what makes it strong. It’s what allows white hat hackers to find exploits and report them fluently so holes can be renovated. It’s what allows developers to help improve security over time. It’s what allows third parties to
produce indeed stronger security results that can be installed right on top of WordPress.
The bottom line is that your WordPress site could get targeted at any moment (that’s true for any site). But there are several things you can do to increase security and make it
a little harder for hackers to mess things up.
Here’s a list of some of those redundant ways to enhance your site’s security, starting with the most introductory (and essential), working up to the more advanced options that may not be necessary or practical for everyone.
01. Use smart usernames and passwords
It seems egregious, but numerous WordPress users overlook this vital security measure. Your username and password is to WordPress what locking your front door is to home security, and it doesn’t matter how good your security system is if you leave the door open for anyone to walk through.
As for the username, steer clear from picking something typical like “admin” or the name of your site. Those will be the first thing a hacker tries to guess. The same rule of thumb goes for the password; don’t pick anything obvious. However, something readable, used on multiple sites, or if your WordPress password is really short. If you have trouble coming up with a random password (or you want to be redundant secure) you could always try using a tool such as 1Password or LastPass.
Still, you can add the Force Strong Passwords plugin to make all users keep their passwords strong, if you have a site with multiple WordPress users or allow visitors to create their own accounts.
02. Keep themes, plugins, and WordPress streamlined
Updates can be a pain to keep up with, especially if you have lots of plugins installed on your WordPress site. But it’s critical that you try. Themes and plugins can sometimes have security vulnerabilities, which are fixed by the developer as soon as they’re discovered. It’s important to update regularly because many malicious bots specifically search for out-of-date plugins and themes with known vulnerabilities. Plus, updates often patch other bugs and improve usability, so it’s a win-win situation!
And when installing new plugins, be sure to check if they have any known and unfixed issues. You don’t have to give up on a plugin that has a history of vulnerabilities – most of the popular plugins will show a warning – but it’s certainly
good to note when comparing options.
Aside from streamlining your themes and plugins regularly, staying on top of WordPress core updates is pivotal. In fact, wordpress.org recommends it for security protection. However, you’ll see an announcement in the WordPress dashboard if there’s an update ready.
03. Uninstall inactive plugins and themes
Inactive plugins and themes can still pose security vulnerabilities and take up server resources. It’s wise to uninstall any plugins or themes that are not actively being used.
However, keep in mind that you can always reinstall themes or plugins later if you need to. If this idea stresses you out, just remember that you have the option to reinstall them when necessary.
04. Add Captcha
There are several variants of Captcha available, but they all serve the same purpose: to verify that the user filling out a form is human. While Captcha may have been considered inconvenient in the past, it has improved greatly in recent times. It protects various forms on your website, helping to prevent spam and thwart hackers.
05. Limit the number of login attempts
Some hackers employ brute-force attacks by continuously attempting to guess usernames and passwords to gain access to your website. To counter this, there are plugins available that can limit the number of login attempts from a single IP address. These plugins block further attempts after a specified limit on retries is reached, making it difficult or even impossible to carry out a brute-force attack.
06. Add an SSL certificate
SSL, or Secure Sockets Layer, is a protocol used to secure and encrypt communication between computers. In other words, it helps keep sensitive information on your website incredibly secure. This includes data such as passwords, credit card information, and banking credentials—basically, any information that you and your users would want to keep safe. SSL is visually indicated by the little green padlock icon in the address bar of your web browser.
While SSL may not technically be necessary for all websites, it is highly beneficial (and essentially required) for any WordPress website that collects sensitive user information. Even if your website doesn’t collect sensitive data, an SSL certificate still helps to secure your website’s transmissions and builds trust with your users.
Another significant reason for adding an SSL certificate to your WordPress website is for SEO purposes. Google has announced that they will flag websites that store passwords or credit card information without SSL as insecure, as part of a long-term plan to mark all websites, whether they collect information or not, as insecure. In other words, if your website doesn’t have an SSL certificate installed, it could seriously harm your traffic and conversions.
07. Add two-factor authentication
Another way to enhance security against brute-force login attempts is by setting up two-factor authentication. This system requires two verifications—a password and an authentication code sent to your phone or email—to log in.
While it may take a little extra time for trusted individuals to log in, it significantly increases the difficulty for unauthorized users to gain access to your website. You can add two-factor authentication to your WordPress website login, and some hosts offer it for your hosting account as well.
Two-factor authentication may take some getting used to, but it’s definitely worth it in the long run!
08. Move your WordPress login screen
Numerous WordPress hacks come from vicious bots that are programmed to scan the web looking for WordPress sites. Once they find one, they’ll add “/wp-admin” to the end of the site’s URL to access the login screen and attempt to force their way in.
The Rename wp-login.php plugin allows you to change the location of your login screen from “/wp-admin” to whatever you prefer. You could use something like “/mysitelogin” or “/open-sesame” or anything else your heart desires! Regardless of your choice, any user who tries to use the old “/wp-admin” link will simply see an error message, which will help thwart bots and would-be hackers in their tracks.
Note: Moving your WordPress login screen will mean that you’ll need to share the new login URL with anyone who needs to log into WordPress on your site, or they won’t be able to access the admin area.
09. Use CloudFlare
This is more of an advanced option and not something that everyone needs, but CloudFlare is an external service that acts as a kind of “buffer” between your servers and your users. CloudFlare offers numerous security and performance options, many of which are available on their free plan.
While most sites don’t need to worry about DDoS attacks, CloudFlare is excellent at preventing those, since your server’s IP address will be effectively masked. CloudFlare also offers a variety of other security options, including blocking IP addresses or specific regions.
10. Back up your site regularly
Backing up your site regularly is a safety net that will make your life easier if hackers do find their way into your site. By having a recent copy of your site, you’ll be able to easily restore your content before it was compromised and won’t be stuck trying to figure out what to do next.
Moral of the story: While WordPress is generally secure, it’s important to be proactive with your site and have a plan in place for the day it does get compromised (AKA backups!). We promise it’ll all be OK.