WordPress security is a topic of enormous importance to every website owner. Although WordPress’s core software is extremely secure and audited regularly by hundreds of developers, there is a lot you can do to strengthen your WordPress website. If you are serious about your website, then you need to pay attention to the WordPress security best practices.
“60,000 Sites will be hacked today and each week, Google blacklists another 20,000 websites for malware and around 50,000 for phishing.”
Why Is Website Security Important?
A hacked WordPress site can seriously damage your business revenue and reputation. Hackers can steal user information and passwords, install malicious software, and even distribute malware to your users. Worst of all, you may find yourself paying ransomware to hackers just to regain access to your site.
WordPress Security
The following is a list of steps you can take to improve your WordPress security.
The Basics
Keeping WordPress Updated
This is your first line of defense and the most neglected. Set WP to update automatically and check your theme and plugins for updates at least once a month.
Passwords and User Permissions
Use strong passwords! This is so simple and the most common vulnerability. Assign only necessary permissions to users, not everybody needs to be an admin.
More Advanced
Enable Web Application Firewall (WAF)
A firewall for a website. These do offer a high level of protection. There are several plugins with SiteGuard and Cloudflare being the current favorites.
Change the Default “Admin” Username
Defaults are the first thing hackers go for. Can be changed manually or, you guessed it, with a plugin.
Disable Theme and Plugin Editors
By default, WordPress allows users to edit the theme and plugins from the dashboard. Disable the “Editor” function to prevent hackers from editing and copying files. Can be changed with an edit to the .htaccess file or a plugin.
Disable PHP File Execution
This one takes a little skill, but it locks down a specific directory, the ‘uploads’ folder for example, so that scripts placed there cannot be executed.
Limit Login Attempts
Prevents a repeated password-guessing attack. Hackers just keep trying until something works. Limiting the number of attempts stops this. There are plugins.
Change the WordPress Database Prefix
There is some debate about this one, and it should not be done lightly. Some say it offers no protection at all. This is best done at setup, but there are ways to change an existing database.
Password Protect WP-Admin and Login
Password-protect a page that already has a password? Think about it. It is an extra layer of authentication in front of the admin login page.
Disable Directory Indexing and Browsing
Directory browsing can be used by hackers to find out whether you have any files with known vulnerabilities. Takes an edit to the .htaccess file.
Disable XML-RPC
XML-RPC is a remote procedure call (RPC) protocol that uses XML. I know that may be Greek, but “remote procedure” should be enough. Takes an edit to the .htaccess file.
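The three .htaccess edits mentioned above (blocking PHP execution in the uploads folder, disabling directory indexing, and disabling XML-RPC), as an added example that is not from the original article. It assumes an Apache 2.4 server whose AllowOverride setting permits Options and AuthConfig directives in .htaccess; nginx ignores .htaccess files entirely and needs equivalent location blocks instead.

```apache
# --- File: wp-content/uploads/.htaccess ---
# Refuse any request for a PHP-style file inside the uploads folder, so an
# uploaded "image" that is really a script is never handed to the PHP engine.
# Apache 2.4 syntax (on Apache 2.2 use "Order deny,allow" / "Deny from all").
<FilesMatch "\.(php|phtml|php[3-7]|phar)$">
    Require all denied
</FilesMatch>

# --- File: .htaccess in the site root (alongside wp-config.php) ---
# Do not render a file listing when a directory has no index file.
Options -Indexes

# Refuse every request to xmlrpc.php. Caveat: this also breaks anything that
# depends on XML-RPC, such as the Jetpack plugin and the WordPress mobile app.
<Files "xmlrpc.php">
    Require all denied
</Files>
```

After saving, request a harmless test URL such as /wp-content/uploads/test.php and /xmlrpc.php in a browser; both should return 403 Forbidden, and a directory URL without an index file should no longer list its contents.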
Automatically Log Out Idle Users
Sessions left open by inactive users are a session-hijacking risk. Use a plugin to set a time period and log them out.
Add Security Questions to WordPress Login
For multi-user sites. Again, there are plugins that will add a security question to the login.
Have a Professional Do It for You
Security is a serious matter. If you’re not comfortable dealing with code and the backside of WordPress, then it’s always better to have a professional do it. That’s where Webguy.tech comes in.