How to secure Wordpress

How to secure Wordpress

WordPress security - everything you need to know

Wordpress is the most popular way to create your own website. However, it only takes a few careless moves to attract the attention of hackers. Learn how to secure websites and which elements to pay attention to and how to keep your site secure. See how to secure wordpress and how to take care of the system.

From this article you will learn:

  1. How to secure a site on WordPress
  2. How to take care of WordPress login security
  3. Are plug-ins sure to increase security?
  4. What are the consequences for not securing WordPress sufficiently?

Spis treści


Why is WordPress security so important?

The huge popularity of WordPress makes it the most vulnerable CMS to hacking attacks. However, most of them are due to inadequate security, so the webmaster should do everything possible to avoid the threat.

Today, 42% of the web and sites run on Wordpress

In addition to smaller incidents, which occur quite frequently, there is no shortage of massive attacks.

130 million attacks on 1.3 million sites

By the end of May 2020, hackers had launched as many as 130 million attacks on 1.3 million sites. Cybercriminals exploited XSS vulnerabilities in plug-ins and image templates, allowing them to gain access to configuration files.

34 million Brute Force attacks

Meanwhile, Wordfence - the maker of one of the security plug-ins - recorded as many as 34 million Brute Forre attacks in one month alone. Meanwhile, attacks that exploit security vulnerabilities reach numbers as high as 3.8 million per day.

While it's difficult to ensure a site is 100% secure today, the risks can be greatly reduced. Just keep in mind some good practices that can protect your site from data leakage or security breaches. Learn the details!

Don't have time ? Order a remote administrator to assist you

We provide care and administration of your website in convenient and flexible hourly packages.

More about administration and care service for websites

If you don't know how to go about it, entrust the creation of Wordpress websites to our interactive agency.


How to secure WordPress?

Securing a site on WordPress largely depends precisely on its maintainer. We suggest what you should do yourself to protect yourself from hacker attacks. The methods presented are very simple, but extremely effective. Learn a few rules that you can't pass by.

WordPress update

A key role for securing WordPress is keeping the CMS, PHP, themes and plugins up-to-date. Each new version includes fixes that reduce the risk of attacks. On the other hand, using older solutions opens the door to hackers.

You can update plugins from the WordPress admin panel (the "cockpit" and "updates" section). On the other hand, you can find the current PHP version in the section related to managing hosting services. Take care to perform updates regularly, as the developers are constantly working to improve WordPress security.

Single plugin updates

A good practice is to do plug-in updates one at a time. If you do it at the same time, in case at least one of them fails, you will be faced with a time-consuming search for the non-functioning one. It's also a good idea to remember to download plugins from verified sources, although we'll talk more about that in time.

Manual method of updating wordpress

To update WordPress to the latest system, you should also use the manual method. To do this, disable all plugins, unzip the archive, and then copy the files, agreeing to overwrite them. Later, just go to the administration panel and confirm the update.

See also Elementor known bugs and issues

Frequency of backups

Wordpress security is affected not only by updates but also by proper care of the system.

The frequency of backups depends on, among other things, the frequency of content updates or the degree of change. If you update content once every few months, you don't need to worry about more frequent backups. The same goes for minor changes to the site (such as correcting typos). However, it's completely different if you update plugins, make significant changes to content or add or remove pages. Then a backup will be necessary and will allow you to restore the last version of your site in case of failure.

Remember also that it doesn't always make sense to update right after the latest version is released. If you're running a sales campaign or an important webinar on the site, it's safe to wait to take care of conversions first.

Find out what hours the hosting provider's support is available - on weekends, even with 24/7 support, the company may have limited capacity and you will have to wait for help.

It is worth noting that it is best to carry out the update at a time when the site has as few visitors as possible. You can check this indicator in Google Analytics, although our experience suggests that night will be the ideal time.

Strong passwords - Wordpress login security

Everyone knows that a strong password is the cornerstone of online security. However, not everyone realizes what a strong password should look like. Meanwhile, it is this string of letters and numbers that very often falls prey to hackers, so the more difficult it is, the better.

The best WordPress login security will be a combination of lowercase and uppercase letters, numbers and special characters. With that said, you should absolutely not use the same passwords with all sites.

Wordpress password manager

To create a difficult password and still have access to it, use the password manager. The easy-to-use function will allow you to create and save them. However, if you want to create a string yourself, do not use simple sentences or words for this purpose, and avoid dates.

Security Copies

Performing regular backups is one of the primary tasks of anyone responsible for securing your WordPres. Thus, a security copy will help undo the effects of a possible hacking attack. Most often, copies are provided by hosting account providers. However, it is worth remembering additional plug-ins that will allow you to protect your own accounts by performing periodic backups.

Take care to set the plugin so that copies are sent to the cloud (such as DropBox or GoogleDrive). In addition, they should not be stored on your hosting account, as you could lose access to the site's resources in the event of a hacking attack. It also happens that cybercriminals demand money for restoring the site's state.

Worth knowing:

A number of plug-ins will allow you to use the cloud. Choose one that guarantees one-click database restoration. UpDraftPlus, for example, will be perfect for this purpose. This plugin will find use for sites of different sizes, allow you to manually schedule backups, as well as manage copies of multiple sites with one practical panel.

Your wordpress is running slowly?

See how to gain speed by optimizing your database and optimizing your images accordingly

Don't know how to use the cockpit - see wordpress tutorial

Choose a proven web host for your wordpress site

While it's your job to ensure the security of your site on WordPress, it's hard not to mention the role of hosting operators, who employ various protection systems. Some implement only minimal security measures, while others offer much more effective methods. Remember to keep your site running in a segregated environment, so you don't have to worry about attacks from a neighboring account.

What exactly is good web hosting?

The primary criterion you need to consider when choosing hosting is security. The service provider should provide monitoring for viruses, malware, or brute force. In addition, security features must block access to the site when they detect the activity of a dangerous robot. Another important element is an SSL certificate.

40% of users abandon site if it loads more than 3 seconds

Page speed is also a key aspect. Kissmetrics reports that as many as 40% of users leave a site when its loading time exceeds 3 seconds. This means that with a daily profit of £100,000, a one-second difference in page loading can translate into a £2.5 million loss in a year.

In addition, before choosing hosting, pay attention to support issues. Find out what hours it is available and whether it meets customer expectations. It's a good idea then to take a look at customer reviews, as failure to provide adequate support during a failure generates further losses.

Dedicated Wordpress hosting

If you are the owner of a large online store and are looking for a solution tailored just for your site, use dedicated hosting. Then you will get a tool exclusively for your own use. This is a low-failure method, as you don't have to worry about the actions of third parties. In addition, you can choose the software yourself, control the amount of RAM or disk capacity.

Another solution could be VPS hosting - Virtual Private Server. Then you get a part of the server, which you share with other users, but you can still adjust many settings to individual preferences. So the unquestionable advantage is the high degree of independence, security and dedicated disk space.

Worth knowing:

Hosting services sometimes include as many as thousands of sites gathered on a single server and on a single IP address. If even one of them accumulates malicious content, problems could theoretically affect your site as well. However, Google understands very well that many sites are on shared servers, so penalties are awarded quite rarely. However, inappropriate content from the "neighborhood" after a while can affect the reputation of your site - it may, for example, be blocked by virus scanners.

See the process and optimization of wordpress

Securing files on the server

To secure the files, all you need to do is set permissions to them on the server. Then cybercriminals will not be able to view and edit them. The most important data is contained in the wp-config.php file, which should be inaccessible to others. So you can change the rights to it, as well as move it to another directory.

SSL certificate, and Wordpress security

If the domain has a Secyre Socket Layer certificate, you can count on a higher level of security. This means that the transmission of data between the user and the server is encrypted. However, be sure to get the certificate from a verified source, as there are many automation companies on the market, and not all of them have gained recognition in the eyes of Google.

Note that failure to redirect all pages to a single main ie over the https protocol will negatively affect your site. If you have HTTP and HTTPS pages, Google will identify mixed content, which may result in your site being flagged. To avoid this, take a look at your settings and the "general" panel. You can then change the URLs to HTTPS.

So all pages should be redirected to one version, for example, from https:// to https://www. Exactly the same applies to the version with the index.php suffix which should move to the main selected domain address. In this way we avoid duplication of the main page from four versions to one base version.

This simple action will help you avoid duplication and a penalty from Google.

Changing the default admin login improves security

This is a very simple action that will ensure that no unauthorized person, will not be able to log into the admin account. To change the default login, just log into the MySQL database and edit the user named "admin". Be sure to choose a hard-to-guess name.

You can also delete the original user and create a new one. An alternative solution would be the easy-to-use All In One WP Security & Firewall plugin.

An additional advantage of the plug-in is the ability to detect if any accounts have the same login and display names. This is definitely worth checking, as in such a case, it will be much easier for a hacker to launch an attack. In addition, the plugin has a built-in password strength tool, so it is a universal and very useful solution.

Wordpress - login security

If you share the ability to create accounts with third parties, it is a good idea to change the login page. In addition, scripts that perform Brute Force attacks often use the /wp-admin path. When a bot visits this address, it can overload the server and even shut down the site.

The easiest solution to this problem will be to use the Custom Login URL plugin. With the help of the plugin, you will very simply change the address associated with the registration and login of users. This is another step towards the security of your site.

Disabling XML-RPC

In the case of WordPress, security should apply not only to the standard site, but also to the XML-RPC channel and system.multicall. If a hacker uses such options, he can test a lot of passwords with little effort. This is why XML-RPC should be disabled.

You can do this by using the WAF Firewall or placing the following rule in your .htaccess file:

<Files xmlrpc.php>

order deny,allow

deny from all

allow from [here insert the IP from which you allow the file to run].

</Files>

Hiding WordPress

To take care of the security of your site on WordPress, you can hide the login page. You can do it very quickly and efficiently.

  1. Log in to the admin panel
  2. Go to Pages or Entries
  3. Edit an entry or create a new one
  4. Use the Display option
  5. Change the visibility of the publication to private, which will only be available to administrators.

This convenient option is an excellent alternative to plug-ins, which should be installed only when necessary. If you can perform certain actions through the panel, it is definitely better to use this solution.


WordPress security plugins

Before we give the perks of some helpful plugins, note that we are talking about plugins that will HELP secure, but will NOT secure WordPress. In short, they will be useless if you don't take care of the aspects we discussed above.

Where to find a security plugin for wordpress?

However, used properly, they will make your site easier to manage. You can find a list of trusted plugins here: https://pl.wordpress.org/plugins/.

Attention:

Under no circumstances install plug-ins from untrusted sources or pirated versions of paid tools. You won't be able to update them and they most likely contain code designed to make hackers' tasks easier. This is another gateway for cybercriminals.

Permanent iThemes Security

This easy-to-use plugin will allow you to increase WordPress security. With it, you can enable protection options in a few moments. All you need to do is click the "Enable" button next to the individual modules. Although the plugin offers paid features, its free version is enough to take care of proper site security. The tool is highly regarded among webmasters.

Two-step login verification - Jetpack

Jetpack is a plugin that includes many solutions, one of which is the ability to set up two-step login verification. In addition, it will allow you to create backups for WordPress and WooCommerce. In the opinions of many users, this is one of the best plugins. It is definitely worth taking a closer look at it.

Malware Scan - Wordfence Security - Firewall & Malware Scan.

This useful plugin is capable of performing a scan for malware. In addition, it will let you take a look at your firewall or monitor visits and intrusion attempts in real time. And these are just some of the many useful features.  So, we are dealing with a very versatile solution to improve security on WordPress.

Comprehensive Security - All In One WP Security & Firewall

As the name says, the plugin can really do a lot. It only takes a few minutes to put in place mechanisms that will increase protection for WordPress. The plugin will allow you to change the database prefix, check the security of your password or username, change the default login page, and set blocking of the site due to unsuccessful entry attempts. There are quite a lot of functions, so you should think carefully about which solutions you implement.

Remove unnecessary plug-ins

Remember that unnecessary plugins can do more harm than good. An excess of plug-ins negatively affects your site's crawling speed, Google rankings, and makes it difficult to manage your site. That's why it's a good idea to control the number of plugins and remember that they are not a remedy for hacking attacks. Note that WordPress has as many as 55,000 plugins! With that said, thoughtlessly installing many will do more harm than good.

Check the number of downloads of the plugin

If you find an up-to-date plugin on the list whose features will make your site easier to manage, you can confidently use it. The best recommendation will be the number of downloads listed next to each one.

Yoast SEO or Jetpack plugins have been downloaded as many as 5 million times.

And Advanced Editor Tools - more than 2 million times.

This is a sufficient recommendation

Here are some of the basics to implement on your site:

  1. Yoast SEO - makes it easy to optimize your site for SEO.
  2. Oxygen Builder - allows you to easily design your site from a graphical perspective as well
  3. UpdraftPlus - will allow you to create backups of your sites
  4. All In One WP Security & Firewall - a set of tools that will increase the security of your site.
  5. P3 - with this plugin you will get a report on the speed of the site


FAQ

To make our guide to improving WordPress protection and security complete, it's still worth answering some frequently asked questions.


How to secure a wordpress site ?

To talk about the correct and effective security of a site on Wordpress, you need to take a number of steps described in this article. Simply uploading a security plugin is not enough to protect your site from hacker attacks or a virus.

Is wordpress safe ?

There is no perfect way to make your site on Wordpress secure. However, keep in mind that developers are constantly working to greatly improve protection and they are doing a great job of it. With regular WordPress updates and using the other best practices we've outlined, the risk of a hacker attack will be minimal.

So remember the importance of keeping WordPress updated, backed up or keeping the number of plugins to a minimum. Also, don't forget about strong passwords and changing your login address and username. Proper security consists of a number of details that you should always keep in mind. Then you can feel safe!

What are the consequences for not securing wordpress ?

Unsecured WordPress is an open gateway for cybercriminals. As a result of an attack, you can lose files on the server or content on the site, and data leaks also happen. The consequences also affect your Google position or the stability of your site's work. In addition, the site may be blocked by the hosting.

Do plug-ins increase security?

Plug-ins are useful, but they are only a support for the actions you can perform on your own. Many of them provide additional protection and are definitely worth taking care of, as long as you are talking about proven plug-ins. Download them from an official source - https://pl.wordpress.org/plugins/ and pay attention to which ones are installed most frequently and have been placed in the "featured" tab. However, avoid plug-ins that have not been updated for a long time and remember to exercise moderation.

See also:

Best free wordpress templates - ranking 2023