Why the topic of WordPress security tips? Because all sites are vulnerable.
No matter how much work you’ve put into launching your site, it can always find itself in harm’s way. Even though you might have done nothing wrong, random attacks do happen. Unfortunately, this is just how the internet works. That’s the bad news.
👉 The good news is that most threats can be prevented if you just set aside a little bit of time to implement the following simple WordPress security tips:
- Update WordPress regularly
- Update your themes and plugins
- Back up your site regularly
- Limit login attempts and change your password often
- Install a firewall
- Limit user access to your site
- Rename your login URL
- Enable security scans
- Use SSL
- Protect your wp-config.php
10 WordPress security tips to keep your site secure
There are a few things you should put on the list when it comes to doing a routine check. Reviewing these steps once a month or so should be enough to keep you safe.
We’re going to be focusing on certain key site areas. To some extent, a website is like the human body: if one part is damaged, it affects the whole system.
⌛ Here’s what to do:
1. Update WordPress regularly
With every new release, WordPress improves, and so does its security. Lots of bugs and vulnerabilities are fixed every time a new version comes out. Also, if a particularly serious bug is discovered, the WordPress core team will take care of it right away and push out a fixed version promptly. If you don’t update, you are at risk.
To update WordPress, you first need to go to your dashboard. At the top of the page, you’ll see an announcement every time a new version is out. Click to update and then click on the blue “Update Now” button. It only takes a few seconds.
2. Update your themes and plugins
The same goes for plugins and themes. You should update your current theme and the plugins you have installed on your site. This helps you avoid vulnerabilities, bugs, and potential security breach points.
Just like it is with most software products, every once in a while certain plugins might get breached or security holes might be discovered in them. For example, in the past, plugins such as Ninja Forms and WooCommerce were hit with quite nasty problems.
So, how to update your themes and plugins?
Let’s start with the plugins. Go to Plugins / Installed Plugins, and the list of all your plugins will appear. If a certain plugin is not on its latest version, WordPress will let you know:
For example, I have two old plugin versions, so all I need to do is click on “update now” under each one, and they will be ready in a few seconds.
To update your theme, go to Appearance / Themes, and you’ll see all your installed themes there. The outdated ones will be marked just like plugins were. Simply click on “Update now.”
Apart from updating every plugin and theme, keep in mind to also remove the plugins and themes that you don’t use at the moment. Those are just unneeded weight. Consider this a bonus one among these WordPress security tips.
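The dashboard clicks above are fine for one site, but you can also let WordPress apply these updates on its own. The following must-use plugin is an added example, not code from this article or from WordPress.org; it assumes a standard install where WP-Cron runs, and the `$wpst_hold` list and the `wpst_` function names are my own. It turns on automatic updates for core, plugins and themes (except any plugin you put on the hold list) and surfaces the installed-but-inactive plugins that the article says you should remove.

```php
<?php
/**
 * Plugin Name: Auto-update everything (added example)
 * Description: Drop this file into wp-content/mu-plugins/ so it loads on every request.
 */

// Assumption: WP-Cron (or a real cron job hitting wp-cron.php) runs on this site,
// because background updates are triggered from the scheduled updater.

// Core: allow minor *and* major releases to install automatically.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins you deliberately keep pinned (hypothetical plugin file shown).
$wpst_hold = array( 'example-plugin/example-plugin.php' );

// Plugins: update unless the plugin file is on the hold list.
add_filter( 'auto_update_plugin', function ( $update, $item ) use ( $wpst_hold ) {
    if ( isset( $item->plugin ) && in_array( $item->plugin, $wpst_hold, true ) ) {
        return false;
    }
    return true;
}, 10, 2 );

// Themes: always update.
add_filter( 'auto_update_theme', '__return_true' );

/**
 * Return the plugins that are installed but not active on this site.
 * Deactivated plugins still leave their code on the server, so review and delete them.
 */
function wpst_inactive_plugins() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $inactive = array();
    foreach ( get_plugins() as $file => $data ) {
        if ( ! is_plugin_active( $file ) && ! is_plugin_active_for_network( $file ) ) {
            $inactive[ $file ] = $data['Name'];
        }
    }
    return $inactive;
}

// Show the list as a dashboard notice so it is hard to forget.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'delete_plugins' ) ) {
        return;
    }
    $inactive = wpst_inactive_plugins();
    if ( empty( $inactive ) ) {
        return;
    }
    echo '<div class="notice notice-warning"><p>Inactive plugins to review and delete: '
        . esc_html( implode( ', ', $inactive ) ) . '</p></div>';
} );
```

Keep the hold list short and revisit it: a plugin you pin because an update once broke layout is exactly the plugin that will miss the next security release.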
3. Back up your site regularly
Backing up your site is about creating a copy of all the site’s data, and storing it somewhere safe. That way, you can restore the site from that backup copy in case anything bad happens.
To back up your site, you need a plugin. There are lots of good backup solutions out there. For example, Jetpack has some integrated backup features that are priced affordably. Their backup plans offer daily backups, one-click restores, spam filtering, and a 30-day backup archive.
There’s also a free alternative, UpdraftPlus.
🧑💻 Here’s some more advice + how-to on backing up your WordPress site.
4. Limit login attempts and change your password often
Don’t let your login form allow unlimited username and password attempts because this is exactly what helps a hacker succeed. If you let them try an infinite number of times, they will eventually discover your login data. Limiting the available attempts is the first thing you should do to prevent that.
You can use certain specialized plugins to limit possible login attempts. There are two very popular solutions, for example, both free:
Also, by changing your passwords often, you further decrease any hacker’s chances of breaking into your site. Though, by “often” I don’t mean every day … once in 2-3 months would be enough. Diversity kills the fun for those who are trying to break in.
⚠️ WordPress security tips note: LastPass is a nice tool that stores your password data safely and also generates strong passwords, so you won’t need to invent them yourself.
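If you would rather not add a plugin for this, the same lockout logic is a few lines of WordPress hooks. The block below is an added example, not code from this article or from any of the plugins it mentions; the `wpst_` names and the limits (5 failures, 15-minute lockout) are my own choices, and it assumes the site is not behind a reverse proxy (if it is, have the web server rewrite the forwarded client address into `REMOTE_ADDR`). It counts failures per username-and-address pair in a transient and refuses further attempts for that pair once the limit is reached, even when the password is finally right.

```php
<?php
/**
 * Plugin Name: Limit login attempts (added example)
 * Description: Lock a username+IP pair out after too many failed logins.
 */

define( 'WPST_MAX_ATTEMPTS', 5 );                       // failures allowed per window
define( 'WPST_LOCKOUT_SECS', 15 * MINUTE_IN_SECONDS );  // how long the lock lasts

// Key the counter on both the username and the client address, so failures
// from one address cannot lock a legitimate user out from another address.
function wpst_attempt_key( $username ) {
    // Assumption: REMOTE_ADDR is the real client (no proxy in front of PHP).
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'wpst_fail_' . md5( strtolower( $username ) . '|' . $ip );
}

// Count each failure. WordPress fires this after rejecting the credentials,
// and also for our own lockout error below, so every retry extends the lock.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = wpst_attempt_key( $username );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, WPST_LOCKOUT_SECS );
} );

// Priority 30 runs after wp_authenticate_username_password (priority 20), so
// the lockout overrides its result: a locked pair is refused even if the
// password in this request happens to be correct.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( '' === $username ) {
        return $user;
    }
    if ( (int) get_transient( wpst_attempt_key( $username ) ) >= WPST_MAX_ATTEMPTS ) {
        // Generic message: do not reveal whether the username exists.
        return new WP_Error( 'wpst_locked', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 10, 2 );

// A successful login clears the counter for that pair. (If the user signed in
// with an email address, the counter under that key simply expires on its own.)
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( wpst_attempt_key( $user_login ) );
} );
```

Transients are stored in the options table or your object cache, so nothing persists beyond `WPST_LOCKOUT_SECS`; if you want a record of repeated lockouts for later review, log the locked key and address from the `authenticate` callback as well.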
5. Install a firewall
Another one of our WordPress security tips deals with firewalls.
On your computer 💻️
A firewall protects your computer from various online threats: every unexpected connection attempt is inspected and blocked if it looks suspicious.
This has no direct connection to your WordPress site, but installing a firewall on your computer is still worth the effort for one crucial reason:
- You use your computer to connect with the admin area of your website. Thus, if your own computer has been compromised, then your connection with the website can be at risk too.
A couple of tools for this purpose would be Norton Internet Security, Comodo, or ZoneAlarm. The latter is free.
On your WordPress website 🌐
Apart from installing a firewall on your computer, you can install security tools right on your WordPress website too. This type of firewall protects your site from viruses, malware, hacker attacks, etc.
Sucuri does a great job in this regard, and it’s one of the best security services for WordPress out there. It does a bit of everything.
There are also free solutions for firewalls, such as:
6. Limit user access to your site
If you’re not the only user who has access to your site, be careful when setting up new user accounts too. You should keep everything under control: give users only the access they actually need.
If you have many users, you could limit their functions and permissions. They should only have access to the functionalities that are essential for them to do their job.
It’s also important to note that while WordPress recommends a strong password by default, it won’t force you to change it if you’re picking a weak one. That means it’s on you to inform whoever is accessing your site that they should pick a secure enough password to maintain the security of the site. It’s crucial to ensure that everyone uses strong passwords, just like you do.
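Since WordPress only suggests a strong password and never rejects a weak one, you can enforce a minimum yourself. The following must-use plugin is an added example, not code from this article or from WordPress core; the `wpst_` names and the 12-character minimum are my own. It hooks the two places where a password is submitted (the profile/new-user screen and the reset form) and rejects passwords that are too short or contain the username.

```php
<?php
/**
 * Plugin Name: Minimum password policy (added example)
 * Description: Reject weak passwords on profile edits and password resets.
 */

define( 'WPST_MIN_PASSWORD_LENGTH', 12 );

// Return a message describing why the password is unacceptable, or null if it passes.
function wpst_password_problem( $password, $user_login = '' ) {
    if ( strlen( $password ) < WPST_MIN_PASSWORD_LENGTH ) {
        return sprintf( 'Passwords must be at least %d characters long.', WPST_MIN_PASSWORD_LENGTH );
    }
    if ( '' !== $user_login && false !== stripos( $password, $user_login ) ) {
        return 'The password must not contain the username.';
    }
    return null;
}

// Profile edits and users created from the dashboard: edit_user() sets
// $user->user_pass only when a new password was actually submitted.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return; // no password change in this submission
    }
    $login   = isset( $user->user_login ) ? $user->user_login : '';
    $problem = wpst_password_problem( $user->user_pass, $login );
    if ( $problem ) {
        $errors->add( 'wpst_weak_password', $problem );
    }
}, 10, 3 );

// Password reset form (wp-login.php?action=rp): WordPress runs this action
// before it calls reset_password(), and skips the reset if $errors has entries.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( ! isset( $_POST['pass1'] ) ) {
        return;
    }
    $login   = ( $user instanceof WP_User ) ? $user->user_login : '';
    $problem = wpst_password_problem( wp_unslash( $_POST['pass1'] ), $login );
    if ( $problem ) {
        $errors->add( 'wpst_weak_password', $problem );
    }
}, 10, 2 );
```

Length is the check worth enforcing; character-class rules mostly produce predictable substitutions, and the built-in strength meter already nudges people toward long passphrases.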
7. Rename your login URL
By default, the URL you use to log into your dashboard is either YOURSITE.com/wp-login.php or YOURSITE.com/wp-admin.
Now, here’s a not-so-fun fact for you:
Those two are also the most accessed URLs by hackers who want to get into your database.
By changing that URL, you reduce your chances of becoming another statistic. It’s a lot harder for a hacker to guess a custom login URL. In practice, this means that unless you’re some high value target, they would much rather move on to their next potential victim than waste time trying to figure out what your login URL is.
One of the easiest ways to implement this security tip is by using the iThemes Security plugin. You can use it to turn your login URL into something like YOURSITE.com/I_love_my_site. This is one of those WordPress security tips that’s too simple not to do.
8. Enable security scans
Security scans are something done by specialized software/plugins that go through your whole website in search of anything suspicious. If something is found, it’s removed immediately. Those scanners work just like anti-viruses.
For a simple and affordable solution, you can use the aforementioned Jetpack plugin. Apart from the backup features, it also has daily scans for malware and threats with manual resolution (this plan is $9 per month). Alternatively, you can also use CodeGuard, or Sucuri SiteCheck.
9. Use SSL
SSL (Secure Sockets Layer) is a great strategy through which you can encrypt your admin data. SSL makes the data transfer between the user’s browser and the server secure. There are two ways to get an SSL certificate:
- a) Buy one from a third-party company like RapidSSL.
- b) Ask your hosting provider for one. Sometimes, this comes as a feature in some hosting plans. Depending on your host, it is possible that you can get one for no additional cost.
For instance, Pagely hosting comes with free SSL on all plans.
🎁 Bonus: If you’re using SSL encryption, you won’t just secure your website, but you’ll also rank higher in Google rankings. Google favors sites that use SSL. So you now have two reasons to apply this particular WordPress security tip.
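Having a certificate installed is only half the job; the site also has to refuse plain HTTP, otherwise the login form can still be submitted in the clear. The block below is an added example, not code from this article or from WordPress core, and it assumes the certificate is already working and the WordPress Address and Site Address in Settings / General use https. It forces the dashboard and login onto HTTPS, redirects every front-end HTTP request, and sends an HSTS header so returning browsers never try HTTP again.

```php
<?php
/**
 * Plugin Name: Force HTTPS (added example)
 * Description: Must-use plugin: redirect HTTP to HTTPS and send HSTS.
 */

// FORCE_SSL_ADMIN normally lives in wp-config.php. Must-use plugins load before
// WordPress reads it, so defining it here (if not already set) also works.
if ( ! defined( 'FORCE_SSL_ADMIN' ) ) {
    define( 'FORCE_SSL_ADMIN', true );
}

// Redirect front-end requests that arrived over plain HTTP to the same URL on HTTPS.
add_action( 'template_redirect', function () {
    if ( is_ssl() ) {
        return;
    }
    $target = set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 'https' );
    // wp_safe_redirect() only follows hosts WordPress knows (the site's own, plus
    // the allowed_redirect_hosts filter); a forged Host header lands on admin_url().
    wp_safe_redirect( $target, 301 );
    exit;
} );

// Once HTTPS works everywhere on the site, tell browsers to use it for six months.
// Start with a short max-age while testing; HSTS cannot be undone before it expires.
add_action( 'send_headers', function () {
    if ( is_ssl() && ! headers_sent() ) {
        header( 'Strict-Transport-Security: max-age=15768000' );
    }
} );
```

After enabling this, check the site for mixed content (images or scripts still loaded over http://), because browsers block those on an HTTPS page.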
10. Protect your wp-config.php
The wp-config.php file is one of the most important files on your site. It also happens to be one of the most vulnerable files on your site.
Why?
Because it hosts crucial information and data about your whole WordPress installation. It’s technically the core of your WordPress site. If something bad happens to it, you won’t be able to use your blog normally.
One simple thing you can do is take that wp-config.php file, and simply move it one step above your WordPress root directory. Your WordPress site won’t be affected at all by this move, but hackers won’t be able to find it anymore.
Okay, that sums up the list! Is your site protected enough? Do you need any help in relation to these WordPress security tips?
If you want to learn more about WordPress security, this eBook provides an easy-to-follow checklist that will help you keep your site safe.
This is a really informative article with lots of great ideas. Could you please tell me what software you use to run your incredibly fast website? I also want to create a simple website for my business, but I need help with the domain and hosting. Asphostportal reportedly has a good reputation. Are there any other choices available, and if so, what would you suggest?