LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

How to secure your WordPress Site

Date/Time: September 23, 2020 @ 8:52 am, by Jon Biloh

WordPress is a powerful, open-source CMS written in PHP. It is one of the most widely used platforms for blogs, e-commerce stores, portfolios and much more: by most estimates it powers around 35% of all websites on the Internet in 2020. The platform is very flexible and can be customised with a huge number of free themes and plugins. Because it is so common, attacks against it are common too, and anyone running a WordPress site should know how to secure it. Below are some practical tips for hardening a site and keeping it from getting hacked.

1. Keep everything up to date

Outdated core, themes and plugins are among the main reasons WordPress sites get compromised. Keep WordPress itself up to date, and take a site backup before each update so you can restore it if the update breaks something. Paid themes and plugins are the ones most often neglected: they usually have no auto-update option, or the licence that delivers their updates has expired.

If a plugin has not been updated for a long time, or has been removed from the official WordPress plugin directory, do not use it: an abandoned plugin will never receive a fix for whatever is found in it. Run the latest supported PHP version as well, since old PHP branches stop receiving security fixes.

2. Use Strong & Different Password

Weak passwords let attackers into your account with little effort, and a password reused from another site is only as safe as that site: if the other site suffers a data breach, the leaked password will be tried against your WordPress login (credential stuffing). Use a long, unique password for every account, ideally generated and stored by a password manager.

3. Use a WordPress plugin to secure your site

Some WordPress plugins are built specifically to help secure a site. One example is Wordfence, which scans the site for known malware, provides brute-force protection for the login form, and offers real-time monitoring. It also includes two-factor authentication, which is worth enabling for every account with elevated privileges.

4. Use a firewall

This only applies if you run your site on a VPS or dedicated server; shared hosting customers cannot change the server firewall because they have no root access. Two free options are CSF (ConfigServer Security & Firewall), which manages the iptables rules and blocks addresses with repeated failed logins, and the COMODO ModSecurity rule set (COMODO WAF), which filters malicious HTTP requests before they reach PHP. On shared hosting, a plugin-level or CDN-level web application firewall is the alternative.

5. Restrict the access

Not everyone needs the Administrator role: it grants complete control of the site, including installing plugins and editing files, so a phished or reused password on any administrator account is a full compromise. Give each user the least privileged role that covers what they actually do (Subscriber, Contributor, Author, Editor, or a custom role), and grant Administrator only to people you trust and who genuinely need it. Review the user list periodically and remove accounts that are no longer used.
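One way to apply least privilege in code, as an added example that is not part of the original post: a must-use plugin that defines a custom role with only the capabilities a content team needs and strips the unfiltered_html capability from the built-in Editor role. The role name site_publisher, the file name, the leb_ prefix and the capability list are assumptions to adapt to your site; the WordPress functions used (add_role, get_role, WP_Role::has_cap, WP_Role::remove_cap, get_users) are core API.

```php
<?php
/**
 * Plugin Name: Least-privilege roles (added example)
 *
 * Save as wp-content/mu-plugins/least-privilege-roles.php. Files in
 * mu-plugins load on every request and cannot be deactivated from the
 * dashboard, so a compromised editor account cannot switch this off.
 * Added example, not from the original post; the role name and the
 * capability list are assumptions.
 */

add_action( 'init', function () {
    // add_role() returns null and changes nothing if the role already exists,
    // so calling it on every request is safe; the database is written once.
    add_role(
        'site_publisher',
        'Site Publisher',
        array(
            'read'                 => true,
            'edit_posts'           => true,
            'edit_others_posts'    => true,
            'edit_published_posts' => true,
            'publish_posts'        => true,
            'delete_posts'         => true,
            'upload_files'         => true,
            'moderate_comments'    => true,
            // Deliberately NOT granted: install_plugins, edit_theme_options,
            // edit_files, edit_users, promote_users, unfiltered_html.
            // A user who can edit or promote users can make themselves an
            // administrator; a user with unfiltered_html can store <script>.
        )
    );

    // The built-in Editor role carries unfiltered_html, so a phished editor
    // account can plant stored XSS that runs in every administrator's browser.
    // Remove it; has_cap() guards the call so the options table is only
    // written the first time.
    $editor = get_role( 'editor' );
    if ( $editor && $editor->has_cap( 'unfiltered_html' ) ) {
        $editor->remove_cap( 'unfiltered_html' );
    }
} );

/**
 * Helper for a periodic audit (cron job or WP-CLI eval): returns every account
 * holding the Administrator role so the list can be reviewed and trimmed.
 */
function leb_list_administrators() {
    $admins = get_users( array(
        'role'   => 'administrator',
        'fields' => array( 'user_login', 'user_email' ),
    ) );
    return array_map( function ( $u ) {
        return $u->user_login . ' <' . $u->user_email . '>';
    }, $admins );
}
```

Assign new staff the Site Publisher role from Users > Add New; they can write, publish and moderate, but cannot install plugins, change the theme, edit files or create other users.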

6. Daily Remote Backups

Take backups regularly and store them somewhere other than the web server: a remote server, object storage, or your own computer. A backup kept only on the same server is lost along with everything else if the server is compromised or the disk fails, whereas an off-site copy lets you restore the site completely. Test a restore occasionally so you know the backups actually work.

7. Do not use nulled themes or plugins

Never use nulled (pirated) premium themes or plugins. Besides cheating the developers, nulled code is a common carrier for backdoors, spam injection and malware, and it will never receive updates. Buy the premium product, or choose a free alternative from the official directory.

8. Disable Default WordPress Code Editor

WordPress lets administrators edit theme and plugin files directly from the dashboard (Appearance > Theme Editor, Plugins > Plugin Editor). That is convenient but dangerous: anyone who gets hold of an administrator login can drop a backdoor into a PHP file without ever touching the server, and you may never notice. Disable the editor by adding this line to wp-config.php, above the "That's all, stop editing!" comment:
define( 'DISALLOW_FILE_EDIT', true );
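A fuller wp-config.php hardening block, added here as an example; it is not from the original post. Each constant below is a documented WordPress constant, but which ones to enable is a choice you should match to how you maintain the site: DISALLOW_FILE_MODS in particular is left commented out because it also blocks updates from the dashboard (section 1), and the X-Forwarded-Proto handling assumes a proxy you control. The lines go inside the existing file, which already opens with <?php.

```php
// Added example: hardening constants for wp-config.php. Put them above the
// "/* That's all, stop editing! Happy publishing. */" line so they are
// defined before wp-settings.php loads.

// Section 8: remove the theme and plugin file editors from the dashboard.
define( 'DISALLOW_FILE_EDIT', true );

// Stricter variant: also block installing, updating and deleting plugins and
// themes from the dashboard. Only enable this if you update via WP-CLI or a
// deployment pipeline; otherwise it works against section 1.
// define( 'DISALLOW_FILE_MODS', true );

// Section 1: apply all core updates automatically. Use 'minor' instead of
// true to take only minor (security and maintenance) releases.
define( 'WP_AUTO_UPDATE_CORE', true );

// Section 2: never accept a login or serve wp-admin over plain HTTP, so a
// password cannot be captured on the wire. Requires a working TLS certificate.
define( 'FORCE_SSL_ADMIN', true );

// Behind a TLS-terminating proxy or load balancer PHP sees plain HTTP and
// FORCE_SSL_ADMIN would redirect forever. Trust the proxy's header ONLY if
// the proxy is yours and it overwrites any X-Forwarded-Proto the client
// sends; otherwise a client can claim "https" and skip the redirect.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}
```

After saving the file, reload the dashboard and confirm that the Theme Editor and Plugin Editor menu entries have disappeared; if the site instead redirects in a loop, FORCE_SSL_ADMIN is on but PHP is not seeing HTTPS, which is the proxy case handled at the end of the block.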

9. Change Admin Area URL

Brute-force bots work from a list of well-known admin and login URLs. Every WordPress site exposes the same ones, https://example.com/wp-admin and https://example.com/wp-login.php, so the login form of any site can be found without any reconnaissance. Moving them to a different path (there is no core setting for this; a plugin or a web server rewrite is needed) cuts down the automated noise in your logs. Treat it as a convenience rather than a real control: it does nothing against a targeted attacker, and credentials can also be tried through xmlrpc.php, so rate limiting and strong passwords still do the real work.

10. Do not use default admin username

Older WordPress installers created the first account with the username "admin" by default, and many people still choose it today. An attacker then only has to guess the password, not the username, which raises the odds of a successful brute-force attack, so pick a non-obvious username for every administrator. Bear in mind that usernames are not secret in WordPress: author archive links such as https://example.com/?author=1 and the REST API's users endpoint expose the author slug, which by default equals the username, for anyone who has published posts. A good username helps, but a strong password and login rate limiting matter more.
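The checks that sections 2, 3 and 10 describe (rejecting the "admin" username, throttling failed logins, refusing short passwords) as a small must-use plugin, added here as an example; it is not from the original post and is not Wordfence's code. The thresholds (5 failures, 15 minutes, 12 characters), the file name and the leb_ prefix are assumptions. Enable the admin-username block only once no real account is called admin, or you will lock yourself out.

```php
<?php
/**
 * Plugin Name: Login hardening (added example)
 *
 * Save as wp-content/mu-plugins/login-hardening.php. Added example, not from
 * the original post; thresholds and names are assumptions.
 */

define( 'LEB_MAX_FAILURES', 5 );           // failed attempts before lockout
define( 'LEB_LOCKOUT_SECONDS', 15 * 60 );  // lockout length / counter lifetime
define( 'LEB_MIN_PASSWORD_LENGTH', 12 );

/**
 * Transient key for the requesting client. REMOTE_ADDR is only meaningful if
 * PHP sees the real client; behind a proxy or CDN, substitute the header your
 * proxy sets and make sure the proxy strips any copy the client supplied,
 * otherwise an attacker can pick a fresh "IP" for every attempt.
 */
function leb_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'leb_fail_' . md5( $ip );
}

// 1. Reject the "admin" username and locked-out clients. Priority 30 runs
//    after core's username/password check (priority 20), which is required:
//    core ignores an earlier WP_Error and replaces it with the WP_User when the
//    password is correct. The same filter runs for xmlrpc.php logins, which a
//    renamed wp-admin (section 9) does nothing about.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( 'admin' === strtolower( (string) $username ) ) {
        return new WP_Error( 'leb_admin_user', 'That username is not allowed.' );
    }
    if ( (int) get_transient( leb_client_key() ) >= LEB_MAX_FAILURES ) {
        return new WP_Error( 'leb_locked_out', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 30, 3 );

// 2. Count failures. wp_login_failed fires for every WP_Error the authenticate
//    chain returns (except empty username/password), including our own lockout
//    error, so hammering a locked address keeps extending the lockout.
add_action( 'wp_login_failed', function ( $username ) {
    $key = leb_client_key();
    set_transient( $key, (int) get_transient( $key ) + 1, LEB_LOCKOUT_SECONDS );
} );

// 3. Reset the counter after a successful login.
add_action( 'wp_login', function () {
    delete_transient( leb_client_key() );
} );

// 4. Enforce a minimum password length server-side. WordPress only shows a
//    strength meter in the browser; nothing in core stops a user from saving
//    a six-character password. Profile edits and new users pass through
//    user_profile_update_errors, the reset form through validate_password_reset.
function leb_check_password( $pass, WP_Error $errors ) {
    if ( '' !== $pass && strlen( $pass ) < LEB_MIN_PASSWORD_LENGTH ) {
        $errors->add(
            'leb_weak_password',
            sprintf( 'Passwords must be at least %d characters.', LEB_MIN_PASSWORD_LENGTH )
        );
    }
}
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    // $user->user_pass holds the new plaintext password only when one was submitted.
    leb_check_password( isset( $user->user_pass ) ? (string) $user->user_pass : '', $errors );
}, 10, 3 );
add_action( 'validate_password_reset', function ( $errors, $user ) {
    $pass = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
    leb_check_password( $pass, $errors );
}, 10, 2 );
```

To verify it, fail a login six times from one address and confirm the sixth attempt returns the lockout message even with the correct password; then try to save an eight-character password on your profile and confirm WordPress refuses it. The lockout is deliberately returned as a generic error so an attacker learns nothing about whether the username exists.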

11. Security Questions

Adding a security question to the login form is another layer on top of the password: a bot that has guessed the password still fails the extra check. WordPress does not provide this by default, so it needs a plugin. Bear in mind that a fixed security question is a much weaker second factor than two-factor authentication (section 3), because the answer is often guessable or findable online; prefer 2FA where you can and use a security question only as a supplement.

Implement as many of these measures as you can; together they greatly reduce the chance of the site being compromised. There are certainly more security tips than fit here, so if you know of any, let us know in the comments.

I'm Jon Biloh and I own LowEndBox and LowEndTalk. I've spent my nearly 20-year career in IT building companies and now I'm excited to focus on building and enhancing the community at LowEndBox and LowEndTalk.
