WordPress is definitely the most popular content management system in the world. About 20% of all websites use it. The number of active websites that use it has reached 75 million.
At the same time, high popularity brings a lot of security problems. According to a Sucuri report, WordPress is also the most attacked CMS. In a 2019 report by hosting watchdog Aussie Hosting, nearly ⅔ of all WordPress security risks were associated with insecure plugins that allowed backdoor entry into WP sites.
But do not worry: if you follow security best practices and use several tricks from this guide, you will find that WordPress security can be substantially strengthened with just a couple of simple steps.
• Watch for and install all new WordPress versions
The first and most vital step to strengthen WordPress protection is ensuring you run the latest version. If you want a website free of viruses and other malware, you have to be sure that your WordPress version is the latest one. Although this is the simplest tip, only 22% of WordPress sites run the latest version at a given time.
Automatic updates work only for minor security issues. Key version updates should be installed manually.
• Create a custom login
Is admin your WordPress username? If yes, then you make it easier for hackers to breach your control panel. I strongly advise you to change this username or create a new admin account. For the second option, please follow these easy steps:
- Sign into your Control Panel.
- Locate the Users option and press Add New.
- Create a new user and assign it the Administrator role.
- Re-login with your new Administrator account.
- Return to the Users section and remove the initial Admin account.
A strong password is crucial for ensuring WordPress protection. It is almost impossible to crack a password that consists of 16 characters. Use lower- and upper-case letters, numbers and special characters. There are many tools that help create complex passwords.
• Enable two-factor authentication
Two-factor authentication adds one more security layer. In addition to entering the username and password, you need to complete one more step for successful authorization. Some people find it inconvenient, but security is always inconvenient. You probably use two-factor authentication for online banking, so why not use it with your WordPress site?
Enabling two-factor authentication is very easy in WordPress. You just need to install a special mobile application and configure settings in WordPress. Google Authenticator is the best option.
• Do not use PHP error reporting
If you are a website developer, PHP error reporting is very important to you. But for a typical website owner, showing errors to strangers is not a good thing. Please correct this as soon as possible. Do not worry, you do not need to be a tech guru to disable PHP error reporting in WordPress. Most often you can do it in the control panel of your hosting provider. Alternatively, add two lines to the wp-config.php file:
@ini_set('display_errors', 0);
• Stay away from nulled templates
There are tons of nulled templates and plugins out there. You can download them free of charge on numerous torrent and file sharing sites. But you should keep in mind that hackers often infect such templates with malicious code. Please do not use nulled WordPress templates. It is unethical and also harms your security. At the end of the day, you will have to pay infosec experts to clean your site.
• Scan your WordPress site with an antivirus
Cybercriminals utilize vulnerabilities present in plugins and templates in order to infect WordPress. It is vital to use security software and scan your blog regularly. There are a lot of brilliant tools for this.
• Consider transferring your website to a more reliable and secure hosting
Do not think this is strange advice; the statistics are serious. Almost half of the WordPress websites get hacked because of security vulnerabilities found on the hosting provider’s side. These numbers should convince you to consider a more secure web hosting provider. Below are important factors to keep in mind while choosing a new web host:
- For virtual hosting options, try to ensure that your site is isolated from others thus minimizing chances of possible infection from the side of other websites on this server.
- Your new hosting provider should have an automatic backup option.
- The server should have a firewall and security scanning tool.
• Back up as often as possible
Even big and popular websites get hacked. We read about such cases every day. This happens despite the fact that owners of the biggest websites spend thousands of dollars on improving their WordPress site security.
Even if you follow security best practices and use my tips provided in this post, you still have to regularly back up your website. There are a lot of options and ways to make backups. You can download website files to a separate drive, or use options offered by the hosting provider.
• Turn off file editing
You should know that WordPress offers an editor for editing PHP files. Although this option is helpful, it can also be harmful. If attackers gain access to your control panel, the File Editor will be the first thing they notice. It is desirable to turn this feature completely off. You can do this by editing the wp-config.php file like this:
define('DISALLOW_FILE_EDIT', true);
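As an added example (not part of the original post), the Python check below reads the text of a wp-config.php file and reports whether the two settings recommended in this guide, display_errors off and DISALLOW_FILE_EDIT, are really in effect. It also flags directives pasted with typographic quotes or left commented out. The function names and the sample fragment are constructed for illustration.

```python
import re

SMART_QUOTES = "\u2018\u2019\u201c\u201d"  # typographic quotes, not PHP string delimiters
OFF_VALUES = {"0", "false", "off"}         # values that turn display_errors off

def strip_comments(php):
    """Drop /* */ blocks and whole-line // or # comments; trailing comments stay."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"(?m)^[ \t]*(//|#).*$", "", php)

def check(php, call, key, accept):
    """Classify one directive as ok, wrong_value, smart_quotes or missing."""
    any_q = "['\"" + SMART_QUOTES + "]"
    pat = re.compile(r"\b" + call + r"\s*\(\s*(" + any_q + ")" + re.escape(key)
                     + any_q + r"\s*,\s*(.+?)\s*\)")
    seen = set()
    for m in pat.finditer(php):
        if m.group(1) in SMART_QUOTES:
            seen.add("smart_quotes")   # pasted from a web page; not a string literal
        else:
            value = m.group(2).strip("'\"").lower()
            seen.add("ok" if accept(value) else "wrong_value")
    # Be conservative: any conflicting occurrence is reported first.
    for status in ("wrong_value", "ok", "smart_quotes"):
        if status in seen:
            return status
    return "missing"

def audit_wp_config(php):
    """Report the state of the two wp-config.php settings this guide recommends."""
    php = strip_comments(php)
    return {
        "display_errors": check(php, "ini_set", "display_errors",
                                lambda v: v in OFF_VALUES),
        "DISALLOW_FILE_EDIT": check(php, "define", "DISALLOW_FILE_EDIT",
                                    lambda v: v == "true"),
    }

# Constructed sample: a commented-out directive, a smart-quoted one, a wrong value.
SAMPLE = """<?php
// define('DISALLOW_FILE_EDIT', true);
@ini_set (\u2018display_errors\u2019, 0);
define('DISALLOW_FILE_EDIT', false);
"""

if __name__ == "__main__":
    print(audit_wp_config(SAMPLE))
```

Run it against a copy of your own wp-config.php by passing the file's contents to audit_wp_config; any result other than "ok" means the setting should be re-entered by hand with plain quotes.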
• Uninstall unused plugins or templates
Regularly clean your WordPress website by removing unused plugins or templates. Cybercriminals like to use outdated plugins that contain security holes to gain access to your control panel. Removing old plugins reduces the risk of getting infected.
Although WordPress is the most hacked content management system in the world, it is not difficult to improve its security. In this article, I have provided 10 useful tips that will help increase the security of your WordPress website.