Ways to Secure Your WordPress Site

Introduction

You’ve spent months building your brand, so why wouldn’t you protect it? WordPress is an incredibly powerful platform made for content management, but it can also be vulnerable to hacks and other issues. Thankfully there are many ways to ensure that your site is secure and that you have made every effort to provide a safe environment for your users.

Use a Good Web Host

  • Use a web host that offers good security features.
  • Check to see if they offer a firewall.
  • Check to see if they offer two-factor authentication (2FA).
  • Check to see if they offer a secure server and hosting environment.
  • Make sure your website is on the same server as your business’s other websites, or in another location altogether, so that it’s easy for attackers or criminals who want to steal data from all of you—or from just one site—to do so quickly and easily without having any trouble finding out where exactly things are located at any given moment.

Only Use Quality Themes and Plugins

  • Make sure the theme and plugins are updated.
  • Make sure the theme and plugins are secure.
  • Make sure the theme and plugins have good coding standards in place (a coding style guide is a good place to start).
  • Check if there’s any documentation for how to use their features, what these features do, and why they’re useful for your site. You can also read through previous reviews of their products on WordPress Plugins Directory or WordPress Theme Review Directory to see if anyone has had any issues with them before.

Keep WordPress Core, Themes, and Plugins Up-to-Date

  • Keep WordPress Core, Themes and Plugins Up-to-Date.
  • Update the Hardening Guide for your server to the latest version. This will help protect your site against common vulnerabilities and hacks. If you don’t know how to update it yourself, ask your web host or look for a good one in the recommendations section of this article: https://www.digitalocean.com/community/articles/how-to-update-wordpress/.
  • If you’re on VPS hosting (or managed shared hosting), they will take care of updating everything automatically! It’s easy; just log into cPanel via SSH and run php -r “plugins_dir” /muol_update_core; php -r “plugins_dir” /muol_update_themes;” They’ll do all the work for you!

Don’t Use “Admin” As a Username

  • Don’t use “admin” as a username
  • Don’t use a common word as a username
  • Don’t use a username that is easy to guess or brute force (e.g., admin, admin123)

Use a Strong Password

Passwords are the most important part of securing your website. Although it’s tempting to use a simple password like “password,” that’s not good enough because hackers can easily crack these passwords using software called a “brute-force attack.”

To increase the security of your WordPress site, you should use a strong password with at least 15 characters (the longer they are, the harder they are to crack). A combination of letters, numbers and symbols is even better than just one type—for example: !N9V7!U0J2Q1K/UJ/&%+7D@6E?=P>TZL-HZR8W(S+S;#O*G< FY

Use Two-Factor Authentication

Two-factor authentication is a way to add an extra layer of security to your WordPress site. It’s important to use two-factor authentication on your site, because it prevents brute force attacks in which hackers try to break into your account by guessing passwords and trying them one by one.

To enable two-factor authentication:

  • Go to Settings > General and scroll down until you see “Two-Factor Authentication”.
  • Click on the text field next to “Enable Two-Factor Authentication” and then enter a code that will be sent via SMS or email when you log into the site (for example). This can be anything between 6–20 characters in length but must include at least one number and one capital letter (e.g., 123456). If this code matches what was sent through SMS/Email verification earlier then no further action should be necessary; otherwise click “Next” so we may proceed!

Limit Login Attempts

  • Limit login attempts.
  • Monitor login attempts.
  • Protect your password and database with a strong, unique one-time password (OTP).
  • Use a web application firewall (WAF) to prevent brute force attacks, malicious requests and spammers/bots from accessing your site through either the internet or localhost.
  • Use plugins that are specifically designed for securing specific parts of your website.

Install an SSL certificate

An SSL certificate is a digital seal that proves to the Internet that your site is secure. It encrypts data and prevents anyone from reading it as it travels between you and the server. This helps prevent man-in-the-middle attacks, which are when someone intercepts data at some point in its journey across the Internet. The most obvious benefit of an SSL certificate is increased security for your users; if someone wants to listen in on what’s being said on your site, they’ll need both access to my server AND my keys (which are held by me). With an SSL installed on your WordPress installation, only I have access—and even then only if I want it!

Change Database Prefix

The database prefix is a word that precedes the name of each table in your database. The default prefix is wp_, but you can change it by adding security keys to your wp-config.php file:

```
hash($request->getPost()) = md5($GLOBALS['db_username']); print_r($GLOBALS['db']);
```

If you’ve used WordPress before, this won’t be new information for you when we talk about securing your site; however, if not then this might be something worth revisiting as we go along in this article series!

Protecting wp-config.php and .htaccess Files

If you’re using a wordpress.com hosting account, the file that contains all of your site’s information is wp-config.php. This file contains database credentials for accessing and editing your WordPress installation—basically everything you need to access and manage it from within the admin area of WordPress.

If someone gets into this file, they can see everything stored in it (including usernames and passwords). Furthermore, if this file leaks onto public servers or gets installed on another site by mistake, then anyone who visits that website will be able to see what username/password combos are used by its users! This makes protecting wp-config.php very important; after all, if an attacker knows how much effort went into securing this file then they might try to guess at other ones just so as not to lose out on opportunities like these.

Add Security Keys

Security keys are used to generate secure cryptographic keys that are used to encrypt data stored in WordPress. They can be used to encrypt data stored in the database, files and cookies.

Security keys can also be used to encrypt temporary files created by browsers or other applications that run on your computer when you visit a website (like Google Chrome’s cache).

Disable File Editing

Disable file editing:

  • To disable file editing, you need to enable “File Editing” in the WordPress dashboard.
  • On the next screen, click on “Permalinks” and then go back to the previous screen. You will see a new option called “Disable File Editing” which has been added by default when you enabled it previously. Clicking on this button will disable all forms of text-based content within your website (posts, comments etc.).
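
WordPress reads the table prefix (`$table_prefix`), the eight security keys and salts, and the file-editor switch (`DISALLOW_FILE_EDIT`) from wp-config.php, so the settings covered in the sections on the database prefix, security keys and file editing can be checked in one pass over that file. The auditor below is an added example, not code from this article or from WordPress; the function names, finding codes, 32-character minimum and sample config are constructed for illustration.

```python
import re

KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # value in wp-config-sample.php

# Matches define( 'NAME', 'value' | "value" | bareword )
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*"""
    r"""(?:'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"|(\w+))\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")

def strip_comments(php):
    """Drop /* */ blocks and whole-line // or # comments so that
    commented-out settings are not mistaken for active ones."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return "\n".join(line for line in php.splitlines()
                     if not line.lstrip().startswith(("//", "#")))

def audit_wp_config(php):
    """Return a sorted list of finding codes for wp-config.php text."""
    php = strip_comments(php)
    consts = {name: sq or dq or bare
              for name, sq, dq, bare in DEFINE_RE.findall(php)}
    findings = []
    prefix = PREFIX_RE.search(php)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("default-table-prefix")
    for key in KEY_NAMES:
        value = consts.get(key, "")
        # Hypothetical policy: missing, placeholder or short values are weak.
        if value == PLACEHOLDER or len(value) < 32:
            findings.append(f"weak-key:{key}")
    if consts.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("file-editing-enabled")
    return sorted(findings)

# Constructed sample: one placeholder salt, default prefix, and the
# file-editor switch present only as a comment.
GOOD = "x7!Qp2#Lm9@Zr4$Vt6%Yb8^Nc1&Hd3*Kf5"  # constructed 34-char value
SAMPLE_CONFIG = "<?php\n" + "".join(
    f"define( '{k}', '{PLACEHOLDER if k == 'NONCE_SALT' else GOOD}' );\n"
    for k in KEY_NAMES
) + "// define( 'DISALLOW_FILE_EDIT', true );\n$table_prefix = 'wp_';\n"

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_CONFIG):
        print(finding)
```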

Prevent PHP Files from Being Executed

  • Use the deny from all directive to block all access to your server except for those who are in the local network.
  • Use the allow from 127.0.0.1 directive to permit only localhost requests from outside your computer’s network (including other computers on that same subnet). This is useful if you want to restrict access only for specific visitors, but it won’t work if someone tries accessing your site directly instead of sending a request through their browser’s proxy settings (which may not be configured properly).

Disable XML-RPC Selectively

If you’re using XML-RPC, it’s important to know when and why you would want to disable it.

  • The most common reason is that some users need access to additional features or functions of your website that are only available through XML-RPC. These could include tracking code or API requests for third party services like Google Analytics and Facebook Pixel (for example). In these cases, disabling XML-RPC will allow only those users who need these features directly from their browser (or via an API) access them.
  • Another case where disabling XML-RPC may be necessary is if there are multiple IP addresses on a single computer sharing one WordPress site instance—in this scenario, each request sent by any one IP address will cause another error message in the logs which can be confusing for administrators trying to figure out what happened during launch time! You can learn more about how many unique IP addresses share one WordPress installation here: https://enquiriesupport@wordpressorg/kb/howmanyipaddressesaresharedonmywebsite

These are important ways to protect your website.

  • Use a good web host.
  • Only use quality themes and plugins.
  • Keep WordPress core, themes, and plugins up-to-date.
  • Don’t use “admin” as your username or password when creating an account on any site (it’s easy to remember but it also can be guessed). Instead of using “admin,” consider creating another username and password combination that you’ll use for non-administrative tasks on your site such as submitting posts or comments in the admin dashboard. A strong password should be at least 16 characters long with mixed numbers and lowercase letters; no spaces or special characters—just numbers! If possible add an uppercase letter somewhere within the word(s) being used as part of this new password combination so that even if someone does guess one letter out of place they won’t know what else might have been guessed correctly after seeing only one incorrect letter in their guess list.

Conclusion

Remember that security is a process, not a one-time event. In order to protect your website, you’ll need to keep everything up-to-date and secure against attacks. By following these tips, you will be able to prevent hackers from taking over your site by using brute force attacks like SQL injection or cross-site scripting. These are just a few ways in which people can steal information from websites and other systems on the internet; there are many more methods too! Make sure that all of them have been taken care of before moving forward with any changes to your site’s security settings.
