How To Secure Your WordPress Website: A beginner's guide
Last updated: August 12th 2022
Introduction
“It takes 20 years to build a reputation and just a few moments of cyber-incident to ruin it,” says Stephane Nappo, a leading cyber security expert, and this indeed holds water. Websites of every size get compromised. Most website breaches are carried out not to steal information or deface pages but to use the server as a mail relay for spam, or as a temporary web server on which the attacker hosts files of an illegal nature.
And if you use WordPress, as roughly 43% of all websites do, you start with an added disadvantage.
Why do hackers especially target WordPress?
The answer is simple: WordPress is popular. As the saying goes, to catch a thief, think like a thief, so think like a hacker. Many factors go into choosing a target. A hacker who wants to take over a lot of websites will go after a platform that millions of sites use rather than one that forty-five odd websites use, because a single working exploit against the popular platform can be reused against every one of those sites. WordPress is that platform, which makes it a favourite target.
While that may seem daunting at first, the open-source nature of the WordPress code is one of its greatest strengths. Anyone, including white-hat researchers, can read the code, find vulnerabilities and report them, and the developers fix them, so security improves over time.
Taking the extra steps below makes your site harder to break into and limits what an attacker can do if they do get in.
Use up-to-date themes and plugins from reputable developers.
The number one way hackers and bad actors break into a WordPress site is through vulnerabilities in a theme or plugin; the WordPress core itself is pretty secure. That is why you should only install themes and plugins from reputable developers and always keep them up to date. Reputation is not popularity: a popular plugin can still be poorly coded. The best way to judge is to read the reviews on the WordPress.org repository and check when the plugin was last updated and which WordPress version it has been tested with; a plugin that has not seen an update in years is a liability however many installs it has.
Keep the WordPress core itself updated to the latest version, as each release brings security patches and fixes. WordPress applies minor (security) releases automatically by default; leave that switched on.
Use strong and unusual usernames and passwords.
This seems obvious, but people still use their first name or a nickname as their username, which is a significant security risk: anyone can guess it from your blog posts, press releases, social media and so on. WordPress also hands out the author slug of every user who has published posts, through author archives (/?author=1 redirects to /author/<slug>/) and the REST API (/wp-json/wp/v2/users), and that slug is derived from the login name by default, so a username only stays private if the account publishes nothing.
Your WordPress password should be strong and not easy to guess: at least sixteen characters with a mix of upper- and lower-case letters, numbers and symbols. If you have trouble remembering random passwords, use a password manager such as Bitwarden or LastPass, which will also generate them for you. Never reuse that password on another service such as PayPal, and never reuse another service's password for WordPress: a breach elsewhere then becomes a breach of your site.
Your username and password are to WordPress what the lock on your front door is to home security. Just as you wouldn't leave the front door unlocked, you shouldn't have an easy-to-guess password. It doesn't matter how good your alarm system is if the door is open for anyone to walk through.
A pro tip I like to use: generate your username the way you'd generate your password, then make a pseudo-account with the least privileges (subscriber in most cases) and assign all your posts, pages and so on to that account. This way the account with the most privileges never appears on the site, so its name cannot be harvested, and even if someone breaks in through the pseudo-account they won't be able to do much.
Webdock users can very easily harden their WordPress installation further using our WordPress lockdown feature.
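The steps above, as an added example that is not code from the original guide or from Webdock: random login names and passwords drawn from the kernel's random source, then the split between a hidden administrator and a low-privilege account that owns the public content. It assumes WP-CLI (`wp`) is installed and the script runs from the WordPress root; the e-mail addresses are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original guide: random logins and passwords,
# plus the split between a hidden administrator and a low-privilege account
# that owns the public content. Assumes WP-CLI (`wp`) is installed and the
# script runs from the WordPress root; the e-mail addresses are placeholders.
set -eu
export LC_ALL=C   # so that [A-Z] means ASCII letters only, whatever the locale

# rand_string LENGTH CHARSET: LENGTH characters drawn from the kernel CSPRNG.
# /dev/urandom, not $RANDOM: $RANDOM is 15 bits wide and seeded per shell.
rand_string() {
  tr -dc "$2" < /dev/urandom | head -c "$1"
}

# gen_password [LENGTH]: at least 16 characters (the guide's minimum) with at
# least one upper-case letter, lower-case letter, digit and symbol. The loop
# redraws until all four classes are present.
gen_password() {
  len="${1:-24}"
  [ "$len" -ge 16 ] || { echo "gen_password: length must be at least 16" >&2; return 1; }
  while :; do
    pw=$(rand_string "$len" 'A-Za-z0-9_!@#%*+=')
    case "$pw" in *[A-Z]*) ;; *) continue ;; esac
    case "$pw" in *[a-z]*) ;; *) continue ;; esac
    case "$pw" in *[0-9]*) ;; *) continue ;; esac
    case "$pw" in *[_!@#%*+=]*) ;; *) continue ;; esac
    printf '%s\n' "$pw"
    return 0
  done
}

# gen_username: 14 random lower-case letters and digits, so the login is no
# more guessable from your name than the password is.
gen_username() {
  printf '%s\n' "$(rand_string 14 'a-z0-9')"
}

# setup_accounts OLD_ADMIN: create the new administrator and the content
# account, move everything the old administrator owns to the content account
# (subscriber, the lowest built-in role, can own posts but not edit them), then
# delete the old login. Keep the printed credentials: the old account is gone.
setup_accounts() {
  old_admin="$1"
  admin_user=$(gen_username); admin_pw=$(gen_password)
  content_user=$(gen_username); content_pw=$(gen_password)

  wp user create "$admin_user" "admin@example.com" \
     --role=administrator --user_pass="$admin_pw"
  wp user create "$content_user" "content@example.com" \
     --role=subscriber --user_pass="$content_pw"

  # --reassign hands every post, page and upload of OLD_ADMIN to the given ID.
  wp user delete "$old_admin" --yes \
     --reassign="$(wp user get "$content_user" --field=ID)"

  printf 'administrator: %s  %s\ncontent owner: %s  %s\n' \
    "$admin_user" "$admin_pw" "$content_user" "$content_pw"
}

# Usage, from the WordPress root, with the login you want to retire:
#   setup_accounts admin
```

The passwords are passed to `wp user create` on the command line, so run the script from a shell with history disabled (or prefix the command with a space where the shell honours that) and store the printed credentials in your password manager straight away.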
Limit the number of login attempts.
A brute-force attack is when hackers try username and password combinations over and over to get through your site's front door. Various plugins can prevent this by blocking an IP address after a set number of failed attempts, which makes a brute-force attack slow and expensive. You can also use fail2ban for very effective firewall-level blocking of failed login attempts; please see our guide here on how to set that up. Blocking by address only slows down a botnet, which spreads its attempts over thousands of addresses, so it complements a strong password rather than replacing it.
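What fail2ban actually looks for, as an added example that is not part of the original guide or of Webdock's fail2ban guide: the filter and jail files fail2ban reads, and the same match done with awk so you can try it on an access log without fail2ban installed. It assumes the Apache/nginx "combined" log format and the Apache log path (nginx users change `logpath`); the log lines in the block are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original guide: a fail2ban filter for failed
# WordPress logins, and the same match done with awk so it can be tried against
# an access log without fail2ban. Assumes the Apache/nginx "combined" log
# format and the Apache log path; adjust logpath for nginx.
set -eu

# WordPress answers a failed login (POST to wp-login.php) with HTTP 200 and
# the form again; a successful login answers 302 to the dashboard. That status
# difference is the whole detection.

# install_fail2ban_rules: write the filter and the jail (run as root, then
# `systemctl restart fail2ban`). <HOST> is fail2ban's placeholder for the
# client address it will ban.
install_fail2ban_rules() {
  cat > /etc/fail2ban/filter.d/wordpress.conf <<'EOF'
[Definition]
failregex = ^<HOST> -.*"POST /wp-login\.php[^"]*" 200 (?:\d+|-)
ignoreregex =
EOF
  cat > /etc/fail2ban/jail.d/wordpress.local <<'EOF'
[wordpress]
enabled  = true
port     = http,https
filter   = wordpress
logpath  = /var/log/apache2/access.log
maxretry = 5
findtime = 600
bantime  = 3600
EOF
}

# failed_logins MAXRETRY [LOGFILE...]: print "ip count" for each client with at
# least MAXRETRY failed logins. Counts over the whole input, so it is the
# fail2ban rule without the findtime window.
failed_logins() {
  max="$1"; shift
  awk -v max="$max" '
    # combined format: $1 client, $6 "METHOD, $7 path, $9 status
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { n[$1]++ }
    END { for (ip in n) if (n[ip] >= max) print ip, n[ip] }
  ' "$@" | sort
}

# Constructed sample: 203.0.113.7 fails five times, 198.51.100.3 fails twice
# and then succeeds (302), 192.0.2.10 only reads pages.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [12/Aug/2022:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2022:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.3 - - [12/Aug/2022:10:15:03 +0000] "GET /wp-login.php HTTP/1.1" 200 3980 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2022:10:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.3 - - [12/Aug/2022:10:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Aug/2022:10:15:05 +0000] "GET /about/ HTTP/1.1" 200 12034 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2022:10:15:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.3 - - [12/Aug/2022:10:15:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.3 - - [12/Aug/2022:10:15:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2022:10:15:10 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
EOF
)

# demo_failed_logins: run the detector over the sample with the jail's maxretry.
demo_failed_logins() {
  printf '%s\n' "$SAMPLE_LOG" | failed_logins 5
}
```

Two caveats before switching this on. If Cloudflare or another proxy sits in front of the server, the first field of every log line is the proxy's address, and the ban would hit the proxy rather than the attacker; restore the real client address first (mod_remoteip on Apache, `real_ip_header` on nginx). And password guessing through XML-RPC (`POST /xmlrpc.php`, often with `system.multicall`) returns 200 whether the password was right or wrong, so this filter never sees it; either block xmlrpc.php if nothing you use needs it, or give it a rule of its own.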
Captcha
There are a few different types of Captcha available, such as Google reCAPTCHA and hCaptcha, but the idea is the same whichever plugin or method you use: a visitor who submits a form on your site must first prove they are human.
In the past, Captcha was often seen as troublesome and inconvenient, but it has improved dramatically in recent years, and it does two jobs at once: it blocks automated login attempts and it stops comment and contact-form spam.
If you don't want to burden your visitors, you can enable Captcha only on the login form (wp-login.php, which is where /wp-admin sends you when you are not logged in).
Getting rid of inactive plugins and themes.
Inactive plugins and themes still leave your site vulnerable: their code does not run, but the files stay on the server, can often be reached directly by URL, and are easy to forget when updating. If you're not using a plugin or theme, delete it. That keeps your site lean and leaves fewer things to patch; if you need it later, you can always reinstall it.
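The update and clean-up steps from the "up-to-date themes and plugins" section and this one, in one added example that is not from the original guide: a WP-CLI audit that lists what needs updating and what can go, with the changes kept in a separate function so the report can be read first. It assumes `wp` is installed and the script runs from the WordPress root; the CSV in the block is a constructed sample of what `wp plugin list --format=csv` prints.

```shell
#!/bin/sh
# Added example, not from the original guide: a plugin and theme audit with
# WP-CLI. Assumes `wp` is installed and the script runs from the WordPress root.
set -eu

# plugin_report: read `wp plugin list --fields=name,status,update --format=csv`
# (or the same for `wp theme list`) on stdin and print one action per line:
# "update NAME" for a pending update, "remove NAME" for an inactive item.
plugin_report() {
  awk -F, 'NR > 1 {
    if ($3 == "available") print "update", $1
    if ($2 == "inactive")  print "remove", $1
  }'
}

# audit_site: report what needs doing without changing anything.
audit_site() {
  echo "== core =="
  wp core check-update
  wp core verify-checksums            # modified or unexpected core files
  echo "== plugins =="
  wp plugin list --fields=name,status,update --format=csv | plugin_report
  wp plugin verify-checksums --all    # wordpress.org plugins only
  echo "== themes =="
  wp theme list --fields=name,status,update --format=csv | plugin_report
}

# apply_fixes: update everything, delete unused plugins, and list unused
# themes for a manual decision. Take a backup first: an update can break a
# site just as an attacker can.
apply_fixes() {
  wp core update && wp core update-db
  wp plugin update --all
  wp theme update --all
  wp plugin list --status=inactive --field=name | xargs -r -n1 wp plugin delete
  # Check this list by hand before deleting anything: the parent of an active
  # child theme must stay, and so should one default theme as a fallback.
  wp theme list --status=inactive --field=name
}

# Constructed sample of what `wp plugin list --format=csv` prints.
SAMPLE_PLUGINS='name,status,update
akismet,active,none
hello,inactive,none
contact-form-7,active,available'

# demo_report: the report for the constructed sample.
demo_report() {
  printf '%s\n' "$SAMPLE_PLUGINS" | plugin_report
}
```

`wp core verify-checksums` and `wp plugin verify-checksums` compare the files on disk with the copies published on wordpress.org, so they also catch the other reason to keep an eye on plugins: a file that someone else modified after installation.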
Using a CDN
A Content Delivery Network (CDN) is a service that replicates your website's files on a globally distributed network of servers. A CDN such as Cloudflare helps absorb DDoS attacks and speeds up your website. It only shields you if attackers cannot reach your server directly, so keep the server's own IP address out of DNS and allow web traffic only from the CDN's published address ranges.
Maintaining Backups
Last but not least: take and keep regular backups of your site. Backing up is a lot like wearing a seatbelt, a precaution that makes life much easier if something terrible happens. With a recent copy of your site, you can restore a clean version from before the compromise. Keep at least one copy somewhere other than the web server, because whoever gets into the server can delete the backups stored on it, and try a restore now and then so you know the backups actually work.
While WordPress is very secure, it's always a good idea to be prepared for the worst-case scenario. Routine backups of your site will give you peace of mind and spare you a stressful situation if your site gets hacked.
Webdock already takes daily snapshots of your server, for free, so Webdock users don't have to worry about this aspect.
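For anyone who is not on Webdock, or who wants a copy of the site that lives outside the hosting account, an added example that is not from the original guide: a backup of the two things a restore needs, the database and wp-content, written to a directory and optionally copied to another host. It assumes `mysqldump` is installed, that the database credentials are read from wp-config.php, and that `OFFSITE` (a `user@host:/path` target for `scp`) is a machine the attacker cannot reach from the web server with the same credentials.

```shell
#!/bin/sh
# Added example, not from the original guide: back up the database and
# wp-content, write checksums, optionally copy the result off the server.
# Assumes mysqldump is installed and OFFSITE is an scp target on a machine
# whose credentials are not stored on the web server.
set -eu

# wp_config_value KEY FILE: pull a define('KEY', 'value') out of wp-config.php
# so the script never carries a copy of the database password of its own.
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$1['\"][[:space:]]*,[[:space:]]*['\"]\(.*\)['\"][[:space:]]*);.*/\1/p" "$2" | head -n 1
}

# backup_site WP_ROOT DEST [OFFSITE]: prints the timestamp used in the file names.
backup_site() {
  root="$1"; dest="$2"; offsite="${3:-}"
  cfg="$root/wp-config.php"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  mkdir -p "$dest"

  # Credentials go through a mode-600 option file, not the command line, so
  # they do not show up in `ps` or in shell history. A password containing
  # a double quote or backslash must be escaped in this file.
  dbhost=$(wp_config_value DB_HOST "$cfg")
  cnf=$(mktemp)
  chmod 600 "$cnf"
  printf '[client]\nuser=%s\npassword="%s"\nhost=%s\n' \
    "$(wp_config_value DB_USER "$cfg")" \
    "$(wp_config_value DB_PASSWORD "$cfg")" \
    "${dbhost%%:*}" > "$cnf"
  # DB_HOST may be host:port; a socket path would need socket= instead.
  case "$dbhost" in *:*) printf 'port=%s\n' "${dbhost#*:}" >> "$cnf" ;; esac

  mysqldump --defaults-extra-file="$cnf" --single-transaction --quick \
    "$(wp_config_value DB_NAME "$cfg")" | gzip > "$dest/db-$stamp.sql.gz"
  rm -f "$cnf"

  # wp-content holds uploads, themes and plugins; wp-config.php holds the salts
  # and keys. Core files are not needed: `wp core download` brings them back.
  tar -czf "$dest/files-$stamp.tar.gz" -C "$root" wp-content wp-config.php

  # Checksums let you verify an archive before trusting it at restore time.
  (cd "$dest" && sha256sum "db-$stamp.sql.gz" "files-$stamp.tar.gz" > "SHA256SUMS-$stamp")

  # A backup that lives only on the hacked server is deleted along with the site.
  if [ -n "$offsite" ]; then
    scp -q "$dest/db-$stamp.sql.gz" "$dest/files-$stamp.tar.gz" \
           "$dest/SHA256SUMS-$stamp" "$offsite"
  fi
  echo "$stamp"
}

# Usage, for example from a nightly cron job:
#   backup_site /var/www/html /var/backups/wordpress backup@backup-host.example:/srv/wp
```

Run it from cron under the web server's own user or a dedicated backup user, and give the off-site account write-only access where the target supports it, so that a compromised web server can add backups but not delete the old ones.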
But what about the security plugins?
Security plugins like Wordfence are a great way to streamline and harden your WordPress installation's security. Still, they are not always necessary, especially if your site isn't complex in the way an eCommerce site is.
There is no single way to secure a website fully, but there are steps you can take to make it much more secure, from the basics, such as a strong password, to more involved measures such as firewall-level blocking of failed logins or a security plugin. Together they make it much harder for hackers to get into your site.
This was a very rudimentary guide aimed at beginners. If you feel comfortable with more advanced steps for securing your VPS in general, check out this guide.
Aayush Nair has been a passionate freelance WordPress designer for the past eight years. He likes to share his knowledge to help and enrich the community in his free time.