How to Secure Your WordPress Website

Written by: Eliran Ouzan
May 14, 2018

Millions of websites get hacked every year and many people consider WordPress a vulnerable CMS (Content Management System). That is why so many people want to know how to secure their WordPress website.

It's obvious to feel scared because no one wants to lose his/her years of hard work. If you use LinkedIn, you may easily find people asking for help related to website security.

It's because most of the WordPress users are non-techie. If you're also a non-technical person, you may resonate with the fear of losing your website.

One of the biggest mistakes is to blindly trust your web hosting company. It happens every day that people complain their website was hacked even though the web hosting company promised to handle everything.

Just to clarify, a web hosting company does its best, but it can't apply the security layers that you should. The company does its job and you should do yours.

Only you can secure your WordPress website. Does this ring a bell to you? It should.

Now you may be wondering how a person without any coding skills can handle a website and secure it. I have an answer for that.

Go through the checklist and tell me later.

The Important Things You Should do to Improve Your Website's Security

You're going to read about the basic as well as the advanced security measures. Stay connected and read carefully.

#1. Don't use the default username

I deal with a lot of clients and most of them keep the default "admin" username. When you install WordPress, the CMS gives you the freedom to choose your username, but most people ignore it.

They keep the default username, which hands an attacker half of the login credentials for free. Everyone knows that "admin" is the default username.

Nowadays, the web hosting companies have started offering an option to add the username while using the one-click WordPress installation.

#2. Change the default database tables prefix

Not everyone knows that the default prefix for all the database tables is "wp_" but hackers know it. It's always recommended to change it.

If you're building a new WordPress website, you can see an option to choose the custom database prefix while installing WordPress. But if you already have a website, you can change it either using a plugin or manually.

For non-techie people, the manual method isn't feasible. They can use a plugin for this. Most of the security plugins allow you to accomplish this.

#3. Disable WordPress directory browsing

If you add /wp-includes/ at the end of your website's URL and you see a list of files, it means your website is insecure. Anyone can see the whole file structure, which helps an attacker pick a target for injecting code.

For example, you open https://www.example.com/wp-includes

And you see these.

  • Parent directory
  • Admin directory
  • Text

This simply means that when you click on these folders, the file layout of your website gets revealed. To block this, you need to add a line to the .htaccess file of your website.

Options -Indexes

After adding this, when you open the same URL you will see a 403 Forbidden error. It means nobody can list the contents of those directories (the individual files are still served as normal when requested by name).

#4. Password protect your admin directory

wp-admin is the folder which is really important for your WordPress website. If your admin directory is vulnerable, hackers can easily break into your website and take control.

The common term for someone breaking into your website through the login page is a brute force attack. It's recommended to password protect this directory.

Before even opening the WordPress login page, an extra layer will be added which will require a password. There are two ways to accomplish this.

  • Using a plugin
  • Manually using the cPanel

#5. Limit Login Attempts

To secure your WordPress website, you should save it from brute force attacks. Many hackers use different usernames and password combinations to log into a website.

If you limit the login attempts, the IP gets blocked after that number of failed attempts. Let's say you limit it to 3 attempts: if someone keeps using the wrong login credentials, that particular IP will get blocked.

Now you may be wondering how to accomplish this. Most of the special plugins to limit login attempts are outdated so you can use a security plugin.
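A minimal way to implement this limit without a plugin, as an added example that is not from the original post or from any of the plugins named here: a must-use plugin that counts failed logins per IP with WordPress transients and refuses authentication once the limit is reached. It assumes the web server reports the real client IP in REMOTE_ADDR (behind a proxy or CDN you would need to handle the forwarded header separately); the slal_ function names and constants are my own.

```php
<?php
/**
 * Plugin Name: Simple Login Attempt Limiter (added example, not a WordPress API)
 * Save as wp-content/mu-plugins/slal.php to activate it without the plugin screen.
 */

const SLAL_MAX_ATTEMPTS    = 3;    // failed attempts allowed before the IP is blocked
const SLAL_LOCKOUT_SECONDS = 900;  // block lasts 15 minutes after the last failure

// Transient key for the calling IP (constructed name; assumes REMOTE_ADDR is the client).
function slal_key() {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'slal_fail_' . md5($ip);
}

// Count a failed login for this IP. WordPress fires wp_login_failed on every
// failed wp-login.php attempt, including ones we reject below, so each further
// try while locked out extends the lockout window.
function slal_record_failure($username) {
    $key   = slal_key();
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, SLAL_LOCKOUT_SECONDS);
    // Leave a trace in the PHP error log so repeated failures are visible to the admin.
    error_log(sprintf('slal: failed login #%d for "%s" from %s',
        $count, $username, $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
}
add_action('wp_login_failed', 'slal_record_failure');

// Refuse authentication while the IP is over the limit, even if the
// credentials are correct. Priority 30 runs after WordPress's own
// username/password check (priority 20), so we override its result.
function slal_check_lockout($user, $username, $password) {
    if ((int) get_transient(slal_key()) >= SLAL_MAX_ATTEMPTS) {
        return new WP_Error(
            'slal_locked_out',
            sprintf('Too many failed login attempts. Try again in %d minutes.',
                SLAL_LOCKOUT_SECONDS / 60)
        );
    }
    return $user;
}
add_filter('authenticate', 'slal_check_lockout', 30, 3);

// Reset the counter for this IP after a successful login.
function slal_clear_on_success($user_login, $user) {
    delete_transient(slal_key());
}
add_action('wp_login', 'slal_clear_on_success', 10, 2);
```

Transients live in the wp_options table (or the object cache if one is configured), so the counter survives across requests without any extra storage.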

#6. Disable PHP Execution

As you know, WordPress core, its plugins, and themes are all PHP code, and hackers try to get PHP code of their own onto a website in the same form.

But if you disable PHP execution in a directory, any PHP file that gets added there can no longer run. Many people complain about their WordPress theme getting hacked; it's because of planted PHP files.

You can stop it by adding a small piece of code to the .htaccess file of your WordPress website. You have to use FTP or the cPanel file manager to do so. Put it in a directory that should never run PHP, such as wp-content/uploads; if you put it in the root .htaccess it will also block WordPress's own index.php and take the whole site offline.

This file is hidden, so make sure you enable the option to show hidden files in the file manager.

# Refuse to serve any .php file from this directory (Apache 2.2 syntax)
<Files *.php>
deny from all
</Files>
# On Apache 2.4 without mod_access_compat, use "Require all denied" instead of "deny from all"

Open the file, add this code, and save.

#7. Using a Custom Login Page URL

You can open the login page of your WordPress website by adding /wp-login.php at the end of the main URL. Alternatively, you can use /wp-admin/.

Have you ever thought of using a custom login page URL of your own choice? You may use something only you can remember.

For example:

  • https://www.yoursite.com/the-throne-goal
  • https://www.yoursite.com/i-love-my-site

It's your choice. This can be done using a security plugin.

#8. Don't forget to update WordPress, its plugins, and themes

When you use an older version of WordPress, a plugin or a theme, your exposure increases. It's because hackers may have already found a way to break into the old versions.

#9. Use a security plugin

To secure your WordPress website, it's really important to have a security plugin installed. If you have noticed, almost every point mentioned above refers to the use of a security plugin.

It's because not everyone is technical enough to add the security layers manually. So choose a security plugin which lets you do all of those from your WordPress admin dashboard.

Choose any of these top security plugins.

  • All In One Security and Firewall
  • Wordfence
  • iThemes Security
  • Sucuri

I prefer the first plugin because it's lightweight and has all the options I mentioned above.

#10. Using strong passwords

This is not something you should be told every time you read about security but it's a must-have thing to keep in your mind.

It's so lame that people use their name, surname, their dog's name or their lover's name as the password. The password should be a combination of uppercase letters, lowercase letters, numbers, and special characters.

Try to mix everything up and generate the strongest password you have ever used.

Let me show you some examples.

  • G*ob%^v0s@?NQ)@2
  • (#)Tn72^#*C2Xo%y8

You may be wondering how you can remember such a password. It's simple: make a pattern of your own and use different keys to transform your simple password into the strongest password.

Do You Think You Can Secure Your WordPress Website?

After applying all the above security layers, your website will be more secure. But it doesn't mean it can't be hacked. It's really important to have a reliable web hosting company because all the data of your website is on their server.

If the server gets hacked, all your security layers will do nothing. And of course, it's very important to keep a backup of your website and its database.

Now you may say that your web host does that for you. Well, if the server gets hacked, the backup stored on it is compromised too.

So, it's necessary to keep multiple copies of the backup. You can use Dropbox, Google Drive or your own hard drive to store the backup.

If you can't do it every day, at least do it once a week.

I hope these tips will help you secure your WordPress website. If you still have any questions, feel free to drop a comment.
