Here are 10 ways to secure your WordPress website to stay safe and comfortable online:
- Choose a good hosting company
The easiest way to keep your website safe is to choose a hosting company that offers strong security features out of the box.
It may seem tempting to choose a cheap hosting company, but do not be tempted: cheaper hosts generally invest less in security, monitoring and isolation between customers.
Pay a little more for a better hosting company, because that investment translates into higher security for your site.
From our personal experience, hosting companies that combine a high level of security with reasonable prices include Hostgator, Namecheap, Godaddy and others.
- Do not use a cracked theme
WordPress premium themes look more professional and can be customized for your site more than free ones. Professional WordPress themes are coded by independent developers and go through several review filters from WordPress before they go on sale.
Be careful not to be fooled by sites that offer cracked premium themes, as they are very dangerous for your website. These themes contain hidden malicious code, which can destroy your site and database or steal your administrator credentials.
- Install a WordPress security plugin
Regularly checking the security of your WordPress site by hand takes a lot of time and work. Thankfully others have solved this problem by releasing WordPress security plugins. Such a plugin takes care of your site's security, scans for malware and monitors 24/7 what happens on your WordPress site.
- Use strong, generated passwords
Passwords are a very important part of your WordPress site's security. If you are using a simple password, e.g. 123456, abc123 or password, you should change it immediately. An attacker can easily guess or crack such passwords, access your site and ruin a lot of work. It is important that your passwords are complex, including uppercase letters, lowercase letters, numbers and special characters, with a minimum of 10 characters. One recommended site for generating such passwords is PasswordGenerator.
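As an added illustration (not part of the original article), the policy above can be expressed as a small checker, and the same rules can be enforced while generating a password with Python's secrets module, which draws from the operating system's cryptographic random source. The MIN_LENGTH and SYMBOLS values are assumptions based on the article's wording, not an official WordPress policy.

```python
import secrets
import string

# Policy from the article: upper, lower, digits, special characters,
# at least 10 characters. The exact symbol set is an assumption.
MIN_LENGTH = 10
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def is_strong(password: str) -> bool:
    """Return True only if every rule of the policy is satisfied."""
    if len(password) < MIN_LENGTH:
        return False
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in SYMBOLS for c in password)
    return has_lower and has_upper and has_digit and has_symbol


def generate_password(length: int = 16) -> str:
    """Generate a random password that passes is_strong().

    secrets.choice() is used instead of random.choice() because the
    random module is not suitable for secrets. Rejection sampling keeps
    every character position uniformly random while still guaranteeing
    that all four character classes are present.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_strong(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample inputs: the weak examples from the article.
    for weak in ("123456", "abc123", "password"):
        print(f"{weak!r:12} strong={is_strong(weak)}")
    pw = generate_password(16)
    print(f"generated: {pw} strong={is_strong(pw)}")
```

The checker deliberately rejects the article's own examples, and the generator never returns a password that the checker would reject.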
- Disable File Editing
After launching your site, the admin panel still offers an option to edit theme and plugin code. Once your site is online we recommend that you disable this option, so that if someone manages to log in to your site they will not be able to edit themes, plugins or other site code from the dashboard.
To disable it, edit the wp-config.php file and add the following line:
define('DISALLOW_FILE_EDIT', true);
- Install SSL Certificate
Nowadays, Secure Sockets Layer (SSL) is essential for all types of websites. Initially SSL was used mainly to secure sites that performed specific transactions, such as processing payments. Google, however, is well aware of its importance and gives sites with an SSL certificate a better position in search results.
SSL is mandatory for any website that processes sensitive information, passwords or credit card details. Without an SSL certificate, all data between the web browser and the web server is sent in plain text, which an attacker on the network path can read very easily. With an SSL certificate, sensitive information is encrypted before it travels between the visitor's browser and your server, making it much harder to read, so visitors can browse your WordPress website more securely.
- Change your WP login URL
By default, the URL for logging in to your admin panel is yoursite.net/wp-admin. If you leave it like this, you can become the target of a brute force attack that tries password combinations against a known login page.
If you accept registrations on your site, you will also receive many spam registration requests.
To counter this, you can change the login URL to one that only you know.
- You can also protect your site with a two-factor authentication plugin in WordPress, which adds a second check at the moment you log in.
- You can also check which IP addresses have many failed login attempts and place them on a ban list.
- Limit Login Attempts
By default, WordPress allows users to try to log in as many times as they want. While this may help if you frequently forget which letters are capitals, it also opens you up to brute force attacks.
By limiting the number of login attempts, users can try a limited number of times before they are temporarily blocked. This reduces the chance of a successful brute force attack, because the attacker gets locked out before they can finish.
You can enable this easily with a login limit attempts plugin for WordPress. After you have installed the plugin you can change the number of allowed login attempts via Settings > Login Limit Attempts. If you wish to limit login attempts without a plugin, you can also do so.
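To show the mechanism such a plugin implements, here is an added example (not code from the article or from any WordPress plugin) of a per-IP lockout tracker in Python: after a configurable number of failures inside a time window the IP is blocked for a lockout period, and a successful login clears the counter. The thresholds, the IP addresses and the event list are constructed sample data.

```python
from collections import deque


class LoginLimiter:
    """Track failed logins per source IP and lock the IP out temporarily.

    Timestamps are passed in explicitly (seconds) so the behaviour is
    deterministic and easy to test; a real plugin would use the clock.
    """

    def __init__(self, max_attempts=5, window_seconds=900, lockout_seconds=900):
        self.max_attempts = max_attempts        # failures allowed in the window
        self.window = window_seconds            # sliding window for counting
        self.lockout = lockout_seconds          # how long a block lasts
        self._failures = {}                     # ip -> deque of failure times
        self._locked_until = {}                 # ip -> time the block expires

    def is_blocked(self, ip, now):
        """True while the IP is inside its lockout period."""
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: forget the block and the old failures.
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip, now):
        """Register a failed login; return True if the IP is now blocked."""
        if self.is_blocked(ip, now):
            return True
        attempts = self._failures.setdefault(ip, deque())
        attempts.append(now)
        # Drop failures that fell out of the sliding window.
        while attempts and now - attempts[0] > self.window:
            attempts.popleft()
        if len(attempts) >= self.max_attempts:
            self._locked_until[ip] = now + self.lockout
            return True
        return False

    def record_success(self, ip):
        """A correct password resets the failure history for that IP."""
        self._failures.pop(ip, None)


# Constructed sample login events: (time in seconds, source IP, succeeded).
SAMPLE_EVENTS = [
    (0, "203.0.113.5", False),
    (5, "198.51.100.7", False),
    (10, "203.0.113.5", False),
    (15, "198.51.100.7", False),
    (20, "203.0.113.5", False),
    (25, "198.51.100.7", True),    # real user got it right on the third try
    (30, "203.0.113.5", False),
    (40, "203.0.113.5", False),    # fifth failure -> locked out
    (50, "203.0.113.5", False),    # ignored: already blocked
    (60, "198.51.100.7", True),
]


def replay(events, limiter=None):
    """Feed events through the limiter; return the set of IPs blocked at the end."""
    limiter = limiter or LoginLimiter()
    last_time = 0
    for when, ip, ok in events:
        last_time = when
        if ok:
            limiter.record_success(ip)
        else:
            limiter.record_failure(ip, when)
    return {ip for _, ip, _ in events if limiter.is_blocked(ip, last_time)}


if __name__ == "__main__":
    print("blocked after replay:", replay(SAMPLE_EVENTS))
```

Note that a successful login does not lift an existing block: once the lockout has started, even the correct password is rejected until it expires, which is exactly what stops a brute force run from completing.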
- Hide wp-config.php and .htaccess files
While this is a more advanced step, if you are serious about security it is good practice to hide your site's .htaccess and wp-config.php files so that they cannot be requested from the web.
We strongly recommend that this option be implemented by experienced developers; it is imperative to first take a backup of your site and then proceed with caution, because any mistake can make your site inaccessible.
To hide the files, after your backup, there are two things you need to do:
First, protect your wp-config.php file by adding the following block to your .htaccess file:
<files wp-config.php>
order allow,deny
deny from all
</files>
In the same way, protect the .htaccess file itself by adding the following block to it:
<files .htaccess>
order allow,deny
deny from all
</files>
The <files> wrapper is essential: "deny from all" on its own in the site's root .htaccess would block every request to the whole site. On Apache 2.4 the equivalent directive inside the block is "Require all denied". Although the process itself is very easy, it is important to have the backup before beginning in case anything goes wrong.
- Update your WordPress version
Keeping WordPress up to date is good practice for keeping your website secure. With every update the developers make changes, often including fixes to security issues. By staying on the latest version you protect yourself against already-known vulnerabilities and exploits that attackers use to gain access to outdated sites.
It is also important to update your plugins and themes for the same reasons.
By default, WordPress automatically installs minor updates. For major updates, however, you will need to apply them directly from your WordPress admin dashboard.