CheapWindowsHosting.com | Best and cheap WordPress hosting. Are you using WordPress? If you are then that’s a good choice. Easy to use, loads of great features and powerful SEO means it’s no surprise that WordPress is the world’s number one Content Management System (CMS).
But with that popularity comes an element of risk. As with any popular software, WordPress attracts hackers who will try a number of ways to exploit your site. The last thing you want is to wake up to find your site hacked, suspended for hosting malware or sending phishing emails.
The cost to your reputation, let alone the cost of fixing the hack and restoring your site to a safe and secure level, could be extremely high. It’ll also take a long time to recover the lost trust from your clients. And that’s without factoring in any damage to your search ranking if Google deems your site to be high risk.
But don’t despair. You can easily secure your WordPress site and prevent the vast majority of hacking attempts with some simple security housekeeping.
So here are ten simple ways you can secure your WordPress site.
Implementing two-factor authentication (2FA) for logging in is one of the simplest but most effective ways of preventing brute force attacks. 2FA adds an extra layer of login security by requesting additional proof of ID, such as a mobile-generated code or secret questions.
WP Google Authentication plugin is an excellent example of a 2FA plugin that can easily be installed to secure your site’s login.
Limiting the number of login attempts is a simple but effective way of stopping determined hackers and unauthorized manual login attempts. All that’s involved is a lockout mechanism on login retries for your WordPress login page.
The WP limit login plugin lets you prevent any attempted brute force attack on your login page by blocking any IP addresses that cross the threshold of failed login attempts in any given time period.
Most people will leave their WordPress admin login set to the default one, which will usually end in either wp-admin or wp-login.php.
You can make your site more secure simply by changing this to something less predictable such as /wp-login.php? or my_login.php etc.
This simple step alone will stop most automated brute force attacks which are set up to attack the default admin URL page. The iThemes security plugin is a comprehensive security plugin that allows you to do this.
Sometimes the simplest options are amongst the most effective and changing passwords is just good, basic security.
Let’s face it, if your password is as simple as abcd123 then it’s just a matter of time before someone breaks into your site. Best practice is to make sure you use a combination of lowercase, uppercase, special characters and numbers for your password. Try to make your password at least 10 characters long using the above combination and you’ll definitely make your life a lot easier.
If you need help with generating a secure password then use this password generator tool.
The most important directory of your WordPress website is the wp-admin directory. Therefore, it makes sense to password protect it to add an extra level of login security – one for logging in and one for the WordPress admin area. This can be achieved using the AskApache Password Protect plugin.
Of course, an administrator will often need to visit a certain directory of wp-admin, so unblocking those directories can make administration easier while locking the rest of the directory.
If your blog has multiple users, say from other members of your blog or external contributors, then it would be best to ensure that they are forced to use strong passwords.
Using a plugin like Force Strong Passwords will make sure your admin area is secure. This plugin will make sure that your users are forced to choose secure, difficult to break passwords which incorporate good password protocols, such as using a mix of characters (upper and lower case), numbers and symbols.
A Man-In-The-Middle Attack (MITM) is where data sent between two parties is intercepted by an eavesdropper in the middle who monitors the data being sent between the two.
The most basic way to prevent this happening is to switch from insecure HTTP to secure HTTPS by using an SSL Certificate. This creates an encrypted, impenetrable link between the browser and the web server.
Aside from the benefit of extra security, HTTPS is actually a stated Google Ranking Factor. So as well as better security, you get a better ranking!
If your WordPress files are tampered with by a hacker, you’ll want to know about it as quickly as possible to minimize any damage. Plugins like Acunetix WP Security and Wordfence can monitor your WordPress files to track any changes made to them and notify you.
In fact, the Wordfence plugin is one of the most installed security plugins in WordPress. It has live security scanning, monitoring, intrusion detection and prevention features all built in so if you’re looking for an excellent security all-rounder then this plugin is definitely worth considering.
If you follow the tips in this post, then hopefully your site won’t get hacked. However, if you do get hacked, the last thing you want is to have to start from scratch or try to work out how to remove any infected files and make your site safe again.
The best way to address this is to ensure that you take regular back-ups of your site. Backing up your sites will allow you to restore your websites from previous working copies if required. There are a number of WordPress plugins that can help you do this such as Vaultpress, Backup Buddy or blogVault.
There is a cost involved with some of these but when compared to the alternative of having a hacked website with no back-up, it is a price worth paying.
As a hosting company, one of the most common security issues we see with WordPress and other CMS systems like Joomla is having an out of date version or an out of date plugin.
In fact, one of the most common ways hackers can hack into your WordPress website is through plugins that haven’t been patched or updated to the latest versions. However, many plugins have automatic update options so you should consider configuring them to make use of this feature.
WordPress has an automatic update feature from version 3.7 onwards. If you are unsure that you have the latest version, you can check at the official WordPress site.
TIP: Only download plugins that are from the official WordPress website. This will make sure you aren’t being tricked into downloading malware to your site.
As you can see there are loads of simple things that you can do to prevent your site getting hacked. Some of them are just basic procedures like using complex passwords, but there are also plenty of plugins that have been created specifically to ensure that your site is safe and secure.
Remember, it’s often the simple things that can stop your site getting hacked!