4 things you can do immediately for your self-hosted WordPress website security
WordPress is the most popular website platform and content management system in the world. Did you know that over 30% of all websites in the world are powered by WordPress? It’s an impressive market share.
But WordPress doesn’t come without headaches.
One of the biggest headaches it presents is keeping your self-hosted WordPress site secure: it is prone to hacking, cracking, malicious redirects, data breaches, and more.
We’re not all web geniuses, and in today’s internet climate hacks and attacks are all too frequent and intrusive.
Before getting into our four critical recommendations, let’s cover a few obvious things you can do to increase the security of your WordPress website.
First, make sure you are using Secure Sockets Layer (SSL). SSL is a way to encrypt your data as you send it across the web. It also has the added benefit of protecting visitors’ data, which is why platforms like Google Chrome have gone so far as to notify users when the sites they’re visiting aren’t protected by SSL.
Another recommendation is to use strong passwords and to change them regularly. You don’t want a user account with a password like password123. Hackers will crack that in a heartbeat, but there are many other ways hackers break into your website, such as brute-force attacks, where password strength alone is not sufficient. If you host a lot of websites, we recommend using a password management application like LastPass or Google Password Manager. Or you could go old-school and keep a spreadsheet of your passwords. The point is that we don’t recommend using the same password across all of your sites, and it’s nearly impossible to remember all of your passwords.
Another obvious thing you can do is to make sure you upgrade WordPress to the latest version when a version upgrade becomes available. It’s recommended that you backup your database and current filesystem before doing this just in case you come across any incompatibilities (however, most of the time this won’t cause any problems unless you are using incredibly old themes or plugins).
Here’s another basic but not so obvious one: minimize the number of plugins to just what is absolutely necessary. As an open platform, WordPress offers many plugins, and most folks install plugins on their website that perform one or more functions. However, these plugins can introduce security vulnerabilities, especially if they are not supported or updated by their developers frequently. To increase WordPress website security, it is often best to keep the number of plugins to the bare minimum.
Now for the more advanced and truly critical tips! These are four critical tips and best practices that our Digital Team at Office Divvy recommends. They are all based on our own experience fighting hackers on our WordPress sites.
With these tips, you can increase your website security against hackers.
1) Use Wordfence Security Plugin
WordPress has a lot of security plugins, but this one is by far the most popular. Wordfence is a terrific security platform. Since we started utilizing Wordfence on over three-dozen websites, we’ve benefited from it tremendously in our fight against hackers. Wordfence is also very well-received in online reviews and forums.
Here’s what the Wordfence plugin does:
- It blocks malicious requests that come from known hackers.
- It scans your site for vulnerabilities such as out-of-date plugins and themes, and for files that differ from what they should be (compared against the WordPress plugin repository), and makes updating them to the latest version a breeze. It will even send you alerts when plugins receive updates so you can update them ASAP.
- Wordfence has a firewall which automatically blocks abusive IP addresses and protects against brute-force attacks. You can also set up alerts: if someone tries to log in again and again (and fails), you will get an email alerting you to this activity on your website! This is how you catch those culprits.
- It even has brute-force protection which automatically locks out users who try (and fail) to log in multiple times.
Once you start using Wordfence, you’ll be amazed at the number of fishy things hackers do on your website. So it creates nice visibility and educational opportunities for anyone maintaining a WordPress website.
Wordfence is free, but there are also premium upgrades available with additional features like remote scanning, monitoring of logins and account accesses per day, blocking of content injections via URL blacklists, and even “hack removal/cleanup” services.
2) Change login URL from default wp-admin to something else:
Your site may have fallen victim already because you didn’t take the time to change your login URL from the default URL. The default login URL (wp-admin) is known to anyone who knows your website runs on WordPress, which isn’t particularly hard to find out. It’s a best practice to hide that and change it to a different URL.
3) Use user-name suppression and user-name and real-author-name separation:
If the author name is Joe Smith, make sure the username is not easily predictable (e.g. JSmith or JoeSmith).
It’s also recommended that you change your “user nicenames” if your author pages are visible. User nicenames are essentially a WordPress-given “url-slug” that can be used to show posts made by users, called author pages. Unfortunately WordPress is a little behind the ball on the user nicenames, making them almost an exact duplicate of the username by default. There are a number of ways to fix this. If you don’t need author pages, it’s recommended that you simply turn them off. This will prevent your nicenames from being visible at all. Even if you do hide author pages, we still recommend changing the user nicenames to something that isn’t the user’s login username.
If you can’t change your user nicenames, we recommend creating “dummy” author accounts with lowest-level permissions and making your posts and pages be authored by those accounts.
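The two fixes described above, switching author pages off and making sure no nicename still matches a login name, as an added example in the form of a small must-use plugin; this is not the article’s or Wordfence’s code, and the od_example_* function names are hypothetical:

```php
<?php
/**
 * Added example, not the article's code: a must-use plugin (drop it in
 * wp-content/mu-plugins/) that turns author archives off and audits which
 * accounts still have a nicename identical to their login name.
 * The od_example_* names are hypothetical.
 */

// 1) Turn author pages off. Priority 0 runs before WordPress's own canonical
//    redirect, so /?author=1 is sent home instead of becoming /author/<nicename>/.
add_action( 'template_redirect', function () {
    if ( is_author() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 0 );

// 2) List accounts whose public slug (user_nicename) still equals the
//    login name (user_login), which is the default WordPress assigns.
function od_example_nicename_audit() {
    $exposed = array();
    foreach ( get_users() as $user ) {
        if ( strcasecmp( $user->user_nicename, $user->user_login ) === 0 ) {
            $exposed[] = $user->user_login;
        }
    }
    return $exposed;
}

// 3) Give one account a new slug that does not reveal its login name.
//    wp_update_user() returns the user ID on success or a WP_Error.
function od_example_set_nicename( $user_id, $new_slug ) {
    $result = wp_update_user( array(
        'ID'            => $user_id,
        'user_nicename' => sanitize_title( $new_slug ),
    ) );
    return is_wp_error( $result ) ? $result : true;
}

// Show the audit result to administrators as a dashboard notice.
add_action( 'admin_notices', function () {
    $exposed = current_user_can( 'manage_options' ) ? od_example_nicename_audit() : array();
    if ( $exposed ) {
        echo '<div class="notice notice-warning"><p>Nicename equals login for: '
            . esc_html( implode( ', ', $exposed ) ) . '</p></div>';
    }
} );
```

Once the notice lists an account, call od_example_set_nicename() for it (for instance from WP-CLI’s `wp eval`) with a slug unrelated to the login name.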
4) Use two factor authentication:
Utilize two-factor authentication for logins. Two-factor authentication is a great way to keep your WordPress site secure and can be set up using Wordfence, and on your phone using either “Google Authenticator” on Android and iOS, or “Authy” on iOS which works without an internet connection.
Here’s how 2FA works: First, you have a setup code (typically generated by the site you’ll be logging in to) that is needed to connect your authentication app to your website. Once you’ve connected your authentication app, it will show a six-digit 2FA code. These numbers change every few minutes, so they’re extremely hard to brute force.
Secondly, whenever you login to your website going forward, after entering your password, you will be presented with another box where you’ll input your 2FA code displayed on your authenticator app. This makes it near impossible for anyone else to log into your account even if they know your username and password, as no one has both sets of information!
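What the authenticator app and the site are actually computing in the exchange above is the RFC 6238 TOTP algorithm. The following is an added example in plain PHP, not the article’s or Wordfence’s code; it assumes a 30-second step, SHA-1 and six digits, which is what the apps named above use by default:

```php
<?php
/**
 * Added example, not the article's or Wordfence's code: the RFC 6238
 * time-based one-time password (TOTP) algorithm that Google Authenticator
 * and Authy implement, plus the check a login form performs on the
 * submitted code after the password has already been verified.
 */

// Decode the base32 secret the authenticator app was enrolled with.
function totp_base32_decode( string $b32 ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits     = '';
    foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $c ) {
        $bits .= str_pad( decbin( strpos( $alphabet, $c ) ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( strlen( $byte ) === 8 ) {
            $out .= chr( bindec( $byte ) );   // drop trailing padding bits
        }
    }
    return $out;
}

// One code for one 30-second time step (HOTP over the step counter).
function totp_code( string $secret, int $unix_time, int $digits = 6 ): string {
    $counter = pack( 'J', intdiv( $unix_time, 30 ) );          // 64-bit big-endian
    $hmac    = hash_hmac( 'sha1', $counter, $secret, true );
    $offset  = ord( $hmac[19] ) & 0x0F;                         // dynamic truncation
    $binary  = unpack( 'N', substr( $hmac, $offset, 4 ) )[1] & 0x7FFFFFFF;
    return str_pad( (string) ( $binary % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// Server-side check: accept the current step and one step either side to absorb
// clock drift between phone and server, and compare in constant time.
function totp_verify( string $secret, string $submitted, int $now ): bool {
    foreach ( array( -1, 0, 1 ) as $drift ) {
        if ( hash_equals( totp_code( $secret, $now + 30 * $drift ), $submitted ) ) {
            return true;
        }
    }
    return false;
}

// RFC 6238 test vector: the ASCII secret "12345678901234567890" (base32
// GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) gives 94287082 at Unix time 59, i.e.
// 287082 when truncated to the six digits an app displays.
$secret = totp_base32_decode( 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' );
var_dump( totp_code( $secret, 59 ) );
var_dump( totp_verify( $secret, '287082', 59 + 25 ) );   // still inside the drift window
var_dump( totp_verify( $secret, '287082', 59 + 120 ) );  // four steps later: rejected
```

Because the code is derived from a shared secret and the current time, knowing the password alone is not enough; an attacker would also need the enrolled secret, which never leaves the phone and the server.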
The above are the promised 4 key things you can do this week to increase the security of your WordPress site.
How about a bonus one?
5) Don’t use admin level user accounts:
Limit admin-level user accounts. One or two per site is plenty! WordPress lets you create any number of administrator-level users, which makes them dangerous: with administrative privileges, a user could delete all content from the site, including backups, so don’t do it! Instead, create lower-privilege users (such as a Contributor or Author) and use those as the authors when publishing content.
* * *
There we go! Four very specific, practical, and essential tips for you to do what your WordPress website deserves and desires for increased security, all based on the Office Divvy Digital Team’s experience.
Our Digital Team has already implemented these for our digital clients’ WordPress websites. If you manage your own WordPress site but are unable to implement these recommendations by yourself, know this: Within Office Divvy’s membership we have digital agency clients who can help.
By the way, do you have any additional tricks or tips? Feel free to leave a comment below.