WordPress is by far the most used content management system and website builder globally. Millions of individual site owners, organizations and businesses take advantage of this easy to use platform to build their website or blog. In 2021, about 35% of the 1.3 Billion of active websites were estimated to be using WordPress. WordPress however is also, unfortunately, one of the most targeted platforms by hackers and other malicious actors. Launching a WordPress site without taking the necessary measures to keep it secure, is a disaster waiting to happen.
While the average site owner might not be a cyber security expert, understanding the basics of website security and taking a few actions can prevent your WordPress website from being hacked in 95% of cases. Here are 7 steps you can take to keep your WordPress site secure.
1) Keep your WordPress installation and plugins up to date
Most hacked websites happen due to the site owners not having updated WordPress to the latest version, or using an outdated plugin. WordPress is NOT a set up and forget it system. As a website owner, you need to make sure your WordPress installation and all plugins you use are always kept updated to the latest version.
2) Install a security plugin
There are various security plugins available from third-party providers, that can help improve the security of your WordPress site. Such plugins can help scan your website for vulnerabilities, block IP addresses where brute force attempts originate from, disable access for malicious visitors and bots, prevent your WordPress files from being modified among other features. Make sure to use one from a reputable vendor.
3) Change default settings
By default, WordPress comes with a default admin URL and a default admin user (“admin”). Obviously, these settings are known to threat actors and are the first ones to be used by malicious actors trying to hack your website using brute force or social engineering. Make sure to change those default settings when launching your WordPress site. You might even consider removing altogether your admin user after creating a new user to which you would have given admin privileges. Another default setting that is often targeted is the wp-config.php file which host key information about your installation. You need to take action to harden that file using the .htaccess file, and restrict its access to unauthorized parties.
4) Monitor your website
It is important to monitor your WordPress site for changes that may be indicative of malicious activity. This can be done using plugins, third party remote tools, or having a website security company handle that function for you. Samurai Defender offers. You can consider our Web Defender website security packages which include monitoring for uptime, online reputation, blacklists and more.
5) Choose a reputable web host
Not all web hosting companies are the same when it comes to maintaining a secured WordPress website. You need to choose a web host which provides WordPress hosting or is familiar with hosting WordPress sites, and maintain servers with secure software including up to date PHP and MySQL versions. If you are looking for a new host to your WordPress site, we recommend HostGamma.com
6) Install a SSL certificate
Enabling SSL/https ensure that traffic between your website’s visitors browser and your server is encrypted. Not having SSL enabled will have a warning on most major browser and Google next to your website, which has a negative impact on your website reputation. SSL with help with SEO, your visitors first impression, but also is an important component of your website security posture. Many hosts today offer SSL certificates for free. If not, look into purchasing one from your host or from a third party SSL provider. Samurai Defender does not sell SSL certificates as of now, however we can help install SSL for your site for just $29.
7) Backup your WordPress site
If all fail and your WordPress site happens to be hacked, the last thing you would like would be in a situation where you have no backup available to revert your site to. Even if your host offers automated backups, you cannot rely on those. We have seen so many cases where hosts backups failed, were corrupted, or just too old. Luckily, there are many options to backup your WordPress database or complete files to a remote location. You can also download manually a backup manually at regular periods, which is an option available from cPanel, Plesk and other major control panels today. Samurai Defender also offers a secure backup service for just $10/month
We hope you have found this article interesting. By implementing the above steps, you will strengthen the overall security of your WordPress website and make it more resilient to online malicious threat actors. If you need professional help in securing your WordPress website, you can check our WordPress hardening service. Alternatively, simply contact us to discuss your needs.