Today, WordPress powers at least 30% of the websites on the internet, making it the most popular content management system.
There are more than 40,000 WordPress sites in the Alexa Top 1 Million rankings, and more than 70% of them are prone to attacks. Identifying the vulnerabilities takes no special hacking skills: free tools can reveal the loopholes within seconds.
Did you know Reuters was hacked in 2012? The news website was using an outdated version of WordPress.
Of course, no website is 100% secure. What is achievable is reducing your chances of being hacked by 99% compared with most other WordPress sites out there.
As a WordPress site owner, you are likely to face vulnerabilities that can be exploited through backdoors, brute force login attempts, denial of service, malicious redirects, pharma attacks, and many others.
What are these vulnerabilities?
- Using an outdated and unsupported WordPress version,
- Poor credentials management,
- Outdated plugins and themes,
- Poor system administration
What we are trying to help you prevent is what happened during the botnet attacks of mid-2019, when a good number of WordPress websites had their precious data wiped. This should not happen to you if you take these 10 WordPress security actions:
1. Never Be Out of Date With Anything
Starting with your WordPress core, themes, and plugins, keep everything up to date. Outdated items on your WordPress site create an opening for hackers to find their way in.
Out-of-date items are even one of the signs that hackers and bots look for.
It does not matter if a plugin or theme is not in use: keep it updated or delete it.
Go through your “Plugin Last Updated” list and remove any plugin you do not intend to use soon, or update it if you still have plans for it. Anything not updated within the last 12 months already poses a security risk, so delete it.
2. Use a Unique Password and Change It Regularly
You cannot use “Password” as the password of your WordPress site, nor should you use your date of birth in any format. The best practice is to avoid recognizable words or strings of words in any language.
For your password, ensure it is random, changed every month, and used for a single purpose.
To be more precise, a random password should look like this: aW1!hBn%sD?$. If your password does not look as random as this, your website is at risk.
Ensure that the random password is used only for your WordPress site, and not for your Gmail, Facebook, or Twitter account. Tools such as LastPass and Strong Password Generator can generate random passwords for you.
How Long Should Your WordPress Site Password Be?
Make sure it is at least 15 characters long and contains no dictionary words, since those make it prone to a dictionary attack.
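The rules from this section (at least 15 characters, no dictionary word, random characters, nothing resembling a date of birth) as a password checker and generator. This is an added example, not code from the article; the wordlist is a constructed stand-in for a real dictionary file, and the leetspeak table is an assumption about how attackers normalise dictionary words.

```python
import re
import secrets
import string

# Constructed mini wordlist standing in for a real dictionary file; in practice
# load a full dictionary or leaked-password list into this set instead.
COMMON_WORDS = {"password", "admin", "wordpress", "welcome", "letmein", "qwerty"}
# Reverse common leetspeak substitutions so "p4ssw0rd" is still caught as "password".
LEET = str.maketrans("4301$!@", "aeoisia")
MIN_LENGTH = 15  # the minimum length the article asks for

def contains_dictionary_word(password, words=COMMON_WORDS):
    """True if any wordlist entry appears inside the password, ignoring case and leetspeak."""
    normalised = password.lower().translate(LEET)
    return any(w in normalised for w in words)

def password_problems(password):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    if sum(any(c in cls for c in password) for cls in classes) < 3:
        problems.append("fewer than three character classes")
    if re.search(r"(19|20)\d{2}", password):
        problems.append("contains a year (possible date of birth)")
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    return problems

def generate_password(length=20):
    """Generate a cryptographically random password that passes password_problems()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate):
            return candidate
```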
3. Never Use The Standard WP-Admin Login Page
You are making it quite easy for hackers to brute force their way into your WordPress website. By leaving /wp-login.php or /wp-admin/ as the entry point into your WordPress backend, you are sending hackers an invitation to visit your WordPress site.
It may look straightforward and petty, but this is one of the easiest ways to gain control of any WordPress site.
Change it to something unique such as /my-login-page/ or /new_admin/.
Customize the login page to your WordPress backend and keep it somewhat secret. Make it difficult for hackers to find the entry point. Your site is even more vulnerable if you still have “Admin” as the login username.
4. Set Up Lockdown Feature
Brute force attempts consist of repeated logins with wrong credentials. This can be curtailed with a lockdown feature: the WordPress site is locked down when multiple failed login attempts are made.
It does not end there; you will be notified immediately, through an alternative email, of the unsuccessful login attempts. Locking the site down limits what a brute force attack can achieve.
You can also specify that the IP address from which the login attempts originate be banned from accessing your WordPress website. Several WordPress plugins offer these features.
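The lockdown logic described in this section, as an added example rather than code from the article or from any plugin: it reads constructed web-server access log lines, counts failed wp-login.php POSTs per IP inside a sliding window, and reports which IP should be locked out and when. The threshold of 5 failures in 300 seconds is an assumption; WordPress answers a failed login with HTTP 200 and a successful one with a 302 redirect, which is the signal used.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines (combined format): a scripted client hammering
# wp-login.php, and a legitimate user who fails once and then succeeds.
# Failed login = 200 (form re-rendered with an error); success = 302 redirect to wp-admin.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2019:14:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "python-requests/2.21"
203.0.113.7 - - [10/Jun/2019:14:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "python-requests/2.21"
203.0.113.7 - - [10/Jun/2019:14:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "python-requests/2.21"
198.51.100.20 - - [10/Jun/2019:14:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2019:14:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "python-requests/2.21"
203.0.113.7 - - [10/Jun/2019:14:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "python-requests/2.21"
198.51.100.20 - - [10/Jun/2019:14:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):  # returns (ip, timestamp, method, path, status) or None
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def find_lockouts(log_text, max_failures=5, window_seconds=300):
    """Return {ip: time_of_lockout} for IPs reaching max_failures failed logins in the window."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    lockouts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method != "POST" or not path.startswith("/wp-login.php"):
            continue
        if status == 302:            # successful login resets the counter
            failures[ip].clear()
            continue
        if status != 200:            # 4xx/5xx and others are not login failures
            continue
        window = failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()         # drop failures older than the window
        if len(window) >= max_failures and ip not in lockouts:
            lockouts[ip] = ts        # record the first time the threshold is hit
    return lockouts
```

Feeding the same logic a live log tail, and acting on the result with a firewall rule or the plugin's ban list, is what a lockdown plugin does for you.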
5. Protect the Heart of Your WordPress Website
The heart of any WordPress website is the wp-admin directory. Once this directory is breached, you have lost total control of your WordPress site, which is why you should not leave it open for access.
Aside from the login page, you should password protect your wp-admin directory. This means the dashboard is accessed using two passwords, and it can even be combined with Two-Factor Authentication (2FA).
Password protecting the wp-admin directory has to be done from the cPanel of your hosting set-up.
Even if an attacker gets past your login page, they will still have to figure out another set of credentials.
6. You Don’t Have To Use The WP Prefix
There are hundreds of attacks that your WordPress site is prone to, and one of them is the SQL injection attack, one that can be mitigated by changing the WordPress table prefix wp to something unique.
If you are planning to start a new WordPress site, this should be one of your priorities. Your prefix should never be wp; change it to something unique, such as wp01 or wpnew.
What if you have already installed your WordPress website using the wp prefix? It can still be fixed. Search for WordPress plugins that can change your prefix, and make sure you take a back-up before working on the database of your WordPress site.
7. Never Reveal Your WordPress Version Number
The WordPress version number appears right there in your WordPress site’s source view, and also in your WordPress dashboard. You should be the only one who knows which WordPress version you are running.
If attackers know the WordPress version you are running, they are one step closer to hacking your WordPress site. When the version is known, they can custom-build their attack without trial and error.
How can you remove the WordPress Version Number?
The WordPress version cannot be removed, but it can be hidden. There are WordPress security plugins that do this excellently.
8. Encrypt Your WordPress Site Using SSL
The admin panel of your WordPress site is better secured using Secure Sockets Layer (SSL). With SSL in place, data transfer between browsers and servers is encrypted. This means hackers cannot intercept your data or breach the connection.
Check with your hosting company whether they offer an SSL certificate. Usually, a good hosting company provides SSL as part of the hosting package.
Your WordPress site will also be taken seriously by search engines. For example, Google ranks websites with SSL higher than those without it. With SSL, you are not only securing your WordPress site, but you are also able to attract more traffic.
9. Extra Layer of WordPress Security With Two Factor Authentication
Another security measure for your WordPress site is employing a 2FA module. Every user, including you, will be required to provide two different login details before accessing the dashboard.
Aside from the password, the user will be asked to provide an answer to a secret question, a secret code, or a combination of characters. Save yourself all this stress and use the Google Authenticator app. This means that without access to your phone, no one can log in.
10. Back-Up Your WordPress Site Regularly
If you have implemented all nine WordPress security actions above, there is still room for improvement. Remember, the idea is to keep your website away from the prying eyes of attackers.
Regardless of what you have done so far, you need an offsite back-up. With a back-up somewhere, your WordPress site can be restored to a working state anytime.
A regular back-up should be taken at least once every 7 days. Some WordPress sites create an offsite back-up every hour. For starters, a weekly or bi-monthly back-up is essential.
With a back-up in place, you can get your website up and running regardless of what happens to your WordPress website.
One last WordPress security action you should take is whitelisting the IP addresses that should have access to your dashboard.
WordPress security should not be trivialized: the more attention you pay to it, the harder it gets for attackers. Security is one of the things you should take seriously while considering the top content marketing mistakes to avoid. Luckily, WordPress security has been made easy by the abundance of tools and plugins at your disposal. You just have to know which ones to use.