Since the majority of WordPress attacks are used to send spam, execute SEO spam, or perform a malicious redirect, hackers don’t discriminate based on the amount of traffic you generate. And since smaller websites are typically less secure and therefore easier to hack, they are a prime target for attacks of all shapes and sizes.
To help you prevent such attacks, I’ve compiled a list of 9 quick and easy tips to improve the security of your WordPress site today.
1. Change Your WordPress Login URL
This single hack alone will eradicate more than 99% of all brute force attacks before they even begin.
Since the default WordPress login page /wp-admin is commonly known, anyone with a basic understanding of the internet can easily access your login page and attempt to brute force their way into your admin panel.
Unless you change the URL of your WordPress login…
To do this, simply install a plugin like iThemes Security and change the URLs to something unique.
For example: /wp-admin/ → /my_awesome_admin_login/
2. Create Strong Passwords and Change Them Regularly
Although this tip is common sense, in my experience, it’s rarely common practice.
By using secure passwords that are 16 characters long containing no discernable pattern or keyphrase and changing them on a monthly basis, you can dramatically reduce the likelihood that your site will be successfully hacked.
3. Implement an SSL Certificate
Implementing an SSL (Secure Socket Layer) certificate is an easy and low-cost way to immediately bolster the security of your WordPress site. The SSL encrypts data that is transferred between browsers and the server which makes it difficult for hackers to intercept that data or your information.
You can purchase an SSL from a dedicated company or simply talk to your hosting company and request that they provide you with one. (Many will do this for free)
4. Keep Your WordPress Core and Plugins Up to Date
Again, although this tip is common sense, it’s not always practiced as regularly as it should be.
WordPress and the plugins that you use are updated on a frequent basis to improve the user experience and patch any vulnerabilities in the software. However, if you aren’t regularly updating your site and plugins, you will not have access to these patches.
I personally recommend that you set your WordPress site and all plugins to update automatically whenever possible.
5. Prevent PHP Files from Being Executed
One of the most commonly used folders for hackers to upload malware to your site is the wp-content/uploads or /wp-includes folder. You can prevent files from being executed in this folder by creating a new text file and pasting the following line of code.
<Files *.php>
Deny from all
</Files>
Then, simply save this file as .htaccess and upload it to both your /wp-content/uploads and /wp-includes folders via the cPanel.
6. Remove Inactive Users on a Regular Basis
Another simple, but an often overlooked tip that many webmasters forget is to regularly remove inactive users from your WordPress site.
This is especially important if you run a large editorial blog or a similar site with a large number of guest writers and contributors.
7. Disable File Editing
If a user has admin access to your WordPress dashboard, they can edit important files including plugins and themes.
If you are cautious with granting administrative access, this shouldn’t be a problem. However, it’s still a good practice to disallow file editing so that, in the event that a hacker does gain administrative access, they still won’t be able to change any of the files.
To do this, simply add the following line of code to the wp-config.php file.
define(‘DISALLOW_FILE_EDIT’, true);
8. Avoid Logging Into Your WordPress Account on Unsecured Networks
With more and more people working remotely, it’s become all too common for uninformed individuals to access sensitive information on unsecured public networks. This is a huge mistake.
When browsing the web on a public connection, anyone with the right skillset can quickly and easily hack your connection and intercept the information that you are transmitting.
From your banking information to social media profiles to your WordPress logins, everything is up for grabs while you are connected to these networks.
As such, it’s important that you exercise caution and ensure that you only login to your WordPress site from a private network or secure your public connection using a reputable VPN.
9. Find and Install a Reputable Security Plugin
One of the simplest (and least techie) ways to increase the security of your WordPress site is to install a reputable security plugin that can reduce your site’s vulnerabilities is to install a comprehensive plugin that will tighten security across the board.
I personally recommend iThemes Security which will:
- Limit the number of login attempts to your WordPress dashboard
- Block IP addresses with multiple failed login attempts
- Rename the default WordPress login URL (as mentioned in point #1)
- Enforce strong passwords
10. Regularly Scan Your Site for Vulnerabilities
It’s been said that “What you don’t know won’t hurt you.” While this might be true in some regards, it is most certainly not the case when it comes to WordPress security.
Even if you take all of the aforementioned steps from this article, your site could still have many potential weaknesses and vulnerabilities that you are unaware of.
As such, it’s a good idea to regularly scan your site for vulnerabilities using a tool like WordPress Security Scan or WPScan. Although the premium versions of these tools might set you back a few dollars, the added peace of mind is well worth their nominal fee.