If you have never taken your WordPress website's security seriously, you might want to reconsider right now. In this article, we will give you 10 ways to make your WordPress website secure.
Some of the ways to make your WordPress website secure include: choosing a good hosting company, using premium themes, installing a security plugin, using strong passwords, disabling file editing, installing an SSL certificate, changing the WordPress login URL, limiting login attempts, hiding the .htaccess and wp-config.php files, and keeping your version of WordPress up to date.
You may ask yourself,
Why should I keep my WordPress website secure?
Even though the core of WordPress is very secure and is updated often, it’s very important that you (the site owner) take matters into your own hands. This is because, in the event of anything happening, you will be the sole person facing the heat and loss.
Google blacklists thousands of websites for malware and phishing on a daily basis, which means that a security breach is real and could happen to anyone, just like you and me. If you are serious about your website, then you need to pay attention to the ways to make your WordPress website secure that are pointed out in this guide.
Remember, government websites have been hacked too which is a clear message that you are not an exception.
10 ways to make your WordPress website secure.
1. Always use premium themes.
It always pays to use premium themes! If anything breaks, you can contact support and the issue will be sorted out quite easily. Never use nulled or hacked versions of themes. You may save a few pennies, but it is no real bargain in the long run: nulled copies frequently come with malicious code already inside, so you are open to attack from day one with no one to turn to.
2. Choose a good hosting company
Choosing the right hosting company from the beginning will be of great benefit to the security of your WordPress website. A good hosting company will do the following:
- Continuously monitor their network for suspicious activity.
- Have tools in place to prevent large-scale DDoS attacks.
- They keep their server software and hardware up to date to prevent hackers from exploiting known security vulnerabilities in old versions.
- They have ready to deploy disaster recovery plans which allow them to protect your data in case of a breach.
At Billionaire Surge Media, we recommend Bluehost and SiteGround among the shared hosting companies. When using a shared hosting company, do serious research first, because you will be sharing the server with other customers, and an attack on one of their sites can put your site at risk too.
Alternatively, we recommend using a managed WordPress hosting service, because it provides a more secure platform for your website. Managed WordPress hosting companies offer automatic backups, automatic WordPress updates and more advanced security configurations to protect your website. We recommend WP Engine, who are also very popular in this industry.
3. Install a WordPress security plugin
There are many WordPress plugins that can help you with security; however, not all of them are very good. At Billionaire Surge Media, we recommend Sucuri Scanner, which is a free security plugin. It also has premium features in case you need more complex protection. The features include security activity auditing, file integrity monitoring, remote malware scanning, blacklist monitoring, effective security hardening, post-hack security actions, security notifications and even a website firewall (which is a paid feature).
When you install and activate Sucuri, you will need to go to the plugin menu in your WordPress admin. The first thing you will be asked to do is Generate a free API key. This enables audit logging, integrity checking, email alerts, and other important features.
4. Use a strong password
Even though passwords are often overlooked, they are very important in protecting your website from intrusion. If your password is a run of repeated or sequential numbers or letters, change it immediately. Passwords like 1234 or ABCD can easily be guessed and shouldn't be used. At Billionaire Surge Media, we recommend that you always use a password with a combination of letters, numbers and special characters. In fact, the best way is to use the password that WordPress auto-generates for you.
5. Disable file editing
WordPress lets you edit theme and plugin files directly from the dashboard through its file editing feature. In the wrong hands, that feature lets an attacker who gets into your admin area plant malicious code in your site without ever touching the server. It is always recommended that you turn it off.
You can turn this feature off in two ways.
The first is to add the following line to your wp-config.php file, which removes the editor from Appearance > Theme Editor in your WordPress dashboard. Put it above the /* That's all, stop editing! */ comment near the end of the file so that it takes effect:
// Disallow file edit (removes the theme and plugin editors from the dashboard)
define( 'DISALLOW_FILE_EDIT', true );
The second option is to use the hardening feature in the free Sucuri Security plugin that we talked about above.
6. Always keep your version of WordPress up to date.
WordPress is always being updated which means many of the security features are also always being updated. By staying updated with the latest version you are helping protect yourself from hackers.
WordPress automatically downloads and installs minor updates; for major updates, however, you will need to update directly from your WordPress admin dashboard.
It is also a great idea to always keep your plugins updated, however, always make sure that you have a good backup copy of your website. This is because updates sometimes cause issues and may cause your website to crash.
7. Limit the number of login attempts.
You can do this with a free WordPress plugin called Login Lockdown. After installing it, go to the plugin's settings to limit the number of login attempts.
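To show what a login limiter like this actually does under the hood, here is an added example written for this article; it is not the Login Lockdown plugin's code and not part of the original post. It is a minimal WordPress must-use plugin in PHP: the file name, the bsm_ prefix and the thresholds are this example's own choices, and it assumes a single-server site where REMOTE_ADDR is the visitor's real address.

```php
<?php
/*
 * Added example, not the Login Lockdown plugin's code: a minimal login-attempt
 * limiter written as a WordPress must-use plugin. Save it as
 * wp-content/mu-plugins/login-limit.php (file name and the bsm_ prefix are this
 * example's own choices). Thresholds are illustrative; adjust them to taste.
 */

const BSM_MAX_ATTEMPTS = 5;                       // failures allowed before lockout
const BSM_LOCKOUT      = 30 * MINUTE_IN_SECONDS;  // how long a lockout lasts
const BSM_WINDOW       = 15 * MINUTE_IN_SECONDS;  // failures are forgotten after this

/* Failures are bucketed per client address. Behind a CDN or reverse proxy,
 * REMOTE_ADDR is the proxy itself, so every visitor would share one bucket:
 * derive the key from the forwarding header your proxy sets (and only from
 * that trusted source) instead. */
function bsm_bucket_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'bsm_login_' . md5($ip);
}

/* Current state for this client, stored as a WordPress transient. */
function bsm_bucket(): array {
    $state = get_transient(bsm_bucket_key());
    return is_array($state) ? $state : ['count' => 0, 'locked_until' => 0];
}

/* Count each failed login and lock the bucket once the threshold is reached. */
add_action('wp_login_failed', function ($username) {
    $state = bsm_bucket();
    $state['count']++;
    if ($state['count'] >= BSM_MAX_ATTEMPTS && $state['locked_until'] <= time()) {
        $state['locked_until'] = time() + BSM_LOCKOUT;
        // Written to the PHP error log: a cheap signal for brute-force monitoring.
        error_log(sprintf('[login-limit] lockout for %s after %d failures (last username tried: %s)',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $state['count'], sanitize_user((string) $username)));
    }
    $ttl = $state['locked_until'] > time() ? BSM_LOCKOUT : BSM_WINDOW;
    set_transient(bsm_bucket_key(), $state, $ttl);
});

/* Refuse authentication while locked out. Priority 30 runs after WordPress'
 * own username/password handlers (priority 20) and overrides their result;
 * a lower priority would be overwritten by them when the credentials are valid. */
add_filter('authenticate', function ($user, $username, $password) {
    $state = bsm_bucket();
    if ($state['locked_until'] > time()) {
        $minutes = (int) ceil(($state['locked_until'] - time()) / MINUTE_IN_SECONDS);
        return new WP_Error('bsm_locked_out',
            sprintf('Too many failed login attempts. Please try again in %d minute(s).', $minutes));
    }
    return $user;
}, 30, 3);

/* A successful login clears the counter for that client. */
add_action('wp_login', function ($user_login, $user) {
    delete_transient(bsm_bucket_key());
}, 10, 2);
```

Two design points are worth knowing before relying on any limiter, including a plugin: bucketing by address alone means everyone behind a shared office or mobile NAT is locked out together, while bucketing by username alone lets an attacker lock a legitimate user out on purpose, which is why mature plugins combine the two and why the lockout message above deliberately does not reveal whether the username exists.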
8. Install an SSL certificate
Once you enable SSL, your website will use HTTPS instead of HTTP, and browsers will show a padlock next to your URL. HTTPS encrypts the traffic between your visitors' browsers and your server, so anyone sitting in between cannot read or tamper with what is sent (logins, form submissions, cookies), which makes stealing that information much harder.
SSL certificates were typically issued by certificate authorities and they cost hundreds of dollars each year. Due to added cost, most website owners opted to keep using the insecure protocol.
Fortunately, Let's Encrypt, a non-profit organization, decided to offer free SSL certificates to website owners. Let's Encrypt is supported by companies like Google Chrome, Facebook and Mozilla. Today, most hosting companies offer Let's Encrypt certificates for free, which means there is not a single excuse for anyone not to have one.
9. Add two-factor authentication
Two-factor authentication means that any user logs in using a two-step method. The first step is the username and password, and the second step requires you to authenticate using a separate device or app.
You may have seen this on websites like Google, Facebook and Twitter, which let you enable it for your accounts. You can add the same to your WordPress site.
First, install and activate the Two Factor Authentication plugin. Upon activation, click on the 'Two Factor Auth' link in the WordPress admin sidebar.
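App-based second factors of the kind described above are usually time-based one-time passwords (TOTP, RFC 6238). The following is an added example in plain PHP, written for this article and not taken from the plugin or from WordPress core: it shows what the authenticator app on the user's phone computes and how the site side checks the code the user types as the second step. The function names are this example's own, the base32 secret in the walk-through is a constructed value and not any real account's key, and the self-check uses the published RFC 6238 test vector.

```php
<?php
/* Added example, not plugin or WordPress core code: a minimal TOTP (RFC 6238)
 * implementation. Function names are this example's own. */

/* Decode the base32 setup key that is shown to the user (or in the QR code). */
function base32_decode_secret(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32  = strtoupper(str_replace([' ', '='], '', $b32));
    $bits = '';
    for ($i = 0, $n = strlen($b32); $i < $n; $i++) {
        $v = strpos($alphabet, $b32[$i]);
        if ($v === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    for ($i = 0; $i + 8 <= strlen($bits); $i += 8) {
        $out .= chr(bindec(substr($bits, $i, 8)));
    }
    return $out;
}

/* HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation. */
function hotp(string $key, int $counter, int $digits = 6): string {
    $msg    = pack('J', $counter);                 // 8-byte big-endian counter
    $hmac   = hash_hmac('sha1', $msg, $key, true); // 20 raw bytes
    $offset = ord($hmac[19]) & 0x0f;               // low nibble of the last byte
    $bin = ((ord($hmac[$offset]) & 0x7f) << 24)
         | (ord($hmac[$offset + 1]) << 16)
         | (ord($hmac[$offset + 2]) << 8)
         |  ord($hmac[$offset + 3]);
    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/* TOTP: the counter is the number of 30-second steps since the Unix epoch. */
function totp(string $key, int $unix_time, int $digits = 6, int $step = 30): string {
    return hotp($key, intdiv($unix_time, $step), $digits);
}

/* Site-side check. $window = 1 also accepts the previous and next step to absorb
 * clock drift. $last_counter is the last step already accepted for this user
 * (store it per user); refusing it again stops replay of a code that was
 * captured while it was still valid. */
function totp_verify(string $key, string $submitted, int $now, int &$last_counter,
                     int $window = 1, int $step = 30): bool {
    $counter = intdiv($now, $step);
    for ($i = -$window; $i <= $window; $i++) {
        $c = $counter + $i;
        if ($c <= $last_counter) {
            continue;                                   // already used: replay guard
        }
        if (hash_equals(hotp($key, $c), $submitted)) {  // constant-time comparison
            $last_counter = $c;
            return true;
        }
    }
    return false;
}

/* RFC 6238 Appendix B vector: ASCII key "12345678901234567890", SHA-1, T = 59. */
function rfc6238_self_check(): bool {
    return totp('12345678901234567890', 59, 8) === '94287082';
}

/* Walk-through with a constructed secret (not a real account's key). */
$secret = base32_decode_secret('JBSWY3DPEHPK3PXP');
$now    = time();
$code   = totp($secret, $now);                        // what the app shows right now
$last   = 0;
$first  = totp_verify($secret, $code, $now, $last);   // fresh code for this step
$again  = totp_verify($secret, $code, $now, $last);   // same code submitted twice

echo 'RFC 6238 self-check: ', rfc6238_self_check() ? 'pass' : 'FAIL', "\n";
echo 'first use: ', $first ? 'accepted' : 'rejected',
     ', replay: ', $again ? 'accepted' : 'rejected', "\n";
```

Whatever plugin you use, the two properties shown here are the ones to look for: the comparison must not leak timing information, and a code must never be accepted twice, because a one-time password that can be replayed within its 30-second window is only a weak second factor.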
10. Hide wp-config.php and .htaccess files
While this is an advanced process for improving your site’s security, if you’re serious about your security it’s a good practice to hide your site’s .htaccess and wp-config.php files to prevent hackers from accessing them.
We strongly recommend this option to be implemented by experienced developers, as it’s imperative to first take a backup of your site and then proceed with caution. Any mistake might make your site inaccessible.
To hide the files, after your backup, add the following to the .htaccess file in your site's root directory. Both files live in that directory, and this rule tells the web server to refuse any direct request for either of them from a browser (WordPress itself still reads wp-config.php normally):
<FilesMatch "^(wp-config\.php|\.htaccess)$">
deny from all
</FilesMatch>
The rule belongs in .htaccess, not in wp-config.php: wp-config.php is a PHP file, and a line like deny from all inside it is a syntax error that takes the whole site down. deny from all is Apache 2.2 syntax that Apache 2.4 still accepts through mod_access_compat; on a 2.4-only server use Require all denied instead. Note also that .htaccess files are only read by Apache and servers compatible with it (such as LiteSpeed); Nginx ignores them, so there the equivalent location rule goes into the server configuration.
Although the process itself is very easy it’s important to ensure you have the backup before beginning in case anything goes wrong in the process.