WordPress is one of the most popular website platforms around. Over 74.6 million websites rely on WordPress technology. That’s more than Amazon (US), the most popular online retailer in America.
Of course, it’s not hard to see why. WordPress’s customizability, stability, security, and ease of use are second to none. However, a WordPress site can only do so much to fend off attackers on its own. If the administrator at the helm doesn’t know how to keep the site secure, it’s only a matter of time before someone breaks in.
If you want your WordPress site to go from hacker-resistant to hacker-proof, there are seven big things you should be doing.
1. Keep Up With Plugin and Theme Updates
One of the main reasons for WordPress updates is to close newly discovered security holes in the WordPress software, its plugins and its themes. So any time you ignore updates out of laziness, or out of worry that they’ll break your site, you leave your site open to being cracked.
If you’re worried about your WordPress site crashing or being lost because of an update error, don’t be. WordPress updates go off without a hitch almost all of the time. Even if you do hit an error, you can roll back to a previous version as long as you have a backup. A tool like WP-Rollback makes this even easier.
2. Use 2FA For Your Logins
2FA, or two-factor authentication, is an extra layer of security that supplements the usual username and password. You’ve probably already used it on banking websites that require an additional PIN or one-time code on top of your other credentials.
This extra layer may not be necessary for small or ordinary blog sites, but if you handle sensitive information like bank card details, you should definitely use 2FA.
3. Limit Unsuccessful Login Attempts and Remove Login Hints
Attackers typically use a technique referred to as “brute force,” in which a program submits one credential guess after another until it hits on a valid combination. It can take a while, but given enough attempts a brute-force program will eventually find the correct credentials.
This method sounds crude, but it is by far the most effective way to break into unprepared sites. What makes it even more insidious is that brute-force tools are very easy to obtain and use: a ten-year-old with minimal computer expertise could run one and successfully break into your site.
Luckily, you can make this extremely effective technique worthless with two simple changes. First, limit unsuccessful login attempts, for example with a tool like LoginLockDown. Second, disable the login hints that tell the user whether it was the username or the password that was incorrect; a single generic failure message gives an attacker nothing to narrow the search with. Limiting login attempts may be a mild inconvenience for your users, but you’ll have a much more secure website in the long run.
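The two changes above, as an added example written for this article rather than code from WordPress or from the LoginLockDown plugin. It is a must-use plugin (drop the file into wp-content/mu-plugins/) that counts failed logins per source address with WordPress transients, refuses further attempts once a threshold is reached, and replaces WordPress’s field-specific error messages with one generic message. The threshold, lockout window, option names and the `lal_` prefix are assumptions chosen for illustration; the hooks (`wp_login_failed`, `authenticate`, `login_errors`, `wp_login`) and transient functions are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 *
 * Added example for the article's tip 3, not code from WordPress or from
 * the LoginLockDown plugin. Copy into wp-content/mu-plugins/ to activate.
 * The threshold and lockout length below are assumptions, not WordPress defaults.
 */

const LAL_MAX_FAILURES = 5;        // failures allowed before lockout (assumed value)
const LAL_LOCKOUT_SECS = 15 * 60;  // how long a lockout lasts, in seconds (assumed value)

/** Transient key for the per-address failure counter. */
function lal_transient_key(): string {
    // REMOTE_ADDR is only trustworthy when no reverse proxy sits in front of PHP;
    // behind a proxy, derive the address from its forwarded header after validating it.
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'lal_failures_' . md5($ip);
}

/** Count a failed login. Runs on WordPress's wp_login_failed action. */
function lal_record_failure($username): void {
    $key      = lal_transient_key();
    $failures = (int) get_transient($key) + 1;
    // Re-set the expiry on every failure so the lockout window slides forward.
    set_transient($key, $failures, LAL_LOCKOUT_SECS);
    // Record the event for the operator; never log the password, and keep the
    // username out of anything echoed back to the client.
    error_log(sprintf('login failure #%d from %s', $failures, $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
}
add_action('wp_login_failed', 'lal_record_failure');

/**
 * Refuse authentication while the lockout is active. Runs on the authenticate
 * filter at priority 30, after WordPress's own username/password check (20),
 * so even a correct password is refused until the lockout expires.
 */
function lal_check_lockout($user, $username, $password) {
    if ((int) get_transient(lal_transient_key()) >= LAL_MAX_FAILURES) {
        return new WP_Error('lal_locked_out', 'Too many failed login attempts. Try again later.');
    }
    return $user;
}
add_filter('authenticate', 'lal_check_lockout', 30, 3);

/** Replace every login error with one message that does not reveal which field was wrong. */
function lal_generic_error($error): string {
    return 'Login failed. Check your username and password.';
}
add_filter('login_errors', 'lal_generic_error');

/** Clear the counter after a successful login so a legitimate user is not penalised later. */
function lal_clear_on_success($user_login, $user): void {
    delete_transient(lal_transient_key());
}
add_action('wp_login', 'lal_clear_on_success', 10, 2);
```

Because the counter is keyed by source address, many users behind one corporate NAT share a counter; raise the threshold or add a per-username counter if that bites. The generic message also hides the lockout itself from the client, which is deliberate: the error_log line, not the login form, is where you watch for brute-force activity.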
4. Rename Your Login Page and Remove the Admin Login Link
You can further deter brute-force attacks by renaming your login page to something other than www.yourwebsitename.com/wp-login.php. Renaming makes automated brute-force tools work much harder to find the login page in the first place. It is a deterrent rather than a substitute for the attempt limits in tip 3, so keep both in place.
You can also remove the admin login link from public view and turn it into a private URL that only your administrators know. All of this is doable with the Lockdown WP-Admin plugin. You can also install a plugin like The Hack Repair Guy’s Admin Login Notifier.
For this to work, you may need to update your internet security policy for your employees and other administrators, so that they know the new address and keep it private.
5. Create a 16-Digit Numerical Password With Symbols Like % or $ and No Whole Words For a More Secure Website
It’s tempting to choose easily memorable passwords such as the names of people you know or your date of birth, but the easier a password is to remember, the easier it is to guess. Instead, use a tool like passwordsgenerator.net to create a password that no human could ever guess. With the anti-brute-force measures from tips 2 and 3 in place as well, you’ll have a more secure website than the overwhelming majority of WordPress users.
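An added example, not code from the article or from passwordsgenerator.net, showing what tip 5 asks for: a 16-character password drawn from a cryptographically secure source with symbols such as % and $, a checker that rejects candidates containing a whole word, and an entropy figure that shows why the alphabet matters as much as the length. Inside WordPress, `wp_generate_password(16, true, true)` does the generation step; the checker is useful either way. The `PW_COMMON_WORDS` list is a constructed stub standing in for a real dictionary, and all `pw_` names are assumptions for this example.

```php
<?php
/**
 * Added example for the article's tip 5; not code from the article, WordPress
 * or any password-generator site. Run with: php password_example.php
 */

const PW_LENGTH  = 16;
const PW_LETTERS = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
const PW_DIGITS  = '0123456789';
const PW_SYMBOLS = '!#$%&*+-=?@^_~';

/** Constructed stand-in for a dictionary; a real check would load a proper word list. */
const PW_COMMON_WORDS = ['password', 'admin', 'welcome', 'love', 'word', 'press', 'summer'];

/** Pick $length characters uniformly from $alphabet using PHP's CSPRNG (random_int). */
function pw_generate(int $length = PW_LENGTH, string $alphabet = PW_LETTERS . PW_DIGITS . PW_SYMBOLS): string {
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];  // unbiased; rand() % n would skew the distribution
    }
    return $out;
}

/** Bits of entropy for a uniformly random password of this length over an alphabet of this size. */
function pw_entropy_bits(int $length, int $alphabet_size): float {
    return $length * log($alphabet_size, 2);
}

/**
 * Returns the rule violations found (an empty array means the password passes):
 * minimum length, at least one symbol, and no whole dictionary word embedded anywhere.
 */
function pw_check(string $password): array {
    $problems = [];
    if (strlen($password) < PW_LENGTH) {
        $problems[] = 'shorter than ' . PW_LENGTH . ' characters';
    }
    if (strpbrk($password, PW_SYMBOLS) === false) {
        $problems[] = 'contains no symbol';
    }
    foreach (PW_COMMON_WORDS as $word) {
        if (stripos($password, $word) !== false) {  // case-insensitive substring match
            $problems[] = "contains the word '$word'";
        }
    }
    return $problems;
}

// Generate until the checker passes. A random 16-character string almost never
// contains a whole word, so this loop normally runs exactly once.
do {
    $candidate = pw_generate();
} while (pw_check($candidate) !== []);

$full   = strlen(PW_LETTERS . PW_DIGITS . PW_SYMBOLS);  // letters, digits and symbols
$narrow = strlen(PW_DIGITS . PW_SYMBOLS);               // digits and symbols only

printf("generated password: %s\n", $candidate);
printf("entropy, letters+digits+symbols: %.1f bits\n", pw_entropy_bits(PW_LENGTH, $full));
printf("entropy, digits+symbols only:    %.1f bits\n", pw_entropy_bits(PW_LENGTH, $narrow));

// A constructed weak candidate: right length and has symbols, but embeds a whole word.
$weak = 'Summer2024%$!abc';
printf("check on %s: %s\n", $weak, implode('; ', pw_check($weak)) ?: 'ok');
```

The two entropy lines are the point of the comparison: 16 characters over letters, digits and symbols (76 possibilities each) give roughly 100 bits, while 16 characters over digits and symbols alone (24 possibilities) give roughly 73 bits. Both are far beyond online brute force once tip 3’s attempt limits are in place, but the larger alphabet costs nothing when a generator picks the password for you.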
6. Don’t Skimp On Your Hosting Platform
All the complex passwords and security precautions in the world won’t do a bit of good if your host is unreliable. In fact, most hacked WordPress sites were compromised because of a failing on the hosting platform’s part.
Shared hosting is generally affordable and should be just fine for smaller sites. But if your site grows and uses more server resources than its neighbours, your shared host may push you to upgrade. This may take the form of a periodic series of messages if your host is polite, or your site may be dropped without warning if you’re unlucky.
If your site is going to be big, you’re better off going with a more secure, WordPress-specialised host. Pagely and SiteGround are two well-respected WordPress hosts, but you should shop around to find one that suits your needs. In addition, keep track of your website’s server load and performance (with a tool like SiteUpTime) to see what level of web hosting you need.
7. Protect Your Own Computer
This goes without saying for most of you, but many others forget this valuable tip: you need to make sure your own system is secure. It makes no sense to protect your site from the outside if the computer you administer it from is infected with malware, trojans, or other bugs, since a compromised machine can hand over your admin credentials. If you’re getting popup ads, haven’t scanned for malware or adware in the last month, frequently visit unsafe sites or click random ads, or don’t use a firewall, check your system with several trusted virus scanners before doing anything else.
Remember to Always Have Backups!
Nothing is guaranteed. Your site could still be hacked even with these security measures in place. Luckily, backups are your trump card against hackers. If you or one of your administrators notices malicious activity on your site, take it down and roll back to a previous clean version once you’ve determined the cause; restoring before you know how the attacker got in only invites the same break-in again.
It’s an inconvenience, but a few hours of site downtime is much better than someone stealing customer information from your site!
It’s recommended that you keep at least 3 backups of your site on various media, including physical ones, in case your computer is compromised. You can make this easier by turning on automated WordPress backups, but check often that the backups are still being made and that they can actually be restored.
Downtime is unacceptable. You should be monitoring yours. Contact us for more on how to keep your website secure.