WordPress.org is indeed the best CMS and the most popular blogging platform that every blogger loves but the thing which I really hate about WordPress is the security issue and its vulnerability to being hacked easily. WordPress is vulnerable because it is an open source CMS where the source code is open to all so the hackers can easily find security holes in it and use it to breach the security of WordPress blog.
On an average more than 60,000 WordPress sites hacked daily which is almost two third of all websites hacked in one day. Well this is a serious issue which most of WordPress bloggers don’t really care about, and if you too, don’t take the security of your WordPress blog security seriously, you may be the victim one day.
But don’t be panic, having little efforts will make your site and important data safe. Here are 10 practical tips to secure your WordPress site.
01. Secure Hosting
Almost 41% of all the WordPress blogs got hacked because of vulnerable hosting they have used. It’s a huge percentage so the hosting must considered first in order to make your WordPress site secure.
From the day first, opt for a secure web hosting service for your WordPress blog rather than going for cheap hosting. Remember, your WordPress blog is as secured as your hosting therefore look for the hosting services that keep security on priority. Do some background search and read the reviews regarding the hosting company you are about to host your site on. They may cost you bit more but make it sure that your WordPress blog is on secure place in safe hands. A secure hosting is one with following features
- Web Application Firewall
- Support for latest PHP & MySQL versions
- Account isolation
- Intrusion detecting feature
02. Updates WordPress Version, Plugins and Themes
Don’t ignore “Please Update Now” message showing on your dashboard or your WordPress site will be open to hacker’s attacks. Every updated version of WordPress comes with fixes and patches for the possible or potential vulnerabilities along with other features. If you are using the older WordPress version, hackers who knew the security issues of may target you blog.
The same is true regarding WordPress plugins and themes. So every time you got a message to update a plugin or theme, don’t ignore it.
03. Choose Strong Password
Weak password is another most common risk factor accountable for 8% of total WordPress hacks. Needless to say, a password like “america”, losangeles” “qwertyu”, “asdfg12345” is easy to guess and can be easily broken with online password breaking tools that apply thousands of password or word combination in a second.
Here are few tips to make strong password
- Use mixture of alphabetical and numeric characters.
- Use both upper- and lowercase alphabets as the password is case sensitive.
- Use different symbols in password like $%*&! (don’t sue spaces)
Read here Google suggestions regarding strong password Or alternatively use password manager application like LastPass or KeePass (free) which will generate and remember strong password for you.
See the strength of your existing password here at GRC
04. Never use admin as username
Along with a strong password a strong username is also crucial. By default WordPress site has “admin” as username for administrator which is easy to guess and hacker attempt repeated logins using “admin” as username with list of common passwords. If you too, use admin as username, your blog is at risk of malicious attacks. Change it to an uncommon user name.
Note: After the WordPress 3.0 update, users are now allow to choose own name instead of admin.
05. Hide user Names
Well you may change the username from “admin” to another name but hacker can still gain access to your username via author archive page on your blog. So you must hide it from the hackers by configuring the user’s table in Database.
To hide the username form hackers, you need to change it in wp_users table. For this you have to access your database using phpMyAdmin. Look for wp_users here you’ll see a column user_nicename with list of users. Click on the username and change it to something other then the real username. For example if the username is johnsnow, change it to something like jhowsn.
Read the article regarding hiding your username here
06. 2-Step Authentication
You may have had enable Two Factor authentication feature on your Gmail ID where after login, a code is sent to the given phone number which let you access your Gmail account from a different PC or device.
If you apply the same 2-Step Authentication to your WordPress blog, there will be significantly improvement in your blog security. However 2-step authentication is not an inbuilt feature of WordPress, you have to use third-party plugins to enable this feature on your WordPress blog. One of the best ways to enable 2-factor authentication is to use Clef Two-Factor Authentication while the other plugin is Authy. All you need is to install one of these plugins, register on their respected sites, proved the phone number and you’ve done.
07. Limit login attempts
Sometime hackers or bots try to crack WordPress blog password by brute-force attack via online or offline tools by applying combination of thousands of usernames and passwords. Although they might not always successful in cracking your password but still if they do it, you may lost your blog and data. To avoid such attacks, a good solution is to limit the number of login attempts from the same IP. Again, this feature is not available in WordPress by default but plugins will do it for you. A list of plugins available in WordPress plugins directory that allow you to specify the number of failed login attempts from an IP. Just try one of the following plugins
08. Don’t Use pirated themes and plugins
Pirated Premium WordPress themes and plugins are easily available at file sharing or torrents sites but don’t ever use such pirated WordPress themes or plugins. These themes may have malicious code or script hidden in them which upon installation to your WordPress theme or plugins directory may render severe harm to your WordPress blog.
Even be conscious to use free themes offered by an unknown source or developer. It is better to pay some $$ to buy premium WordPress theme rather then to lost your data forever. Or if you want to use free themes, use one from the trusted companies or those available on WordPress official theme repository. Similarly use only plugins that are listed in WordPress.org plugins directory as they are test and evaluated for any malicious code
09. Use A Security plugin
After all these tips, you can still make your WordPress blog security tight by adding an extra layer of protection using a security plugin. Just explore the WordPress plugins directory for some handy security plugins. These plugins will add an extra layer of security to your blog, protect your blog from malware and will regularly scan your blog for any malicious code or unusual activity. Both free and premium security plugins available there, choose the one which is most trusted and rate by other WordPress users and has the features that best suit your requirements.
Some of the handy Security plugins available at WordPress plugins directory are:
- All in One WP Security and Firewall
- BulletProof Security
- Better WP Security
- Exploit Scanner
10. Take frequents backups
Take a backup of your WordPress blog before it’s too late. Even after all the safety measure you apply to improve your WordPress blog security, there is no assurance that your site is 100% safe, so you need to be prepared for the worst happen.
Being a WordPress blogger, it’s crucial to take regular backups of your blog so in case if something wrong happen with your blog or if your WordPress blog is being hacked, you can easily restore all the data and can re-establish your site to its previous glory.
If you are a novice blogger and don’t know much about the backup process of your site data, don’t worry, there are some handy plugins that might help you in this regards. Some of these plugins includes
Some hosting services provide backup feature to take backup of website or blog on routine basis. Checkout your site’s cPanel to see if this features is provided to you by your hosting provider.