WordPress is the most widely used CMS (content management system) on the Internet. Unfortunately, that popularity also makes it the most attacked: once an attacker has a working exploit or a list of common passwords, the same technique works against millions of sites.
Sucuri, a company specializing in web security, confirms this in its hacked website report: about 90% of the hacked CMS-based sites it cleaned were running WordPress. The figure largely reflects WordPress's market share, but it also shows that an unmaintained WordPress site will be found and compromised.
If you run a WordPress website, you will want to know how to protect it from these attacks.
If so, read the advice below carefully, then put it into practice as soon as possible.
1. Choose a good web host
According to another study by WP Template, 41% of hacked WordPress sites were compromised through a vulnerability on the hosting platform rather than in the site itself.
That is why it is so important to choose a professional provider to host your company website.
You can never fully secure WordPress if your host has gaps at the server level: a weak server undermines every measure you take inside WordPress.
The server security strategy implemented by the hosting company is the foundation of a secure WordPress environment.
The importance of security at your host
Several layers of hardware and software security are required to make the hosting infrastructure robust.
Your WordPress site must be able to withstand sophisticated threats, both physical (access to the data centre and machines) and virtual (network and application attacks).
For this reason, the servers hosting WordPress should receive operating system and software security updates promptly, so that known vulnerabilities are closed before they are exploited.
Before going into production, new software should be tested and scanned for vulnerabilities and malware.
In addition, the host's network must sit behind a well-configured firewall that protects its servers at all times, including during the WordPress installation and site construction phases, when the site is often left with default settings.
Finally, any security software installed on the server must be compatible with the current web server, PHP and database versions, so that protection does not come at the cost of performance or force the host to run outdated components.
The server must also offer encrypted transfer protocols (SFTP or FTPS instead of plain FTP) so that credentials and file contents are never sent in clear text where an intruder could read them.
What you should check with your host
The security of your site depends largely on the hosting provider.
Although I cannot tell you which web host is the most secure, here is a list of the main points to check:
- Security software installed on the web server (web application firewall, intrusion detection, malware scanning),
- Uptime guarantees and TLS/SSL certificate support,
- Automated backups and a tested restore procedure,
- Malware analysis and cleanup in case of infection,
- Network firewall protection,
- Isolation between customer accounts on shared servers, so that a compromised neighbour cannot reach your files.
My advice: always read customer reviews on the Internet before choosing your web host, and ask the provider directly how it handles each point above.
2. Always install updates to secure WordPress
WordPress regularly releases new versions.
These versions bring new features and improvements, but they also fix security vulnerabilities reported by the WordPress developers and by security researchers.
Once a fix is published, the vulnerability it patches is public knowledge, and attackers immediately scan for sites that have not yet applied it. Running the current version closes the holes they are looking for; running an old one advertises them.
To update WordPress, go to Dashboard > Updates in your administration console.
At the top of the page, a notification alerts you when a new version is available.
Click Update Now. It only takes a few seconds, but take a backup first in case the update breaks something.
The same practice applies to your plugins and themes, which are the most common entry point: keep them all on their latest versions, and delete any plugin or theme you no longer use, because inactive code on disk can still be exploited.
The same Dashboard > Updates page lists every plugin and theme with a pending update.
3. Do not use the “Admin” identifier
Many site owners still use admin as their username.
It is the first username attackers try when they attempt to break into a WordPress site, so using it hands them half of the credential pair for free.
If you are still using admin, it is not too late to change it: WordPress does not let you rename a user, so create a new administrator account with a different username, log in with it, and delete the old admin account, reassigning its posts to the new user. Bear in mind that WordPress usernames can often be discovered through author archive pages, so this step reduces automated noise rather than replacing a strong password and two-factor authentication.
4. Use a strong login password
Using a strong password is mandatory if you want to strengthen the security of a WordPress site.
It is a very basic practice, but it is too often overlooked, even though it is what actually protects access to your site against the guessing attacks described above.
Passwords should be long (at least 16 characters), impossible to guess, and ideally generated randomly; the random passwords WordPress proposes when you create or reset a user are fine, and length matters more than mixing uppercase, lowercase, digits and punctuation.
Experts also insist on a different password per site (social media, email, WordPress access, etc.), so that a leak at one service does not open the others. A password manager makes this painless, and the rule applies to every account on your site with administrator rights, not just your own.
5. Configure two-factor authentication
If you use Gmail or Facebook, you have probably had to enter a code from your mobile phone after typing your password.
This is two-factor authentication (2FA). It is a proven way to reinforce login security on any platform on the Internet.
As the name suggests, logging in requires two things:
- Not only your password,
- But also a second factor: a code received by SMS or voice call, a time-based one-time password (TOTP) generated by an authenticator app, or a hardware security key.
In most cases it defeats brute-force and credential-stuffing attacks outright, because a guessed or leaked password alone no longer gets the attacker in.
The attacker would also need your phone or key, which is very unlikely to be in their hands at the same time. SMS codes can be intercepted through SIM swapping, so prefer an authenticator app or a hardware key where you can. WordPress does not ship 2FA in its core; you add it with a plugin. Again, this is an additional layer in securing WordPress, not a replacement for the others.
6. Change the URL of the login page to the administrative console
By default, every WordPress site exposes its login page at the same path: the site address followed by /wp-login.php (and /wp-admin, which redirects there when you are not logged in).
For the same reasons as for the username admin, I also advise you to change the URL of your company site's login page.
Every attacker knows that the default URL ends in wp-admin or wp-login, and automated scanners hit those paths on every WordPress site they find. By moving the page you make them work for it, since they first need to discover the new URL, and you drop out of most of the automated noise. It is obscurity rather than real protection, and it does not cover other authentication endpoints such as xmlrpc.php, so keep the login limits and two-factor authentication in place as well.
The easiest way is to use the iThemes Security plugin, which lets you choose a custom slug for your login page and makes it much harder to guess.
7. Limit connection attempts
By default, WordPress imposes no limit on failed logins: a visitor can try usernames and passwords against your login page indefinitely.
This is a real problem.
Attackers use tools that test thousands, even millions, of username and password combinations, often from many IP addresses at once, against every WordPress login page they find.
To blunt this type of attack and add an extra layer of security to your WordPress site, limit the number of login attempts with a plugin like Login LockDown.
It records the IP address of each failed attempt and, after a configurable number of failures within a short period, blocks that IP for a set time.
In other words, it limits incorrect login attempts much as a bank card locks after three wrong PIN entries.
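The lockout logic such a plugin applies fits in a few lines, so here is an added Python illustration written for this article. It is not code from Login LockDown or from WordPress; the thresholds (3 failures within 5 minutes, 15-minute lock) and the login events it runs through are constructed for the example and are not the plugin's real defaults.

```python
from collections import defaultdict, deque


class LoginLimiter:
    """Per-IP lockout: after `max_failures` failed logins inside `window` seconds, the IP is
    refused for `lockout` seconds, even if it then sends the right password.
    Thresholds are assumed for this example, not Login LockDown's actual defaults."""

    def __init__(self, max_failures: int = 3, window: int = 300, lockout: int = 900):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failed attempts
        self._locked_until = {}              # ip -> time at which the lock expires

    def is_locked(self, ip: str, now: int) -> bool:
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[ip]       # lock expired, forget it
            return False
        return True

    def record(self, ip: str, password_ok: bool, now: int) -> str:
        """Apply the policy to one login attempt. Returns 'locked', 'ok' or 'failed'.
        A locked IP is refused before the password is even considered."""
        if self.is_locked(ip, now):
            return "locked"
        if password_ok:
            self._failures.pop(ip, None)     # a good login clears the failure history
            return "ok"
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # drop failures older than the window
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            recent.clear()
            return "locked"
        return "failed"


# Constructed login events: (unix time, client IP, username tried, was the password correct?).
# The first IP runs a short dictionary attack and trips the lock; the second is a user's typo.
SAMPLE_EVENTS = [
    (1000, "203.0.113.7", "admin", False),
    (1001, "203.0.113.7", "admin", False),
    (1002, "203.0.113.7", "administrator", False),
    (1003, "203.0.113.7", "editor", True),    # right password, but the IP is now locked
    (1050, "198.51.100.4", "editor", False),
    (1060, "198.51.100.4", "editor", True),
    (1903, "203.0.113.7", "editor", True),    # the 15-minute lock has expired, login succeeds
]


def simulate(events=SAMPLE_EVENTS, limiter: LoginLimiter = None) -> list:
    """Run the events through a limiter and return [(ip, username, decision), ...]."""
    limiter = limiter or LoginLimiter()
    return [(ip, user, limiter.record(ip, ok, t)) for t, ip, user, ok in events]


if __name__ == "__main__":
    for ip, user, decision in simulate():
        print(f"{ip:<14} {user:<14} {decision}")
```

Two practical caveats follow from the code. First, the decision is keyed on the client IP, so behind a CDN or reverse proxy the plugin must read the real client address from the trusted forwarding header, or it will lock out the proxy and therefore everyone. Second, a distributed attack that spreads its attempts over many addresses stays under the per-IP threshold, which is why a strong, unique password and two-factor authentication remain necessary alongside the limiter.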
8. Block malicious requests
Among the common threats your WordPress site will face are denial-of-service attacks, comment spam, and bots probing for vulnerable URLs.
To deal with malicious requests there are many plugins; Block Bad Queries (BBQ) is one of the best known.
BBQ is a lightweight WordPress firewall plugin with a good set of features that improve the protection of your site.
It protects your site against malicious URL requests, is very easy to use, and is effective without noticeably degrading the performance of your company's website.
BBQ inspects every incoming request (the request URI, query string, user agent and referrer) and silently blocks those containing known attack signatures such as directory traversal, eval() payloads, base64-encoded code and excessively long request strings. Note that a plugin runs only after PHP has started handling the request, so it can filter malicious requests but cannot absorb a real DDoS; that has to be handled upstream by your host or a CDN. This is another step in securing WordPress.
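To show what "blocking bad requests" means in practice, here is an added Python example written for this article; it is not code from BBQ, the patterns are a small illustrative set chosen for the example rather than the plugin's rule list, and the request lines are constructed samples. It checks only the request line, whereas BBQ also looks at the user agent and referrer.

```python
import re
from urllib.parse import unquote

# Illustrative attack signatures chosen for this example; BBQ ships its own, larger list.
BAD_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\.\./",                           # directory traversal
    r"/etc/passwd",                     # local file inclusion probe
    r"<script\b",                       # reflected cross-site scripting
    r"\bunion\s+(all\s+)?select\b",     # SQL injection
    r"\beval\s*\(",                     # PHP code execution
    r"base64_decode\s*\(",              # obfuscated PHP payload
    r"wp-config\.php",                  # scanners hunting for the config file or its backups
)]

MAX_REQUEST_LENGTH = 2048  # BBQ also rejects overly long requests; this exact limit is assumed


def is_bad_request(request_line: str) -> bool:
    """Return True if the request line carries a known-bad signature.
    The target is URL-decoded twice so that %252e%252e%252f (double-encoded ../) is caught."""
    if len(request_line) > MAX_REQUEST_LENGTH:
        return True
    target = unquote(unquote(request_line))
    return any(p.search(target) for p in BAD_PATTERNS)


# Constructed sample request lines as they would appear in a web server access log.
SAMPLE_REQUESTS = [
    "GET /wp-login.php HTTP/1.1",
    "GET /?s=security+tips HTTP/1.1",
    "GET /index.php?page=../../../../etc/passwd HTTP/1.1",
    "GET /?id=1%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users HTTP/1.1",
    "GET /?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",
    "GET /?file=%252e%252e%252fwp-config.php HTTP/1.1",
    "POST /wp-comments-post.php HTTP/1.1",
]


def filter_requests(requests=SAMPLE_REQUESTS) -> dict:
    """Split requests into those a filter would serve and those it would answer with 403."""
    verdict = {"allowed": [], "blocked": []}
    for line in requests:
        verdict["blocked" if is_bad_request(line) else "allowed"].append(line)
    return verdict


if __name__ == "__main__":
    for status, lines in filter_requests().items():
        for line in lines:
            print(f"{status:<8} {line}")
```

Signature filtering is cheap and stops the bulk of automated scanning, but it is pattern-based: any payload encoded in a way the filter does not normalise slips through, and an over-broad pattern will block legitimate visitors. Review the plugin's blocked-request log after installing it to catch false positives on your own site.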
9. Start by protecting your computer
Protecting your own computer from viruses and malware is the first step in avoiding a hack of your WordPress site.
If an attacker manages to infect the computer from which you access your WordPress administration console, they no longer need to break into your site at all.
A simple keylogger installed on your PC intercepts everything you type and sends it to the attacker.
That obviously includes the username and password for your WordPress site, and any session cookie in your browser can be stolen the same way.
It is therefore important to follow the basic hygiene rules that keep viruses and malware off your machine:
- Install reputable antivirus and anti-malware software and keep it updated, along with your operating system and browser,
- Enable and correctly configure the firewall built into your operating system (Windows Firewall, for example),
- Do not log into your WordPress site over a public Wi-Fi network or any untrusted connection unless you are using a VPN,
- When transferring files to your server, use SFTP or FTPS (FTP over TLS) instead of plain FTP, which sends your password and files in clear text for anyone on the path to read.
10. Switch your website to HTTPS
If your site uses plain HTTP, everything is transmitted over the network without encryption.
That includes login credentials, comments and credit card numbers, whether they come from your computer or from your visitors'.
An attacker on the same network as you can then read, and even modify, that traffic.
This is the classic scenario on a public Wi-Fi network, unless you are using a VPN.
In particular, with no precautions taken, the attacker can capture your WordPress username and password as you log in.
To fix this, I strongly advise you to install a TLS certificate (still commonly called an SSL certificate).
Your site then moves from HTTP to HTTPS, which encrypts the data exchanged between visitors and the server hosting your website and proves to visitors that they are talking to your server and not an impostor.
There is a misconception that you do not need a certificate if you do not accept credit cards. Your own administrator login travels over the same connection, so every WordPress site needs one.
Beyond security, the move to HTTPS brings other benefits: the confidence and credibility of your visitors, and better search rankings, since Google favours secure sites.
To install a certificate, start with your web host; many install one for you, often free of charge through Let's Encrypt. Otherwise, choose a reputable certificate authority.
Once the certificate is in place, update the WordPress Address and Site Address in Settings > General to https:// and redirect all HTTP requests to HTTPS, so that no page or embedded resource is still loaded insecurely.
11. Set up an automated backup system
By applying these security tips, you greatly reduce the risk of being hacked.
Unfortunately, it is impossible to be 100% protected.
The reason is simple.
Attackers are constantly looking for new techniques and security holes, and a vulnerability in a plugin you depend on may be exploited before a fix exists.
When an attack does succeed, none of the measures above can restore your site.
This is why regular, automated backups are your last line of defence, letting you recover your website quickly after a hack or any other failure on your server. A usable backup covers both the files (wp-content and wp-config.php in particular) and the database, is stored off the web server (a backup sitting next to the compromised site is destroyed or infected with it), and is test-restored from time to time, because a backup you have never restored is only a hope.
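The test-restore step is the one most often skipped, so here is an added Python example, written for this article and not taken from any WordPress backup plugin, that archives a site directory with a hash manifest and then proves the archive restores intact. The site contents are a constructed stand-in for a WordPress install; a real backup job must also dump the database, and would write the archive to remote storage rather than a local temporary directory.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed stand-in for a WordPress install; real backups must also dump the database.
SAMPLE_SITE = {
    "wp-config.php": "<?php define('DB_NAME', 'wp'); // constructed sample\n",
    "wp-content/themes/mytheme/style.css": "body { color: #333; }\n",
    "wp-content/uploads/2020/01/hero.jpg": "not really a jpeg, constructed bytes\n",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_site(site_dir: Path, archive: Path) -> dict:
    """Archive every file under site_dir and return {relative path: sha256} as a manifest.
    Keep the manifest with the archive, off the web server, so a restore can be verified."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in site_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(site_dir).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(path, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore into a scratch directory and return the paths that are missing or altered.
    The 'data' extraction filter (Python 3.12+, backported to older security releases)
    refuses archive members that would escape the target directory."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        for rel, digest in manifest.items():
            restored = Path(scratch, rel)
            if not restored.is_file() or sha256_file(restored) != digest:
                problems.append(rel)
    return problems


def demo() -> dict:
    """Build the sample site, back it up, test-restore it, then show a bad manifest being caught."""
    with tempfile.TemporaryDirectory() as work:
        site = Path(work, "public_html")
        for rel, content in SAMPLE_SITE.items():
            target = site / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        archive = Path(work, "site-backup.tar.gz")
        manifest = backup_site(site, archive)
        clean = verify_restore(archive, manifest)
        # Simulate an archive that no longer matches its manifest (bit rot, tampering, wrong file).
        tampered = dict(manifest, **{"wp-config.php": "0" * 64})
        return {
            "files": sorted(manifest),
            "restore_ok": clean == [],
            "tamper_detected": verify_restore(archive, tampered),
        }


if __name__ == "__main__":
    print(demo())
```

The manifest is what turns "we have a backup" into "we have a backup that restores the files we think it does". Scheduling this verification alongside the backup job, and keeping at least one copy where a compromised server cannot delete it, is what makes the backup useful on the day you need it.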
Conclusion on how to secure WordPress in 2020
I hope these tips help you better protect your WordPress site in 2020.
Each piece of advice is one step closer to a more secure website.
So don't be lazy.
Most of these tips take only a few minutes to set up, and together they protect your business.
In addition, most of these actions are free and therefore have no impact on your budget.
Never forget that the objective of your website, like all your digital marketing, is to attract new customers.
Securing your website therefore also means securing your business.
Raunak is a Mechanical Engineer by qualification & Marketer by passion. He is the co-founder of Maiden Stride, a leading digital marketing agency that provides world-class search engine marketing services and website & application development.