It is 2017, and currently almost 60% of websites use the WordPress Content Management System (CMS). So WordPress security is an important topic for every website owner, yet one we often ignore.
While the WordPress core software is very secure and is audited regularly by hundreds of developers, there is a lot that can be done to harden your WordPress website's security.
If you are serious about your website, then you need to pay attention to WordPress security best practices. In this article, I will share basic but very important WordPress security tips to help you protect your website against hackers and malware.
1. Hide the login page to prevent brute force attacks
A brute-force attack consists of an attacker trying many passwords or passphrases in the hope of eventually guessing correctly.
The attacker systematically checks all possible passwords and passphrases until the correct one is found. Of course, hackers don't do it manually; powerful computers can normally try thousands of combinations within seconds. Brute force is considered an effective, although time-consuming, approach.
Now, what if we just hide our default login page?
For example, the default WordPress login page is example.com/wp-admin, and if we change it to something like example.com/backside, it becomes a tough job for anyone to guess our login page, let alone start guessing our password.
Don't worry, it's super easy: just install the WPS Hide Login plugin.
WPS Hide Login is a very light plugin that lets you easily and safely change the URL of the login form page to anything you want.
After you finish the installation, go to Settings > General; at the very bottom of the general settings you will see the extra settings option. Just give any name to the login URL and you are done.
Congratulations, now no one will be able to access your login page. It is that simple.
The next time someone tries to go to example.com/wp-admin, that person will see a "page disabled" warning.
2. Limit Login Attempts
We just discussed hiding our login page, but what if an attacker discovers it? (If someone can guess a password millions of times, they can also find our login page.)
Don't worry, I've got you covered :p
Basically, we need to limit the login attempts someone can make before they have to wait for a set amount of time. This rips apart the whole concept of a brute force attack and makes your website more secure.
For this, we need to install the Loginizer plugin.
This plugin helps you fight brute force attacks by blocking login for an IP address once it reaches the maximum retries allowed. You just install the plugin and don't really need to touch the settings. The default settings let someone try three times; if a visitor fails in 3 tries, they have to wait for 15 minutes. Changing browser or clearing the cache will not help the attacker, as this plugin blocks the IP address itself.
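To show what a plugin like Loginizer does under the hood, here is an added example of a minimal WordPress plugin that enforces the same rule: three failures from one IP address, then a 15-minute wait. It is my own illustration, not Loginizer's code and not from the original article. It uses only WordPress's own hooks (wp_login_failed, authenticate, wp_login) and transients; the plugin name, the sll_ prefix and the 3/15-minute values are assumptions chosen to match the defaults described above.

```php
<?php
/**
 * Plugin Name: Simple Login Lockout (added example)
 * Description: Blocks logins from an IP address for 15 minutes after 3 failed attempts.
 */

// Tunables (assumed values, matching the Loginizer defaults described in the article).
define( 'SLL_MAX_ATTEMPTS', 3 );
define( 'SLL_LOCKOUT_SECONDS', 15 * 60 );

// Address the attempt is counted against. REMOTE_ADDR is the TCP peer, so behind a
// reverse proxy or CDN it is the proxy's address and every visitor would share one
// counter; fix that at the proxy (real-IP module) rather than trusting X-Forwarded-For,
// which a client can set to anything.
function sll_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient name for an address (hashed so the name stays short and valid).
function sll_key( $ip ) {
    return 'sll_fail_' . md5( $ip );
}

// 1. Every failed login bumps the counter and restarts the 15-minute window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = sll_key( sll_client_ip() );
    $fails = (int) get_transient( $key );
    set_transient( $key, $fails + 1, SLL_LOCKOUT_SECONDS );
} );

// 2. Once the counter reaches the limit, refuse authentication. Priority 30 runs after
//    WordPress's own username/password check (priority 20) and overrides its result;
//    running earlier would not work, because that check discards a prior WP_Error
//    when a username and password are supplied.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user; // plain GET of the login page, nothing to rate-limit
    }
    $fails = (int) get_transient( sll_key( sll_client_ip() ) );
    if ( $fails >= SLL_MAX_ATTEMPTS ) {
        // Returning a WP_Error here also fires wp_login_failed, so attempts made
        // during a lockout extend it (sliding window) instead of reopening it.
        return new WP_Error(
            'sll_locked_out',
            'Too many failed login attempts from your address. Please try again in 15 minutes.'
        );
    }
    return $user;
}, 30, 3 );

// 3. A successful login clears the counter for that address.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( sll_key( sll_client_ip() ) );
}, 10, 2 );
```

Drop the file into wp-content/plugins/ and activate it. Because the lockout is applied after the password check, a locked-out client gets the same error whether or not the password was right, so the lockout does not leak which guesses were correct. Two caveats: transients stored in a persistent object cache can be evicted early, which shortens a lockout, and the counter is per IP address, so a legitimate user sharing a NAT address with an attacker is locked out too.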
3. Regular Backups
Backups are your first defence against any WordPress attack. Remember, nothing is 100% secure. If government websites can be hacked, then so can yours.
Backups allow you to quickly restore your WordPress site in case something bad happens.
If you are with a good hosting company, they should back up your website every single day. It's OK if your host is not offering backups at the moment (consider changing your hosting, though): there are many free and paid WordPress backup plugins that you can use. If you depend on plugins, that means a little extra work for you every day, which is why good hosting matters.
Most hosts back up the entire server, including your site, but it takes time to request a copy of your site from their backups, and a speedy recovery is critical. You need to learn how to back up your own site files and restore them.
The best option is to choose good hosting, which I will discuss below.
4. Choose Good Hosting
This is even more critical if you are running an online store. The WordPress hosting service plays the most important role in the security of your WordPress site.
The problem with shared hosting is that if one account is compromised, the other accounts on the server are also at risk. A good shared hosting provider like SiteGround takes extra measures to protect its servers against common threats. They have a special feature called account isolation, which means that even if one website is hacked, let's say through a WordPress module vulnerability, the attacker cannot get outside that account.
Also, a lot of commands and tools from the Linux system are either changed or disabled in order to further minimise the risk of intrusion through the server. Sounds pretty much like a heavily configured VPS, right? Only much, much cheaper.
5. Disable File Editing
If you are running a multi-author WordPress website like us, and other users also have admin access to the WordPress dashboard, you had better disable the built-in editor so no one can play with the code of a theme or plugin.
As you know, WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin dashboard. In the wrong hands, this feature can be a security risk, which is why I recommend turning it off. Then you can only edit theme or plugin files via FTP or from your hosting dashboard.
How to do this
You need to add the code below to your wp-config.php file.
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
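As an added illustration (my own, not from the original article), here is how that line sits inside wp-config.php, together with the stricter DISALLOW_FILE_MODS constant that WordPress also supports. Where the defines go matters, and the stricter constant has a side effect worth knowing before you use it.

```php
<?php
// Added example of a wp-config.php fragment; only the define() lines are
// WordPress constants, the rest is commentary on placement and trade-offs.

// These defines must sit ABOVE the "That's all, stop editing!" comment, i.e.
// before wp-settings.php is loaded. A constant defined after that line is
// read too late and silently has no effect.

// Removes Appearance > Theme Editor and Plugins > Plugin Editor from the
// dashboard and refuses edits even when the editor URL is requested directly.
define( 'DISALLOW_FILE_EDIT', true );

// Stricter option: also blocks installing, updating and deleting plugins,
// themes and WordPress core from the dashboard, including automatic background
// updates (it implies DISALLOW_FILE_EDIT). Only enable it if you apply updates
// another way, e.g. over SSH or FTP; otherwise you will miss security updates.
// Left commented out here because that depends on your deployment.
// define( 'DISALLOW_FILE_MODS', true );

/* That's all, stop editing! */
require_once ABSPATH . 'wp-settings.php';
```

A quick check after saving: log in as an administrator and confirm that Appearance > Theme Editor and Plugins > Plugin Editor are gone from the menu. If they are still there, the define is most likely below the wp-settings.php line or in the wrong file.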
Boom. It will take up to 15 minutes to secure your WordPress website, and then you can focus on more important things. You may consider speeding up your website or creating better content for your audience.
If you are a beginner, then that was a lot to take in. Everything I mentioned in this article is a step in the right direction. The more you care about your WordPress site's security, the harder it gets for a hacker to break in.
Please don't hesitate to leave any questions or comments below, and I'll respond to each of them.