WordPress Security: Nigerian Users

Many bloggers, business owners, brands and individuals build their sites with WordPress. The unfortunate fact is that they usually don’t secure those websites. They wrongly assume that because their sites do not have high traffic they will never get the attention of hackers, but this is not true.

Hackers attack sites en masse, often without any particular interest in one website. In the past two months WordPress sites have been under serious attack. Recently, Managed WordPress Hosting users on GoDaddy were compromised, leaking their admin usernames and passwords.

Losing your site to hackers means all your efforts of months and years will be wasted. Hackers also use hacked sites to send spam messages. There are a few steps WordPress users can take to secure their sites. These steps are easy, and you don’t need to be a programmer to carry them out.

1. Have the right mindset

Securing your site begins with having the right mindset. Many assume that because their site is small or low in traffic it will not get the attention of hackers, so they relax. Over time, I have seen sites only a few months old get hacked. Hackers don’t care how small or big your site is; sometimes they send malicious code in bulk to every domain on a particular web host, so they might not even know what your domain is. As long as your site is live it can be attacked. No site is too small to be hacked.

You also don’t need to be an ethical hacker or a programmer to protect your website; there are just a few simple things you need to do. You will see them in the next steps.

2. Enable auto-update on your themes

First of all, you don’t need more than two WordPress themes installed on your site. I usually leave the default theme, which is the WordPress core theme released each year, and one other theme that I am using for the site. This is just a backup mechanism: if my site runs into a problem and I need to disable the current theme, the default theme will be activated and give me access to find out what the problem is.

Before now, you had to click the update button manually whenever a new update was available for your themes, but that has changed. You can simply click the enable auto-update button, and when a new update is released your theme will update automatically.

If, peradventure, you have added custom code to your theme, you will have to do something extra so that your code does not get wiped away by new updates. You will need to install a child theme and add all your custom code to it; that will prevent the code from being wiped out when the parent theme is updated.

3. Enable auto-update on WordPress core

WordPress is constantly updated by the WordPress team to meet security standards. Hackers change their strategies every day, looking for new loopholes with which they can defraud users. The WordPress team also researches this and updates the WordPress framework accordingly. In fact, WordPress recently bought a company, WPSec, which scans for WordPress vulnerabilities and documents them. When you enable auto-update on your WordPress core, your site will be updated whenever there is a new release.

4. Use the latest PHP version

This is a little technical but doesn’t require programming. It also depends on the kind of hosting you have: some hosts offer managed WordPress hosting, where they help you select the latest version of PHP, the core language in which WordPress is written. If you don’t use managed hosting, you will have to choose the latest PHP version yourself. You can do that by logging into your cPanel; each dashboard looks different, but the option is usually under the Software category.

To find out which version of PHP you are using, go to ‘Tools’ > ‘Site Health’ on your WordPress dashboard; you will see a message stating the PHP version.

As of the time of writing, the latest version is PHP 8.0.

5. Enable auto-update on your plugins

The new WordPress core lets you enable auto-updates on all your plugins. Most WordPress attacks are directed through outdated plugins, particularly those with millions of downloads. To be safe, make sure you enable auto-updates on both active and inactive plugins.
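Steps 2, 3 and 5 can be enforced in one place rather than clicked on per theme and per plugin, and the PHP check from step 4 can be turned into a dashboard reminder. The following must-use plugin is an added example, not code from the original post; the constant and hook names (WP_AUTO_UPDATE_CORE, auto_update_theme, auto_update_plugin, admin_notices) are real WordPress APIs, while the file name and the 8.0 threshold are this example’s own choices.

```php
<?php
/**
 * Plugin Name: Force auto-updates (added example; not part of the original post)
 *
 * Save as wp-content/mu-plugins/force-auto-updates.php. Files in mu-plugins
 * load on every request and cannot be deactivated from the dashboard, so
 * these settings survive a careless or compromised admin account.
 */

// Step 3: core. WP_AUTO_UPDATE_CORE is conventionally defined in wp-config.php;
// it is only read when the update cron runs, so defining it here works as well.
// true = every core release, 'minor' = security and maintenance releases only.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
	define( 'WP_AUTO_UPDATE_CORE', true );
}

// Steps 2 and 5: the dashboard toggles store their state in the
// auto_update_themes / auto_update_plugins options. These filters run after
// that lookup and force every installed theme and plugin, active or inactive,
// to auto-update regardless of what the toggles say.
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );

// Step 4: warn in the dashboard when PHP is older than the version the post
// recommends, so the Tools > Site Health check is not forgotten.
add_action( 'admin_notices', function () {
	if ( version_compare( PHP_VERSION, '8.0', '<' ) ) {
		printf(
			'<div class="notice notice-warning"><p>%s</p></div>',
			esc_html( sprintf( 'This site runs PHP %s. Switch to PHP 8.0 or newer in your hosting control panel.', PHP_VERSION ) )
		);
	}
} );
```

Because the filters return true unconditionally, the per-item "Enable auto-updates" links in Appearance > Themes and Plugins become irrelevant; if you only want to force a subset, inspect the second argument the filters receive ($item) and return true for the slugs you choose.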

6. Install WordFence

WordFence is a security plugin that blocks a lot of attacks, and it has proven to be one of the best security plugins. Just by installing it, many attacks will be avoided. It also has features that let you block particular IP addresses. You can set a limit on the number of times someone may log in with a wrong password, after which the user will be locked out.

7. Enable 2 Factor Authentication

With WordFence, you can enable a more secure login. Each time a user wants to log into your site, they will need a code generated by an authenticator app on their phone, so nobody can log into your site without having your phone.

It is advisable to use 2-factor authentication for your other accounts too, like Gmail, Facebook, Instagram, etc. Virtually every online service provider offers 2-factor authentication.

8. Use a unique username

By default, the admin username on WordPress is usually set to ‘admin’. Hackers know this; they also know that the default login URL for every WordPress site is thewordpressdomain.com/wp-admin. They just add /wp-admin to the end of your domain, use ‘admin’ as the username and try to guess your password.

Changing the default username gives a hacker extra work to do. Also, make sure you don’t use the same username as the nickname or author name that appears in your blog posts.

9. Use a Secure password

This is a no-brainer. Use a password that contains a small letter, a capital letter, a number and a special character. You can use words from your dialect or any Nigerian language.
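The rule above can be enforced for every user of the site instead of relying on each person to remember it. The must-use plugin below is an added example, not code from the original post: it hooks the two screens where WordPress accepts a new password (profile edit and the lost-password reset) and refuses passwords that miss any of the four character classes. The user_profile_update_errors and validate_password_reset hooks and the pass1 field name are real WordPress details; the example_ function names are this example’s own, and the 12-character minimum is an addition that goes beyond what the post states.

```php
<?php
/**
 * Plugin Name: Password rules (added example; not part of the original post)
 *
 * Save as wp-content/mu-plugins/password-rules.php. Enforces the step 9 rule
 * (small letter, capital letter, number, special character) whenever a
 * password is set from the profile screen or the password-reset screen.
 */

/**
 * Return the list of things a password is missing; an empty array means it
 * passes. The 12-character minimum is this example's own addition.
 */
function example_password_problems( string $password ): array {
	$problems = [];
	if ( strlen( $password ) < 12 ) {
		$problems[] = 'at least 12 characters';
	}
	if ( ! preg_match( '/[a-z]/', $password ) ) {
		$problems[] = 'a small letter';
	}
	if ( ! preg_match( '/[A-Z]/', $password ) ) {
		$problems[] = 'a capital letter';
	}
	if ( ! preg_match( '/[0-9]/', $password ) ) {
		$problems[] = 'a number';
	}
	if ( ! preg_match( '/[^a-zA-Z0-9]/', $password ) ) {
		$problems[] = 'a special character';
	}
	return $problems;
}

/**
 * Hook callback. Both screens submit the new password as $_POST['pass1'];
 * adding an error to $errors makes WordPress refuse the change.
 */
function example_reject_weak_password( WP_Error $errors ): void {
	if ( empty( $_POST['pass1'] ) ) {
		return; // profile saved without changing the password, or form not yet submitted
	}
	$problems = example_password_problems( (string) wp_unslash( $_POST['pass1'] ) );
	if ( $problems ) {
		$errors->add(
			'example_weak_password',
			'Password rejected. It needs: ' . implode( ', ', $problems ) . '.'
		);
	}
}
add_action( 'user_profile_update_errors', 'example_reject_weak_password' ); // profile and add-user screens
add_action( 'validate_password_reset', 'example_reject_weak_password' );    // lost-password reset screen
```

A phrase from a Nigerian language with a capital, a digit and punctuation added passes this check just as the post suggests, while a single dictionary word with a digit tacked on is rejected on length.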

10. Obfuscate your login URL

As I said earlier, the default login URL for WordPress is thedomain.com/wp-admin, but you can change that. You can use a plugin like WPS Hide Login, which lets you change your login URL: you can replace ‘wp-admin’ with any word you want. Doing this reduces the likelihood of login attempts and brute-force attacks.

11. Use secure contact forms

Contact forms allow users to send you data, basically in the form of text. But hackers take advantage of them by submitting scripts that can give them access to your database or let them take over your site. Use contact forms only if really necessary; otherwise, just direct your users to send you an email.

If you have to use a contact form, use one that has the Google reCAPTCHA feature. This reduces the risk from spam scripts that hackers broadcast to many websites at once. An example of a secure contact form plugin is WPForms.

12. Monitor comments

Don’t allow comments to be published automatically. Set your comments to be approved manually. Just as with contact forms, hackers also send malicious code through comments. You can also enable Google reCAPTCHA on your posts to avoid mass-posted malicious code. Before approving any comment, make sure it relates directly to the content you have published. Also check whether it has any URL embedded in it; if it does, edit the URL out or trash the comment.
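The manual-approval rule and the URL check described above can be applied before a comment ever reaches the pending list. This must-use plugin is an added example, not code from the original post. The pre_comment_approved filter, wp_strip_all_tags and user_can are real WordPress APIs; the example_ function name, the file name and the decision to send link-bearing comments to spam rather than trash are this example’s own choices.

```php
<?php
/**
 * Plugin Name: Hold and flag comments (added example; not part of the original post)
 *
 * Save as wp-content/mu-plugins/comment-rules.php. Every new comment is held
 * for manual approval (step 12); comments carrying a link, raw HTML or an
 * author URL go straight to the spam queue so they never sit in the
 * "pending" list you review by hand.
 */

/**
 * Decide what to do with a comment before it is stored.
 * Returns 'spam' for comments with a link or markup, otherwise 0 (hold).
 */
function example_comment_decision( string $content, string $author_url ) {
	// Any http(s) link or bare "www." host in the body counts as an embedded URL.
	$has_link = (bool) preg_match( '~https?://|www\.~i', $content );
	// wp_strip_all_tags() removes tags and <script>/<style> blocks and trims,
	// so comparing against the trimmed original detects any HTML at all.
	$has_markup = wp_strip_all_tags( $content ) !== trim( $content );
	if ( $has_link || $has_markup || '' !== trim( $author_url ) ) {
		return 'spam';
	}
	return 0; // 0 = pending: the comment waits for you to approve it
}

// pre_comment_approved receives WordPress's own verdict (1, 0, 'spam' or 'trash')
// plus the unslashed comment data. Earlier spam/trash verdicts are kept;
// everything else goes through example_comment_decision().
add_filter( 'pre_comment_approved', function ( $approved, array $commentdata ) {
	if ( 'spam' === $approved || 'trash' === $approved ) {
		return $approved;
	}
	// Logged-in users who may moderate comments are trusted as before.
	if ( ! empty( $commentdata['user_id'] ) && user_can( (int) $commentdata['user_id'], 'moderate_comments' ) ) {
		return $approved;
	}
	return example_comment_decision(
		(string) ( $commentdata['comment_content'] ?? '' ),
		(string) ( $commentdata['comment_author_url'] ?? '' )
	);
}, 10, 2 );
```

The dashboard equivalent of the hold is Settings > Discussion > "Comment must be manually approved"; the filter adds the URL and markup check on top of it and also overrides the "previously approved author" shortcut, so a commenter whose earlier comment was approved still cannot publish directly.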

13. Take user input seriously

If you run a website that allows users to enter data, whether by uploading a file, logging in or typing text, you have to monitor all of those inputs.

Monitor every input that is submitted. Read your email notifications when someone signs in; if you notice a strange location, quickly block the person’s IP with WordFence.

WordFence notifies you when someone logs in to your site. It tells you the user’s location, the time and date of the login, and the user’s IP address.
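Taking user input seriously (step 13) and the script-through-a-contact-form risk (step 11) come down to the same rule: nothing submitted by a visitor is used until it has been checked and cleaned. The handler below is an added example, not code from the original post or from WPForms. It uses real WordPress functions (wp_verify_nonce, sanitize_text_field, sanitize_email, is_email, wp_kses, wp_mail, admin_post hooks); the form field names (name, email, message, website), the example_contact action name and the example_ function names are this example’s own assumptions.

```php
<?php
/**
 * Plugin Name: Hardened contact handler (added example; not part of the original post)
 *
 * Save as wp-content/mu-plugins/contact-handler.php. The matching HTML form posts
 * to admin-post.php with a hidden action=example_contact field and the nonce from
 * wp_nonce_field( 'example_contact' ); the "website" field is a hidden honeypot.
 */

/**
 * Validate and sanitise raw form fields. Every value in $raw is treated as
 * hostile until it has passed a sanitiser. Returns ok/data/errors.
 */
function example_clean_contact_input( array $raw ): array {
	$errors = [];
	$data   = [];

	// Honeypot: humans never see this field; bots that fill every field trip it.
	if ( ! empty( $raw['website'] ) ) {
		$errors[] = 'honeypot';
	}

	// Name: tags, control characters and stray whitespace removed, then length capped.
	$data['name'] = mb_substr( sanitize_text_field( $raw['name'] ?? '' ), 0, 100 );
	if ( '' === $data['name'] ) {
		$errors[] = 'name';
	}

	// Email: sanitise, then validate, before it is ever used as a reply address.
	$data['email'] = sanitize_email( $raw['email'] ?? '' );
	if ( ! is_email( $data['email'] ) ) {
		$errors[] = 'email';
	}

	// Message: only <p> and <br> survive; <script>, event handlers and the like are dropped.
	$data['message'] = mb_substr( wp_kses( $raw['message'] ?? '', [ 'p' => [], 'br' => [] ] ), 0, 5000 );
	if ( '' === wp_strip_all_tags( $data['message'] ) ) {
		$errors[] = 'message';
	}

	return [ 'ok' => empty( $errors ), 'data' => $data, 'errors' => $errors ];
}

/** admin-post.php entry point for both logged-in and anonymous visitors. */
function example_handle_contact(): void {
	// Reject submissions that did not originate from a page this site rendered.
	$nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
	if ( ! wp_verify_nonce( $nonce, 'example_contact' ) ) {
		wp_die( 'Invalid request.', '', [ 'response' => 403 ] );
	}

	$back   = wp_get_referer() ?: home_url( '/' );
	$result = example_clean_contact_input( wp_unslash( $_POST ) );
	if ( ! $result['ok'] ) {
		wp_safe_redirect( add_query_arg( 'contact', 'error', $back ) );
		exit;
	}

	$d = $result['data'];
	// Plain-text mail body built only from the cleaned values, never from $_POST.
	$body = sprintf( "From: %s <%s>\n\n%s", $d['name'], $d['email'], wp_strip_all_tags( $d['message'] ) );
	wp_mail( get_option( 'admin_email' ), 'Contact form message', $body );

	wp_safe_redirect( add_query_arg( 'contact', 'sent', $back ) );
	exit;
}
add_action( 'admin_post_nopriv_example_contact', 'example_handle_contact' );
add_action( 'admin_post_example_contact', 'example_handle_contact' );
```

If the cleaned message is later shown in the dashboard or on a page, it still goes through esc_html() or wp_kses_post() at output time; sanitising on the way in and escaping on the way out are separate steps, and a plugin that skips either one is the kind of contact form the post warns about.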

All the plugins I have mentioned here are free. If you do all of these, you will never have any problem with your WordPress security. If your site is hacked, quickly get an expert to help you flush out the malicious code before the situation gets worse.

What is your opinion on this?