How to Secure Your WordPress Websites

Before talking about WordPress Security, let’s talk a little about what WordPress is.

WordPress is a Content Management System that has been around for a long time. It was first released on the 27th of May 2003. WordPress quickly gained popularity and now it powers up to 37% of the top million websites.

Even with the popularity and functionality of WordPress, many Nigerians have still not accepted it as an excellent means of creating and managing a website. Many claim that WordPress is not secure and can be easily hacked.

The truth is, WordPress is highly secure if you know what to do and how to turn on its security features. I cannot deny that many WordPress sites have been hacked, and that is because most WordPress users don’t pay attention to the health of their websites.

There are just a few things you need to do to make sure your site is secure and hack-proof. I have been using WordPress for more than 10 years and none of my sites has ever been hacked. The fact that companies like Facebook, Sony Music, NGINX, Angry Birds and others use WordPress shows that WordPress can be secure.

I will walk you through the process of making sure your site is secure.

1. Have the right mindset

Securing your site begins with having the right mindset. Many assume that because their site is small or low in traffic it will not get the attention of hackers, so they relax. Over time, I have seen sites that are only a few months old get hacked. Hackers don’t care how small or big your site is; sometimes they send malicious code in bulk to several domains on a particular web host, so they might not even know what your domain is. As long as your site is live it can be attacked. No site is too small to be hacked.

You also don’t need to be an ethical hacker or a programmer to protect your website; there are just a few simple things you need to do. You will see them in the next steps.

2. Enable auto-update on your themes

First of all, you don’t need to have more than two WordPress themes installed on your site. I usually leave the default theme, which is the WordPress core theme released each year, and one other theme that I am using for the site. This is just a backup mechanism: if my site runs into a problem and I need to disable the current theme, the default theme will be activated and give me access to discover what the problem with the site is.

Before now, you had to manually click on the update button when a new update was available for your themes, but that has changed. You can simply click on the enable auto-update button, and when a new update is released your theme will automatically update.

If you have added some custom code to your theme, you will have to do something extra so that your code does not get wiped away with new updates. You will need to install a child theme and add all your custom code to the child theme; that will prevent it from being wiped out when there is an update.
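The child theme described above, as an added example that is not code from the original post or from any theme: the functions.php of a child theme that loads the parent stylesheet and then carries the custom code, so it survives parent updates. The parent directory name "parent-theme" is a placeholder assumption; use your parent theme's real folder name in the Template header.

```php
<?php
// functions.php of a child theme. Added example, not from the original post.
// Assumes the parent theme's directory is "parent-theme" (a placeholder).
// The child theme also needs a style.css in its own directory whose header
// names that parent, for example:
// /*
//  Theme Name: Parent Theme Child
//  Template:   parent-theme
//  Version:    1.0.0
// */

// Load the parent's stylesheet first, then the child's own, so child rules win.
add_action( 'wp_enqueue_scripts', function () {
    $parent = wp_get_theme( get_template() ); // get_template() is the parent slug
    wp_enqueue_style(
        'parent-style',
        get_template_directory_uri() . '/style.css',
        array(),
        $parent->get( 'Version' )
    );
    wp_enqueue_style(
        'child-style',
        get_stylesheet_directory_uri() . '/style.css',
        array( 'parent-style' ),
        wp_get_theme()->get( 'Version' )
    );
} );

// Custom code that used to be edited into the parent theme goes here instead.
// Example: stop advertising the exact WordPress version in the page <head>.
remove_action( 'wp_head', 'wp_generator' );
```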


3. Enable auto-update on WordPress core

WordPress is constantly being updated by the WordPress team to keep up with security standards. Hackers change their strategies every day, looking for new loopholes with which they can defraud users. The WordPress team also researches this and updates the WordPress framework accordingly. In fact, WordPress recently acquired a company, WPSec, which scans for WordPress vulnerabilities and documents them. When you enable auto-update on your WordPress core, your site will be updated whenever there is a new release.

4. Use the latest PHP version

This is a little bit technical but doesn’t require programming. It also depends on the kind of hosting you have: some hosts offer managed WordPress hosting, in which they will help you select the latest version of PHP, the core language in which WordPress is written. If you don’t use managed hosting you will have to choose the latest PHP version yourself. You can do that by logging into your cPanel; each dashboard has a unique look, but the option is usually under the Software category.

To know which version of PHP you are using, go to ‘Tools’, then ‘Site Health’ on your WordPress dashboard; you will see a message showing the PHP version in use.

As of the time of this writing, the latest version is PHP 8.0.

5. Enable auto-update on your plugins

The new WordPress core allows you to enable auto-update on all your plugins. Most WordPress attacks are directed through outdated plugins, particularly the ones that have millions of downloads. To be safe, make sure you enable auto-updates on both active and inactive plugins.
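Steps 2, 3 and 5 can also be enforced in code rather than clicked per item. The must-use plugin below is an added example, not code from the original post or the WordPress project; it uses the auto-update constant and filters that WordPress core provides, and the file name is an assumption.

```php
<?php
/**
 * Plugin Name: Force Auto-Updates
 * Description: Keeps core, plugins and themes current without a dashboard click.
 */
// Added example, not from the original post. Save it as
// wp-content/mu-plugins/force-auto-updates.php: "must-use" plugins load on
// every request and cannot be deactivated from the dashboard.

// Core. The weak/default behaviour only applies minor and security releases,
// which is equivalent to:
//   define( 'WP_AUTO_UPDATE_CORE', 'minor' );
// true opts in to major releases as well. The constant may already be set in
// wp-config.php, so only define it when it is not.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
    define( 'WP_AUTO_UPDATE_CORE', true );
}

// Plugins and themes. Returning true from these filters opts in every installed
// item, active or not, which is what clicking "Enable auto-updates" on each one
// does, and it overrides any per-item choice made later in the dashboard.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
```

Automatic updates still run from WP-Cron, so a site that gets no visits for days will also get no updates until the next request triggers the cron.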

6. Install WordFence

WordFence is a security plugin that helps you block a lot of attacks, and it has proven to be one of the best security plugins. Just by installing this plugin, a lot of attacks will be avoided. It also has features that let you block particular IP addresses. You can set a limit on the number of times someone can attempt to log in with a wrong password, after which the user will be locked out. The free version of WordFence has the advanced WordPress security features you are likely to need for a small site, but if you own a site that receives millions of visits every day, you may want to subscribe to WordFence Premium.

7. Enable 2 Factor Authentication

With WordFence, you can enable a more secure login. Each time a user wants to log into your site, the user will need a code generated by an authenticator app on the user’s phone. So nobody can log into your site without having your phone.

It is advisable that you use 2-factor authentication for your other accounts like Gmail, Facebook, Instagram etc. Virtually every online service provider offers 2-factor authentication.

8. Use a unique username

By default, the admin username on WordPress is usually set to ‘admin’. Hackers know this; they also know that the default login URL for all WordPress sites is thewordpressdomain.com/wp-admin. They just add /wp-admin to the end of your domain, use ‘admin’ as the username and try to guess what your password is.

Changing the default username gives a hacker extra work to do. Also, make sure you don’t use the same username as the nickname or author name that appears in your blog posts.

9. Use a Secure password

This is a no-brainer in ensuring WordPress security. Use a password that contains a small letter, a capital letter, a number and a special character. You can use words from your dialect or any Nigerian language.

10. Obfuscate your login URL

As I said earlier, the default login URL for WordPress is thedomain.com/wp-admin, but you can change that with a plugin like WPS Hide Login. With this plugin you can change the ‘wp-admin’ part of your login URL to any word you want. Doing this reduces the likelihood of login attempts and brute force attacks.

11. Use secure contact forms

Contact forms allow users to send you data, basically in the form of text. But hackers take advantage of them by submitting scripts that can give them access to your database or let them take over your site. Use contact forms only if it is really necessary; if not, just direct your users to send you an email.

If you have to use contact forms, use the ones that have the Google reCAPTCHA feature. This will reduce the risk of spam scripts that hackers broadcast to many websites. An example of a secure contact form is WPForms.

12. Monitor comments

Don’t allow comments to be published automatically; set your comments to be manually approved. Just as with contact forms, hackers also send malicious code through comments. You can also enable Google reCAPTCHA on your posts to avoid mass-published malicious code. Before approving any comment, make sure it has a direct relationship with the content you have published. Also check whether it has any URL embedded in it; if it does, you can edit the URL out or trash the comment.

13. Take user input seriously

If you run a website that allows users to enter data, either by uploading a file, logging in or inputting text, you have to make sure you monitor all the inputs.

Monitor every input that is submitted. Read your mail notifications when someone signs in; if you notice a strange location, quickly block the person’s IP with WordFence.

WordFence notifies you when someone logs in to your site. It tells you the user’s location, the time of login, the date, and the IP address of the user.
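The script-in-a-form risk from step 11 and the "take user input seriously" advice in step 13 come down to one habit in code: validate the request, sanitize on input and escape on output. The following is an added example, not code from the original post or any plugin: a tiny message form, first in an unsafe form and then hardened with WordPress's own nonce, capability, sanitize and escape functions. The option name, nonce action and shortcode tag are hypothetical.

```php
<?php
// Added example, not from the original post. A tiny "message" form handler,
// first in an unsafe form, then hardened with WordPress's own helpers.
// The option name, nonce action and shortcode tag are hypothetical.

// UNSAFE: trusts whatever arrives in $_POST, stores it raw and reflects it raw,
// so a submitted <script> tag would be stored and rendered as-is.
function insecure_message_handler() {
    if ( isset( $_POST['message'] ) ) {
        update_option( 'last_message', $_POST['message'] );
        return '<p>You said: ' . $_POST['message'] . '</p>';
    }
    return '';
}

// HARDENED: the form carries a nonce that ties a submission to this form and session.
function secure_message_form() {
    $form  = '<form method="post">';
    $form .= wp_nonce_field( 'submit_message', 'message_nonce', true, false );
    $form .= '<textarea name="message" maxlength="1000" required></textarea>';
    $form .= '<button type="submit">Send</button></form>';
    return $form;
}

function secure_message_handler() {
    if ( ! isset( $_POST['message'], $_POST['message_nonce'] ) ) {
        return '';
    }
    // Reject forged or stale submissions before touching the data.
    if ( ! wp_verify_nonce( $_POST['message_nonce'], 'submit_message' ) ) {
        return '<p>Invalid request.</p>';
    }
    // Only logged-in users may submit; adjust the capability to your needs.
    if ( ! current_user_can( 'read' ) ) {
        return '<p>Please log in first.</p>';
    }
    // Sanitize on input: wp_unslash undoes the slashes WordPress adds to $_POST,
    // sanitize_textarea_field strips tags and invalid bytes, and length is capped server-side.
    $message = mb_substr( sanitize_textarea_field( wp_unslash( $_POST['message'] ) ), 0, 1000 );
    update_option( 'last_message', $message );
    // Escape on output regardless of what was done on input.
    return '<p>You said: ' . esc_html( $message ) . '</p>';
}

// [secure_message] in a post renders the hardened handler and the form.
add_shortcode( 'secure_message', function () {
    return secure_message_handler() . secure_message_form();
} );
```

The unsafe function is kept only to show the difference; a form plugin such as the one recommended above already does the nonce, sanitize and escape steps for you.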

All the plugins I have mentioned here are free. If you can do all of these, you will never have any problem with your WordPress security.

What is your opinion on this?