According to Sucuri's 2016 report, 55% of websites that got infected or hacked were running outdated software at the time of the incident.
First things first: before you publish a single piece of content on your blog or site, your top priority should be securing your WordPress website.
If you care about your website and its security, this tutorial is for you.
In this article I share 15 must-know basic security tips for your WordPress website (no coding required).
What if I don’t secure my WordPress website?
That is your call. If you are serious about your website, you won’t skip this; if you aren’t, it doesn’t matter.
Here is what typically happens when a website gets hacked.
You may no longer be able to log in, losing access to the site completely.
Or you log in and notice activity you did not perform: plugins or themes added or deleted, or spam sent from your business email address.
In the worst case you receive an email demanding that you sell the website or pay a ransom to get access back.
In other cases the website starts redirecting visitors to some other site, usually spam or malware.
Why it is important to secure a WordPress website.
Finding out that your website has been hacked is a nightmare, because it can heavily damage your reputation and your revenue.
If attackers get into your site, they can steal sensitive information such as your user database and the password hashes in it.
They can also send spam or, worse, malware to your users and customers.
I know you are looking for a solution, but these are some of the things you may have to go through if you ignore WordPress security.
So, how to secure a WordPress website from hackers?
Did you know that there is an attack on the web every 39 seconds?
To avoid getting hacked, you need to follow some precautionary measures.
I have listed 15 practical tips below to secure your WordPress website or blog.
Follow these basic, no-coding tips to secure your WordPress website before the bad guys come knocking on your door.
Let’s take these steps together.
15 must-know basic tips to secure a WordPress website.
Table of Contents
1. Secure Web Hosting
2. Install SSL certificate
3. Installing WordPress the right way
4. Use a Strong Password
5. Change the WordPress table prefix
6. Delete the Default "Admin" Username
7. Update themes and plugins
8. Update WordPress
9. Backup Regularly
10. Use separate cPanel for each of your websites
11. Delete everything which is not in use
12. Don't install plugins and themes without thorough research
13. Don't buy plugins and themes from an unknown source
14. Enable two-factor authentication
15. Limit login attempts
1. Secure web hosting.
There are hundreds of hosting providers on the market. Some offer hosting at very cheap rates while others charge a high price.
It all depends on the quality and type of service they provide: shared hosting, managed hosting, cloud hosting, and so on.
To save some money we tend to go for the cheapest hosting, and hosting companies also want to save money.
As a result, some providers do not secure their platforms properly, and every website hosted on such a platform is exposed; on shared hosting, one poorly isolated neighbour can be enough to compromise yours.
To avoid this, choose a reputable hosting provider for your WordPress site.
Before deciding, research the company, check ratings and reviews, and ask experts or forums where these things are discussed. Ask specifically whether customer accounts are isolated from each other, whether PHP and the server software are kept current, and whether the host keeps its own backups.
2. Install an SSL Certificate.
Have you noticed the lock symbol in front of the web address in the browser’s address bar when you opened this site?
The lock means the connection between your browser and the site is encrypted (HTTPS), so nobody on the network in between can read or tamper with what is exchanged. It does not, by itself, vouch for the site’s content or owner.
Since July 2018 (Chrome 68), Chrome labels every page served over plain HTTP as "Not secure".
Technically there may be nothing wrong with your site, but visitors get confused and simply close the tab, assuming your website is unsafe.
Imagine you are buying something online and the site shows "Not secure". Would you enter your credit or debit card details?
HTTPS has also been an official Google ranking signal since 2014.
What is SSL Certificate?
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are the encryption protocols; HTTPS is ordinary HTTP carried over TLS. The S stands for secure and means everything exchanged between the browser and the site is encrypted and cannot be altered in transit. The certificate is what proves to the browser that it is talking to your domain and not an impostor. "SSL certificate" is the everyday name, although modern servers use TLS and the old SSL protocol versions are disabled.
HTTP is the protocol used for all data exchanged between the website and the browser; on its own it is plain text.
Many hosting companies now include a free SSL certificate with the hosting service. If yours does not, it is worth paying for one, both to rank better in search results and to give visitors confidence. Once it is installed, make sure every HTTP URL redirects to HTTPS and that the login page and dashboard are only reachable over HTTPS; an installed but unused certificate protects nothing.
HTTPS matters most on public Wi-Fi networks such as railway stations and coffee shops. Without it, someone on the same network can read your visitors’ traffic, including the credentials they type into your login form.
3. Installing WordPress the right way.
When starting with WordPress it is easy to get excited and head straight to the install. Before that, you should know the proper way to install WordPress so you do not have to revisit the settings later.
When you log in to your site’s cPanel, you will usually find an app installer called Softaculous.
Under Softaculous, select WordPress and click Install.
Fill in the necessary information such as the site name and tagline.
Then scroll down to the username and password section; this is where the choices in the next three tips are made.
4. Use a Strong Password.
The most common passwords are combinations of a surname or a pet’s name. No matter how much awareness is raised about strong passwords, people still think these are fine.
Passwords are the primary keys to your site. To protect your WordPress site, you need a strong and unique password for every account.
If attackers obtain the password for your cPanel, your business email or your hosting control panel, that is all they need to take over the rest of your site.
So use a different password for each of these accounts.
How to choose a strong password?
1. Use at least 8 characters; 12 or more is much better, and length matters more than anything else.
2. Mix uppercase and lowercase letters (AAA, aaa).
3. Include numbers and special characters (!@#$%^&*).
4. Never reuse the same password anywhere else on the internet; one leaked site then exposes all of them.
5. Change a password immediately if you suspect it has been exposed; rotating it on a schedule adds little if it is strong and unique.
6. Don’t use your business name, pet’s name or surname combined with numbers, unless the result looks like btS/760flRDLS@82#.
7. Avoid plain dictionary words as your WordPress password.
8. Most importantly, never share your passwords with anyone or store them anywhere unprotected; a password manager makes unique, random passwords practical.
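If you want WordPress itself to refuse passwords that break these rules, the checks can be enforced with a small must-use plugin. The following is an added example, not code from the article or from any plugin it mentions; the file name, the hook usage and the short list of forbidden words are assumptions for illustration:

```php
<?php
/*
Plugin Name: Example Password Policy (added example; not the article's own code)
*/
// Save as wp-content/mu-plugins/example-password-policy.php; mu-plugins load without activation.

// Return the rules from the list above that $password breaks (empty array = acceptable).
// $forbidden holds guessable words (username, site name, ...) that must not appear in it.
function example_password_problems(string $password, array $forbidden = []): array {
    $problems = [];
    if (strlen($password) < 12) {
        $problems[] = 'at least 12 characters';
    }
    if (!preg_match('/[A-Z]/', $password)) { $problems[] = 'an uppercase letter'; }
    if (!preg_match('/[a-z]/', $password)) { $problems[] = 'a lowercase letter'; }
    if (!preg_match('/[0-9]/', $password)) { $problems[] = 'a digit'; }
    if (!preg_match('/[^A-Za-z0-9]/', $password)) { $problems[] = 'a special character'; }

    $lower = strtolower($password);
    foreach ($forbidden as $word) {
        $word = strtolower(trim((string) $word));
        // Ignore very short words so that two-letter site names do not block everything.
        if ($word !== '' && strlen($word) >= 3 && strpos($lower, $word) !== false) {
            $problems[] = 'not to contain "' . $word . '"';
            break;
        }
    }
    return $problems;
}

// Shared handler for the profile form and the password-reset form. Both post the new
// password in the pass1 field; an empty field means no password change was submitted.
function example_check_password_field(WP_Error $errors, string $user_login): void {
    if (empty($_POST['pass1'])) {
        return;
    }
    $password  = (string) wp_unslash($_POST['pass1']);
    $forbidden = [$user_login, get_bloginfo('name'), 'password', 'wordpress', 'admin'];
    $problems  = example_password_problems($password, $forbidden);
    if ($problems) {
        $errors->add('example_weak_password', 'Password needs: ' . implode('; ', $problems) . '.');
    }
}

// Profile page and the "Add New User" screen.
add_action('user_profile_update_errors', function ($errors, $update, $user) {
    $login = isset($user->user_login) ? (string) $user->user_login : '';
    example_check_password_field($errors, $login);
}, 10, 3);

// "Lost your password?" reset form.
add_action('validate_password_reset', function ($errors, $user) {
    $login = $user instanceof WP_User ? $user->user_login : '';
    example_check_password_field($errors, $login);
}, 10, 2);
```

Adding an error to the WP_Error object makes WordPress keep the old password and show the message, so the rules apply to every administrator and editor, not just to people who read this article. The dictionary check is deliberately limited to a handful of words; a real deployment would check against a breached-password list instead.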
5. Change the WordPress table prefix.
WordPress uses wp_ as the default prefix for the tables it creates in your database.
You can change it while installing WordPress.
After you set your password, scroll down to the Advanced section, where the table prefix field is.
Choose an unpredictable prefix. Automated attacks that assume the standard wp_users or wp_options table names will then fail. Be clear about what this does and does not do: it is obscurity, not a fix. An attacker who already has SQL injection can list your table names from the database itself, so treat the prefix as a small extra hurdle and rely on updates and strong credentials for real protection. Also pick it before the first install; changing it on a live site means renaming every table and every prefixed option.
6. Delete the Default “Admin” Username.
If you keep the default “admin” username, you are saving attackers half the work: they already know the username and only have to guess the password.
Note that a different username is only a small hurdle, because WordPress exposes usernames through author archives and the REST API users endpoint. Combine it with a strong password and two-factor authentication (tip 14).
It is best to choose a non-default username while installing WordPress.
You can also change it later from the WordPress dashboard. How?
Here are the steps.
To create a new user, go to Users in your WordPress dashboard and click Add New.
Fill in the details and make sure to give the new account the Administrator role, so you keep the authority to make changes to your site.
Then log out and log in again with the newly created user.
Go to Users and delete the default admin user.
When WordPress asks what to do with the old user’s content, choose “Attribute all content to” the new user; if you choose “Delete all content”, every post written by the old account is removed.
7. Update Themes and Plugins.
You often see update notifications in your WordPress dashboard for plugins or themes. Why are there so many, and why do you need to apply them promptly?
Because security flaws and bugs are found, or features need improving, developers keep working on their products and ship fixes. A published security fix also tells attackers exactly what to look for on sites that have not updated yet.
But if nobody logs in and applies the update, the fix never reaches your site, and there is nothing the developers can do about that.
8. Update WordPress to the Latest Version.
Sometimes an update breaks something on your site, and out of that fear people avoid updating WordPress to the latest version. A recent backup (tip 9) removes most of that risk.
WordPress updates fix security issues and bugs and improve the user experience. For example, WordPress 5.5 added a feature that lets you enable auto-updates for all your plugins and themes.
Allow it once and you don’t have to worry about the point above. A pretty cool and time-saving update, isn’t it?
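Tips 2, 5 and 8 each come down to a setting in wp-config.php. Here they are together as an added example (this is not code from the article; the prefix value and the comments are placeholders chosen for illustration, and the constants themselves are standard WordPress settings):

```php
<?php
// wp-config.php excerpt (added example). Only the lines relevant to tips 2, 5 and 8 are shown;
// keep the rest of your generated wp-config.php as it is.

// Tip 5: table prefix. Set this before the first install; the value below is a placeholder.
// Changing it on a live site means renaming every table and every prefixed option row.
$table_prefix = 'k7q2x_';

// Tip 2: once the certificate is installed, require HTTPS for the dashboard and the login
// page so the session cookie and your password are never sent over plain HTTP.
define( 'FORCE_SSL_ADMIN', true );

// Tip 8: core auto-updates. WordPress applies minor (security) releases by default;
// true also enables major releases, false disables all core auto-updates.
define( 'WP_AUTO_UPDATE_CORE', true );
```

FORCE_SSL_ADMIN only covers wp-admin and wp-login.php; the public site still needs its HTTP-to-HTTPS redirect at the web server or host level. Auto-updates for plugins and themes are not controlled from wp-config.php: use the per-plugin toggle that WordPress 5.5 added, which internally answers the auto_update_plugin and auto_update_theme filters.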
According to Sucuri’s 2016 report, 55% of websites that got infected or hacked were not updated at the time of such incidents.
9. Backup Your Data Regularly.
Backups will not prevent your site from being attacked or hacked, but they let you bring the website back online quickly after a hack.
A plugin that does this job well is UpdraftPlus. Install and activate it, then go to its settings.
Choose where to store the backups and how often to take them.
Daily is a sensible default; back up at least as often as your content changes, and keep several generations so you can restore a version from before the compromise.
Because UpdraftPlus automates the process, you don’t have to worry about manual backups.
The best thing about this plugin is that its multiple storage options let you keep backups anywhere you want.
Google Drive, Dropbox or your local disk all work, and the plugin is free. Store backups somewhere other than the web server itself, because an attacker who controls the server can delete or encrypt local copies, and test a restore once so you know the backup actually works.
10. Use Separate CPanel for Each of your Websites.
If your plan allows multiple or unlimited websites, it is natural to host several sites in the same package.
Many people don’t realise they should have a separate cPanel account, with its own username and password, for each website. Otherwise it takes just one compromised site to get access to all of them, because sites in the same account run as the same user and can read and write each other’s files.
11. Delete Everything that is not in Use.
One mistake in one line of any PHP file in your web space can be enough for an attacker to get in.
When you leave old plugins, themes or uploads in place, there are more files in your web space, and each is a potential way in.
Even when a plugin or theme is inactive, its PHP files are still on the server and can be reachable directly by URL, so a vulnerability in it is still exploitable.
Keep only the files your website needs to function. If you have unused or inactive plugins or themes, delete them right away; deactivating is not enough.
12. Don’t Install Themes and Plugins without Thorough Research.
All software needs regular care from an experienced developer to stay free of vulnerabilities.
Not all plugins and themes are looked after equally. Some are written by inexperienced developers who do not make the effort to update them regularly.
Using such plugins will eventually cause security problems for you.
Also keep in mind that every extra plugin slows down your page load time.
So research themes and plugins thoroughly before installing them.
Use as few plugins as possible, and make sure the ones you use are actively maintained.
To check this, go to your WordPress dashboard, click Plugins, then Add New, and search for the plugin by name. In the listing, check the “Last updated” date and the “Tested up to” WordPress version. If it has not been updated in a long time and is not tested with your WordPress version, it is not a good idea to install it.
The developer of such a plugin is no longer actively supporting it, so any vulnerability found in it will stay unpatched, and your website’s security will be in danger.
13. Don’t Buy Plugins and Themes from Unknown Source.
Many websites offer paid (“nulled”) plugins and themes for free or at a fraction of the original price. It is human nature to want to save some money wherever we can.
But it is not worth compromising your website’s security for it. Such downloads frequently contain backdoors or hidden code that steals data, injects spam links or hands control of your site to the distributor, and they cannot receive the vendor’s updates.
So don’t use plugins and themes from unknown sources. Always get them from the official WordPress repositories or directly from the vendor.
14. Enable Two-Factor Authentication.
Two-factor authentication adds a second step to the login: besides your password you must enter a one-time code, usually generated by an app on your phone.
Since an attacker would need both your password and your phone, it is very effective against password guessing and against reused or leaked passwords.
How to setup?
Log in to your cPanel and look for a Two-Factor Authentication setting. Note that this protects the cPanel account itself, not the WordPress login.
For the WordPress login you have to install a plugin. I recommend the Google Authenticator plugin. Install and activate it.
Next, install the Google Authenticator app on your Android or iOS device.
Then scan the QR code (or type the secret) shown by the plugin into the app, enter a code to confirm, and activate. Your blog now requires a Google Authenticator code at login.
Bonus tip: the code is six digits long and a new one is generated every 30 seconds; the plugin accepts a little slack for clock drift. If that feels too tight, you can turn on Relaxed mode, which accepts codes over a wider time window. If you are confident in your typing speed, you don’t need it.
Important alert: because this method depends on your mobile device, be extra careful. Losing your phone, deleting the app or changing phones without moving the secret over first will lock you out.
If that happens, you can disable the plugin by renaming its folder under wp-content/plugins via FTP or your host’s file manager; if you are new to WordPress, contact your hosting provider for help.
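Here is what actually happens behind the six-digit code, as an added example; this is not code from the article or from the Google Authenticator plugin. It implements TOTP (RFC 6238) in a must-use plugin and checks the code after WordPress has verified the password. The user meta key, field name and file name are assumptions, and enrolment (generating the secret and showing the QR code) is not covered:

```php
<?php
/*
Plugin Name: Example TOTP Check (added example; not the Google Authenticator plugin's code)
*/
// Save as wp-content/mu-plugins/example-totp.php. Assumes the base32 secret the user scanned
// into their app is stored in the hypothetical user meta key 'example_totp_secret'.

// Authenticator apps exchange secrets in base32; decode to the raw key bytes HMAC needs.
function example_base32_decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim($b32, '='));
    if ($b32 === '') {
        return '';
    }
    $bits = '';
    foreach (str_split($b32) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $raw = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {           // drop the trailing partial byte
            $raw .= chr(bindec($byte));
        }
    }
    return $raw;
}

// RFC 6238: HMAC-SHA1 over the 30-second counter, dynamically truncated (RFC 4226) to N digits.
function example_totp_code(string $rawSecret, int $unixTime, int $step = 30, int $digits = 6): string {
    $counter = intdiv($unixTime, $step);
    $hmac    = hash_hmac('sha1', pack('J', $counter), $rawSecret, true); // 'J' = 64-bit big-endian
    $offset  = ord($hmac[19]) & 0x0f;
    $binary  = ((ord($hmac[$offset]) & 0x7f) << 24)
        | (ord($hmac[$offset + 1]) << 16)
        | (ord($hmac[$offset + 2]) << 8)
        |  ord($hmac[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Accept the current code plus $window steps either side to absorb clock drift.
// This window is exactly what the plugin's "Relaxed mode" widens.
function example_totp_verify(string $rawSecret, string $userCode, int $now, int $window = 1): bool {
    if (!preg_match('/^[0-9]{6}$/', $userCode)) {
        return false;
    }
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(example_totp_code($rawSecret, $now + $i * 30), $userCode)) {
            return true;
        }
    }
    return false;
}

// Self-check against the RFC 6238 SHA-1 test vector: secret "12345678901234567890", T = 59 -> 94287082.
if (example_totp_code('12345678901234567890', 59, 30, 8) !== '94287082') {
    throw new RuntimeException('TOTP self-check failed');
}

// Extra input on wp-login.php.
add_action('login_form', function () {
    echo '<p><label>Authentication code<br>'
       . '<input type="text" name="example_totp_code" autocomplete="one-time-code" inputmode="numeric" class="input"></label></p>';
});

// Priority 40 runs after WordPress's own password check (priority 20), so the code is only
// examined for logins whose password was already correct.
add_filter('authenticate', function ($user, $username, $password) {
    if (!($user instanceof WP_User) || $password === '') {
        return $user;                          // failed login, or cookie re-authentication
    }
    $b32 = (string) get_user_meta($user->ID, 'example_totp_secret', true);
    if ($b32 === '') {
        return $user;                          // not enrolled; require enrolment for admins in practice
    }
    $code = isset($_POST['example_totp_code']) ? trim((string) wp_unslash($_POST['example_totp_code'])) : '';
    if (!example_totp_verify(example_base32_decode($b32), $code, time())) {
        return new WP_Error('example_totp_invalid', 'Invalid or expired authentication code.');
    }
    return $user;
}, 40, 3);
```

Two things a production plugin adds that this example leaves out: remembering the last counter a user logged in with, so a code captured over the shoulder cannot be replayed within the window, and a set of one-time backup codes for exactly the lost-phone situation described above.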
15. Limit Login Attempts.
Brute-force attacks on the wp-login.php page are among the most common attacks on WordPress. Imagine thousands of bots hammering your login page with different username and password combinations until one works.
If you followed point 6 above, the bots have to guess the username as well, but you cannot stop them from trying.
One of the most useful measures I found is limiting login attempts: after a set number of wrong attempts, further logins from that source are blocked for a fixed time. Cool, isn’t it?
How to do it?
Go to your WordPress dashboard, click Plugins, then Add New, and type ‘limit login attempts’ in the search bar.
Click Install, then Activate.
Then go to Settings in your WordPress dashboard and find the plugin’s options. Choose your preferred limits and click Save.
After the configured number of wrong attempts (four in the default setup) the source is locked out for the time you set. Note that limits keyed on IP address do not stop attacks spread across many addresses, which is one more reason to combine this with two-factor authentication (tip 14).
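For readers who want to see what such a plugin does underneath, here is a minimal per-IP login throttle as an added example; it is not the Limit Login Attempts plugin’s code nor the article’s. The threshold of four attempts and the 20-minute lockout mirror the setup described above but are assumptions, as are the file name and transient key:

```php
<?php
/*
Plugin Name: Example Login Throttle (added example; not the Limit Login Attempts plugin's code)
*/
// Save as wp-content/mu-plugins/example-login-throttle.php; mu-plugins load without activation.

define('EXAMPLE_MAX_ATTEMPTS', 4);
define('EXAMPLE_LOCKOUT_SECONDS', 20 * MINUTE_IN_SECONDS);

function example_client_ip(): string {
    // Only REMOTE_ADDR is set by the web server itself. X-Forwarded-For is supplied by the
    // client and must be trusted only behind a proxy or CDN you control.
    return isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_fail_key(string $ip): string {
    return 'example_login_fail_' . md5($ip);
}

// Count failures per source address; every failure refreshes the expiry, so attempts
// made during a lockout extend it.
add_action('wp_login_failed', function ($username) {
    $key   = example_fail_key(example_client_ip());
    $fails = (int) get_transient($key) + 1;
    set_transient($key, $fails, EXAMPLE_LOCKOUT_SECONDS);
});

// A successful login clears the counter for that address.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(example_fail_key(example_client_ip()));
}, 10, 2);

// Priority 40 runs after WordPress's own credential checks (priority 20), so a locked-out
// source gets the same error whether or not the password it sent was right.
add_filter('authenticate', function ($user, $username, $password) {
    $fails = (int) get_transient(example_fail_key(example_client_ip()));
    if ($fails >= EXAMPLE_MAX_ATTEMPTS) {
        return new WP_Error(
            'example_locked_out',
            sprintf('Too many failed logins. Try again in %d minutes.', EXAMPLE_LOCKOUT_SECONDS / MINUTE_IN_SECONDS)
        );
    }
    return $user;
}, 40, 3);
```

Because the check sits on the authenticate filter, it also covers logins made through xmlrpc.php, which bots use to avoid the login page. Keying on IP alone has the limits mentioned above: users behind the same NAT share a counter, and an attacker rotating addresses is not slowed down, which is why real plugins also count failures per username.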
There you go!
I hope you take these necessary steps to secure your WordPress website.
Apart from the points above, you can also use a security plugin such as Sucuri to scan for malware and enable a website firewall against the most common threats.
You can also block direct access to the wp-config.php file with a few lines in .htaccess. These steps are beyond the scope of this basic guide.
Because WordPress is open source, everyone, good guys and bad guys alike, can read the code. Bad guys are always waiting for the smallest loophole to exploit.
To close such loopholes, the WordPress project and plugin and theme developers release updates regularly to make the software more user friendly and secure.
In short, to avoid being attacked or hacked, follow the steps and suggestions detailed in this article.
So next time you think of uploading a cool-looking plugin or theme, do your homework to make sure you are not handing over the key to your WordPress website. And don’t forget to keep everything in your web space up to date.
I hope you found useful information in this article. Also, let me know in the comments if I missed any of the basic settings that you follow.