WordPress is a fantastic platform for building websites, but when it comes to security it does have a few vulnerabilities. In this post, we’ll provide you with a range of tips to help you make your WordPress website far more secure.
Hide your wp-admin login page
When most hackers try to break into your website, they’ll do it by attempting to log in via your wp-admin page. With WordPress being so popular, everyone knows this is the standard login page, so all a hacker needs to do is type ‘http://yoursite/wp-admin’ into their browser. It would make things much more difficult for them if that page was hidden – and this is possible with plugins such as Protect Your Admin. Using these types of plugins, you can change the URL of the wp-admin page to something that a hacker wouldn’t know to look for.
At the same time, these plugins make it possible to redirect anyone who does try to access the old wp-admin URL to your homepage.
Auto update WordPress and its themes and plugins
One of the reasons there are so many updates is that developers spot vulnerabilities and send out a new version with a security fix. Whilst most WordPress users know we should update our software as soon as a new version is released, we often don’t get around to it. This is particularly true if you run many different websites.
Luckily, there are several plugins, such as Easy Updates Manager, which make it possible to update WordPress, together with your plugins and themes, automatically, taking the headache out of keeping your site up to date. You can configure Easy Updates Manager to choose which plugins you want to update automatically and which ones, if any, you want to update manually.
Change your username
To log in to your site, a hacker needs two pieces of information – your username and your password. Whilst we are constantly reminded to be secure with our passwords, giving people access to your username provides them with 50% of the information they need to break into your site.
We all know that we should not use ‘admin’ as a username, but even using our own names can be risky. If you run a blog and have your own name mentioned on the site, either on the homepage or as an author, then it can be very helpful to hackers. If you are called John Smith, then it’s not going to be too difficult for hackers to hazard a guess at your username being ‘johnsmith’ or something similar when attempting to log in.
To make your website more secure, you need to do two things. Firstly, change your username to something that would be more difficult for a hacker to guess; and secondly, change the settings so that your username is not identical to the display name.
To make your username more difficult to guess, use a mixture of upper and lowercase letters as well as numbers and symbols – just as you would with your password. You can change your username easily using the Username Changer plugin.
To change the display name so it is not identical to the username, go to Admin Panel >> Users and then find yourself in the user list. Once there, click ‘Edit’. When the page opens, scroll down to the section containing the Nickname and Display name fields.
To make the display name different, do the following:
1. Change the Nickname to the name you want to be displayed
2. Click the dropdown box next to Display name. The new nickname should now appear as an option. Choose this as your display name.
3. Click to save settings at the bottom of the page.
4. You will now have a more secure username and this will not appear on your blog or on emails and newsletters.
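To check an existing site against the two rules above, the following audit flags accounts whose username is ‘admin’, matches the display name, or can be derived from it. It is an added example, not part of the original post; the CSV column names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# Constructed sample export (login, display name); not data from the original post.
SAMPLE_USERS = """user_login,display_name
admin,Site Admin
johnsmith,John Smith
jsmith,John Smith
Kq7vTz2mR,Jane Doe
editor42,editor42
"""

def guessable_logins(display_name):
    """Usernames that can be derived from a publicly displayed name."""
    parts = re.findall(r"[a-z0-9]+", display_name.lower())
    if not parts:
        return set()
    guesses = {sep.join(parts) for sep in ("", ".", "_", "-")}
    guesses.update(parts)                      # first name or surname alone
    if len(parts) > 1:
        guesses.add(parts[0][0] + parts[-1])   # initial + surname, e.g. jsmith
        guesses.add(parts[0] + parts[-1][0])   # first name + initial, e.g. johns
    return guesses

def audit_users(csv_text):
    """Return (login, [reasons]) for every account that breaks a rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["user_login"].strip()
        display = row["display_name"].strip()
        reasons = []
        if login.lower() == "admin":
            reasons.append("default 'admin' username")
        if login.lower() == display.lower():
            reasons.append("display name identical to username")
        elif login.lower() in guessable_logins(display):
            reasons.append("username derivable from display name")
        if reasons:
            findings.append((login, reasons))
    return findings

if __name__ == "__main__":
    for login, reasons in audit_users(SAMPLE_USERS):
        print(f"{login}: {'; '.join(reasons)}")
```

On a real site, the same CSV can be produced with WP-CLI: `wp user list --fields=user_login,display_name --format=csv`.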
Scan for intrusion
One of the best ways to defend your site is to have it constantly monitored for intrusion threats. This can protect your website against malware, code injections, cross-site scripting attacks and many other types of threat.
There are two ways to protect your website using intrusion monitoring. The best method is to have your site monitored by your web host using an advanced system, such as MTvScan. Systems like these can come at a premium, but if you have WordPress hosting with eUKhost, you’ll get MTvScan included for free in your hosting package. Below, you’ll see some of the features of MTvScan.
An alternative would be to use one of the free plugins available from WordPress, such as Wordfence. These plugins also offer reasonably good intrusion protection, though to get the most secure features, such as blocking IPs from specific countries, you do need to upgrade to the premium versions. However, as a start, the free versions offer better protection than none at all and are well worth using to keep your site safe.
Use two-factor authentication
Two-factor authentication is a highly secure process that means no one can log in to your website with just a username and password – they will also need another piece of information which is usually created during the login process and sent to your mobile phone. This means that unless a hacker has your mobile phone with them, they won’t be able to break into your site.
There are quite a few plugins available in the WordPress repository which provide you with this kind of security, including Google Authenticator For WordPress and the very popular (over 700,000 downloads) Clef Authenticator which is so advanced you don’t even need a password.
Remember to backup
Never take security for granted. Hackers use very sophisticated methods and are always on the lookout for new vulnerabilities. If your site is hacked or infected, you will need a backup to restore your lost website. If you don’t, it could mean the loss of years of hard work, your business being offline and an expensive rebuild.
There are a few different routes you can take to back up your website. A good web host will provide a remote backup service with options to back up at the rate which your website needs – be it continuously or once a week. They will also provide you with appropriate storage and the expertise to get your site back online if you are hacked.
A less expensive method can be achieved using a backup plugin, such as Updraft Plus. Whilst the free version won’t provide continuous backups like a web host can, you will still be able to schedule when they take place. What isn’t included is the storage, so you will need to find somewhere to store your backups. If you have a small site you can use Google Drive or Dropbox; for large sites you may need to pay for storage space.
Hopefully, these tips have given you a better understanding of some of the threats faced by WordPress websites and what precautions you can take to improve security and make it harder for your site to be hacked.
If you are looking for WordPress hosting, check out our WordPress Hosting page. Our affordable packages are packed with helpful features and backed up with expert WordPress support and first-class security.