Thousands of websites get hacked every day.
Yours might be next.
Even if you are using WordPress, there is a chance that your website can get hacked.
Most of the reasons why websites get hacked can be easily prevented.
You can secure your WordPress website even if you aren’t a web developer. And it need not take any time either!
Today, I will share with you 9 tips to secure your WordPress website right now…
Is WordPress Safe?
WordPress is the most popular content management software (CMS) that powers over 29% of all websites. It is an open-source project maintained by thousands of volunteer developers around the world.
The chance of WordPress itself having unresolved security bugs is really low. The army of volunteer developers behind the software is constantly testing it and fixing security issues as soon as they come to light.
So, most likely, if your website gets hacked, it won’t be because of WordPress itself.
Most WordPress sites get hacked because of a user error, or because a plugin or theme they are using has an unfixed security issue in it.
Before you make any changes to your WordPress website, make a backup of your website. This way, if you accidentally break something, you can restore a working version of your website.
9 Tips To Secure Your WordPress Website
1. Turn Off File Editing
You can edit the contents of your plugins and themes directly from the WordPress Admin Dashboard by default. This gives you the flexibility to modify your themes and plugins quickly. BUT this can allow hackers to install malicious code on your website.
If a hacker gains access to your WordPress dashboard, there’s not a lot they can do there. You can always revert to a backup and revoke their access. But if they can edit the files, then they can do pretty much whatever they want with your website.
This is why it’s a good practice to disable file editing on all your WordPress sites. To disable file editing, add this line to your wp-config.php file:
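The WordPress constant that turns the editors off is DISALLOW_FILE_EDIT. The snippet below is an added example, not code from the original post:

```php
// wp-config.php: add this above the "That's all, stop editing!" comment,
// so the constant is defined before WordPress loads wp-settings.php.
// After saving, the theme and plugin editor screens no longer appear in the dashboard.
define( 'DISALLOW_FILE_EDIT', true );
```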
This one line disables the File Editor for both themes and plugins.
2. Hide Your WordPress Version Number
WordPress adds a meta tag to all your pages called a generator meta tag. This tag is used to identify what software a website is built with. In this case, WordPress.
Hiding this tag is important because the tag tells hackers that you are using WordPress. What’s worse, it also tells them which version you are using.
If your website is using an outdated version because you forgot to update it, then hackers can use this information to find security vulnerabilities that haven’t been fixed in that outdated version.
Removing the generator meta tag in WordPress is really easy. All you have to do is add this line of code to your theme’s functions.php file:
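The core call for this is remove_action() on the wp_generator hook. The snippet below is an added example, not code from the original post, and it goes beyond the single line: it also clears the generator string in feeds and strips the core version from script and style URLs. The function name example_strip_core_version is hypothetical.

```php
<?php
// Theme functions.php (leave out the opening tag above if the file already has one).

// 1. Remove <meta name="generator" content="WordPress x.y"> from the page <head>.
remove_action( 'wp_head', 'wp_generator' );

// 2. Return an empty generator string wherever else core emits it (RSS/Atom feeds).
add_filter( 'the_generator', '__return_empty_string' );

// 3. Core appends ?ver=<WordPress version> to its own scripts and styles.
//    Strip the parameter only when it equals the core version, so plugin and
//    theme assets keep their own cache-busting version strings.
//    Trade-off: browsers may keep cached core assets longer after an update.
function example_strip_core_version( $src ) { // hypothetical helper name
    $core_version = get_bloginfo( 'version' );
    if ( is_string( $src ) && strpos( $src, 'ver=' . $core_version ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'example_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'example_strip_core_version', 9999 );
```

This only hides the version string. An outdated install is still outdated, so keep applying updates.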
3. Keep Your Themes and Plugins Updated
Plugin and theme developers release new updates for their products whenever they find and fix security issues. If a theme or plugin on your site is outdated, your site will become exposed to the risk of getting hacked.
When hackers find a security vulnerability in a plugin or theme, they scour the internet to find sites that are using those plugins. If your site is using an outdated theme or plugin, it might become a target.
So, KEEP YOUR THEMES AND PLUGINS UPDATED!
Whenever there’s an update, install it!
4. Assign Least Privilege Possible
If you need to share access to your website with a freelance writer, developer, or editor, give them an account with the least privilege possible. If you are giving access to a writer, there’s no need to give them editor access or, worse, admin access. The same goes for editors.
This way, even if someone you gave access to wants to compromise your website in some way, they won’t be able to because they don’t have the required permissions.
5. Change The Default Username
If you are using admin as the username, then you need to change that.
It’s really easy to guess. And if you are using admin as your username, then you’re probably also using a weak password.
Do yourself a favor and change your username!
Change it to something that won’t be easy to guess.
6. Use a Strong Password
Do I even need to talk about this?
Hackers try to crack passwords using brute-force tactics. If your password is a combination of two or three words, or something common, it won’t be that difficult to crack.
The best passwords are randomly generated passwords. If you aren’t already, start using a password manager like Bitwarden or LastPass. That way, you can use really strong passwords for all your accounts and will need to remember just one password.
An easy password is easy to crack.
A strong password is a combination of numbers, letters, and symbols.
7. Use Two-Factor Authentication
2-Factor Authentication prevents your website from getting compromised even if someone knows your login credentials. If you have 2-Factor Authentication enabled, you will need to enter a one-time password every time you log in. This OTP will be sent to your phone on whatever 2FA app you use.
This way, the only way a hacker can compromise your account is if they know your login credentials and have access to your phone.
You can use the Rublon plugin to enable 2FA for all accounts on your website. If you don’t have a 2FA app installed on your phone, I recommend Authy. It’s free, cross-platform, and has an option to recover your account in case you lose your phone. Don’t use Google Authenticator. If you lose your phone, all your accounts will be gone forever!
8. Install a Security Plugin
WordPress security plugins protect your site from malware and add a lot of security measures to your website.
To be honest, there’s not a lot security plugins do for your website. If your website gets hacked, most of the time it will be your fault. It will be because you didn’t follow a security best practice.
But at the same time, these plugins can make it less likely for you to make a mistake like that.
One of the best WordPress security plugins is Sucuri. It’s trusted by thousands of website owners.
9. Keep Regular Backups of Your Website
Nothing beats regular backups.
What would you do if a hacker takes over your website and deletes everything?
If you don’t back up your website regularly, you will lose all your hard work.
We don’t want that, right?
It’s a security best practice to regularly back up your website even if you think your website is secure.
We use UpdraftPlus for our websites. It’s very easy to use, and lets you back up your site to Google Drive. And it’s free!
If you want to keep your WordPress site secure, these tips are a great starting point.
They might not make your website bulletproof, but they will serve as a gatekeeper between your site and hackers.