May 14 2020

10 Tips To Beef Up Your WordPress Website Security

AnnexCore

Cyberattacks! They’ve become a daily struggle for businesses, and the number of cyberattacks keeps growing at a rapid rate. With hacker attacks happening every 39 seconds, securing your website is a very smart preventive measure against these attacks.

Cyberattacks come with dangerous consequences. They can hurt your brand reputation and destroy the trust your customers have for you. They can also cost you money – a lot of money. According to Radware – a cybersecurity company, cyberattacks are on average, estimated to cost businesses more than $1 million.

One. Million. Dollars.

Imagine a million dollars wiped out of your company’s balance sheet.

Just. Like. That.

And it gets worse. The average cost of a data breach has been predicted to cost $150 million before the end of 2020. I don’t know about you but $150 million ain’t no small change you can waste.

You have to understand that you cannot have a 100% secure system/website – that’s an illusion. Security is all about risk reduction, not risk elimination. This involves deploying all the necessary and reasonable controls that are available to you – within reason –  that reduces your odds of getting hacked.

Here’s how you can beef up your WordPress website security:

1) Invest in your WordPress Hosting Security

The very first step to securing your WordPress site is by investing in your WordPress hosting security. This involves choosing a trusted web host, or if you run a VPS (Virtual Private Server), having (or hiring someone that has) the technical knowledge to protect your server. If a hacker gains access to your hosting account, every other measure you take to protect your site will be a complete waste of time because the attacker can make malicious changes at will.

The key to keeping your WordPress environment thoroughly secure is by server hardening. This includes, but is not limited to:

  • Updating the Operating System and Security Software of the webserver
  • Installing firewalls and intrusion-detection systems
  • Configuring your server using secure networking and file transfer encryption protocols (SFTP) instead of FTP.

2) Always Update Your WordPress Core, Themes and Plugins to the Latest Version

Keeping your WordPress Core, Themes, and Plugins up to date is another important way of hardening your WordPress security.

WordFence interviewed 1,000+ victims of cyberattacks on their WordPress site owners asking them to describe how the hackers gained access to their site. After polling the results, they found that plugins, core, and theme were the first, third, and fourth most common points of entry respectively. Plugin vulnerabilities alone accounted for up to 55.9% of all access points for hackers.

Plugins that have not been updated in 6 months are not recommended as they might have been abandoned by the developer, which means there’ll be no support for code vulnerabilities that can leave your WordPress site up for cyberattack. You should also download plugins from WordPress official repository or only reputable sites to avoid downloading plugins that contain malware

You can activate automatic updates of your WordPress core to allow WordPress to automatically update your site to the latest version and improve the security of your site.

3) Update  Your PHP to the Latest Version

WordPress is written in PHP, so updating the PHP version used on your server to the latest is of utmost importance. Each major version of PHP released usually gets two years of full support from its date of release during which bugs and security issues are regularly fixed and patched. As of this writing, version 7.4 is the latest version of PHP.

4) Lock Down Your WordPress Admin And Limit Login Attempts

Your WordPress Admin is a backdoor to your WordPress site that when left vulnerable, can make it more susceptible to hacker attacks. Locking down your WordPress Admin makes it harder for a hacker to gain access to the backdoor of your WordPress site, thereby reducing its chances of being hacked. This strategy is called WordPress security by obscurity.

You achieve this by first changing your default wp-admin login URL to something more unique and less obvious. WordPress plugins like WPS Hide login or Perfmatters can easily help you to do this.

The next step will be to limit the number of login attempts. Remember that study from WordFence I talked about earlier? Brute force attacks occupied the second spot on the list. Brute force attacks are only possible when there is an unlimited number of login attempts to a site. Limit Login Attempts is one WordPress plugin that can help you limit the number of login attempts to your site. Some other plugins include Login Lockdown, Wordfence Security, and Jetpack.

5) Make Use of Clever Usernames and Passwords, And Implement Two-Factor Authentication

Surprising as it might sound, one of the most effective ways of beefing up your WordPress security is by making use of clever usernames and passwords. Here are the top ten most popular passwords from SplashData’s 2019 annual list of the most popular passwords stolen throughout the year in descending order of popularity:

  • 123456
  • 123456789
  • qwerty
  • password
  • 1234567
  • 12345678
  • 12345
  • iloveyou
  • 111111
  • 123123

Passwords like these make the job of a hacker a whole lot easier and if you use any of these, CHANGE IT.

To protect your site, even more, you should add Two-Factor Authentication to your site because there’s the risk of someone figuring out your password regardless of how secure it is. Two-Factor Authentication uses both your password and a second method to log you into your account. The second method is mostly through SMS, phone call, or a time-based one-time password (TOTP).

Two-Factor Authentication can provide almost 100% protection from brute-force attacks because what are the chances that the attacker will have both your password and your phone? Some WordPress plugins that can implement Two-Factor Authentication include Duo Two-Factor Authentication, Google Authenticator  and Two Factor Authentication.

6) Install an SSL Certificate For Encrypted Connections

There’s this huge misconception that you don’t need an SSL certificate on your site if you’re not accepting credit cards. Installing an SSL certificate allows you to run your site over HTTPS (HyperText Transfer Protocol Secure) – a protocol that allows web applications and browsers to securely connect to a website.

SSL certificates are important especially if you run a WordPress site with multi-user login, and more so if you run an eCommerce site. Apart from security benefits,  HTTPS has  other benefits including:

  • Higher ranking on Google. Google uses HTTPS to indicate more authentic sites.
  • Increase in trust and credibility of your site. A survey by GlobalSign showed that 28.9% of visitors looked out for the green address bar of their browser with 77% of them being concerned that their data might be intercepted or misused.

If these other reasons don’t motivate you enough to install an SSL certificate, I don’t know what will.

7) Protect Against DDoS

DDoS (Distributed Denial-of-Service) is a malicious attempt of flooding a target website with unwanted traffic using multiple compromised systems. These types of attacks usually harm your site but they make your site unavailable for a few hours or days.

Using third-party security services like Cloudflare or Sucuri can help protect your WordPress site from DDoS attacks.

8) Harden Your Database Security And Always Make Backups

There are a couple of methods you can use to harden your WordPress database security. The first method is by using a clever database name. If the name of your website is sushi recipes, your WordPress database will most likely be named wp_sushirecipes. Hackers can already guess that as the database name, making their job a whole lot easier. By changing your database name to something totally unrelated to your site (eg equustrian_ferrari), you make it a whole lot harder to guess your database name, thereby reducing the chances of getting hacked. This is another method of  WordPress security by obscurity.

The second method, which is very similar to the first, is changing the database table prefix. WordPress by default starts your table names with the prefix wp_ which again makes it easier for hackers to gain access to your database tables. Changing the prefix to something more random (like 94xt78q_) increases the security of your database tables.

As I mentioned earlier in this article, you cannot have a 100% secure website. For this reason, you need to constantly backup your site. Should your WordPress site ever get hacked, having a backup will save you from a huge deal of stress that you’ll go through if you didn’t have a backup.

 9) Prevent Hotlinking On Your Site

Hotlinking involves displaying files of another website – usually images and/or videos –  by directly linking to the website hosting the file. This might not necessarily be an attack on your website, but if files from your website are hotlinked to a very high traffic site, it can drive up your hosting expenses and might even cause denial-of-service.

10) Use WordPress Security Plugins

Of course! This article won’t be complete without the mention of security plugins that can help you keep your site secure. Some worthy mentions include Sucuri Security, iThemes Security, WordFence Security, WP fail2ban, SecuPress.

So there you have it. This is by no means an exhaustive list but you can put these into practice today and beef up your WordPress security.

This post may contain affiliate links for which we receive commission if you visit a link and purchase something based off our recommendation. By making a purchase through an affiliate link, you won't be charged anything extra. We only recommend products and services we've thoroughly tested ourselves and trust.