Things you can do to keep your WordPress website safe

July 8, 2020
Anthony Fajardo

If you're reading this, chances are, your website is running on WordPress. As WordPress reaches approximately 35% of all websites, security experts consider it to be a large attack surface and a very high value target for bots and hackers.

Eversince I started using WordPress, I've heard of how insecure it can be, as well as the PHP language which WordPress runs on. According to Cal Evans, an Information Technology consultant based in Florida, a language itself is not insecure. There might be vulnerabilities that crop up but those get quickly patched. A language itself is not inherently insecure, it's how people use it.

A badly developed website, or plugin can have a code hackers can use to exploit and therefore take control of your site.

Here are some actionable items to help you keep your site more secure.

1. Keep your WordPress core & plugins up-to-date

This is the single most important thing you can do to keep your site safe. There are a couple of things you can do to keep your WordPress core up-to-date.

1. Update Manually - Once you log into your WordPress dashboard, you will see a notification that you an updated version of WordPress is available.

Be sure that you have backed up your site before updating the WordPress core. Depending on the plugins you currently have, the core update may break some plugins and cause your site to go down. It's better to always have a backup ready.

More about backing up your site down the list.

2. Autoupdate through your hosting provider - Some hosting companies have the option to automate your WordPress core and plugins updates.

Attackers are looking at these codes for possible vulnerabilities. Keeping your WordPress Core and plugins up-to-date can prevent attackers from exploiting these plugins and taking control of your website.

On SiteGround, you can go to your control panel (cpanel) and look for the section under WORDPRESS TOOLS. There you will find the WP Auto Update. Click this and it will take you to the WordPress Auto Update Manager.
By clicking the Autoupdate setting on the right, you will be given a choice how long to wait before a Major / Minor WordPress core update has been released as well as a choice whether to automatically update your plugins (as shown below).

2. Strong Passwords

According to Charlotte Empey, Marketing Director at Avast, "the best passwords will thwart brute force and dictionary attacks".  

A Brute Force attack tries to guess every combination in the book until it hits on yours.  While a Dictionary Attack tries a prearranged list of words such as those you'd find in a dictionary.

Another way hackers can get your password is by phishing.  That is when they try to trick you into giving them your login credentials.  You may get an email saying that your website requires you to change your password and provides you with a link.  A website owner may click that link and enter their credentials thinking it is a legitimate site.  

What NOT to use as passwords : admin, administrator, your birthday, your mother's maiden name, your spouse's name.  Assume these are already common knowledge

To learn more about how to strengthen your password, check out Charlotte Empey's blog at avast by clicking the link below

3. Regular Backups

Backing up your WordPress site is extremely important. This means you have a similar copy of your content and data with you. In case When your website gets hacked, this data will be available to you and you can restore the entire site and database.

Depending on your web hosting company, this may be a service that you currently have with them and I suggest you take advantage of it. If not, there are a few WordPress plugins you can install to back your website up and database and save it to Dropbox, Google Drive or email it to you.

SiteGround has Automated Daily Backup for all their hosting plans. They backup your information on their servers on a daily basis for up to 30days back and restoring them are free.

A few WordPress Plugins that deal with backing up your websites are the following:

  1. UpdraftPlus - This plugin is used by more than 2million websites online and allows you to create a complete backup of your WordPress site and store it on the cloud or download to your computer
  2. VaultPress - Vaultpress is now a part of JetPack, (another WordPress plugin). You will have to subscribe to JetPack, get a account and install it on your website. This plugin starts from $39 per year for the personal account while the business premium account starts at $99 per year.
  3. Duplicator - This is a popular WordPress plugin used to migrate WordPress websites. It also has a backup capability but does not allow you to create scheduled backups. Best thing is, it's FREE

4. Move your login page

It is easy to identify if a website is a WordPress website. Simply adding "/wp-admin/" at the end of the URL would take you to the login page of any WordPress website. Moving your login page such that when anyone types your URL and added the wp-admin string at the end, can add another layer of security by hiding the way hackers can log into your site. This is caled Security by obscurity.

I would recommend WPS Hide Login plugin. With over 600K active installation, this is one of the most popular plugin to change your login page into anything you want.

5. Disable file editing

WordPress comes with a built-in theme and plugin editor. This code editor allows you to edit your themes and plugin files directly from the WordPress dashboard. As great as it may sound, this poses a security risk when a hacker gains access to the back-end of your website. There's a couple of ways to do this.

  1. Editing the wp-config.php file via FTP softwares like Filezilla

    FTP or File transfer Protocol is "a set of rules that networked computers use to talk to one another. Filezilla is an open source software that supports FTP.

    a. Once you've connected to your site through Filezilla, navigate to public_html > wp-config.php

    b. Right click on the wp-config.php file and select view/edit. This will open the file on your default text-editor

    c. Add the following code anywhere:

    define( 'DISALLOW_FILE_EDIT', true );

    d. Save
  2. Editing the wp-config.php file via your web hosting control panel

    On your web hosting control panel (cpanel), look for the File Manager button and click it. This will open a new browser window and on the left which lists all the folders in your server, look for public_html. Once inside that folder, look for wp_config.php and right-click to edit.

    File Manager > public_html > wp_config.php

6. Two-Factor Authentication

The Two-Factor Authentication (2FA) adds another layer of security to your WordPress website. Even if the hackers were able to guess your username and password, the 2FA will still require them to enter a code that is either sent via text to your mobile device, email or through an app like Google Authenticator.

You can add a plugin called WordFence which protects your website from Brute Force attacks adn other threats.

Once you have installed the plugin, you navigate to the:

WordFence tab > Login Security > Two-Factor Authentication

You will also need to have Google Authenticator on your phone and sync the two together. Once Activated, everytime you login to your website, you will be required to enter a 6 digit code to ensure you are the person authorized to login.

In Closing

Website Security is not a one and done deal where you install a plugin, set it and forget it. It involves layers upon layers of steps to stop the attacker from gaining access to your website.

Hopefully this article has provided you with some ideas on how to secure your WordPress website from attackers. There are other ways that you can secure your site, but the ones I've listed are easy, actionable, and something you can do right now.

The only, secure server out there is the one that you've unplugged from the internet... if you want to make it 100% absolutely secure, turn it off.

- Cal Evans
Copyright © 2023 Anthony Fajardo