How to Secure Your WordPress Website In 12 Steps

Anyone will agree that keeping your house or office secure from thieves is of key importance. Your website requires the same if not more protection measures, since digital thieves are invisible. You won’t see anyone “entering” the premises, yet, just in a few seconds you can loose all your data, even access rights to your own site. Cyber attacks are always painful and stressful, however, if you own a website that collects various user information (especially credit card details) you have a legal obligation to protect this data. The best way to do it, is to prevent it, and there are numerous tools, apps and tricks that you can use to make your website more secure. Here’s a few important ones:

Backup frequently

Keeping backups for your website is extremely important. Getting hacked is painful, but losing your entire website is a nightmare, and the list of reasons why that may occur is long. In case the worst happens, keep everything backed up, on-site and off-site. Trust us, it’s a lot easier to restore a recent, non-corrupted version of your website, than build everything from scratch.
Luckily, if you’ve invested into a good hosting provider, such as WP Engine or Siteground, they do regular automated backups of your site. Otherwise, you can opt for a manual alternative. Here’s how to back up manually.

Update everything

You wouldn’t want to eat a meal prepared out of old, spoiled ingredients, right? Why would you do that to your website then? Running your website on outdated software, plugins and themes compromises it greatly. Since most hacks these days are fully automated, ran with bots that keep scanning the web, searching for vulnerabilities to break in – we recommend updating your CMS (WordPress for Flothemes users), themes and plugins as soon as updates are released, just make sure to back up your site before any updates in case an error occurs during the process. Flo users, make sure you have our Theme Updater plugin installed to get a notification each time updates are available.

If you want to check the latest released version of WordPress, you can do it here. For a detailed guide on how to update your Flotheme, see our documentation.

Plugins

Adding extra features and functionality to your website is always tempting and exciting. Be sure, each time you opt for downloading and installing an extension to your site – that it is downloaded from a legitimate source. Check when was the last time it got updated (if the author stopped working on it and pushing updates, using it is a bad idea), maybe even its release date and number of installations. All this information gives you a better understanding of how trustworthy the plugin is.
You can also check out the list of plugins we recommend for our users, from spam and security, to translation, image protection and Pinterest extensions.

Usernames & Passwords

Truth be told, “admin” and “123456” or even your mom’s birthday are not secure username and passwords to be used for your site. Also, if you find your password among this list of Most Common Passwords of 2016 or this one prepared by WP Engine be sure that you can be hacked any day now.

There are a few simple rules to keep in mind when coming up with a password:
1. It has to be complex – using names of your pets, favorite sports teams, nicknames, etc isn’t good enough. Sometimes even using random real words isn’t good enough either. It has to be a string of random letters and digits. And there’s plenty of password generating tools available on the web for you to get help from.
2. It has to be unique – never reuse passwords. it needs to be unique every time, for every platform. Even if somebody hacks your email account – it shouldn’t provide them access to your site, FTP, Facebook account and many more.
3. It has to be long – it’s recommended to set up passwords which are at least 12 characters long. This also helps when there’s a limited number of times you can fail to login to your site. The longer your password is, the lower risk of being hacked.
Also, it’s recommended changing your passwords every 3-6 months – including your login credentials for your hosting and FTP.

Limited Login Attempts

Generally, WordPress doesn’t have any limits on the amount of times you can try to login into your site – therefore providing hackers with plenty of options to try out different username / password combinations and force their way into your admin panel. Luckily, you can easily change this and set a fixed number of login attempts.
To do so, you’ll need to download and activate a plugin called Login LockDown. Then, via your Settings tab, access the Login LockDown plugin and fill in your preferences – Max Login Retries, Retry Time Period, Lockout Length, etc. It’s all fairly simple and straightforward. We suggest setting up to 5 retries, not more.

Security Applications (paid or free)

While these are not 100% hacker proof, life is definitely a lot better with them. No matter if you opt for a free or paid security plugin, both types will provide an additional layer of protection to your site. Security plugins will make you more resilient to automated cyber attacks, which usually scan the web looking for loops and vulnerabilities. A few plugins to consider are:

1. WordFence – one of the most popular WordPress security plugins. It checks your website daily for malware infections. It will scan all the files of your WordPress core, theme and plugins. If it finds any kind of infection, you’ll get a notification via email. Its great from preventing brute force attacks and malware infections.
2. iThemes Security – with one click installation, you can stop automated attacks and protect your website. It will also fix various common security holes in your website. It tracks registered users’ activity and adds two-factor authentication, import/export settings, password expiration, malware scanning, and various other things.
3. MalCare – a WordPress Malware Scan and Protection Solution from BlogVault, with an easy setup process, automated scan & removal features. MalCare scans the website on its own servers and hence, there is no load on your server resources, and your website keeps running fast & smooth.
4. BulletProof Security – another plug-in with one-click installation. It adds firewall security, database security, login security and more. A great all rounder for monitoring your site security.
5. Sucuri – a globally recognized authority in all matters related to website security, with specialization in WordPress Security. They offer both, help services for those who have been hacked already, as well as protection against cyber attacks, both paid but incredibly valuable products. You can also try their free WP security scanner for a full audit of your site’s current security state.

These are just a few great tools available out there for you to test. There’s plenty more. Just remember the advice mentioned above in the “Plugins” section about downloading from trustworthy sources, and paying attention to the number of installs and updates history.

Use HTTPS (SSL Certificate)

Before we dive deeper into this one, lets us state clearly two facts:
1. The SSL certificate will not make your website more secure against hacking attempts.
2. Unless you have a payment system or a user database incorporated on your site (meaning users have an account and share any time of personal information on your site, especially card/financial details) you don’t really need a SSL certificate.
An SSL Certificate ensures a secure encrypted connection between a browser (your site visitor) and a server (your website), therefore protecting important details exchanged during each session – such as credit card or passport details, etc. Thus, if your users do not share any sensitive data with your site – the need of using HTTPS is rather minimal.
Note: While there are tons of guides and tutorials on how to migrate from HTTP to HTTPS, and it all seems easy and straightforward, we recommend consulting with technical support before switching to HTTPS, as this may cause multiple errors and broken website links if not performed correctly.

Our team offers SSL implementation services that you can read more about here.

Use a CDN Service

A CDN is a Content Delivery Network which provides alternative server nodes (spread throughout the world) that provide a faster response and download time for your users. CDN networks are required to meet specific security regulations to protect users data, and many will be on cloud networks that offer greater protection from DDoS attacks and other security threats. And while this is mainly used to improve site speed and bump up your SEO, you will find it useful when implementing the SSL Certificate on your site (which takes a bit longer as compared to the unencrypted TCP handshake). It doesn’t have to be Speed or Security. It should be both.
If you have a complex website and bigger budget, you can opt for something like MaxCDN, otherwise the free CloudFlare CDN will do the trick just fine. And here’s a small tutorial from WP Beginner on how to set it up.

Hide your Admin page

Change the url for your login page. To hack your website, a hacker needs to find your login page first. If you choose to hide it from search engines and not index it, those with malicious intentions will have a hard time trying to find a potential entry point. One way to do it, is to simply modify your login page url. You can do it with the help of the WPS Hide Login plugin or by using Protect WP-Admin plugin.

Change WP Database prefix

Most likely, your WordPress site uses the default wp_ prefix for all tables in your database – making it easy accessible for hackers. To strengthen your site’s security, we recommend changing this, though if not performed properly – you risk breaking your site. Please seek help from a developer and review this tutorial.

Disable File Editing

In your WordPress admin area you can find a built-in code editor which allows you to make chnages to your theme files and plugin files. While a tech savvy site owner may find this feature useful, a person with malicious intents can use it to put your entire site at risk. We recommend to turn it off. You can do it either do it via your wp-config.php file or your Sucuri plugin.
To turn off your WP code editor via the wp-config.php, you will need to add the following code to the file:

// Disallow file edit
define( ‘DISALLOW_FILE_EDIT’, true );

WP Beginner has a great, detailed guide explaining what this file does and how to edit it. Take a look here. While via the free version of the Sucuri plugin, you can turn of the code editor with 1 click with the Hardening feature.

1 Site – 1 Hosting

No matter how convenient and easy it may seem to host all your websites on a single hosting plan (if you have an “unlimited” one) it is not recommended to do so, because it offers a larger “plater” of attack opportunities for a hacker. Once the hacker finds a security vulnerability for one of your sites, it’s a lot easier to infect the rest of them. And while you’re trying to cleanup one site, it gets reinfected by the others.
The process of getting your sites and content back, will be painful.

For Advanced users with Dedicated Hosting we recommend installing a web application firewall (WAF) and Security Shield. Also, check out the tweaks recommended by WP Beginner in the section WordPress Security for DIY Users.

The 12 steps described above should help you significantly improve your website’s security. And while these do not protect you 100% for cyber attacks, they will surely help you avoid any random and automated hacker activity. Stay secure and get help as soon as any breaches occur!

Flothemes Team,
Empowering You.