13 tips to secure your WordPress site
WordPress is the most widely used content management system in the world. More than 37% of the sites created to date have been created using this CMS, and this makes it the favorite target of hackers. Containing a few basic vulnerabilities, a WordPress site whose security has not been worked on is an open door to hackers wishing to recover your data or simply corrupt your website.
It is important to put in place good security practices from the start of the creation of your site so as not to have to fight intrusions all day long.
That’s why in this guide we’re going to give you 13 simple best practices to keep your WordPress secure.
1. Back up the database regularly
All sites have a database in which content is stored. It is essential to archive this data regularly, in case of problems on the site. Even if your site is ultra-secure, it’s always good to have a backup of your site if needed because “you never know”. Are you saying that the biggest sites on the web that spend a lot of money for the security of their site are sometimes hacked, so why not yours?
Performing regular backups of your site will allow you to restore your site, after correcting the vulnerability, if it were to be hacked and corrupted.
Ideally, we recommend that you perform a weekly backup. Be sure to note the current date of the archive on the backup folder. In case of error, hacking or loss of the site, you will be able to reintegrate everything quickly and easily.
There are various extensions for this that allow you to make automatic backups of your files, extensions, themes and others. Here are two popular WordPress backup plugins:
These two extensions allow you to create automatic backups of your database and your files, then store them on your server or the cloud (Dropbox, Azure, Google Drive, etc.), or even by sending email containing your backup.
2. Regularly check for updates
To protect your WordPress site or blog, you must make regular updates. As soon as an update is available, follow our advice to update your WordPress site before installing it.
This instruction is valid for the CMS, but also for all the plugins. New vulnerabilities are revealed regularly, which leads developers to often propose corrections. An obsolete extension therefore presents a significant risk…
As for the updates of your security plugin, they are more than essential! These include new viruses or hacking methods.
3. Install a security plugin
As there are antiviruses to install on your computer, you can also add an antivirus plugin to ensure the security of your WordPress. Quite often, these plugins not only protect your site from viruses, but they also monitor the overall security of your WordPress.
A security plugin will allow you to manage several aspects of your WordPress security easily and transparently for you. It is a toolbox grouping together several tools to secure your site. Among these security extensions we will find:
- WordFence Security
- iThemes Security
- WP fail2ban
- Sucuri Security
- All In One WP Security & Firewall
For example, WordFence will allow you to:
- Monitor your site traffic to block malicious traffic
- Notify you of updates available on your WordPress
- Protecting your login system against a brute force attack
- Check your files for malware, non-compliant urls, code injections, bad redirects, etc.
- Check the integrity of your files
- Repair your files as needed
- Scan your site for known vulnerabilities
- Enable 2-step authentication
- Block robots with a CAPTCHA system
Other features are available with WordFence and most security extensions have similar functionality. These are very useful and recommended extensions to install. WordFence alone is installed on more than 3 million WordPress today.
4. Use official plugins and themes
Using cracked extensions or themes is bad for the security of your site.
When you install unofficial versions, you potentially offer access to your site to anyone. The cracked versions are not validated by WordPress, it is possible that the people providing these extensions and themes slip inside the malware files, an access door to your site or any other malicious code without you even you realized it.AttentionAs a result, you could have your data stolen and give access to malicious people without even knowing it!
This is why it is strongly recommended to never install cracked versions and always go through the addition of extensions and official themes of WordPress or companies from which you would have purchased a theme or an extension.
5. Remove Unused Extensions and Themes
Sometimes, we install themes and extensions to test them or for a short time, then deactivate them (in the best case) or forget them and leave them aside.
This is a problem, even more so if you don’t update them or if they are obsolete, because these unused extensions and themes are potential additional gateways for hackers and useless to your site.
Good practice will therefore be to remove any extension or theme that you no longer use to reduce the risk of your website being hacked.
6. Change login address
To reduce the risk of hacking, it is also recommended to change its connection address. By default, WordPress offers you my-site.com/wp-admin . This once again makes the work of hackers easier!
7. Delete admin account
To connect to your WordPress administration, the admin username is offered by default. It is therefore massively used by hackers to access your site.
Avoid making it easy for them and create a personal, impossible-to-guess ID before deleting the admin account.How to do ?Follow our step-by-step tutorial to modify and delete an identifier.
Contact up to 400 customers/month
Register on Codeur.com to be alerted when a client is looking for a service provider with your skills.
8. Enable 2-Step Authentication
This security option offered by different extensions makes it possible to secure your connection system almost 100%!
In most cases, the 2nd login step will be a code sent by SMS, a phone call or a required login via a mobile application. The hacker will therefore have to know both your password and have access to the device used for the second connection step, which is almost impossible.
Among the extensions offering two-factor authentication we can find:
Most of these extensions work in pair with their own mobile application allowing you to manage the two-step authentication system and authorize the connection when a connection is initialized with this same system.
9. Hide the version of WordPress used
For each version of WordPress, there are flaws that hackers will be happy to exploit. To complicate the mission of these intruders a little, consider hiding the version of WordPress you are using.
The change is made at two levels: in the function.php file, as well as in the readme.html file . The latter is located at the root of your WordPress and must be deleted!Find out how to hide the WordPress version in our dedicated tutorial: how to protect WordPress from malicious attacks?
10. Prevent Folder Browsing
On a WordPress site, by default, folders are accessible to everyone. It is therefore imperative to block their access to better protect them.
To do this, you must modify the conditions of access via your .htaccess or opt for a plugin like Hide My WordPress .
11. Choose a secure web host
Security vulnerabilities will not necessarily come only from your site. They can sometimes come from your host. A large number of WordPress sites that have been hacked have been because of a security breach on the side of their host and not the security of the sites themselves.
It is therefore important to choose your host carefully.
For this you can already analyze the offers of the hosts according to 3 criteria:
- Do the host’s servers have a firewall and antivirus?
- Are automatic backups performed regularly?
- In the case of shared hosting, is each account isolated from other users so that an infected user does not infect others?
AttentionIf your current or future host does not respect at least these 3 key points, you can go your way and change to another host.
12. Protect the connection to your site with an SSL certificate (HTTPS)
You will surely have already seen the small padlock next to the url of a site and this url preceded by “HTTPS”. This is possible because the site in question holds an SSL certificate. This SSL certificate enables the HTTPS protocol which ensures a secure connection between the browser (client) and the web server .
This certificate is known to be important when the site offers a payment system directly on the site, however it is also useful for other reasons:
- In http, the data transferred between the server and the browser are not hidden and are transmitted in the clear. This is not the case when you use the HTTPS protocol for data transmission.
- The SSL certificate has an impact on your referencing (SEO). Google claims that this is a (slightly) determining factor for your positioning in searches.
- With the digital education which is more and more common, people have got into the habit of checking that the small padlock is present on the sites because they have often heard that it was a guarantee of security. Having an SSL certificate improves the trust people have in your website.
- In connection with the previous point, some web browsers like Chrome now display a ” Not secure ” mention in front of the URL of sites that do not have an SSL certificate. Worse, sometimes they can display a prevention page before accessing the site which can potentially scare off a large majority of visitors.
- For technical reasons, the HTTPS protocol is intended to be faster than HTTP. You may be able to improve the speed of your WordPress site simply by integrating an SSL certificate into it.
Do you want to install an SSL certificate and switch your WordPress to HTTPS? Follow our step-by-step tutorial !
13. Protect yourself against DDoS
DDOS is a denial of service attack, it consists of making a system (or website) inaccessible by targeting it with several systems simultaneously . In concrete terms, several systems (computers or servers) will try to perform actions at the same time on a specific target (a website for example) so that it becomes overloaded with requests until it can no longer manage them and ” crasher” rendering the target out of order.
To prevent this kind of attacks there are services (including a plugin) to configure on your WordPress site which will, thanks to their anti-DDoS protection, mitigate denial of service attacks.
Security is an important part that should not be overlooked when creating and maintaining your WordPress site. An intrusion into your database or your files by a hacker, and your website is quickly out of service… which can cost several hundred or even thousands of euros if your site is a source of income.
This is why it is essential to put in place the kind of best practices seen throughout this guide to reduce the potential risks of hacking.
To further secure your WordPress site, you can also follow our complete tutorial: How to protect WordPress from malicious attacks?