If you are currently running a WordPress website, without focusing on keeping your site code secure, you may be exposed to some serious problems.
It’s very important to know that WordPress security is not automatic.
If you check the WordPress Attack Report (October 2017) provided by Wordfence, you will certainly start thinking of ways to protect your WordPress blog/site. Also keep in mind that, in December 2017, WordPress websites were under the heaviest brute force attack on record.
2018 is the time for a consistent focus on digital protection.
That’s why we’ve prepared an infographic for you, including the most important security tips to have a strong start in 2018.
1. Don’t use 'Admin' as your administrator username
“Admin” or “admin” is the most common username for WordPress admin users. To make hackers’ lives a little more difficult, you should choose any other username instead of “admin” and pick one with capital letters. Since you already have a WordPress website, you should now:
- create a new user with administrator privileges
- if your previous “admin” user was your only user, assign all blog posts and pages to the new admin user you just created
- delete the old “admin” user from your WordPress
This will make it harder for attackers trying to log in to your website.
Do you want an easier method to change your admin username? Check the free version of the Hide My WP Ghost plugin.
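The three steps above (new administrator, reassign content, delete the old account) as one script, added here as an example and not taken from the post or from any plugin; it assumes WP-CLI is available and that the username and e-mail address are placeholders you replace.

```php
<?php
/**
 * Replace the default "admin" account with a new administrator.
 * Added example, not from the original post. Run it once with WP-CLI
 * (`wp eval-file replace-admin.php`) so WordPress is already loaded.
 * The username "SiteOwner2018" and the e-mail address are placeholders;
 * the e-mail must differ from the old admin's, or wp_insert_user() refuses it.
 */
require_once ABSPATH . 'wp-admin/includes/user.php'; // provides wp_delete_user()

$old = get_user_by( 'login', 'admin' );
if ( ! $old ) {
    WP_CLI::success( 'No "admin" user found; nothing to do.' );
    return;
}

$new_login = 'SiteOwner2018';     // placeholder: pick your own, with capitals
$new_email = 'owner@example.com'; // placeholder
// Random password with letters, digits and symbols, well above 15 characters.
$password = wp_generate_password( 24, true, true );

// Step 1: create the new user with administrator privileges.
$new_id = wp_insert_user( array(
    'user_login' => $new_login,
    'user_pass'  => $password,
    'user_email' => $new_email,
    'role'       => 'administrator',
) );
if ( is_wp_error( $new_id ) ) {
    WP_CLI::error( $new_id->get_error_message() ); // stops here
}

// Steps 2 and 3: the second argument reassigns every post and page owned by
// "admin" to the new account, then the old account is removed.
wp_delete_user( $old->ID, $new_id );

WP_CLI::success( "Created {$new_login}. Store this password in your manager: {$password}" );
```

Log out and back in with the new account immediately, since the session you ran this from belonged to the deleted user.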
2. Pick a strong password
The complexity of your password is another crucial issue. Do you know which passwords are most common? “123456”, “password”, “12345678”, “qwerty” and “123456789”.
Passwords are vital to your WordPress security and to cyber security in general. That’s why you need to start using passwords that have the following features:
- They contain no dictionary words, to prevent dictionary attacks
- They contain symbols and numbers
- They are at least 15 characters long
If you don’t know how to come up with a password that strong, just use a service like strongpasswordgenerator.com or a phonetic password generator. For password management you can try a service like LastPass, which is also able to generate strong, long passwords.
3. Disable login hints
Any time you enter a wrong, non-existent username or an incorrect password on your WordPress website’s login form, you’ll get a hint telling you either that the username is wrong or that the password doesn’t match that username.
It may never have occurred to you, but this is an opening for hackers looking to break into your website: the hint confirms which usernames actually exist.
If you wish to disable login hints in your WordPress login error messages, watch this video and it will guide you step by step.
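The same change done in code rather than by video, as an added example that is not part of the original post: a must-use plugin that returns one neutral message for every failed login and keeps the detail in the server log instead.

```php
<?php
/**
 * Plugin Name: Generic Login Errors
 * Added example (not from the original post): save this file as
 * wp-content/mu-plugins/generic-login-errors.php so it loads on every request.
 */

// WordPress normally answers with "Unknown username" or "The password you
// entered for the username X is incorrect". Replace both with one message so
// the form no longer confirms which usernames exist.
// Note: the same filter also covers the lost-password and registration forms,
// so their error messages become generic as well.
add_filter( 'login_errors', function ( $error ) {
    return 'Invalid username or password.';
} );

// Keep the detail for yourself: record failed attempts in the PHP error log,
// which visitors never see and where a brute force run stands out as a burst
// of lines from one address.
add_action( 'wp_login_failed', function ( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'WP login failed for "%s" from %s', sanitize_user( $username ), $ip ) );
} );
```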
4. Keep your WordPress environment updated
WordPress is free and it has been created by a community of developers. With each new release, they fix bugs, add new features, improve security, improve performance, and enhance existing features to stay up to date with new industry standards.
This link provides step-by-step instructions on how to update your WordPress version.
Here’s a list of other things to keep in mind:
- Keep plugins and themes up-to-date
- Delete any plugins or themes you’re not using
- Make sure you download plugins and themes exclusively from well-known sources
5. Disable trackbacks
WordPress has a feature, which is enabled by default, that allows websites to send and receive trackbacks and pingbacks. This is a method for alerting other sites that you have linked to them.
Unfortunately, 99% of them are pure spam, so it’s best if you just disable them entirely from your WordPress settings. Find out how to disable trackbacks by watching this video.
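For sites where you prefer code to settings screens, here is an added example (not from the original post) that turns pingbacks and trackbacks off at every point WordPress exposes them: the XML-RPC method, the advertising header, the per-post flag and the two Discussion options.

```php
<?php
/**
 * Plugin Name: Disable Pingbacks and Trackbacks
 * Added example (not from the original post): save as
 * wp-content/mu-plugins/disable-pingbacks.php.
 */

// 1. Stop accepting pingbacks over XML-RPC, the channel used both for
//    trackback spam and for pingback-based reflection attacks on other sites.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Stop advertising the pingback endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Treat every post as closed to pings, regardless of its per-post setting.
add_filter( 'pings_open', '__return_false', 20 );

// 4. Align the Settings > Discussion options: new posts default to closed and
//    the site stops sending pingbacks to the pages you link to.
add_action( 'init', function () {
    if ( 'closed' !== get_option( 'default_ping_status' ) ) {
        update_option( 'default_ping_status', 'closed' );
    }
    if ( get_option( 'default_pingback_flag' ) ) {
        update_option( 'default_pingback_flag', 0 );
    }
} );
```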
6. Secure the Name of the WordPress admin & login paths
During the installation process, WordPress creates two default login URLs.
- wp-admin.php
- wp-login.php
This happens during every WordPress installation. Since these predictable login URLs are a potential security risk, many webmasters change their login page. Changing the login URL protects against the most common type of website security breach, the brute force attack.
To sum it up:
- Username – don’t choose something obvious, like “admin.”
- Password – again, avoid the obvious and go for a complex password.
- Your login URL – the gateway to the WordPress dashboard.
How do you change URLs?
This can be very simple if you use a plugin like Hide My WP Ghost.
You will be able to hide the fact that you are using WordPress as a bonus.
7. Prevent directory browsing (indexing)
Some WordPress folders contain data that needs to be secure. For example, the wp-content folder contains your themes, plugins and media uploads.
Anyone can simply surf through those media files, and hackers can find potential exploits there. So we need to make the hacker’s job more difficult by disabling directory browsing.
If you want more information on the importance of disabling the directory browsing or on how to do it, please check this link.
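An added example, not from the original post, that finds which directories under wp-content would produce a listing and can stub them with the same placeholder file WordPress itself ships; it assumes the default layout with wp-content in the site root.

```php
<?php
/**
 * Check that wp-content and its sub-directories cannot be browsed.
 * Added example (not from the original post). Run from the site root with
 * `php check-indexes.php`, or via `wp eval-file check-indexes.php`.
 */

// WordPress ships an empty index.php ("Silence is golden") in wp-content,
// wp-content/plugins and wp-content/themes, so a request for the directory
// returns a blank page instead of a listing. uploads/ and anything you add
// yourself get no such file; this walks the tree and reports the gaps.
function find_browsable_dirs( string $root ): array {
    $missing = [];
    if ( ! file_exists( $root . '/index.php' ) ) {
        $missing[] = $root;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $it as $path => $info ) {
        if ( $info->isDir() && ! file_exists( $path . '/index.php' ) ) {
            $missing[] = $path;
        }
    }
    return $missing;
}

// Writes the same placeholder WordPress uses, so no listing is produced even
// where "Options -Indexes" (Apache) or "autoindex off" (nginx) is not set.
// That server-level setting remains the real fix; this is defence in depth.
function add_index_stubs( array $dirs ): int {
    $written = 0;
    foreach ( $dirs as $dir ) {
        if ( file_put_contents( $dir . '/index.php', "<?php\n// Silence is golden.\n" ) !== false ) {
            $written++;
        }
    }
    return $written;
}

$root = defined( 'WP_CONTENT_DIR' ) ? WP_CONTENT_DIR : __DIR__ . '/wp-content';
$dirs = find_browsable_dirs( $root );
printf( "%d browsable directories found under %s\n", count( $dirs ), $root );
foreach ( $dirs as $dir ) {
    echo "  $dir\n";
}
// To fix them, run: printf( "%d stubs written\n", add_index_stubs( $dirs ) );
```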
8. Download plugins only from known sources
WordPress plugins are “treasures” that everybody wants to use. Be aware that a plugin might sometimes harm your site, though.
Before downloading any plugin, always check the comments and reviews, whether support is available, and whether the author responds quickly.
Bonus Tips
9. Hide the common WordPress paths
Hiding the common paths can save you from a lot of hacker attacks. Being able to cover up the common paths is critical, because it keeps intruders away from sensitive website data.
You can do this manually, but I think it is difficult if you are not a specialist, and you can do a lot of harm to your site. Alternatively, change them through a WP plugin like Hide My WordPress Ghost.
10. Use 2-factor authentication for login
Two-factor authentication (TFA) provides an additional layer of security, as it requires two successive factors: ‘something you know’ (your password) and ‘something you have access to’ (your mobile phone, for example). There are several methods of 2-factor authentication to choose from.
You can learn more about 2-factor authentication from securitymetrics.
To efficiently implement two-factor authentication on your WordPress website, you should use one of the many plugins available. Two interesting plugins that give a “twist” to TFA are Rublon, which also offers email-based two-factor authentication, and Clef, which uses the camera of your phone.
Conclusion
WordPress is the most popular CMS on the web and is now powering over 26.5% of all websites. Since it holds such a large piece of the market share, it brings additional security concerns and increases your risk of attack when vulnerabilities are discovered.
In conclusion, WordPress security strategies are so important because they protect your business.
Once you start implementing security strategies, you’re going to win in the long run.
What WordPress security strategy did you use last year?
good list
Nice post. I have been checking this weblog constantly and
I’m impressed! Extremely useful information, particularly the
final section 🙂 I deal with such info a lot. I had been seeking this particular info for
a long time. Thank you and good luck.
I visit a few sites every day to read posts, but this
website presents quality-based posts.
Thank you a bunch for sharing this with all of us; you really realize what you’re talking about! Kindly also discuss with my site =).
Thanks for publishing this awesome article. I’m a long time reader but I’ve never been compelled
to leave a comment. I subscribed to your
blog and shared this on my Facebook. Thanks again for a great post!
Great site you have got here. It’s difficult to find quality writing like yours nowadays.
I honestly appreciate people like you! Take care!!
Howdy! Quick question that’s entirely off topic.
Do you know how to make your site mobile friendly? My weblog
looks weird when viewed from my iPhone 4. I’m trying to find a template or plugin that might be able to resolve this issue.
If you have any recommendations, please share. Many thanks!
Thanks for sharing your thoughts on WordPress attacks.
Regards