If you are running a WordPress website without paying attention to keeping it secure, you may be exposed to some serious problems.
It is important to understand that WordPress security is not automatic.
If you read the WordPress Attack Report (October 2017) published by Wordfence, you will certainly start thinking about ways to protect your WordPress blog or site. Keep in mind, too, that in December 2017 WordPress websites were hit by the most intense brute-force attack campaign observed up to then.
2018 is the time for a consistent focus on digital protection.
That’s why we have prepared an infographic for you with the most important security tips for a strong start to 2018.
1. Don’t use “Admin” as your administrator username
“Admin” or “admin” is the most common username for WordPress administrator accounts, and it is the first one a brute-force tool will try. To make an attacker’s life a little harder, choose any other username; WordPress allows mixed case, so pick one with capital letters. Since you already have a WordPress website, you should now:
- create a new user with administrator privileges
- if your old “admin” user was your only user, assign all blog posts and pages to the new administrator you just created (WordPress offers this reassignment when you delete a user; without it the old user’s posts are deleted too)
- delete the old “admin” user from your WordPress
This makes it harder for attackers to guess a valid login. Keep in mind that the username is only half of the credential: WordPress still exposes it in places such as author archive URLs, so this step raises the cost of a guess but is no substitute for a strong password.
Do you want an easier way to change your admin username? Check the free version of the Hide My WP plugin.
2. Pick a strong password
The complexity of your password is another crucial issue. Do you know which passwords are the most common? “123456”, “password”, “12345678”, “qwerty” and “123456789”.
Passwords are vital to your WordPress security and to cyber security in general. That’s why you need to start using passwords with the following properties:
- They contain no dictionary words, to resist dictionary attacks
- They contain symbols and numbers
- They are at least 15 characters long
If you don’t know how to come up with a password that strong, use a service such as strongpasswordgenerator.com or a phonetic password generator. For password management you can try a service such as LastPass, which can also generate long, strong passwords for you.
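The procedure from section 1 and the password rules from section 2, as one added example written for this page (it is not code from the article or from the Hide My WP plugin). It uses only WordPress core functions; the function names, the meta of the new account and the sample logins in the usage note are assumptions.

```php
<?php
/**
 * Added example (not from the original article): replace a default "admin"
 * administrator with a new account that has a CSPRNG-generated password,
 * hand the old account's content to the new one, then delete the old account.
 * Run it once, e.g. with `wp eval-file` or as a temporary mu-plugin.
 */

// Generate a random password that meets the article's three rules:
// no dictionary words, digits and symbols present, at least 15 characters.
function wpsec_generate_password( int $length = 20 ): string {
    $letters = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ'; // no l/I/O/0 look-alikes
    $digits  = '23456789';
    $symbols = '!@#$%^&*()-_=+[]{};:,.?';
    $all     = $letters . $digits . $symbols;
    $length  = max( 15, $length );
    do {
        $password = '';
        for ( $i = 0; $i < $length; $i++ ) {
            $password .= $all[ random_int( 0, strlen( $all ) - 1 ) ]; // random_int() is a CSPRNG (PHP 7+)
        }
        // Re-draw in the rare case the draw contains no digit or no symbol.
    } while ( ! preg_match( '/\d/', $password ) || ! preg_match( '/[^A-Za-z0-9]/', $password ) );
    return $password;
}

// Returns array( 'id' => int, 'password' => string ) on success, WP_Error otherwise.
function wpsec_replace_admin_user( string $old_login, string $new_login, string $email ) {
    $old = get_user_by( 'login', $old_login );
    if ( ! $old ) {
        return new WP_Error( 'no_such_user', "No user named $old_login" );
    }
    if ( username_exists( $new_login ) || email_exists( $email ) ) {
        return new WP_Error( 'exists', 'New login or e-mail address is already in use' );
    }

    $password = wpsec_generate_password();
    $new_id   = wp_insert_user( array(
        'user_login' => $new_login,
        'user_pass'  => $password,   // hashed by wp_insert_user()
        'user_email' => $email,
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $new_id ) ) {
        return $new_id;
    }

    // wp_delete_user() lives in wp-admin; load it when running outside the admin.
    require_once ABSPATH . 'wp-admin/includes/user.php';
    // The second argument reassigns posts and links; without it they are deleted.
    if ( ! wp_delete_user( $old->ID, $new_id ) ) {
        return new WP_Error( 'delete_failed', "Could not delete $old_login" );
    }
    return array( 'id' => $new_id, 'password' => $password );
}
```

Call it once as `wpsec_replace_admin_user( 'admin', 'Editorial.Lead', 'ops@example.com' )` (sample values), store the returned password in your password manager, and then sign in with the new account before closing the session that ran it. On a multisite network `wp_delete_user()` only removes the user from the current site; use `wpmu_delete_user()` there.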
3. Disable login hints
Any time you enter wrong credentials on your WordPress login form, whether a non-existent username or an incorrect password, WordPress tells you which one was wrong: either that the username is unknown, or that the password does not match that username.
It may never have occurred to you, but this is a gift to attackers trying to break into your website: it lets them confirm which usernames exist before they start guessing passwords.
If you wish to disable login hints in your WordPress login error messages, watch this video and it will guide you step by step.
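The same result in code, as an added example that is not from the article or from any plugin it names: a filter on WordPress’s `authenticate` hook that replaces the revealing error codes core sets with one generic message, while leaving other errors (empty fields, plugin-specific checks) untouched. Save it as a file in wp-content/mu-plugins/; the file and function names are assumptions.

```php
<?php
/**
 * Added example (not from the original article): collapse the username/password
 * hints WordPress shows on a failed login into one generic message.
 * Drop this file into wp-content/mu-plugins/ (e.g. wpsec-login-errors.php).
 */

// Error codes set by core's authentication handlers; each one reveals something
// about whether the account exists.
function wpsec_revealing_error_codes(): array {
    return array(
        'invalid_username',   // "Unknown username"
        'incorrect_password', // "The password you entered for the username X is incorrect"
        'invalid_email',      // "Unknown email address" (login by e-mail)
    );
}

function wpsec_generic_login_error( $user, $username, $password ) {
    if ( ! is_wp_error( $user ) ) {
        return $user; // authenticated, or still undecided: nothing to hide
    }
    foreach ( $user->get_error_codes() as $code ) {
        if ( in_array( $code, wpsec_revealing_error_codes(), true ) ) {
            // Same text whether the username or the password was wrong.
            return new WP_Error( 'invalid_credentials', __( 'Invalid username or password.' ) );
        }
    }
    return $user; // keep other errors, e.g. empty_username / empty_password
}
// Priority 30 runs after core's wp_authenticate_username_password (priority 20).
add_filter( 'authenticate', 'wpsec_generic_login_error', 30, 3 );
```

Test it by submitting a made-up username and then a real username with a wrong password: both attempts should now show the identical message. Note the limits: the lost-password form has its own messages, and a determined attacker can still enumerate usernames through other WordPress features, so treat this as one layer among several.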
4. Keep your WordPress environment updated
WordPress is free and is developed by a community of developers. With each new release they fix bugs, add features, improve security and performance, and bring existing features up to date with new industry standards. Many of those fixes close publicly disclosed vulnerabilities, so an outdated site is an easy target.
In this link you will find step-by-step instructions on how to update your WordPress version.
Here is a list of other things to keep in mind:
- Keep plugins and themes up to date
- Delete any plugins or themes you are not using; inactive code can still be reached and exploited
- Download plugins and themes only from well-known sources
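One way to enforce the three points above in code rather than by habit, as an added example that is not from the article: a mu-plugin that opts the site into automatic updates for core, plugins and themes, and shows administrators a notice listing everything that is installed but not in use so it can be deleted. Function names and the notice text are assumptions; the `WP_AUTO_UPDATE_CORE` constant normally belongs in wp-config.php and is shown here for completeness.

```php
<?php
/**
 * Added example (not from the original article): automatic updates for
 * core, plugins and themes, plus an admin notice listing unused plugins and
 * themes. Save as wp-content/mu-plugins/wpsec-updates.php (name is an assumption).
 */

// Core auto-updates minor (security) releases by default; `true` also takes majors.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
    define( 'WP_AUTO_UPDATE_CORE', true );
}
// Plugins and themes are not auto-updated unless these filters say so.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Plugins that are installed but active neither on this site nor network-wide.
function wpsec_inactive_plugins(): array {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $inactive = array();
    foreach ( get_plugins() as $file => $data ) {
        if ( ! is_plugin_active( $file ) ) {
            $inactive[ $file ] = $data['Name'] . ' ' . $data['Version'];
        }
    }
    return $inactive;
}

// Themes other than the active one and its parent (a child theme needs its parent).
function wpsec_inactive_themes(): array {
    $active   = wp_get_theme();
    $keep     = array( $active->get_stylesheet(), $active->get_template() );
    $inactive = array();
    foreach ( wp_get_themes() as $slug => $theme ) {
        if ( ! in_array( $slug, $keep, true ) ) {
            $inactive[ $slug ] = $theme->get( 'Name' ) . ' ' . $theme->get( 'Version' );
        }
    }
    return $inactive;
}

add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'delete_plugins' ) ) {
        return;
    }
    $items = array_merge( wpsec_inactive_plugins(), wpsec_inactive_themes() );
    if ( $items ) {
        echo '<div class="notice notice-warning"><p>Unused plugins/themes are still installed; delete them: '
            . esc_html( implode( ', ', $items ) ) . '</p></div>';
    }
} );
```

Automatic updates need WP-Cron (or a real cron job hitting wp-cron.php) and write access to the plugin directories; check Dashboard › Updates after the first run to confirm they are actually applying, and keep backups, since an update can also break a site.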
5. Disable trackbacks
WordPress has a feature, enabled by default, that lets websites send and receive trackbacks and pingbacks. It is a way of notifying other sites that you have linked to them.
Unfortunately, the overwhelming majority of incoming trackbacks and pingbacks are pure spam, so it is best to disable them entirely in your WordPress settings (Settings › Discussion). Find out how to disable trackbacks by watching this video.
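The same change applied in code, as an added example that is not from the article: it covers new posts (the two Discussion settings), existing posts (the `pings_open` filter, so old posts stop accepting trackbacks without editing every row), and the XML-RPC method through which inbound pingbacks arrive. Save it as a mu-plugin; the file name is an assumption.

```php
<?php
/**
 * Added example (not from the original article): turn off trackbacks and
 * pingbacks for new posts, existing posts and the XML-RPC endpoint.
 * Save as wp-content/mu-plugins/wpsec-no-pings.php (name is an assumption).
 */

// New posts: equivalent to unticking "Allow link notifications from other blogs"
// and "Attempt to notify any blogs linked to" in Settings > Discussion.
add_action( 'init', function () {
    if ( 'closed' !== get_option( 'default_ping_status' ) ) {
        update_option( 'default_ping_status', 'closed' );
    }
    if ( get_option( 'default_pingback_flag' ) ) {
        update_option( 'default_pingback_flag', '0' );
    }
} );

// Existing posts: wp-trackback.php and the XML-RPC pingback handler both call
// pings_open(), which consults this filter, so old posts are covered too.
add_filter( 'pings_open', '__return_false', 10, 2 );

// Inbound pingbacks are XML-RPC calls; remove just those methods and leave the
// rest of XML-RPC (used by the mobile apps, for example) alone.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the pingback endpoint in response headers and in <head>.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return 'pingback_url' === $show ? '' : $output;
}, 10, 2 );
```

To verify, open Settings › Discussion (both boxes should be unticked) and fetch any post with `curl -I`: the `X-Pingback` header should be gone.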
6. Secure the Name of the WordPress admin & login paths
During installation, WordPress sets up the same two login URLs on every site: /wp-login.php, and /wp-admin/, which redirects to it when you are not logged in.
Because these URLs are identical on every WordPress installation, brute-force tools know exactly where to aim, which is why many webmasters change their login page. Changing the login URL blunts the most common type of website attack, the brute-force login, but it hides the door rather than locking it: xmlrpc.php also accepts credentials unless you disable it, and a strong password still does the real work.
To sum up, an attacker needs three things:
- Username – don’t choose something obvious, like “admin.”
- Password – again, avoid the obvious and go for a complex password.
- Your login URL – the gateway to the WordPress dashboard.
How do you change the URL?
This is very simple if you use a plugin like Hide My WP.
As a bonus, you will also be able to hide the fact that you are using WordPress.
7. Prevent directory browsing (indexing)
Some WordPress folders contain data that should not be exposed. For example, the wp-content folder holds your themes, plugins and media uploads.
If directory listing is enabled on the web server, anyone can browse those folders, read off plugin and theme names and versions, and look up known exploits against them. Make the attacker’s job harder by disabling directory browsing.
If you want more information on why directory browsing should be disabled, or on how to do it, please check this link.
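The Apache setting behind this, as an added example that is not from the article: the weak setting beside the fix, for a .htaccess file in the WordPress document root (placement is an assumption; it requires `AllowOverride Options` in the vhost, otherwise put the same line in the vhost configuration). On nginx the equivalent is `autoindex off;` in the server block.

```apache
# Added example (not from the original article): directory listing in Apache.
# mod_autoindex serves a listing for any directory that has no index file,
# such as wp-content/uploads/, whenever Indexes is enabled.

# Weak: listings allowed (explicitly, or inherited from the server config)
# Options +Indexes

# Fix: refuse listings; a request for a bare directory now returns 403
Options -Indexes
```

Verify with `curl -i https://example.com/wp-content/uploads/` (hostname assumed): before the change you get a 200 with an HTML listing, afterwards a 403.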
8. Download plugins only from known sources
WordPress plugins are “treasures” that everybody wants to use, but be aware that a plugin can also harm your site: it runs with the same privileges as WordPress itself.
Before installing any plugin, always check its reviews and ratings, whether it is actively supported, when it was last updated, and whether the author responds to questions.
9. Hide the common WordPress paths
Hiding the common WordPress paths (wp-admin, wp-content, wp-includes) can save you from a lot of automated attacks, because scanners look for those paths to identify WordPress sites and the plugins they run. Bear in mind that this is obscurity: a vulnerable plugin is just as vulnerable at its new path, so keep updating.
You can do this manually, but it is difficult if you are not a specialist and you can do a lot of harm to your site. Alternatively, change the paths with a plugin such as Hide My WP.
10. Use 2-factor authentication for login
Two-factor authentication (2FA) provides an additional layer of security, because it requires two separate factors: ‘something you know’ (your password) and ‘something you have’ (your mobile phone, for example). A stolen or guessed password alone is then not enough to log in. Several 2FA methods exist, from one-time codes generated by an app to hardware keys.
You can learn more about two-factor authentication from SecurityMetrics.
To implement two-factor authentication on your WordPress website efficiently, you should use one of the many plugins available. Two plugins that give a “twist” to 2FA are Rublon, which offers e-mail-based two-factor authentication, and Clef, which used the camera of your phone; note that Clef was discontinued in 2017, so pick a plugin that is still maintained.
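To show what such a plugin does under the hood, here is an added example (not from the article or from any plugin it names) of a minimal second factor for wp-login.php: a time-based one-time password check (RFC 6238, the scheme behind Google Authenticator and similar apps). It assumes the per-user secret is stored base32-encoded in the user meta key `wpsec_totp_secret`, and that the code arrives in a login-form field named `wpsec_totp`; those names, the function names and the file name are assumptions. Enrolment (generating the secret and showing the QR code) is left out.

```php
<?php
/**
 * Added example (not from the original article): TOTP second factor for
 * wp-login.php. Save as wp-content/mu-plugins/wpsec-totp.php (name assumed).
 * Test vector: secret "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ" (base32 of the
 * ASCII string "12345678901234567890") at Unix time 59 gives code 287082.
 */

function wpsec_base32_decode( string $b32 ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits     = '';
    foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $c ) {
        $v = strpos( $alphabet, $c );
        if ( false === $v ) {
            return ''; // invalid character
        }
        $bits .= str_pad( decbin( $v ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( 8 === strlen( $byte ) ) {
            $out .= chr( bindec( $byte ) );
        }
    }
    return $out;
}

// HOTP (RFC 4226) for one counter value; TOTP is HOTP over floor(time / 30).
function wpsec_hotp( string $key, int $counter, int $digits = 6 ): string {
    $hmac   = hash_hmac( 'sha1', pack( 'J', $counter ), $key, true ); // 'J' = 64-bit big-endian
    $offset = ord( $hmac[19] ) & 0x0F;                                // dynamic truncation
    $code   = unpack( 'N', substr( $hmac, $offset, 4 ) )[1] & 0x7FFFFFFF;
    return str_pad( (string) ( $code % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// Accept the current 30-second step and one step either side for clock drift.
function wpsec_totp_valid( string $b32_secret, string $code, ?int $now = null ): bool {
    $key = wpsec_base32_decode( $b32_secret );
    if ( '' === $key || ! preg_match( '/^\d{6}$/', $code ) ) {
        return false;
    }
    $step = intdiv( $now ?? time(), 30 );
    foreach ( array( -1, 0, 1 ) as $d ) {
        if ( hash_equals( wpsec_hotp( $key, $step + $d ), $code ) ) { // constant-time compare
            return true;
        }
    }
    return false;
}

// Extra field on the login form.
add_action( 'login_form', function () {
    echo '<p><label>Authentication code<br>'
        . '<input type="text" name="wpsec_totp" autocomplete="one-time-code" inputmode="numeric" class="input"></label></p>';
} );

// Priority 40: runs after core has verified the password (priority 20).
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( ! $user instanceof WP_User ) {
        return $user; // password already rejected; do not reveal which factor failed
    }
    $secret = get_user_meta( $user->ID, 'wpsec_totp_secret', true );
    if ( '' === $secret ) {
        return $user; // not enrolled; in production require enrolment for administrators
    }
    $code = isset( $_POST['wpsec_totp'] ) ? trim( (string) wp_unslash( $_POST['wpsec_totp'] ) ) : '';
    if ( ! wpsec_totp_valid( $secret, $code ) ) {
        return new WP_Error( 'invalid_totp', __( 'Invalid username, password or authentication code.' ) );
    }
    return $user;
}, 40, 3 );
```

Two things to know before relying on it: the `authenticate` filter also runs for XML-RPC and other password logins, which have no form field, so enrolled users are locked out of those paths (usually what you want), and a real deployment needs rate limiting on the code field, since a six-digit code with a three-step window is guessable without it.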
WordPress is the most popular CMS on the web, now powering over 26.5% of all websites. Because it holds such a large share of the market, it is a favourite target, and your risk rises quickly whenever a vulnerability in core, a plugin or a theme is discovered.
In conclusion, WordPress security strategies are important because they protect your business.
Once you start implementing them, you will win in the long run.
What WordPress security strategy did you use last year?
I have over 10 years’ experience in building plugins and themes for WordPress and other platforms.
Contact me if you have plugins that you want me to check before you install them on your website. I will be happy to check them for security and speed.
Latest posts by John Darrel
- 10 Fast and Easy WordPress Security Hacks You Need to Implement Today - February 14, 2018