By Allan Jay Dumanhug
WordPress is the most popular Content Management System (CMS) used by nearly 75 million websites.
According to WordPress, over 409 million people view more than 23.7 billion pages each month, and users produce about 83.1 million new posts and 44.5 million new comments each month. (WordPress Activity)
Unfortunately, according to one statistic, of the 40,000+ WordPress websites in the Alexa Top 1 Million, more than 70% of WordPress installations are vulnerable to hacking attacks.
With that said, here are some security tips that can help you protect your WordPress website.
Limit Login Attempts
Brute force is one of the most common attacks hackers use. If you let them, they will keep trying to log in to your WordPress website until they figure out your password. Fortunately, security plugins like Login LockDown let you limit the number of login attempts from a specific IP address.
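To show what "limiting login attempts per IP address" looks like inside WordPress, here is an added example written for this page; it is not the Login LockDown plugin's code. It assumes the file is dropped into wp-content/mu-plugins/ (the file name limit-login-attempts.php is hypothetical), that Apache or nginx talks to PHP directly with no reverse proxy in between (so REMOTE_ADDR is the real client address), and that WordPress transients are shared by all PHP workers (the options table or a persistent object cache). The hook names and helper functions used (wp_login_failed, authenticate, wp_login, get_transient, set_transient, delete_transient, WP_Error) are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter
 *
 * Added example for this article, not the Login LockDown plugin's code.
 * Install as a must-use plugin: wp-content/mu-plugins/limit-login-attempts.php
 * (hypothetical file name). Assumes no reverse proxy in front of PHP, so
 * $_SERVER['REMOTE_ADDR'] is the real client address.
 */

const EXAMPLE_LLA_MAX_ATTEMPTS = 5;       // failed logins allowed per window
const EXAMPLE_LLA_WINDOW       = 15 * 60; // window and lockout length, in seconds

/**
 * Counter key for the client address. REMOTE_ADDR is filled in by the web
 * server itself, so (unlike X-Forwarded-For) a client cannot forge it.
 * Behind a proxy you would use the proxy's trusted header here instead.
 */
function example_lla_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'example_lla_' . md5( $ip );
}

/** Record a failed login and note the lockout in the server error log. */
function example_lla_record_failure( $username ): void {
    $key      = example_lla_key();
    $failures = (int) get_transient( $key ) + 1;
    // Writing the transient again also restarts its expiry, so the lockout
    // extends for as long as the address keeps trying.
    set_transient( $key, $failures, EXAMPLE_LLA_WINDOW );

    if ( $failures >= EXAMPLE_LLA_MAX_ATTEMPTS ) {
        error_log( sprintf(
            'login lockout for %s after %d failures (username "%s")',
            $_SERVER['REMOTE_ADDR'] ?? '?',
            $failures,
            $username
        ) );
    }
}
add_action( 'wp_login_failed', 'example_lla_record_failure' );

/**
 * Refuse authentication while the address is locked out. Priority 30 runs
 * after WordPress's own username/password check (priority 20), so a locked
 * address gets the same error whether or not the password was correct;
 * the attacker learns nothing about the password from the response.
 */
function example_lla_check( $user, $username, $password ) {
    $failures = (int) get_transient( example_lla_key() );
    if ( $failures >= EXAMPLE_LLA_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.', EXAMPLE_LLA_WINDOW / 60 )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_lla_check', 30, 3 );

/** A successful login clears the counter for that address. */
function example_lla_clear( $user_login, $user ): void {
    delete_transient( example_lla_key() );
}
add_action( 'wp_login', 'example_lla_clear', 10, 2 );
```

The trade-off to keep in mind with any per-address limiter is that many legitimate users can share one address (an office NAT, a mobile carrier), so a lockout on the address also locks them out; keep the window short, and check the server error log entries the example writes before raising the limits.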
Avoid Using Many Plugins
You do not need several plugins that perform the same task on your website. Use only the most recently updated and most downloaded plugin for each task.
Back Up Your Website Often
Seriously, it doesn’t matter how secure your WordPress website is; you should always back up your website. There are many WordPress plugins that can help you keep a regular backup, such as
Consider Automatic Core Updates
If you’re running an old WordPress version, all of the security issues of that version are common knowledge to the public. That means hackers can easily use those known loopholes to attack your outdated WordPress website. You can insert a few lines of code into your wp-config.php file to configure your WordPress website to install major core updates automatically.
Delete any plugins or themes you’re not using
Deactivating WordPress plugins isn’t enough; you must DELETE them. Removing plugins you don’t need will reduce the probability of being hacked.
Don’t use “Admin” as your username
“admin” is the most used username on WordPress, and most hackers try to get your password by running a brute force attack against the “admin” username. Luckily, you can easily change your “admin” username in your database after installing WordPress.
Eliminate PHP Error Reporting or Turn off the DEBUG Mode
If a plugin doesn’t work correctly, PHP may display an error message publicly. Error messages are definitely helpful for the website owner when troubleshooting. The problem is that these error messages sometimes reveal sensitive information, such as the full server path. Add the code below to your wp-config file to eliminate PHP error reporting.
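The wp-config.php lines this tip refers to, as an added example for this page rather than the author's original snippet. WP_DEBUG, WP_DEBUG_DISPLAY and WP_DEBUG_LOG are real WordPress constants; the log file path is a hypothetical placeholder, and the only assumption is that the lines are placed above the "That's all, stop editing!" comment that every wp-config.php carries.

```php
<?php
// Added example for wp-config.php (not the article's original snippet).
// Put these lines above the "/* That's all, stop editing! */" comment.

// Keep WordPress's debug mode off on a live site. With it on, notices and
// warnings (which usually include the full server path) are rendered
// straight into the HTML that every visitor receives.
define( 'WP_DEBUG', false );

// Belt and braces: even with WP_DEBUG off, make sure PHP never prints
// errors into the page. wp-config.php runs before WordPress sets up its
// own error handling, so this ini_set() is honoured.
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', 0 );

// If you still want the details for troubleshooting, send them to a file
// instead. WP_DEBUG_LOG only takes effect while WP_DEBUG is true, so on a
// live site use PHP's own log settings. The path is a hypothetical example;
// pick one OUTSIDE the web root, because the WordPress default
// (wp-content/debug.log) is itself downloadable if listing is not blocked.
@ini_set( 'log_errors', 1 );
@ini_set( 'error_log', '/var/log/php/wordpress-errors.log' );
```

A quick check after saving the file: request a page that triggers a deliberate notice on a staging copy, and confirm the message appears in the log file and not in the browser.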
Enable Two-Factor Authentication Login
One of the best ways to protect your WordPress website from brute force attacks is to enable Two-Factor Authentication (2FA). After you successfully type in your username and password, 2FA requires you to enter a randomly generated code sent to your mobile phone or email address. You may also use the Google Authenticator plugin.
Ensure Scripts, Plugins, and Themes are Up-to-Date
Keeping everything updated is another way to protect your WordPress website from potential attacks. You can insert a few lines of code into your wp-config.php file to configure your WordPress website to auto-update plugins and themes.
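One added example that covers both update tips above (automatic core updates and automatic plugin and theme updates); it is written for this page and is not the author's original snippet. The constant WP_AUTO_UPDATE_CORE and the filters auto_update_plugin and auto_update_theme are standard WordPress APIs. Part 1 goes in wp-config.php; Part 2 must go in a plugin file (for instance wp-content/mu-plugins/auto-updates.php, a hypothetical name), because add_filter() is not defined yet while wp-config.php is being read. The plugin slug in the allow-list is a hypothetical placeholder.

```php
<?php
// Added example (not the article's original code). Two parts, two files.

// ---- Part 1: wp-config.php ---------------------------------------------
// Core updates. Accepted values:
//   true    - install every core update (major and minor) automatically
//   'minor' - only minor/security releases (the WordPress default)
//   false   - never update core automatically; you must patch by hand
define( 'WP_AUTO_UPDATE_CORE', true );

// ---- Part 2: wp-content/mu-plugins/auto-updates.php --------------------
// Before installing a plugin or theme update, WordPress asks these filters
// whether the item may be updated automatically. The one-liner form opts
// every plugin in:
//     add_filter( 'auto_update_plugin', '__return_true' );
// The function below does the same, but keeps a short list of plugins you
// would rather test by hand first (a payment gateway, a custom integration).
function example_auto_update_plugin( $update, $item ) {
    // $item->plugin is the plugin's main file relative to wp-content/plugins/.
    $manual = [ 'my-payment-gateway/my-payment-gateway.php' ]; // hypothetical slug
    if ( isset( $item->plugin ) && in_array( $item->plugin, $manual, true ) ) {
        return false; // leave this one to a person
    }
    return true;
}
add_filter( 'auto_update_plugin', 'example_auto_update_plugin', 10, 2 );

// Themes rarely carry that kind of risk; opt all of them in.
add_filter( 'auto_update_theme', '__return_true' );
```

Automatic updates run from WP-Cron, so they only happen when the site gets traffic (or when a real cron job calls wp-cron.php); after enabling them, watch the "Updates" screen for a few days to confirm the versions actually move, and keep the backup tip above in mind, since an update that breaks a plugin is far easier to recover from with a fresh backup on hand.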
Install Security Plugins
You should also install security plugins to protect your WordPress website from different kinds of security threats. These are the most used security plugins: Wordfence Security, iThemes Security, and All In One WP Security & Firewall.
Protect Your Sensitive Files and Directories Using .htaccess
Implementing this tip can have a huge impact on your entire website’s security. You may insert the code below in your .htaccess file to prevent public users from viewing your website’s directory listings.
Secure The wp-config.php File
The wp-config.php file contains the confidential information of your WordPress website. It is one of the most important files on your website, so make sure it is secure. To protect this file, add the code below to your .htaccess file.
Secure the traffic to your WordPress website with a free shared SSL certificate from Cloudflare. You may also use the free SSL certificate from Let’s Encrypt.
Allan Jay Dumanhug is the co-founder and Chief Information Security of Secuna, a startup security company that focuses on web application penetration testing services and on spreading cybersecurity awareness and education. You can read more about them here.
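An added .htaccess fragment covering both of the preceding tips (blocking directory listings and shielding wp-config.php); it is written for this page and is not the author's original snippet. It assumes Apache with .htaccess overrides enabled for the WordPress directory (AllowOverride covering Options and Limit/AuthConfig), and it leaves the WordPress-generated "# BEGIN WordPress ... # END WordPress" rewrite block untouched.

```apache
# Added example .htaccess fragment (not the article's original code).
# Place it in the WordPress root, outside the "# BEGIN WordPress" block.

# 1. Directory listings. Folders without an index file, such as
#    wp-content/uploads/ and wp-content/plugins/, would otherwise show
#    their contents to anyone, which hands an attacker your plugin list.
Options -Indexes

# 2. wp-config.php holds the database credentials and the salts. PHP must
#    be able to read it, but it must never be served to a browser. The
#    regex is deliberately unanchored at the end so that leftover copies an
#    editor or deploy tool creates (wp-config.php.bak, wp-config.php~),
#    which Apache would serve as plain text, are blocked as well.
#    Both the Apache 2.4 and the older 2.2 syntax are included.
<FilesMatch "^wp-config\.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

Two checks after saving: the site must still load (if the host does not permit the Options directive in .htaccess, Apache answers every request with a 500 error, and the line has to be removed), and a direct request for /wp-config.php or /wp-content/uploads/ from a browser should now return 403 Forbidden.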