10 Expert tips to help you secure your WordPress website

WordPress is the most popular content management system (CMS), and according to the website CodeInWpWordPress powers almost 40 % of all the websites in the world. It's only natural that hackers are starting to target WordPress sites specifically. No matter what type of content your site provides, you're not immune. If you don't take certain precautions, you run the risk of having your website hacked. As with anything technology-related, you need to check the security of your website.
In this tutorial, we'll share our top 10 tips for keeping your WordPress site secure.

 

Choose a good web host

The easiest way to secure your site is to use a hosting provider that offers several levels of security.
It may seem tempting to opt for a cheap hosting provider, but don't neglect the quality of your web hosting. Choose a hosting provider with DDos protection, a WAF (Firewall) and anti-spam & malware solutions. Why is it so important to protect your website? Because your data could be completely erased, and your url could start to be redirected to another location.
By paying a little more for a quality hosting provider, additional layers of security are automatically assigned to your website. Another advantage is that by using a good WordPress hosting provider, you can speed up your WordPress site considerably.
Although there are many hosting providers, we recommend Closte, WPX, Kinsta, and WPEngine. They offer a host of security features, including daily malware scans and access to 24/7/365 support. And best of all, they're reasonably priced too.

 

Avoid using Nulled themes or extensions

Premium WordPress themes look more professional and have more customization options than a free theme. Premium themes are coded by highly skilled developers and are tested to pass several WordPress checks as soon as they are released. There are no restrictions on how you can customize your theme, and you'll get full support if something goes wrong with your site. And best of all, you'll benefit from regular theme updates.
But there are a few sites that offer Nulled or Cracked themes. A Nulled or cracked theme is a pirated version of a premium theme, available through illegal means. They're also very dangerous for your site. These themes contain hidden malicious code, which can destroy your site and database, or record your administrator credentials.
Although it may be tempting to save a few euros, always avoid Nulled themes for your own safety.

 

Install a WordPress security plugin

Regularly checking your website's security for malware is time-consuming work and, unless you regularly update your knowledge of coding practices, you may not even realize that malware is embedded in the code. Fortunately, others have realized that not everyone is a developer and have implemented WordPress security plugins to help them. These plugins ensure your site's security, scan for malware and monitor your site 24/7 to regularly check what's happening on your site.
Sucuri.net is an excellent security plugin for WordPress. It offers security activity auditing, file integrity checking, remote malware scanning, blacklist control, effective security enforcement, post-hack security actions, security notifications and even a website firewall (for an additional fee).

 

Use a strong password

Passwords are a very important element of website security, and are unfortunately often neglected. If you use a simple password, such as "123456, abc123, password", you should change it immediately to avoid falling victim to an attack. Bruteforce. If this password is easy to remember, it's also extremely easy to guess. An advanced user can easily crack your password and gain access without too much trouble.
It's important that you use a complex password, or better still, an automatically generated password with a variety of numbers, nonsense letter combinations and special characters like % or ^.

 

Disable file editing

When you're setting up your WordPress site, your dashboard includes a code editing function that lets you modify your theme and plugin. You can access it by going to Appearance>Editor. You can also find the plugin editor by going to Plugins>Editor.
Once your site is online, we recommend that you disable this function. If hackers gain access to your WordPress admin panel, they can inject subtle, malicious code into your theme and plugin. Often, the code will be so subtle that you won't notice anything wrong until it's too late.
To disable the ability to modify plugins and the theme file, simply paste the following code into your wp-config.php file.
define('DISALLOW_FILE_EDIT', true) ;

 

Installing the SSL certificate

Today, the SSL (Single Sockets Layer) protocol is advantageous for all kinds of websites. Initially, SSL was required to secure a site for specific transactions, such as payment processing. Today, however, Google has recognized its importance and gives sites with an SSL certificate a higher ranking in its search results.
SSL is mandatory for all sites handling sensitive information such as passwords or credit card data. Without an SSL certificate, all data between the user's web browser and your web server is delivered in clear text. This text can be read by hackers. By using SSL, sensitive information is encrypted before being transferred between their browser and your server, making it more difficult to read and making your site more secure. For websites that accept sensitive information, the average price of an SSL is around $40 to $150 per year. If you don't accept any sensitive information, you don't need to pay for an SSL certificate. Almost all web hosts offer a free Let's Encrypt SSL certificate that you can install on your site.

 

Change your WP connection URL

The default address for logging into WordPress is "yoursite.com/wp-admin". By leaving this address as default, you may be the target of a brute force attack aimed at cracking your username and password combination. If you allow users to sign up for subscription accounts, you may also receive a lot of spam. To avoid this, you can change the administrator's login URL or add a security question to the registration and login page.
Pro tip: you can further protect your login page by adding a two-factor authentication plugin to your WordPress with extensions like Wordfence. When you try to log in, you need to provide additional authentication to access your site - for example, this could be your password and an e-mail (or text). This is an enhanced security feature to prevent hackers from accessing your site.
Tip 2: You can also check which IP addresses have failed the most connection attempts, and then block these IP addresses.

 

Limit connection attempts

By default, WordPress allows users to try to log in as many times as they like. While this can help if you frequently forget which letters are capitalized, it also opens you up to brute force attacks.
By limiting the number of login attempts, users can try a limited number of times until they are temporarily blocked. This limits your chances of being subjected to a brute force attempt, as the hacker is blocked before he can complete his attack.
You can easily enable this with a WordPress login attempt limit plugin. After installing the plugin, you can change the number of connection attempts via Settings> Connection limit attempts. If you'd like to activate connection attempts without a plugin, you can also do so. by following tutorials on the internet.

 

Make inaccessible/Hide wp-config.php and .htaccess files

While this is an advanced process for improving your site's security, if you're serious about your security, it's important to hide your site's .htaccess and wp-config.php files to prevent hackers from accessing them.
We strongly recommend that this option be implemented by experienced developers, as it is imperative to first make a backup of your site and then proceed with caution. Any error could render your site inaccessible.
To hide the files after your backup, you need to do two things:
First, go to your wp-config.php file and add the following code,
<Files wp-config.php>
order allow,deny
deny from all
</Files>
In the same way, you'll add the following code to your .htaccess file,
<Files .htaccess>
order allow,deny
deny from all
</Files>
Although the process itself is very easy, it's important to make sure you have the backup before you start in case something goes wrong.

 

Update your WordPress and plug-in versions

Keeping your WordPress up to date is a good practice to ensure the security of your website. With every update, developers make a few changes, often updating security features. By keeping your CMS up to date with the latest version, you help protect against pre-identified vulnerabilities and exploits that hackers can use to gain access to your site.
It's also important to update your plugins and themes for the same reasons.
By default, WordPress automatically downloads minor updates. For major updates, however, you'll need to update directly from your WordPress administration dashboard.

Conclusion

WordPress security is one of the essential elements of a website. If you don't maintain your WordPress security, hackers can easily attack your site. Keeping your website secure isn't difficult and can be done without spending a dime. Some of these solutions are aimed at advanced users, but if you have any questions, WS Digital Consulting can help you secure your website and protect your data.
Have you already been the victim of an attack? Has your SEO and online reputation been impacted? Call on our experts, Contact us