
It is no secret that WordPress powers more than a quarter of all websites on the internet. It has been estimated that over 60 million sites are powered by this content management system, which creates an enormous opportunity for hackers to exploit vulnerabilities in order to gain access and take control. However, not every website running WordPress is vulnerable because there are several ways you can protect yourself from malicious attacks. In this blog post we will talk about how to make your site secure with just a few simple changes!

How do I tell if my site is secure?

First of all, don’t panic! It is important that you understand how to identify the warning signs of a hack or malware, and take action accordingly. Here are some tell-tale signs:

* Strange files being written to your website directory (this usually means they’re trying to upload malicious scripts)

* New WordPress user accounts popping up

Have you done the basics?

1. Check that your site has a green lock next to the URL in the browser

2. Look for https:// at the beginning of your domain name

3. Type “https” before typing in your domain name and see if it redirects you to an encrypted website with “https” on top

How To Make WordPress Secure

  1. Make sure that SSL is enabled on your site. SSL prevents unauthorized access to the data that is transmitted from and to your website, such as passwords and credit card numbers
  2. Limit admin login attempts with a plugin such as Limit Login Attempts Reloaded
  3. Disable file editing by WordPress users without FTP privileges (i.e., “the editor”)
  4. Check Access Rights for folders & files in wp admin
  5. Disable Directory Listing in PHP
  6. Change the default admin login URL (e.g., to “admin-login”)
  7. Encrypt all your user data with a plugin like Jetpack – WordPress Security, which has AES encryption and password protection
  8. Create unique keys for each site you create.
  9. Enable debugging mode on your site to check for hidden errors (don’t forget to turn it off afterward)
  10. Install and maintain a good antivirus program.
  11. Protect the wp-admin directory with an .htaccess file that blocks access to unauthorized browsers, scripts or bots.
  12. Protect your site with a theme like iEmbed Shield, which lets you specify a list of sites that are allowed to embed your content
  13. Replace the default WordPress administrator account with a new password and username.
  14. Run a security plugin like iThemes Security and change your default WordPress password
  15. Scan your site for infections with a plugin like Site Check (even if you don’t think it’s necessary)
  16. Install and maintain an antivirus program for the server (Your web host should already do this for you if they are any good).
  17. Configure security headers in your site’s .htaccess file
  18. Disable plugins that you’re not using. Even better, delete them if you can.
  19. Create a backup of your site and store it off-site (e.g., Google Drive, Dropbox)
  20. Install an intrusion prevention system
  21. Monitor your site for suspicious activity
  22. Prepare Your WordPress Site For Future Updates
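
Some of these items can be checked mechanically. The script below is an added example, not part of the original post: it audits a WordPress directory for items 3, 4 and 9 and for the "strange files" warning sign described earlier. It assumes the default layout (`wp-config.php` in the site root, uploads under `wp-content/uploads`) and WordPress's standard `DISALLOW_FILE_EDIT` and `WP_DEBUG` constants; the function names `audit` and `demo` and the sample tree are constructed for illustration.

```python
import os
import re
import stat
import tempfile

DEFINE_RE = re.compile(  # boolean define() calls; commented-out lines don't match
    r"""^\s*define\(\s*['"](\w+)['"]\s*,\s*(true|false)\s*\)""", re.I | re.M)
SCRIPT_EXT = (".php", ".phtml", ".phar")
UPLOADS = os.path.join("wp-content", "uploads")  # WordPress default location


def audit(root):
    """Return sorted findings for a WordPress install rooted at `root`."""
    with open(os.path.join(root, "wp-config.php"), errors="replace") as fh:
        flags = {k: v.lower() == "true" for k, v in DEFINE_RE.findall(fh.read())}
    findings = []
    if not flags.get("DISALLOW_FILE_EDIT", False):
        findings.append("item 3: dashboard file editor is enabled")
    if flags.get("WP_DEBUG", False):
        findings.append("item 9: WP_DEBUG is still on")
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # skip symlinks; only real files are checked
            rel = os.path.relpath(path, root)
            if stat.S_IMODE(os.stat(path).st_mode) & stat.S_IWOTH:
                findings.append(f"item 4: world-writable file {rel}")
            if rel.startswith(UPLOADS + os.sep) and name.lower().endswith(SCRIPT_EXT):
                findings.append(f"warning sign: script in uploads: {rel}")
    return sorted(findings)


def demo():
    with tempfile.TemporaryDirectory() as root:
        sample = {  # constructed sample tree, not a real site
            "wp-config.php": "<?php\n// define('DISALLOW_FILE_EDIT', true);\n"
                             "define( 'WP_DEBUG', true );\n",
            "index.php": "<?php // front controller\n",
            os.path.join(UPLOADS, "2024", "logo.png"): "constructed image",
            os.path.join(UPLOADS, "2024", "x.php"): "<?php // constructed\n",
        }
        for rel, body in sample.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, 0o666 if rel == "index.php" else 0o644)
        return audit(root)
```

Calling `audit()` on a real site root returns the same kind of list; on the constructed tree, `demo()` reports the commented-out `DISALLOW_FILE_EDIT`, the active `WP_DEBUG`, the world-writable `index.php` and the script under uploads.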

If this seems like a lot to do, that’s because it is. This is why most people don’t do it, and web designers usually don’t take much care about security because they just want to move on to the next client. By the time you have problems, it is usually too late. It’s a lot of work and takes a long time to figure out what you need to do.

Fortunately this is all included as standard with our very own WordPress Hosting Service.

To learn more about how we can make your site secure, contact us today for a free WordPress security consultation.
