Read this complete guide for security tips to protect your WordPress site from hackers.
Security is now a major concern for WordPress users, because around 74.6 billion sites on the World Wide Web depend on WordPress to manage their content, which is around 18.9 percent of all websites on the internet. As WordPress grows in popularity, hackers increasingly target it, searching for weak points (vulnerabilities) that let them take control of your website.
Having your site hacked is a worst-case scenario. Since prevention is better than cure, now is the time to put security tools and techniques in place to keep attackers out. I created this guide to help bloggers and business owners protect their WordPress sites from that situation, so read on to learn the tips that help you secure a WordPress blog from hackers.
I am not saying that WordPress is an insecure platform; it is highly secure, but only when proper security measures are applied. In the above figure you can see that 41 percent of sites were hacked due to a vulnerability in the hosting platform, 29 percent were hacked due to a security issue in WordPress themes, and the rest were hacked due to security issues in plugins and weak passwords.
All of these WordPress security issues are controllable, and you can protect your WordPress site using the security measures that I am going to describe here.
Here are 10 things you can do to secure your WordPress blog.
Security tips to secure your WordPress blog
1. Limit Login Attempts
Hackers can use various techniques to obtain your login credentials, and one of the most popular is the brute-force attack. In a brute-force attack, the attacker uses automated software that tries username and password combinations over and over, guessing and combining different letters and symbols. It keeps trying until the correct username and password are found.
You can read more about brute-force attacks here.
A brute-force attack mainly targets your wp-login.php file: the attacker repeatedly tries to log in to your website using thousands of passwords at a time. Limiting the number of failed attempts allowed from the attacker's IP address therefore reduces the chance of being hacked by a brute-force attack.
How can I limit login attempts?
By default, WordPress offers no feature to block suspicious login attempts. It allows unlimited attempts, and as a result a password can be cracked by a brute-force attack.
Jetpack has a built-in feature developed specifically to protect your WordPress site from brute-force attacks.
Jetpack Brute-force protection blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.
2. Update All your themes and Plugins
Each update of a theme or plugin not only adds new features and functionality, it also brings patches for vulnerabilities and loopholes discovered in earlier versions.
To reduce the risk of your site being hacked or otherwise compromised, update your blog as soon as an update is released.
According to WPBeginner, 83 percent of hacked WordPress blogs were not updated. Similarly, WordPress sites are frequently hacked because of outdated versions of PHP, themes or plugins.
Not updating your WordPress site is an open invitation to attackers, so it is essential to update your blog as soon as an update is released.
3. Choose Reliable web hosting
Choosing the cheapest web hosting provider can save a lot of money, but ask yourself: is it really safe to host your WordPress blog with that provider? As noted in the above figure, 41 percent of WordPress sites are hacked because of a security issue at the hosting provider, and the bitter truth is that if you are hacked at the host level, there is nothing you can do about it yourself; you depend on your provider to fix the issue.
Here are some important points to consider before signing up for a web hosting account.
- Does your provider offer free data backup solutions?
- Is it a certified partner of a popular security company like McAfee, or is it rated by CNET or other providers?
- Read some honest reviews by other website owners.
- Do not go for the cheapest option, because cheaper never brings security or quality.
- Do they offer instant support like phone or live chat?
4. Create a strong Password
Your password is a layer of security that determines how safe your WordPress account is. Short and weak passwords are easy to guess and to crack with a brute-force attack. As noted above, according to the report 8 percent of WordPress sites were hacked because they used a weak password. New bloggers often set a simple password because it is easy to remember, but this is not good practice, because a weak password leaves your site vulnerable.
You can read this guide to create a strong password.
Automatic tool to create strong password
There's an open source app called secure password, developed by Amit Agarawal, that helps you create unique and complicated passwords using the secure bcrypt algorithm. It is a web app, so you can use it from any browser on any device.
You can visit here to learn about and download the secure password app.
5. Never use admin as your username
When installing WordPress, never set your username to admin; change it to something else. The latest version of WordPress lets you set a different username during installation. It is essential to do this, because once set the username cannot be changed unless you install a third-party plugin or change it from phpMyAdmin.
If you have already launched a blog with the default username "admin", follow these simple steps to change your username.
Log in to your cPanel and click on phpMyAdmin.
Select your database and edit the username field. After changing your username in the database, save it and log in with your new username.
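The phpMyAdmin edit in the steps above amounts to one UPDATE on the users table. This added Python example (not from the original guide) runs that statement against a constructed in-memory SQLite stand-in; the default table name wp_users, the sample rows and the function names are assumptions. It also updates user_nicename, the column WordPress uses in author archive URLs, so the old name does not stay visible there.

```python
import sqlite3

def make_sample_db():
    """Constructed stand-in for the WordPress users table. Real sites use
    MySQL and may use a table prefix other than the default "wp_"."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,"
               " user_nicename TEXT, user_email TEXT)")
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", [
        (1, "admin", "admin", "owner@example.com"),
        (2, "editor1", "editor1", "editor@example.com"),
    ])
    return db

def rename_login(db, old_login, new_login):
    """Rename one account and return the number of rows changed (0 or 1)."""
    # Refuse to create a second account with the same login name.
    taken = db.execute("SELECT 1 FROM wp_users WHERE user_login = ?",
                       (new_login,)).fetchone()
    if taken:
        raise ValueError(f"{new_login!r} is already in use")
    # This is the statement you would run in phpMyAdmin's SQL tab,
    # with the values filled in.
    cur = db.execute(
        "UPDATE wp_users SET user_login = ?, user_nicename = ?"
        " WHERE user_login = ?",
        (new_login, new_login.lower(), old_login))
    db.commit()
    return cur.rowcount

if __name__ == "__main__":
    db = make_sample_db()
    print(rename_login(db, "admin", "site-owner-7f"), "row(s) updated")
    print(db.execute("SELECT ID, user_login, user_nicename FROM wp_users").fetchall())
```

A return value of 0 means no account had the old name, so nothing was changed.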
6. Use separate password in WordPress admin and in hosting cPanel
You can recover a lost or hacked WordPress password from phpMyAdmin; however, if your site is hacked at the hosting level, there is nothing you can do until your hosting provider takes action. Your hosting cPanel password must be stronger, combining letters, numbers and symbols, and when installing WordPress you should never use the same username and password for WordPress and cPanel.
7. Never use Pirated theme and Plugins
The internet is full of high-quality themes and plugins for WordPress. The problem is that they are often very expensive, so many people choose cheaper solutions or free alternatives. Using free or cheaper alternatives is fine, but when looking for premium themes or plugins, never use pirated copies.
Most premium themes have been cracked and are freely available on the internet. Although these themes are available for free, you should never use them, because pirated themes and plugins are mostly injected with malicious code that makes your site vulnerable.
8. Use a CDN
A CDN (Content Delivery Network) blocks all types of threats, from comment spam and excessive bot crawling to malicious attacks such as SQL injection and Denial of Service (DoS) attacks. It can automatically detect new attacks, so once it identifies a new attack it starts its security procedure, blocking the attack for both the particular website and the entire community.
Security is an essential part of being online and can never be neglected. You never know when your account might get hacked, so take precautions from the first day of your blog. You have probably heard that prevention is better than cure, and the same principle applies in the blogosphere. Do not neglect your blog's security on the grounds that you are new or your blog is not popular. No matter how popular you are or how safe your hosting provider is, unless you apply these security measures your blog will still be vulnerable.