17 tips to lock down your WordPress website!
If you got to this post, you probably already understand the importance of a website for a company’s digital strategy, starting with the choice of an appropriate and secure platform for you to manage it.
WordPress is one of the most widely used content publishing platforms. But how do you make sure that the site is well protected? How do you get good WordPress security?
Attacks are increasingly common and they can be devastating when they hit your website, since it is the main online channel for generating new business. For this reason, here are 17 tips that will make your WordPress site considerably safer. No site is ever completely safe, but these close the doors attackers try first:
- 1. Create frequent backups
- 2. Log in with your email
- 3. Change your website’s login URL
- 4. Protect the wp-config.php file further
- 5. Increase the security of the wp-admin directory
- 6. Use two-factor authentication
- 7. Have an SSL certificate
- 8. Keep themes and plugins up to date
- 9. Be careful when choosing themes
- 10. Use strong passwords on the platform
- 11. Delete unnecessary files
- 12. Prevent spam
- 13. Prevent registration of new user accounts
- 14. Assign the right permissions for files and folders
- 15. Make sure the debug file is well protected
- 16. Change the database table prefix
- 17. Connect to the server securely
Continue reading and check them out!
17 ways to secure your WordPress website!
1. Create frequent backups
Think of the following example: you have a corporate website with a lot of content, ranging from pages describing your products or services to a list of customers who have purchased from you and articles created on your blog. What if, suddenly, everything just disappears? What would you do?
Yes, this is possible, for reasons ranging from a failure on your server to a compromise of your site by malware or by someone who wants to harm you. Do not assume it will not happen to you.
For example, did you know that Microsoft's competitors once went through the company's trash looking for information? Therefore, back up your site periodically, both the files and the database, and store the copies somewhere other than the web server itself: a backup that sits on the compromised host is lost (or encrypted by ransomware) together with it. Test a restore now and then; an untested backup is only a hope.
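As an added example that is not part of the original post, the following POSIX shell script does what the tip describes: it reads the database credentials from wp-config.php, dumps the database, archives it together with the site files, and keeps only the newest copies. The paths /var/www/html and /var/backups/wp are assumptions, and DB_HOST is assumed to be a plain hostname.

```shell
#!/bin/sh
# Added example, not from the original post: dump the database with the
# credentials from wp-config.php, archive it with the site files, then keep only
# the newest copies. Paths (/var/www/html, /var/backups/wp) are assumptions and
# DB_HOST is assumed to be a plain hostname.
set -eu

# Read one define('NAME', 'value') constant from wp-config.php.
wp_config_get() {
  # $1 = path to wp-config.php, $2 = constant name
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Dump the database (consistent snapshot) and tar it together with the docroot.
wp_backup() {
  # $1 = docroot, $2 = backup directory; keep $2 outside the docroot and copy
  # the archives off the machine afterwards
  docroot=$1; dest=$2
  cfg=$docroot/wp-config.php
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  work=$(mktemp -d)
  # The password goes through the environment, not -p, so it never shows in ps.
  MYSQL_PWD=$(wp_config_get "$cfg" DB_PASSWORD) \
    mysqldump --single-transaction --quick \
      -h "$(wp_config_get "$cfg" DB_HOST)" \
      -u "$(wp_config_get "$cfg" DB_USER)" \
      "$(wp_config_get "$cfg" DB_NAME)" > "$work/db.sql"
  tar -czf "$dest/wp-$stamp.tar.gz" -C "$work" db.sql -C "$docroot" .
  # The archive contains wp-config.php, so it is as secret as the credentials.
  chmod 600 "$dest/wp-$stamp.tar.gz"
  rm -rf "$work"
}

# Delete all but the newest $2 archives in $1 (by modification time).
wp_prune_backups() {
  dir=$1; keep=$2
  set -- "$dir"/wp-*.tar.gz
  [ -e "$1" ] || return 0
  ls -1t "$dir"/wp-*.tar.gz | tail -n +$((keep + 1)) | while IFS= read -r old; do
    rm -f -- "$old"
  done
}

# Nightly run from cron (assumed paths): keep a week of backups.
if [ "${WP_BACKUP_RUN:-0}" = 1 ]; then
  wp_backup /var/www/html /var/backups/wp
  wp_prune_backups /var/backups/wp 7
fi
```

Run it from cron with WP_BACKUP_RUN=1, and sync /var/backups/wp to off-site storage in the same job; the archive is chmod 600 because it embeds wp-config.php and therefore the database password.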
2. Log in with your email
When you log in to WordPress, the form accepts either your username or your email address. For greater WordPress security we recommend the email, and we will explain why, together with an important caveat.
Usernames are easy to guess, especially if they are just a first name, and WordPress discloses them anyway: author archive pages (?author=1) and the REST API endpoint /wp-json/wp/v2/users list them unless you block that. So treat the username as public knowledge.
An email address is only a better secret if it is not published on the site or in your signature, so use a dedicated address that few people know. Either way, the real protection is a strong password, two-factor authentication and a limit on login attempts (tips 3, 6 and 10), because the login form will still accept the username.
3. Change your website’s login URL
Every WordPress site has the same login page by default: http://yoursiteaddress.com/wp-login.php, which /wp-admin redirects to. Because the address is known in advance, attackers point automated tools at it and try username and password combinations taken from lists of common credentials and from earlier data breaches (so-called credential stuffing).
When one of the combinations matches, the attacker is in.
Changing the login URL takes your site out of these mass, untargeted scans. The iThemes Security plugin (now called Solid Security) lets you replace /wp-login.php with any text string you choose. Keep in mind that this is obscurity, not protection: anyone who finds the new address can still try credentials, so it complements the next measure rather than replacing it.
The measure that actually stops brute force is limiting login attempts, with the same plugin or with a firewall rule, so an attacker cannot keep trying combinations endlessly. Remember that xmlrpc.php also accepts logins and can bundle many attempts into one request (system.multicall); block it or disable XML-RPC if nothing uses it.
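Limiting attempts starts with recognising them in the web server log. The following added example, not from the original post, scans an Apache or nginx "combined" access log for clients hammering wp-login.php and prints the ones above a threshold; the log lines it embeds are constructed, and the firewall command in the demo is illustrative. The detail it relies on: WordPress answers a failed login with HTTP 200 (the form is re-rendered) and a successful one with a 302 redirect to the dashboard.

```shell
#!/bin/sh
# Added example, not from the original post: find clients hammering wp-login.php
# in an Apache/nginx "combined" access log. The log lines below are constructed.
set -eu

# WordPress re-renders the form with HTTP 200 when a login fails and answers a
# successful login with a 302 redirect, so a POST to wp-login.php that got a
# 200 is the failure signature. Fields: $1 client IP, $6 "METHOD, $7 path, $9 status.
wp_login_abusers() {
  # $1 = access log path, $2 = failures per IP that trigger a report
  awk -v limit="$2" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
  ' "$1" | sort
}

# Constructed sample: five failures from one host, one failure from another,
# and a GET plus a successful (302) login from a third.
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "python-requests/2.31"
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "GET /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Demo run: ./wp-login-abusers.sh demo
# In production, replace the echo with your firewall (e.g. an iptables DROP or a
# fail2ban action) and run the script from cron over the live log.
if [ "${1:-}" = "demo" ]; then
  log=$(mktemp)
  write_sample_log "$log"
  wp_login_abusers "$log" 5 | while read -r ip count; do
    echo "would block $ip after $count failed logins"
  done
  rm -f "$log"
fi
```

On the sample, only 203.0.113.7 crosses a threshold of five. The legitimate user at 192.0.2.9 is never counted because its POST returned 302. Lower the threshold and 198.51.100.2 (a single mistyped password) appears too, which is why a real rule should also use a time window and a temporary rather than permanent block.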
4. Protect the wp-config.php file further
The wp-config.php file holds the database credentials and the authentication keys and salts, so it is the most sensitive file in the installation and must be the best protected.
Hardening it is simple: move wp-config.php one directory above the folder that contains WordPress. When WordPress is installed in the web root, that parent directory is outside what the web server publishes.
WordPress checks that location automatically (it loads ../wp-config.php as long as that directory does not contain another WordPress install), so the site keeps working while a browser can no longer request the file. If your host does not allow this, at least have the web server deny direct requests to wp-config.php and give it restrictive permissions (tip 14): a PHP handler that is misconfigured or switched off would otherwise serve the file as plain text, credentials included.
5. Increase the security of the wp-admin (or wp-login) directory
Speaking of wp-admin: it is the administrative heart of the site, and whoever gets in there controls everything. So add a second barrier in front of wp-login.php, at the web-server level, so that only the site owner and the administrators can even reach the form.
With HTTP basic authentication in place, the browser asks for a server-level username and password before WordPress shows its own login form. Plugins such as AskApache Password Protect set this up for you, or you can write the rule in .htaccess yourself. Protect the login script rather than the whole wp-admin directory: wp-admin/admin-ajax.php is called by the public side of many themes and plugins and breaks behind a password prompt. You can also add two-factor authentication, which we cover next.
6. Use two-factor authentication
WordPress security must cover not only the site but also the way you log in, and the login must be protected accordingly. The standard way to do this is two-factor authentication.
It adds a second check to the login so that a stolen or guessed password alone is not enough to get in.
Besides the username and password, you also have to enter a one-time code, delivered by an authenticator app, by email or by SMS. App-generated codes (TOTP) are the better choice: SMS can be intercepted or redirected through SIM swapping.
One good two-factor plugin for WordPress is Google Authenticator, which generates the same time-based codes as the app of the same name. It is simple, free and works well.
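To show what the code from an authenticator app actually is, here is an added example (not code from the post or from the plugin) that computes an RFC 6238 time-based one-time password in POSIX shell with openssl doing the HMAC-SHA1, plus a verifier that tolerates one step of clock skew. The secret is passed as hex; authenticator apps display it base32-encoded, so decode that first. The 30-second step and 6 digits are the defaults the apps use.

```shell
#!/bin/sh
# Added example (not from the post or the plugin): compute an RFC 6238 TOTP code
# the way an authenticator app does, using openssl for HMAC-SHA1.
set -eu

# $1 = shared secret as hex (apps show it base32-encoded; decode that first),
# $2 = Unix time, $3 = step in seconds (default 30). Prints a 6-digit code.
totp_code() {
  key_hex=$1; now=$2; step=${3:-30}
  counter=$((now / step))
  # HMAC-SHA1 over the 8-byte big-endian counter (RFC 4226 section 5.3).
  mac=$(
    i=7
    while [ "$i" -ge 0 ]; do
      byte=$(( (counter >> (8 * i)) & 255 ))
      printf "\\$(printf '%03o' "$byte")"
      i=$((i - 1))
    done | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$key_hex" | sed 's/.*= *//'
  )
  # Dynamic truncation (RFC 4226 section 5.4): the low nibble of the last byte
  # selects a 4-byte window; clear its top bit and reduce modulo 10^6.
  nibble=$(printf '%s' "$mac" | cut -c40)
  start=$(( 0x$nibble * 2 + 1 ))
  window=$(printf '%s' "$mac" | cut -c "${start}-$((start + 7))")
  printf '%06d\n' $(( (0x$window & 0x7fffffff) % 1000000 ))
}

# Accept a submitted code if it matches the current step or the one on either
# side, which is the usual allowance for clock drift between phone and server.
totp_verify() {
  # $1 = secret hex, $2 = submitted code, $3 = Unix time
  for skew in -1 0 1; do
    [ "$(totp_code "$1" $(( $3 + skew * 30 )))" = "$2" ] && return 0
  done
  return 1
}

# Demo: ./totp.sh demo prints the code for the RFC 6238 test secret "now".
if [ "${1:-}" = "demo" ]; then
  totp_code 3132333435363738393031323334353637383930 "$(date +%s)"
fi
```

The test secret is the ASCII string 12345678901234567890 from the RFC, which gives 287082 at time 59, 081804 at 1111111109 and 005924 at 1234567890. Two things the code makes visible: the server must store the shared secret in a form it can read (so protect the database as carefully as the password hashes), and a code is only worth something if the server also refuses to accept the same code twice within its window.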
7. Have an SSL certificate
A TLS certificate (still commonly called an SSL certificate) is essential: it encrypts the traffic between visitors and your site, which matters most when they enter personal or payment data, and it also protects the login itself, since without it your own admin password travels in the clear. HTTPS is also one of Google's ranking signals.
Most hosts issue a certificate for free (typically via Let's Encrypt) and can enable it from the control panel. Once it is active, switch the WordPress Address and Site Address to https:// and redirect plain http:// traffic; the Really Simple SSL plugin does this for you. Check afterwards that no page still loads images or scripts over http:// (mixed content), as browsers block or flag those.
8. Keep themes and plugins up to date
One of the first steps when creating a WordPress site is choosing the theme that will be applied. Also called templates, there are many to choose from to make the website look like your company.
In addition to the design, themes also bring features that meet your needs. For them to keep working well, install updates whenever they are released; otherwise the template may lose some of its functions and stop working properly.
The same applies to plugins, which add specific functions to the site, such as a contact form, social media buttons or lead generation banners. Every time they have updates, install them.
The same goes for WordPress core: update it together with your themes and plugins. Updates are not only about features; most WordPress compromises exploit publicly known vulnerabilities in outdated plugins and themes, so an update left pending is an open door. Enable automatic updates where you can, and test on a staging copy first if the site is business-critical.
9. Be careful when choosing themes
This is very important for WordPress security, not just for the web design. For a professional website focused on results, we recommend a premium theme: as much as WordPress has a variety of free templates, they are usually aimed at personal websites or blogs.
However, a warning: buy the template, do not download a pirated copy. Besides being illegal, it puts your site at risk, because pirated ("nulled") themes routinely carry hidden backdoors, spam links or code that lets the distributor into your site later.
In addition, with a pirated copy you are not entitled to the premium support team if you have a problem or need help adapting the template to your website's needs, and you will not receive the security updates from tip 8.
10. Use strong passwords on the platform
When you set your password for the WordPress dashboard, the CMS itself tells you whether it is weak, medium or strong. As easy as the weaker ones are to remember, always choose a strong password that is not obvious.
After all, access to the dashboard has to be restricted even within the company, and weak or reused passwords are one of the most common ways sites are broken into.
WordPress itself suggests a generated password; use it, or create your own long one with upper and lower case letters, digits and special characters. Never reuse a password from another service, since breached credential lists are exactly what brute-force tools try first (tip 3).
If you run out of good password ideas, a password manager will generate and remember a strong, unique password for every site.
11. Delete unnecessary files
Do you know the longest people usually wait for a website to load? About three seconds. If your site takes longer than that to display its full content, many visitors will abandon it before performing any kind of conversion.
One of the factors that slow websites down is an excessive number of files: images, documents, videos and so on. Some are needed for a good visitor experience, but delete the ones that are not. Unused plugins and themes deserve special attention: a deactivated plugin's files are still on disk and still reachable by URL, so a vulnerability in it can be exploited even though it is "off". Delete what you do not use instead of just deactivating it.
12. Prevent spam
Truth be told: nobody likes spam. It is most familiar from email, and it also shows up on social media. But how does it apply to websites?
The most common forms are junk submissions through your contact forms and spam comments on the blog. Use a dedicated tool for comments, such as Disqus or an anti-spam plugin, and add a CAPTCHA or a honeypot field to your forms.
There is also a nastier variant: after a site has been compromised, spammers inject links and pages that are shown only to search-engine crawlers (cloaking), which gets the site penalised or flagged in the SERP. This is one more reason to keep the site itself secure, so that this kind of threat cannot take hold.
13. Prevent registration of new user accounts
A WordPress site can have several people involved, each with a role that matches their function, but those roles must be chosen carefully. These are the built-in WordPress roles:
- Super Admin: manages the whole network of sites (exists only in multisite installs);
- Administrator: has access to all functions of a single site;
- Editor: can publish and manage content, including other people's posts and pages;
- Author: can also create content but only publish and manage their own posts;
- Contributor: can write posts but cannot publish them or upload files;
- Subscriber: can manage only their own profile.
So grant each person only the role their work requires. Your company's main digital asset is managed in WordPress, so the Administrator role should be held by as few people as possible, such as the site owner and one or two administrators.
Unless your site needs public sign-ups, turn off self-registration: in Settings > General untick "Anyone can register", and leave "New User Default Role" at Subscriber in case you ever turn it on. Open registration hands attackers an account to start from. If you are using a web application firewall, you can additionally lock down the login path so that only your own IP addresses can reach it.
Moreover, some 1-click WordPress installers create "admin" as the default username, which is the first name every brute-force tool tries. Always use a different administrator username.
14. Assign the right permissions for files and folders
Besides WordPress user accounts, the files and folders on the server need restrictive permissions too. Imagine how harmful it would be if someone with access to them, even by accident, deleted an essential file and took the site down; worse still if the web server were allowed to rewrite its own PHP files, which is exactly what a malware dropper needs.
The usual baseline is 755 for directories and 644 for files, with wp-config.php at 600 or 640 so that only its owner (and at most the web server's group) can read the database credentials. Ideally the files are owned by a deploy user rather than by the web server account, so a bug in a plugin cannot modify the code base; the exception is wp-content/uploads, which the web server must be able to write to. Never use 777, whatever a plugin's installation guide says.
15. Make sure the debug file is well protected
The debug file (wp-content/debug.log by default) collects PHP errors and warnings, and with them file paths, SQL queries and sometimes credentials or session data. It must not be readable from the web.
In production, leave WP_DEBUG off. If you or a developer working for your business needs logging on a live site, set WP_DEBUG_DISPLAY to false, point WP_DEBUG_LOG at a file outside the web root (WordPress accepts a path there, not just true), have the web server deny requests to debug.log as a safety net, and give the file restrictive permissions.
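Tips 4, 5, 13, 14 and 15 all come down to a handful of server-side settings, so here they are in one added example (not code from the original post) for an Apache 2.4 served site: the permission baseline, a deny rule for wp-config.php and debug.log, and basic authentication plus an IP allowlist on wp-login.php only. The docroot /var/www/html, the htpasswd path /etc/apache2/wp.htpasswd and the address range 203.0.113.0/24 are assumptions; the .htaccess additions are written between named markers so the functions can be re-run without duplicating rules.

```shell
#!/bin/sh
# Added hardening helpers for an Apache 2.4 served WordPress docroot (not code
# from the post). The docroot, the htpasswd path and the admin IP range in the
# usage lines are assumptions.
set -eu

# Tip 14: directories 755, ordinary files 644, wp-config.php 640 so that only
# the file owner and the web server's group can read the database credentials.
wp_set_permissions() {
  docroot=$1
  find "$docroot" -type d -exec chmod 755 {} +
  find "$docroot" -type f -exec chmod 644 {} +
  if [ -f "$docroot/wp-config.php" ]; then chmod 640 "$docroot/wp-config.php"; fi
}

# Append a block of directives to .htaccess once, between named markers, so the
# function is safe to re-run and stays clear of the "# BEGIN WordPress" block.
wp_append_htaccess() {
  # $1 = docroot, $2 = marker name; the directives are read from stdin
  file=$1/.htaccess
  if grep -qs "^# BEGIN $2\$" "$file"; then cat >/dev/null; return 0; fi
  { printf '# BEGIN %s\n' "$2"; cat; printf '# END %s\n' "$2"; } >> "$file"
}

# Tips 4 and 15: never serve wp-config.php or debug.log, wherever they sit
# under the docroot (.htaccess rules apply to subdirectories too).
wp_deny_sensitive_files() {
  wp_append_htaccess "$1" deny-sensitive-files <<'EOF'
<FilesMatch "^(wp-config\.php|debug\.log)$">
    Require all denied
</FilesMatch>
EOF
}

# Tips 5 and 13: HTTP basic auth plus an IP allowlist on the login script only.
# Do not wrap all of wp-admin this way: admin-ajax.php is called by the public
# front end and would break behind a password prompt.
wp_protect_login() {
  # $1 = docroot, $2 = htpasswd file kept outside the docroot, $3 = allowed IP/CIDR
  wp_append_htaccess "$1" protect-login <<EOF
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "$2"
    <RequireAll>
        Require valid-user
        Require ip $3
    </RequireAll>
</Files>
EOF
}

# Usage (assumed paths). Create the htpasswd file first, outside the docroot:
#   htpasswd -c /etc/apache2/wp.htpasswd admin
# then:
#   wp_set_permissions /var/www/html
#   wp_deny_sensitive_files /var/www/html
#   wp_protect_login /var/www/html /etc/apache2/wp.htpasswd 203.0.113.0/24
```

The deny rule needs AllowOverride enabled for the docroot, and the whole approach assumes Apache; on nginx the same two rules become a `location` block that returns 403 for those files and one that wraps wp-login.php in `auth_basic` and `allow`/`deny`. After applying it, confirm from outside the allowlist that /wp-config.php and /wp-content/debug.log both return 403 and that the public site still works.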
16. Change the database table prefix
The database stores and organises your site's content and users. Every table name starts with a prefix, wp_ by default (wp_users, wp_posts, wp_options and so on). As with the login URL, the recommendation is to change it to something less predictable.
The benefit is modest: an attacker who has found an SQL injection can usually discover the real prefix from the database metadata, so treat this as a speed bump, not a wall. Changing it by hand means updating $table_prefix in wp-config.php, renaming every table, and also updating the rows that embed the prefix in their names (the wp_user_roles option and the wp_capabilities and wp_user_level keys in usermeta); miss those and every user loses their role. If you are unsure how to do this, there are WordPress security plugins that perform the change.
WP-DBManager is one of them, as is iThemes Security, which we mentioned earlier. Before making this or any other modification to your database, back up your site.
17. Connect to the server securely
When transferring files to the server, use SFTP or SSH (scp, or rsync over SSH). Plain FTP is still widely offered and many developers are used to it, but it sends your username, password and files unencrypted, where anyone on the network path can read them.
SFTP and SSH encrypt the whole session and let you replace passwords with key pairs. Most hosts provide SFTP by default, so you do not have to set anything up yourself; if yours still exposes FTP as well, ask for it to be turned off for your account.
By following these 17 WordPress security tips you will make your company's website considerably better protected, and you will have peace of mind to focus on the success of your business in digital marketing.