WordPress Security: Protect Your WordPress Site Like a Boss

How to protect WordPress site. Keep hackers away with this step by step guide to securing your WordPress. Easy to follow guide for bloggers

You only have yourself to blame when someone hacks into your WordPress site.

You’re using a secure content management system.

And when a hacker gets in, it’s usually because you haven’t put security measures in place.

Don’t wait for someone to hack your site.

Use this WordPress security guide to protect it right now even when you’re not great at code.

Before Anything Else, Decide How You Want to Do It

There are two ways to harden WordPress:

The easy way and the slightly more advanced way.

The Easy Way

Like many things on WordPress, the easy way uses a plugin. If you’re short on time or you don’t like to deal with code, do this.

The Advanced Way

Do it the advanced way if you´re comfortable with writing code. It’s a bit more work but you go above and beyond what’s needed to secure WordPress sites — (and it makes yah feel so good!)

Note: the legal mumbo jumbo

This could break your site if you don’t know what you’re doing. Always download a backup of your website before you do any of these changes. And if you’re not confident of your skills, then get your webmaster to do this for you.

WordPress Security: The Quick & Easy Way

This easy way of securing WordPress sites is all I do for most of my small niche sites.

From experience, these precautions have been more than enough.

So without keeping you any longer, let’s get this show on the road.

Here are the 3 important steps to secure your WordPress the easy way.

1. Secure your login details

It’s surprising how many people often overlook this very easy-to-implement security measure.

Your login details are your first line of defense. It’s also the first place a hacker’s bot is going to come snooping in.

It’s the doorway to your site.

And if you don’t want a crook to get in, you better bolt it tight.

There are two things you must do to secure it.

1. Use a secure password

We know that a secure password is very important.

And yet, it continues to be one of the reasons behind a WordPress security breach.

Your password is a hacker’s first stop…

It takes 1 month and 25 days to hack the password, “June86abc.”

But the password, “>pu+YC,’$7\5C8_} ?

349,514,003,019,396,100,000 years

So go change your password if you don’t have a secure one yet.

Use http://passwordsgenerator.net . Make sure you include a combination of numbers, letters and symbols.

Secure password generator

❗️If you only do one thing right now, make sure that it is to make your login password secure.

2. Stop using admin or administration for your username

This is the default WordPress user ID and if you’re still using it for your username, then go change it.

I’m serious.

Stop reading this article and go change it RIGHT NOW.

2. Install a security plugin

This is the easiest way to secure your site:

Use a reliable WordPress security plugin.

There are many of these plugins and you can spend days just deciding which is better.

Here are two that I use and recommend.

I use Ithemes Security.

It doesn’t matter which one you choose. They’re both good.

Just choose.

  1. Ithemes Securi: I like this for its ease of use. It does many of the things that I mention in the second version of this article, too.
  2. Sucuri: specializes in website security services. If you get their paid Pro version, they do everything for you from site protection to fixing it if it gets hacked. You should definitely check them out if you want to pass on the burden of securing your website to a company.

WordPress Security Plugin Video Tutorials

Have you decided which plugin to use? Here are video tutorials of each plugin.

Ithemes Security Settings

Sucuri Settings

3. Always Update Plugins and Themes

So you’ve secured your login details and you’ve protected your site with a security plugin.

Now what?

You should now be vigilant with updating plugins, themes and the WordPress core.

This is a continuous process for as long as your website exists.

And it’s easy to take it for granted.

But don’t.

In 2016, 61% of infected sites were out-of-date WordPress versions.

And 52% of the vulnerabilities reported by WPScan are caused by WordPress plugins

Every day, “bot” hacking programs visit WordPress sites to find a vulnerability they can take advantage of.

And if you don’t want them to get into your site, regularly update the WordPress core, plugins and themes.

The Advanced Way: Harden WordPress Like A Boss

If you have the time, technical knowledge and the confidence to tweak the bowels of WordPress, then the next steps are for you.

Big fat warning: this could potentially damage your site if you don’t know what you’re doing. So if you’re not savvy this way, call your webmaster (although I hope he has already done this for you as part of the service). It’s worth it.

Protect WordPress - The easy guide for boggers. Secure wordpress like a Mama bear protects her young! (text). with image of a growling brown bear

1. First, do all three steps in the first part of this guide.

2. Make use of a two-factor authentication

This is an extra level of security when logging in to your site.

I admit it’s a bit of a hassle.

But I love this feature — It gives me a sense of bullet-proof security.

The thought that there’s another level of defense before a hacker gets to my site makes me feel all warm and fuzzy. Ha!

A two-factor authentication means there are two steps to log in before you can access your dashboard.

First, you use your username and password.

If this is correct, you then have to go through another authentication method. This can be a code that’s sent to your email or mobile device.

It can feel much fuss to log in.

But it’s a security precaution that could save you from a lot of hacking nightmares.

I use a two-factor authentication not only on my WordPress sites but also for hosting and domain registration accounts.

If you want to use one for your site too, check out miniOrange’s Google Authenticator

Google authenticator screenshot. WordPress plugin by miniorange for two factor authentication

3. Secure file permissions

Think of every page or folder on your site as a doorway.

Others can see them, a few have the keys to them, and some people can make modifications to them.

In WordPress, we call these file permissions: read, write or execute.

And you allow every person who visits your site one or more of these permissions.

You do these by setting the proper permissions in your site’s files and folders.

Go to your website’s Cpanel and find the file directory.

Go through the following files and folder to make sure they’re set to the correct permission settings.

  • No directory should have 777
  • All folders should be 755 or 750 except for
    • wp-config.php : 400 or 444
    • Wp-includes: 644
  • All files within wp-content: 644

Here’s Bluehost’s guide on how to change the permissions in Cpanel.

4. Get A Secure Hosting Service

It doesn’t matter if you follow all the steps here:

If you have insecure web hosting, hackers can still get you.

Here’s something for you to think about.

In a study on hacked WordPress sites, over 41% were hacked through their hosting.

So don’t take your hosting lightly and make sure your site is hosted in a secure platform. It plays a very important part in your site’s security.

5. Only install trustworthy themes and plugins

If you’re using free themes and plugins, use only the official ones on the WordPress.org site. Also make sure they are compatible with your current WordPress version.

Why should you do this?

Because plugins which are not updated may have insecure files that make it easier for hackers to get in.

Now, in my experience, most plugin and theme developers bear no bad intentions.

It is possible, however, for someone else to add a code into these themes to make it easy to get into your website.

This is why you should only download from the WordPress.org site or other sites you fully trust.

You don’t let dodgy people into your house. You shouldn’t allow dodgy programs to set foot on your website either.

6. Login using a secure computer

Wordpress security tips : Guide to 2 different ways to secure your WordPress site. One includes a plugin and some basic site tweaking and the other is for more advanced users who are comfortable with tweaking their .htaccess

Login to your site only when you know you’re using a secure computer.

And make sure you regularly check your computer for malware, spyware and viruses.

Also, if you have a static IP, limit access to your admin area to only this IP by adding this code to your .htaccess

First, go to your site’s file directory and download .htaccess

  • Open the file in Notepad and add the code below.
  • This example limits it to one IP address. Change the numbers to your own static IP address.
<IfModule mod_rewrite.c>RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^111\.112\.113\.114$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
  • Save the file as .htaccess (not .txt which Notepad usually adds to saved files) and upload it to your WordPress directory.

7. Protect wp-config.php

Remember the name: wp-config.php

Hold it close to your heart. This file holds the secrets of your WordPress site.

It holds all sensitive information about your database, username and password.

So guard this file with your life.

Here’s something you can do to secure your wp-config.php by using the code below in your .htaccess file.

 # protect wpconfig.php
<files wp-config.php>
order allow,deny
deny from all
</files>

8. Hide WordPress login Page

This one’s sneaky and quite clever.

WordPress has a default login page.

This is http://www.yoursitecom/wp-admin or http://www.yoursite.com/wp-login.php.

It’s the same page for every fresh install of millions of WordPress sites.

And because it’s the same URL for every new WordPress build, it’s like an advertisement to every hacker:

Hey look! Here’s the door to my website. Why not get your lockpick and come practice your lockpicking skills here.

So how do you stop this from happening?

Change the page!

Easy peasy lemon squeezy.

Another level of protection a hacker has to overcome.

So, Instead of using the default URL above, use one that’s unique to you.

It can be something like https://www.yoursite.com/thisismylogin or https://www.yoursite.com/z0Q

Use any alternative page login url.

And don’t advertise it to the world. Only you and your team should know about it.

The best way to do this is by using a plugin such as WPS Hide Login. Here’s Jakson showing us how to do this on WordPress

9. Backup.. Backup…Backup

The complete guide to hardening WordPress - whether you want to use a security plugin or change your .htacess or wp-config files, you'll find the tutorial here

Always have a backup of your site.

It’s a precaution that will save you in the unfortunate event that you get hacked.

And if your business relies on your website, this is an important thing to do for your sanity.

In the unfortunate event of a WordPress hacking, your loss (and not to mention your stress level!) is going to be MANY times lower.

Why?

With a backup, you can easily put your site back online with minimal downtime.

If you have a site that you regularly update, back it up daily. But if you hardly ever change your site, you can do it once or twice a week.

Conclusion: secure Your WordPress Site

WordPress is a secure content management system out of the box.

However, you also play an important part in making the WordPress security system work.

If you don’t want any trouble or stress, if you don’t want your website to go down for days because someone hacked it, if you want your personal data to be secure…

then follow the steps above and you will sleep soundly at night.

Pin It for Later!

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.