How to keep your WordPress site secure from attacks

Posted on: by Stephen Ainsworth

A compromised website damages your brand's reputation and can cost you leads and sales, on top of whatever the attacker does with the access they gained.

I've outlined some of the most common reasons a WordPress website is exposed to attacks and how you can prevent them. One caveat up front: nothing in this article protects you 100%, but these are best practices and easy wins that make your site a much harder target.

1. Strong passwords

One of the most common and easiest ways to break into a website is a 'brute force' attack: a bot sends a large number of password guesses at the login form until one works. The simplest defence is a password the bot cannot guess in any reasonable time: long first of all (a passphrase or 16+ random characters), with a mix of uppercase and lowercase letters, numbers and special characters. Length matters more than the character mix. The password must also be unique to the site, because the other half of these attacks is 'credential stuffing', where the bot tries passwords leaked from other websites rather than guessing. Passwords like this are hard to remember, so use a password manager to generate and store them. Bear in mind that WordPress does not limit failed login attempts on its own, so pair the strong password with a limit on failed logins and two-factor authentication (see section 8).

Users

Not only should the administrator's password be strong, you should also avoid naming the administrator account 'admin' or 'administrator', as these are the first usernames a brute force bot tries. A username that looks like a password (uppercase and lowercase letters, numbers and special characters) adds a further small hurdle. Treat it as a small one, though: out of the box WordPress discloses usernames in several places, for example yourdomain.com/?author=1 redirects to /author/<username>/, and the REST API at /wp-json/wp/v2/users lists every user who has published a post. A bot can usually look the name up rather than guess it, so the password, login throttling and two-factor authentication are what actually carry the load.
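Here is an added example (my own code, not from this post or from WordPress itself) of a must-use plugin that does both things this section asks for and that WordPress does not do by default: it locks out an address after repeated failed logins, and it closes the two username leaks just mentioned. The 5-failure/15-minute limits and the LH_ prefix are my assumptions; the hooks (wp_login_failed, authenticate, wp_login, rest_endpoints, template_redirect) and the transient functions are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Login hardening (added example)
 * Description: Throttles failed logins per client IP and hides usernames
 *              from anonymous visitors. Save as
 *              wp-content/mu-plugins/login-hardening.php so it loads
 *              before normal plugins and cannot be deactivated from the UI.
 */

// Hypothetical limits: lock an address out after 5 failures inside 15 minutes.
define('LH_MAX_FAILS', 5);
define('LH_WINDOW', 15 * MINUTE_IN_SECONDS);

// Assumption: PHP sees the real client address. Behind a reverse proxy or CDN,
// replace this with the proxy's trusted header; blindly trusting X-Forwarded-For
// lets an attacker choose which bucket they land in.
function lh_client_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function lh_fail_key(): string {
    return 'lh_fail_' . md5(lh_client_ip());
}

// Count every failure. The transient expires LH_WINDOW seconds after the last
// failure, so a bot that keeps hammering keeps extending its own lockout.
add_action('wp_login_failed', function () {
    $key = lh_fail_key();
    set_transient($key, (int) get_transient($key) + 1, LH_WINDOW);
});

// Priority 40 runs after core's username/password and cookie handlers (20 and 30),
// so a locked-out address is refused even if it finally guesses the right password.
add_filter('authenticate', function ($user) {
    if ((int) get_transient(lh_fail_key()) >= LH_MAX_FAILS) {
        return new WP_Error(
            'too_many_failed_logins',
            __('Too many failed logins from your address. Try again later.')
        );
    }
    return $user;
}, 40);

// A successful login clears the counter for that address.
add_action('wp_login', function () {
    delete_transient(lh_fail_key());
});

// /wp-json/wp/v2/users lists accounts with published posts to anyone.
// Remove the two user routes unless the request is authenticated.
add_filter('rest_endpoints', function (array $endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    return $endpoints;
});

// ?author=1 would otherwise redirect to /author/<username>/, leaking the login
// name. Priority 1 runs before core's redirect_canonical (priority 10).
add_action('template_redirect', function () {
    if (isset($_GET['author'])) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
}, 1);
```

Two things to know before relying on it. Transients live in the options table (or the object cache), so the counter is shared by every web server serving the site, which is what you want. And everyone behind one office or mobile-carrier address shares a bucket, so a noisy colleague can lock you out too; that is why the lockout is short. It does little against an attack spread over thousands of addresses; that is the case two-factor authentication (section 8) is for.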

Database and FTP

Attacks are not limited to the WordPress admin; attackers also go straight for the database and the files. Database and FTP credentials, and the hosting control panel (cPanel, Plesk), should be at least as strong as the admin password. Prefer SFTP over plain FTP, which sends the password across the network in clear text, and give the database user WordPress connects with rights on its own database only, not on the whole database server.

2. Don’t use WordPress’ default prefix

By default WordPress prefixes your database tables with 'wp_'. You will want to change this to something less predictable, and the easiest time to do it is at installation, where the installer asks for the prefix (it ends up as $table_prefix in wp-config.php). Be clear about what this buys you: it is obscurity, not a real barrier. A SQL injection that can read information_schema, or a verbose database error, reveals the prefix immediately, so don't skip the other measures because you did this one.


If you want to change the prefix on an existing website it is a bit trickier: besides renaming every table, you must update the rows whose names carry the prefix, namely the 'wp_user_roles' option in the options table and the 'wp_capabilities' and 'wp_user_level' keys in the usermeta table, otherwise no account has administrator rights after the change. The tutorial below walks through it; back everything up first.

https://help.one.com/hc/en-us/articles/360002107438-Change-the-table-prefix-for-WordPress-

3. Change your WordPress dashboard login URL

The login page is the same for every WordPress website: yourdomain.com/wp-login.php (yourdomain.com/wp-admin just redirects there). This gives brute force bots a really easy starting point, and changing the URL adds a layer of protection against untargeted attacks. If you're comfortable editing the site you can do this several ways; otherwise the WPS Hide Login plugin will change the administrator login URL safely. Two caveats: this is obscurity, so a bot that learns the new URL (from a link on the site, for instance) is back where it started; and the XML-RPC endpoint at yourdomain.com/xmlrpc.php accepts logins as well and is not affected by the rename, so disable it unless a client such as Jetpack or a remote publishing tool needs it.
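As an added example (my own code, not from the post or from the WPS Hide Login plugin), this must-use plugin closes the XML-RPC login door that renaming wp-login.php leaves open. The filters used (xmlrpc_enabled, xmlrpc_methods, wp_headers) are standard WordPress hooks; the file name is my choice.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example)
 * Description: Closes the second login door that hiding wp-login.php leaves open.
 *              Save as wp-content/mu-plugins/disable-xmlrpc.php.
 */

// Disables every XML-RPC method that needs a login (wp.*, metaWeblog.*, blogger.*).
// A login attempt then gets a fault 405 "XML-RPC services are disabled on this site."
// instead of a password check, so the endpoint is no longer a brute force target.
add_filter('xmlrpc_enabled', '__return_false');

// Pingbacks do not need a login, so the filter above leaves them on. They are
// abused for reflected denial of service against other sites; drop them too.
add_filter('xmlrpc_methods', function (array $methods) {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// Stop advertising the endpoint in the X-Pingback response header.
add_filter('wp_headers', function (array $headers) {
    unset($headers['X-Pingback']);
    return $headers;
});
```

To check it took effect, POST a system.listMethods call to yourdomain.com/xmlrpc.php with curl and confirm pingback.ping is gone from the answer, then try a wp.getUsersBlogs call with a wrong password and confirm you get the 405 fault rather than a login failure. If nothing legitimate uses XML-RPC at all, denying xmlrpc.php at the web server (an Apache <Files xmlrpc.php> block, or an nginx location = /xmlrpc.php { deny all; }) is stronger still, because the request never reaches PHP.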

4. Update your PHP version

PHP is the language WordPress is written in, and keeping it current is a fast and easy win (depending on your host). Each PHP release is supported for a limited time; once it reaches end of life it receives no more security fixes, so any bug found in it afterwards stays exploitable on your server. Your host should let you choose the PHP version for your site and should retire versions as they go end of life. If they cannot, it might be time to move to a more reliable host. Test the site on the new version on a staging copy first, as old themes and plugins can break on a newer PHP.

How to update your PHP version

https://wp-rocket.me/blog/why-you-need-to-upgrade-to-php-7-asap-and-how-to-do-it-right-now/

https://www.siteground.com/blog/managed-php/

5. Use HTTPS/SSL

Web browsers have been pushing website owners towards HTTPS for several years. HTTPS encrypts the traffic between the visitor's browser and your server using TLS (the successor to SSL; the name 'SSL certificate' has stuck), so the computers and networks the data passes through on the way can neither read nor alter it. In particular, usernames, passwords and the login cookies WordPress sets after a successful login are no longer visible to anyone on the path; over plain HTTP, anyone on the same Wi-Fi network can read them.

Your web hosting company should offer you a certificate for your website, either a paid one or a free one from Let's Encrypt. Paid certificates do not give stronger encryption, only different validation and support, so the free option is fine for most sites. Installing the certificate is only half the job: also set the site URL to https, force the login page and dashboard onto HTTPS, and redirect every plain-HTTP request to HTTPS at the web server, otherwise visitors (and you) keep using the unencrypted version.
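An added example (not from the post) of the wp-config.php settings that make WordPress actually use the certificate, including the proxy failure mode that bites most often. The domain example.com is a placeholder; WP_HOME, WP_SITEURL and FORCE_SSL_ADMIN are standard WordPress constants. These lines belong above the "That's all, stop editing!" comment in wp-config.php.

```php
<?php
// wp-config.php excerpt (added example). Assumption: the site is served at
// https://example.com; substitute your own domain.

// Make WordPress generate https links everywhere, so pages do not pull in
// plain-http assets (which browsers block or flag as "not secure") and do
// not redirect visitors back to http.
define('WP_HOME',    'https://example.com');
define('WP_SITEURL', 'https://example.com');

// Serve the login page and the whole dashboard over HTTPS only, so the
// password and the authentication cookies never cross the network in clear.
define('FORCE_SSL_ADMIN', true);

// Failure mode to know about: if TLS terminates at a proxy, CDN or load
// balancer that talks plain HTTP to the web server, PHP never sees
// $_SERVER['HTTPS'] and FORCE_SSL_ADMIN redirects to https in a loop.
// Honour the proxy's header, but only when the server cannot be reached
// except through that proxy: a client that can hit it directly could set
// the header itself and make WordPress believe a plain-http request was secure.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO']) {
    $_SERVER['HTTPS'] = 'on';
}

// The settings generated by the installer (database, keys, $table_prefix) follow.
```

The redirect of plain-HTTP requests to HTTPS belongs in the web server configuration rather than here, and once you are sure every page works over HTTPS you can add a Strict-Transport-Security header so browsers stop trying http at all.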

6. Keep WordPress and plugins up to date

It is important to update WordPress core, themes and plugins as soon as a new release is out. When a vulnerability is found it is usually disclosed together with the fix, and attackers then scan for sites still running the vulnerable version, often within days of the disclosure.

Be careful when updating plugins and WordPress core on a live website: an update can have a knock-on effect when a plugin and the new core version, or two plugins, are not compatible with each other. It is good practice to run the updates on a development/staging copy first and only then on the live site. Don't let that delay security fixes for long, though; a few hours on staging is fine, weeks is not.
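One way to reconcile "update immediately" with "test on staging first" is to let WordPress apply the low-risk updates on its own and hold the rest for a staging run. The must-use plugin below is an added example (my code, not from the post); the allow-list of plugin slugs is a hypothetical choice, while auto_update_plugin, allow_minor_auto_core_updates and allow_major_auto_core_updates are standard WordPress filters.

```php
<?php
/**
 * Plugin Name: Selective auto-updates (added example)
 * Description: Applies security-relevant updates unattended and leaves the
 *              risky ones for a staging test. Save in wp-content/mu-plugins/.
 */

// Hypothetical allow-list: plugins whose updates you are willing to apply on
// the live site without a staging run (small, security-critical ones).
const SAU_AUTO_UPDATE_PLUGINS = ['wordfence', 'updraftplus'];

// $item is the update record WordPress passes in; ->slug is the plugin's
// directory name. Returning true forces the update, returning $update keeps
// whatever the dashboard's per-plugin toggle says.
add_filter('auto_update_plugin', function ($update, $item) {
    if (isset($item->slug) && in_array($item->slug, SAU_AUTO_UPDATE_PLUGINS, true)) {
        return true;
    }
    return $update;
}, 10, 2);

// Minor core releases (x.y.1, x.y.2 ...) are security and maintenance fixes:
// apply them as they come. Major releases change behaviour that plugins may
// depend on: keep those for a staging test before they touch the live site.
add_filter('allow_minor_auto_core_updates', '__return_true');
add_filter('allow_major_auto_core_updates', '__return_false');
```

Everything not on the allow-list still shows up as pending in the dashboard (or in wp plugin list --update=available if you use WP-CLI), which is your to-do list for the staging environment.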

7. Minimise the use of plugins

Good WordPress websites limit the number of plugins they use and build the functionality they need directly into the theme (or a small custom plugin). That keeps the long-term upkeep manageable and reduces the chance of carrying a vulnerable plugin, and plugins, not core, are where the large majority of reported WordPress vulnerabilities are found.

Some plugins are only needed during development and should be deleted, not just deactivated, once the website has gone live: a deactivated plugin's files are still on the server, and some vulnerabilities can be reached in those files without the plugin being active.

8. Install security-specific plugins

It's a good idea to install a security plugin that will detect and block attacks on your website. Wordfence is one of the most popular. It comes with a firewall that blocks malicious requests, along with live traffic monitoring, IP blocking and two-factor authentication, and in the unfortunate event of a compromise its scanner compares your core, theme and plugin files against the originals to flag modified or added files that could be malware or a backdoor into your website. It also sends email notifications about anything it deems suspicious, including administrator logins to the dashboard. Whichever plugin you choose, turn on two-factor authentication for every administrator account: it stops the password attacks from section 1 even when the password itself has leaked.

9. Subscribe to security news updates

I'm a big fan of Murphy's law, "anything that can go wrong will go wrong", and it certainly rings true for web security: if you do not maintain your website's security, the chance of a compromise only grows. Several email subscriptions and websites do a good job of announcing newly discovered vulnerabilities so you can patch as soon as a fix is out. Check each announcement against the plugins you actually run; a vulnerability in a plugin you don't have installed needs no action.

Here are some of my favorites

https://www.wordfence.com/subscribe-to-the-wordfence-email-list/

https://portswigger.net/daily-swig/vulnerabilities

https://www.scmagazine.com/home/security-news/vulnerabilities/

10. Back up regularly

Not a security control in itself, but regular backups mean you can restore a known-good version if the unfortunate happens and the site is compromised. Being able to do that quickly limits the downtime and the damage to your brand. Keep the backups somewhere the web server cannot delete or overwrite (an attacker with access to the site can wipe backups stored on it), keep several generations so that at least one predates the compromise, and practise a restore occasionally so you know it works before you need it.

UpdraftPlus is a free plugin that backs up your website on a schedule and can send the backups to an external service such as Dropbox, Amazon S3 or Google Cloud.

About the Author

Stephen Ainsworth

Stephen is a web developer who has been building websites and applications for over a decade. He continues to build projects and solutions for clients and enjoys teaching others in his field.
