WordPress.org powers billions of pages worldwide. A study says that 33% of websites are now working on WordPress. WordPress.org is a self-hosted version of WordPress CMS. This is where the major security attacks happen. Every day millions of attacks are prevented by security plugins and server firewalls. I am here publishing a WordPress security guide for beginners.
Even statistics and experts say that WordPress is highly vulnerable to security threats and malware attacks. However, WordPress has got enough security measures to protect your site from hackers. By the way, make sure you are choosing a hosting server that offers air-tight security to your site with optimal hardware and firewall protections.
WordPress.org Vs WordPress.com
As I mentioned earlier, WordPress.org is the self-hosted version of WordPress CMS. WordPress.com is the in-house hosted solution for WordPress’s official company “Automattic.”
If you use the WordPress.com, then the Automattic takes care of the security measures for your WordPress blog or website.
In WordPress.org, as we are downloading WordPress CMS files and hosting in our rental servers, we are the responsibility to the security of our WordPress blog or website.
Why we need to go for WordPress.org instead of WordPress.com, is alone worth a separate blog post topic. But I am not going to dig into there as tons of tutorials are available on that front.
We are going to see the security measures of our WordPress self-hosted blogs. I have ten security procedures for you. I go one by one now.
- WordPress.org Vs WordPress.com
- WordPress Security Methods
- Why Should We Care About WordPress Security?
- WordPress Security Guide
- Guide #1. WordPress Updates
- Guide #2. Change WordPress Default Admin
- Guide #3. WordPress Admin Access
- Guide #4. Limit Login Attempts
- Guide #5. Change WordPress Database Prefix
- Guide #6. Disable WordPress directory folders and files indexing
- Guide #7. Disable PHP Execution In Specific Directories
- Guide #8. Disable Try Editing Theme Editor
- Guide #9. Akismet
- Guide #10. Firewall
- Guide #11. Backup Solution
- Guide #12. WordPress Managed Hosting
WordPress Security Methods
If your site is safe now and not affected by any attacks, then you can just go through each WordPress security measure one by one and do the job in order.
In case you are here because of your site already got attacks, then you use this “go-to quick navigation” for the respective security issue you are facing. Once you recovered your website entirely out of the security issue, you can come again to this in-depth WordPress security guide and implementing the security measures one by one. Bookmark it until then.
Why Should We Care About WordPress Security?
It costs enormous to recover your website after you get attacks. WordPress security freelancers and experts charge around $49 to $500 for business websites. Why do they charge hefty fees for recovering your WordPress blog?
If a business website gets malicious attacks and DDOS attacks, then the business website losses visitors until it recovers fully from the attack. Your website users will see a severe spam warning before entering your website, and they close the browser tab and run away from your website.
If a website does not recover completely from the attack then Google de-lists or de-indexes the affected pages for a few days. Loss of search engine visits! If a business website makes daily $200 profits, then see how much it will lose if Google does not send any visits for a month. This is why WordPress security experts and freelancers charge you hefty larges fine, sorry fees.
WordPress Security Guide
First, we will start with the basics. It is essential your blog or website must have implemented these security measures. Take these security issues seriously and implement them right now.
Guide #1. WordPress Updates
When I do see some of my clients come to me with the affected pages and the first thing I check on their WordPress dashboard is the WordPress version installed. It is usual to see the blogs not updated the WordPress version for so long get serious damage from security issues.
I will work on such website first to remove the attack, update the WordPress and update the plugins or themes if it is a requirement for upgrading WordPress.
Always have the habit of updating all your plugins and themes whenever you see the notice in the WordPress admin dashboard.
Guide #2. Change WordPress Default Admin
It is normal & default to have the word “admin” as the WordPress admin dashboard username. As this is universal, attackers write codes to spam the website with the “admin.”
Do not make the job of spammers and attackers so easy for them. Make it hard.
Change the username “admin” into something, maybe with your name. Do not use a plugin for such a simple change. Use a one-line code to change the username from admin to some other.
Guide #3. WordPress Admin Access
WordPress admin is the most powerful role, and there are other roles Editor, Author, Contributor, subscriber and Super admin (Super admin role is available only in the Multisite network).
Each role provides some responsibilities in the WordPress dashboard. Know the roles and responsibilities of WordPress in detail. Give only the necessary access and be safe.
For example, an author role able to publish the posts and later they can delete the posts too. If an author exits your company in-not-so reasonable terms, then he might delete all his published posts previously.
Guide #4. Limit Login Attempts
WordPress allows unlimited login attempts by default.
This flexibility makes the job of hackers who make brute force attacks. They can try to log in using unlimited variations of the password through programming spam software.
You can install the Login Lockdown plugin which provides settings for limiting the number of login attempts and limit the time before next login attempt.
This login lockdown plugin helps you keep safe from your WordPress logins.
Guide #5. Change WordPress Database Prefix
You can see your database tables through your cPanel. WP_ is the database prefix, WordPress uses by default. As this is known to hackers commonly, they can hack the database files very easily by programming a few lines code.
What you can do is, change the default database prefix to something different. You can do this manually or through plugins. I suggest you go through the manual method as using numerous plugins will only slow down your website and increases the possibility of security risk.
Guide #6. Disable WordPress directory folders and files indexing
Normally if a website or blog uses WordPress, you can just go to your browser and type http://websitenamehere.com/wp-content and see what sub-folders and files they have inside.
The closure look of folders and files gives the hackers the information about vulnerable files, and they can target them to attack.
You can disable this using .htaccess files. Most WordPress hosting companies allow .htaccess files in cPanel files. If you have one, then open the file, add the below line to disable indexing the WordPress directories and files.
| Options – Indexes
Guide #7. Disable PHP Execution In Specific Directories
If you see no need for PHP normally in specific WordPress directories, then you can disable PHP execution in these directories.
Open a text editor or Notepad and paste the below code.
Save the file with name as .htaccess
Upload the file to the folder in which you want the PHP execution disabled.
Guide #8. Disable Try Editing Theme Editor
WordPress, by default, has Code editor and most probably at least once you could have tried to edit your theme files by tweaking the codes, in that File editor.
Most of the time, the tweaks won’t give you the necessary changes you want in your themes. The reason is that the WordPress theme you use with the WordPress overrides the default file editor edits.
But the tweaks can break the site and throws some error in browsers. To avoid this, you should disable the Theme File Editor.
For this, you have to add the below one line code in your wp-config.php file. You can access this wp-config.php file either through FTP or cPanel file editor.
Guide #9. Akismet
Akismet is a spam protection plugin from Automattic. Akismet has been downloaded by millions of time so far. If your site does not use this spam protection plugin, then you would get spam emails every day, I bet.
Akismet official site says the plugin protects equal to the number of Los Angels’ population for every hour. Think then the effect of spams worldwide.
Akismet is so powerful that protects almost every WordPress website.
Akismet is a common see from your blog to any professional bloggers’ blog.
Guide #10. Firewall
Allow your website visitors to access your website first letting through the firewall and then your website. You have to use Firewall service if your hosting company does not use any Firewall by default. Firewall service blocks the attacks and sends the legit traffic alone.
Hint: User does not feel any time slow to see the websites. The firewall works so fast you couldn’t see it does work.
Sucuri’s Website Application Firewall
You can use Sucuri’s WAF (Website Application Firewall) service which is a premium paid service. Many of the world’s popular companies use enterprise-class solution of Sucuri so you can trust the Sucuri’s service.
Sucuri’s Website Security Solutions
Website security solutions – a premium service which includes malware removal, SSL support, https:// via Firewall, CDN website performance, and WAF malware protection.
Guide #11. Backup Solution
You can do a dozen of security methods to safeguard your website from hacks and malicious attacks. Still, there is no guarantee that your website won’t meet a disaster.
The only way to have some peace of mind is to have a backup always safely far from your servers. If every safety plan goes for a toss, then you can restore your backed-up data to get back the website live.
Hosting Level Backups
Ask your host what backup they take (off-server and On-server) and how frequent they do the backup. If the backup is off-site, then we can trust it. Else if the backup stored on the same server where your website resides, there is a perfect chance if your website server encounters the problem, then the backup data also meets the problem.
In such case, your hosting backup is of no use. You must have a third-party solution to take the off-server backup.
Backup Plugins: There are some backup plugins to take, manage, and restore the backup. I recommend BackupBuddy plugin to take backups. BackupBuddy helps you to take backup of whole website files, folders, and stores at your preferred location
There is another plugin called Wp-DB-Backup which helps to take the backup of only the WordPress database. This Wp-DB-Backup plugin doesn’t back up your website images and uploaded files.
There are some premium backup solutions to manage all your backup needs. VaultPress is one of them. It is a WordPress backup solution comes from the WordPress official company Automattic. VaultPress is a plugin sits on your dashboard and does the job pretty.
Guide #12. WordPress Managed Hosting
As the term “WordPress managed-hosting” gets favourite year after year, those hosting companies started taking more responsibility. One of the responsibilities they make now is to offer extreme enterprise-grade security for the servers and our websites.
Security is not a choice anymore. Security is vital and in-built.
WordPress Managed Hosting Providers’ Security Features
- Free malware removal and protection
- Free DDOS attack protection
- Free Firewall
- Free SSL
- Fast Http2:// support
- Free Off-site backups
- One Click restoration of backups.
Google suggests daily tens thousands website as suspicious for the browsing users and warns them for possible spam and malware attack.
WordPress security attacks grow every day faster too.
With the rising WordPress security and backup plugins, you can see how much priority you need to give for your WordPress security issues. I suggest you act proactively and block all the possible ways the hackers could enter your website.
To summarize all, you need to know the importance of WordPress security, how much does it cost to get back a hacked website, what are the security solutions in the coding level, need of off-server backups, and using premium WordPress managed hosting service.
Having the best WordPress managed-hosting for your website alone can make a big difference. They can give you security solutions in-built of their hosting plans, free malware removal help in case your website gets affected, backups, 1-click restoration help and staging area where you can work on your website fixes
Let me know if you use any WordPress security steps on your websites or blogs. I would add the steps here in this in-depth WordPress security guide.