When it comes to keeping your website safe, don’t leave it up to WordPress to take care of it for you. The truth is no matter how many updates and security patches WordPress makes to its core; your site can still be compromised. Just check out the latest report from Sucuri, and you’ll see what I mean.
If you want to take care of the health of your website (and your brand), do your due diligence and cover your site’s security from all angles.
20 Ways to Enhance Your WordPress Website’s Security
Just one hack or breach can result in a major loss of business and reputation for your company. If you want to stay in the clear, here is how you can increase your site’s security today:
Raise the Walls Around You
#1: Start with Yourself
Make sure your computer has security software and malware protection in place. The same goes for any members of your team or contributors to the site who have access to WordPress.
#2: Install a Firewall
If network security threats are a concern (and they should be), make sure you’ve activated your computer’s and network’s firewall as an extra safety precaution.
#3: Secure Your Host or CDN
Most reputable hosting providers and CDNs offer security packages or add-ons for their WordPress customers. Check with yours to see about getting one.
#4: Get an SSL Certificate
If you’ve ever received a message blocking access to a site because of “mixed content”, this is a sign that a website may be unsafe to visit. That’s why a Secure Sockets Layer (SSL) certificate is a must in this day and age. This will enable you to move your website to secure HTTP and ensure you’ve got a secure connection through which visitors can access your site.
Protect Your WordPress Files
#5: Use SFTP
If you use FTP to manage, transfer, or move files for your website, use SFTP to create an extra layer of encryption. Your host can set you up with this if you don’t use it already.
#6: Move wp-config
One of the easiest ways to block hackers from getting access to your site’s files is by moving the wp-config.php file out of your WordPress directory and up one level.
Monitor Your Tools
#7: Use Security Plugins
Security plugins are always a huge help in enhancing safety, monitoring your website, receiving real-time notifications, fixing issues, and rolling back to previous iterations (if needed). Check out this list of the top 10 security plugins for WordPress.
#8: Use Tools from Trustworthy Providers
If you’re using themes or plugins (including the security ones above), always be sure they come from a reputable source. Read the reviews, check the ratings, and only use the ones that are frequently updated by the developer.
#9: Update Tools ASAP
Updates—whether they be for third-party tools like plugins and themes, or to the WordPress core itself—signal a necessary change. This can often be reflective of a bug or security patch, and that’s why you should process any updates as soon as they come through (or else you could end up like this law firm).
#10: Get Support
Did you know that you can outsource the maintenance and support of your website to a specialist? Even if you just want someone to manage site backups and updates, there are service providers who offer these monthly management services for a reasonable fee.
#11: Clean out Your Tools
If you’re not using a plugin or theme, then they’re taking up unnecessary space and may pose a risk if you don’t keep tabs on them. Don’t be afraid to trash any third-party WordPress integrations you don’t use.
Fortify Your Admin
#12: Re-route wp-admin
Did you know the default admin URL for WordPress websites can be changed? Well, it can, and it should be—since everyone knows that’s where the front door is for every site.
#13: Enforce Strong Passwords
It doesn’t matter whose password it is—yours, an employee’s, a guest contributor’s, or a member of your website—you need to enforce stronger passwords across the board.
#14: Two-step Authentication
In order to keep your admin and website safe, make it extra difficult for hackers to break through without burdening your users. Two-step verifications just require your users to log in as usual, and then verify the attempt by entering a code sent to their mobile device or email.
#15: Limit Login Attempts
The same thing applies here. You’ve got to make it difficult for hackers to get into your site, so always have a limit on the number of login attempts that can be made.
#16: Ditch the Admin
Ditch the admin username that is. This is the same issue that happens with the wp-admin access URL. Hackers know that the default WordPress user is named “admin”, so get rid of that as soon as you can.
Control Access and Visibility
#17: Eliminate PHP Error Reports
Every time a PHP error report is thrown, your full server path is displayed—which is a major problem if a hacker stumbles upon it. This is why you should disable PHP error reporting.
#18: Disable Trackbacks and Pingbacks
While it might seem great to see all the trackbacks and pingbacks your site receives (those are when another site links back to your own), these can pose a serious security risk. Hackers actually use trackbacks to launch DDoS attacks, so it’s always advisable to disable these.
#19: Use a CRM
If your site were to be hacked, the last thing you’d want to do is offer your customers’ information on a silver platter. Make sure that any sensitive information you receive from customers goes directly into your customer relationship management (CRM) software and isn’t stored in WordPress.
#20: Restrict Dashboard Access
When you open your WordPress dashboard to others, that doesn’t mean they need to be able to access every part of it. Find a user management plugin to help restrict other users’ movements within the backend of your site.
A security breach for your WordPress website can spell awful news for your company:
- A drop in business and sales due to downtime.
- Bad publicity if the customer and other sensitive information are compromised.
- Loss of customer trust and website traffic if your site has known insecurities.
- Blackballed by search engines for having an unsafe site.
- And a negative reflection on your brand due to lack of proper security measures to protect users, site visitors, and your company.
Nathan Oulman owns and operates Dailyhosting.net which features web hosting reviews and technical information on web tools.
Disclosure: Some of our articles may contain affiliate links; this means each time you make a purchase, we get a small commission. However, the input we produce is reliable; we always handpick and review all information before publishing it on our website. We can ensure you will always get genuine as well as valuable knowledge and resources.