WordPress powers 26.4% of all websites on the Internet. Being so popular, it attracts a lot of attention. Not all of that attention is good. The negative attention that WordPress gets often comes from hackers who want to exploit various WordPress security vulnerabilities.
Unfortunately, there are quite a few WordPress vulnerabilities.
According to WPScan (a WordPress vulnerability database) there are 4,284 known WordPress vulnerabilities. WordPress plugins are the biggest source of vulnerabilities. 50% of exposures come from WordPress plugins. 10% are from WordPress themes and the remaining 40% are WordPress core vulnerabilities.
This is confirmed by findings from Wordfence, who go on to say that if you can protect yourself against plugin vulnerabilities and brute force attacks, you have accounted for over 70% of the problem.
Plugin vulnerabilities and brute force attacks are the two most common ways to hack a WordPress site (from: wordfence.com).
When it comes to WordPress security, most people make the same common mistakes. They still use “admin” as their username. Most of them use an easy-to-guess password or, worse, the same password they use on every other site.
And finally, a good majority of people completely ignore updates – be it for WordPress core, themes, or plugins. Needless to say, this leads to a whole slew of problems down the road and a lot of headaches for you as the website owner.
21 ways to secure your WordPress site
WordPress.org’s own security czar Nikolay Bachiyski’s tip on securing a WordPress site is to
“always complete updates as soon as you can and make sure to use strong passwords. Those two steps go a long way in keeping your site safe. If possible, I recommend enabling auto-updates. Also, when choosing plugins, check to make sure you are using a plugin that is regularly updated! You can confirm this by checking the changelog for a plugin”.
Here we will do a deep dive and examine how you can “Fort Knox-ify” your WordPress site and make sure it is safe, hardened and secure, because security is a must for every WordPress website owner.
1. Make sure your username is NOT admin
To this day, there are still plenty of people who use admin as their username. However, this is the username that hackers go with first when trying to break into your site.
In case you are still using admin as your username, it’s not too late to change it.
Simply log in to your WordPress dashboard and go to Users > Add New to create a new user. Choose a username that is not so obvious like your first name/last name combination and fill out the rest of the details.
Don’t forget to use a different email address than the one you used for your original admin account and make sure to set the role to Administrator.
After that’s done, log out of your dashboard and log in with your new user information. Go back to Users > All and delete your old admin account. Before you click on the final delete button, don’t forget to assign all your old posts to your new admin user.
Alternatively, use the plugin Admin Renamer Extended to change the username directly through your WordPress admin area.
2. Use an Editor account
The Add New User interface.
Speaking of admin accounts, many people make the mistake of using an administrator account to publish their blog posts. This is bad because the information that a hacker needs, such as your username, will be visible when you publish a post.
Now all they need to do is guess your password, and when they do, you have handed them your site on a silver platter.
An admin account is not needed to publish blog posts and that mistake can easily be fixed by creating a new user with the Editor role.
3. Choose a strong password
Every year, SplashData compiles a list of the most common passwords. And every year the same three appear as the most commonly used (and very insecure) passwords: 123456, password and 12345678.
Your password should ideally have 8 characters at the very least. You should also use both lowercase and uppercase letters mixed with numbers and special characters.
You can use a strong password generator to create one for you, and if you fear you won’t be able to remember it, opting for a password manager such as LastPass, Dashlane or KeePass is a wise decision.
4. Enable two-factor authentication
Two-factor authentication (2FA) adds an extra layer of security to your WordPress site to protect against phishing and brute force attacks. As the name suggests, 2FA requires two authentication methods to be able to log into your WordPress.
This means you’ll need a username and password PLUS a one-time passcode that is sent to your phone in order to log in to your site. Several plugins can be used here, including Authy Two Factor Authentication, Google Authenticator and Duo Two-Factor Authentication.
5. Backup and update regularly
WordPress updates bring new functionality as well as patches for important security holes, making it that much harder for hackers to exploit vulnerabilities. That’s why it’s important to keep your WordPress installation up-to-date. That includes keeping your plugins and themes up-to-date as well.
Before any major update is applied to your site, WordPress will warn you to backup your database. This not only prevents data loss in case something goes wrong during the update but it’s also a good practice to adopt in case the worst happens and your site does get hacked.
The easiest way to back up your site is with a plugin like BackupBuddy, WordPress Backup to DropBox or VaultPress. BackupBuddy and VaultPress are paid solutions which automatically back up your entire website and allow you to easily restore it.
WordPress Backup to DropBox is a free plugin which allows you to backup your site to your DropBox account. Setting it up is as easy as installing the plugin, activating it, and then linking it with DropBox. After you have successfully authorized your DropBox account, you can select how often the backup should be performed.
While using plugins is an easy solution, there are times when even plugins fail. That’s why it’s a good idea to perform your backup manually as well:
- The first thing you need to do to manually backup your site is to download all your WordPress files into a folder on your computer. If it’s the first time you’re performing a backup, download the entire WordPress folder.
- After that’s done, you have to back up your database, which contains all the information related to your site. Since phpMyAdmin is one of the most widespread applications for managing MySQL databases, let’s see how we can manually back up our database using phpMyAdmin.
- Log in to your web host’s cPanel and then click on phpMyAdmin. In some cases, you won’t need to enter the username and password but if it asks you for the login information use the information provided by your web host.
- Once you are logged in, choose the database that contains your WordPress data by selecting it in the left panel. You can recognize it by the default wp_ prefix in the name. You will see the list of the tables forming your database.
- At the top of the screen, you should see a few tabs. Click on the one labeled Export.
- You should be able to see two methods: ‘Quick’ and ‘Custom’. If your website is relatively new, select Quick. Otherwise, choose the Custom option.
- A list will then allow you to select the tables you want to export. If you’ve never done a backup of your site before, select all the tables and then select the default option: Save output to a file. Make sure to select the SQL format.
- Once your options are chosen, hit the Go button to generate a file containing your database. The time it takes to do this will vary depending on the size of your database.
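The same manual backup can be taken from the server’s shell instead of through cPanel and phpMyAdmin. The script below is an added example and is not part of the original article: it reads the database settings out of wp-config.php, dumps the database with mysqldump and archives the WordPress directory. The function names, the destination layout and the use of ~/.my.cnf for the database password are this example’s own choices, and it assumes mysqldump, tar and gzip are installed on the server.

```sh
#!/bin/sh
# Added example, not from the original article: a manual WordPress backup taken from
# the server's shell. Assumes mysqldump, tar and gzip are on PATH and that the database
# password is supplied through ~/.my.cnf (or MYSQL_PWD) so it never appears in `ps`.

# wp_config_value FILE KEY: print the value of define('KEY', 'value') from wp-config.php.
# Accepts single or double quotes and optional spaces; prints nothing if KEY is absent.
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"],[[:space:]]*['\"]\([^'\"]*\)['\"][[:space:]]*);.*/\1/p" "$1" \
    | head -n 1
}

# wp_table_prefix FILE: print the $table_prefix setting, defaulting to wp_.
wp_table_prefix() {
  p=$(sed -n "s/^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1)
  printf '%s\n' "${p:-wp_}"
}

# backup_wordpress WP_ROOT DEST_DIR: dump the database and archive the whole install,
# both timestamped and readable only by the owner. Prints the two paths created.
backup_wordpress() {
  root="$1"; dest="$2"; cfg="$root/wp-config.php"
  stamp=$(date +%Y%m%d-%H%M%S)
  db=$(wp_config_value "$cfg" DB_NAME)
  user=$(wp_config_value "$cfg" DB_USER)
  host=$(wp_config_value "$cfg" DB_HOST | cut -d: -f1)   # drop an optional :port
  if [ -z "$db" ] || [ -z "$user" ]; then
    echo "could not read DB_NAME/DB_USER from $cfg" >&2
    return 1
  fi
  mkdir -p "$dest"
  # --single-transaction takes a consistent snapshot of InnoDB tables without locking the site.
  mysqldump --single-transaction -h "${host:-localhost}" -u "$user" "$db" \
    | gzip > "$dest/db-$stamp.sql.gz"
  # The file archive covers wp-content (uploads, themes, plugins) and wp-config.php.
  tar -czf "$dest/files-$stamp.tar.gz" -C "$(dirname "$root")" "$(basename "$root")"
  chmod 600 "$dest/db-$stamp.sql.gz" "$dest/files-$stamp.tar.gz"
  printf '%s\n%s\n' "$dest/db-$stamp.sql.gz" "$dest/files-$stamp.tar.gz"
}

# Usage: sh wp-backup.sh /home/yoursite/public_html /home/yoursite/backups
if [ "$#" -eq 2 ]; then
  backup_wordpress "$1" "$2"
fi
```

Because the archive contains wp-config.php, the backups are as sensitive as the site itself: keep them outside the web root (as in the usage line) and copy them off the server, since a backup that only lives on a compromised host is not much of a backup.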
6. Limit the number of plugins and themes
Using too many plugins can slow down your site but it can also leave it vulnerable to attacks if you stop using certain plugins and ignore their updates.
It’s not enough to simply deactivate the plugin if you are no longer using it. The same goes for themes. All the inactive themes and plugins which are still on your server can easily be used to inject all sorts of malicious code.
Do yourself a favor and delete any and all plugins and themes you are currently not using.
7. Be careful of free WordPress themes and plugins
There are loads of awesome free WordPress themes and plugins out there. However, free is not always free, and when it comes to WordPress plugins and themes, sometimes free comes packed with malicious code, viruses and encrypted links.
Use a common-sense approach. WordPress.org is the safest place when you are looking for free themes and plugins. Most plugin and theme creators and major marketplaces like Themeforest and CodeCanyon are safe too, but if you are installing a premium/paid theme or plugin which someone made available for free (or nulled), then you are asking for trouble.
» Intermediate WordPress Security Tips
8. Limit Login Attempts
By default, WordPress allows users to enter passwords as many times as they want, which makes it easy for hackers to run scripts that try password after password until they find the right combination.
To prevent this, install and activate the Login LockDown plugin. After activation, go to Settings > Login LockDown to configure the plugin’s settings.
Define how many login attempts can be made. After that choose how long a user will be unable to retry if they exceed the failed attempts. You can also define the lockout period for IP range blocks as well as prevent hackers from entering different invalid usernames.
It’s a good idea to also disable the message which lets the user know whether they entered an invalid username or invalid password on failed logins. After configuring the settings, click on Update Settings to save your changes.
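A plugin only sees the attempts that reach WordPress; the web server’s access log shows the whole picture. The script below is an added example and is not part of the original article: it counts POST requests to wp-login.php per client address in an Apache “combined” format access log and reports any address over a threshold, which is what a brute force attack looks like from the server side. The log lines are constructed for the example (not real traffic), and the function names and the default threshold are the example’s own choices.

```sh
#!/bin/sh
# Added example, not from the original article: spot password guessing against
# wp-login.php from the web server's access log. Assumes the Apache/nginx "combined"
# log format, where field 1 is the client IP and fields 6 and 7 are the method and path.

# make_sample_log: emit a constructed access log (not real traffic) with one address
# hammering the login form, one legitimate login and an ordinary page view.
make_sample_log() {
  i=0
  while [ "$i" -lt 30 ]; do
    i=$((i + 1))
    printf '%s\n' "198.51.100.23 - - [10/Oct/2023:13:55:$(printf '%02d' "$i") +0000] \"POST /wp-login.php HTTP/1.1\" 200 4521 \"-\" \"python-requests/2.31\""
  done
  printf '%s\n' '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3011 "-" "Mozilla/5.0"'
  printf '%s\n' '203.0.113.7 - - [10/Oct/2023:13:56:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'
  printf '%s\n' '203.0.113.7 - - [10/Oct/2023:13:56:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"'
  printf '%s\n' '192.0.2.44 - - [10/Oct/2023:13:57:30 +0000] "GET /2023/10/hello-world/ HTTP/1.1" 200 15230 "-" "Mozilla/5.0"'
}

# login_post_counts [THRESHOLD]: read a log on stdin and print "COUNT IP" for every
# address that POSTed to wp-login.php at least THRESHOLD times (default 20), busiest first.
# A real user submits the form once or twice; dozens of POSTs from one address is a script.
login_post_counts() {
  threshold="${1:-20}"
  awk -v t="$threshold" '
    $6 == "\"POST" && $7 == "/wp-login.php" { n[$1]++ }
    END { for (ip in n) if (n[ip] >= t) printf "%d %s\n", n[ip], ip }
  ' | sort -rn
}

# Usage against a real log:  login_post_counts 20 < /var/log/apache2/access.log
# Demo on the constructed log; prints "30 198.51.100.23":
make_sample_log | login_post_counts 10
```

Run it from cron against the live log and feed the reported addresses to your firewall or to the plugin’s IP block list; the legitimate user at 203.0.113.7 stays below any sensible threshold because a person submits the form a handful of times at most.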
9. Change your wp_ database prefix
WordPress applies a table prefix to all database tables which is wp_. Changing the table prefix can help prevent SQL injection vulnerabilities as hackers will need to guess the prefix which makes their job harder.
You will find the table prefix in your wp-config.php file:
Make sure to change the new prefix in the above example to the prefix you have defined in wp-config.php.
You need to run the above query for each database table including all core tables and any additional tables added by plugins.
Next, you need to update the references to the table prefix in the usermeta and options tables, again by using an SQL query.
To update the usermeta table, enter the following SQL query through the phpMyAdmin SQL tab:
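The SQL for the prefix change, generated for any prefix and table list rather than typed out table by table, as an added example that is not part of the original article: it renames every table and then rewrites the prefixed keys that WordPress stores as data in the options table (wp_user_roles) and the usermeta table (wp_capabilities, wp_user_level). The function name and the sample prefix k9x_ are the example’s own; on a real site the table list comes from SHOW TABLES, and wp-config.php’s $table_prefix has to be changed to match.

```sh
#!/bin/sh
# Added example, not from the original article: generate the SQL for changing the
# WordPress table prefix. Review the output, back up first, then run it through the
# mysql client or the phpMyAdmin SQL tab; afterwards update $table_prefix in wp-config.php.

# gen_prefix_sql OLD NEW TABLE...: print one RENAME TABLE per table plus the UPDATEs
# for option_name/meta_key values that embed the prefix. Fails if any table does not
# start with OLD, so a mistyped prefix is caught before anything is run.
gen_prefix_sql() {
  old="$1"; new="$2"; shift 2
  for t in "$@"; do
    case "$t" in
      "$old"*) ;;
      *) echo "table $t does not start with prefix $old" >&2; return 1 ;;
    esac
    base=${t#"$old"}
    printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$t" "$new" "$base"
  done
  # Replace only the leading prefix, so keys that merely contain it elsewhere are untouched.
  off=$((${#old} + 1))
  esc=$(printf '%s' "$old" | sed 's/_/\\_/g')   # '_' is a LIKE wildcard; escape it
  printf "UPDATE \`%soptions\` SET option_name = CONCAT('%s', SUBSTRING(option_name, %s)) WHERE option_name LIKE '%s%%';\n" \
    "$new" "$new" "$off" "$esc"
  printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %s)) WHERE meta_key LIKE '%s%%';\n" \
    "$new" "$new" "$off" "$esc"
}

# Usage with a live database (k9x_ is a constructed example prefix):
#   gen_prefix_sql wp_ k9x_ $(mysql -N -e "SHOW TABLES LIKE 'wp\_%'" wordpress) > change-prefix.sql
# Demo on a fixed table list:
gen_prefix_sql wp_ k9x_ wp_options wp_usermeta wp_users wp_posts wp_postmeta
```

Running the RENAMEs before the UPDATEs matters: the UPDATE statements address the tables by their new names. Plugins that cache the prefix in their own option values are not covered by these two statements, which is one more reason to take the backup first and test the site straight after.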
The WordPress admin dashboard default login URL is /wp-login.php (or you can just type in /wp-admin/ and it will redirect you).
Changing the URLs for the WordPress dashboard areas adds an extra layer of security. You can do this with the iThemes Security plugin.
11. Protect Your .htaccess file
The .htaccess file is used to redirect URLs, configure pretty permalinks, and it can also be used to harden WordPress security.
The code snippets below will strengthen the security of your WordPress website. Note that the code has to be placed outside of the # BEGIN WordPress and # END WordPress tags, as anything between those tags can be updated by WordPress, thus overriding your changes.
First, let’s make sure we protect the most important file: wp-config.php.
The wp-config.php file is an important file as it contains your database connection settings, table prefix, security keys, and other sensitive information.
Add this to your .htaccess file:
Again, replace the IP address with your own.
You can learn more here or in case you don’t want to do this manually, then using a security plugin such as iThemes Security is your best option as it allows you to perform all these modifications with a click of a button.
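The hardening block itself, and a safe way to put it in place, as an added example that is not part of the original article: the function prepends the rules to .htaccess so they sit above the # BEGIN WordPress / # END WordPress markers, and it refuses to add them twice. It denies web access to wp-config.php, to .htaccess itself and to stray backup and dump files, and restricts wp-login.php to one allow-listed address. Apache 2.4 “Require” syntax is assumed (Apache 2.2 uses Order/Deny instead); the marker comment, the function name and the 203.0.113.7 address are the example’s own.

```sh
#!/bin/sh
# Added example, not from the original article: prepend a hardening block to .htaccess
# so it sits outside the "# BEGIN WordPress ... # END WordPress" markers that WordPress
# rewrites. Apache 2.4 "Require" syntax is assumed.

# harden_htaccess FILE ALLOWED_IP: add the block once; re-running is a no-op.
# ALLOWED_IP may be a single address or a CIDR range such as 203.0.113.0/24.
harden_htaccess() {
  file="$1"; allowed_ip="$2"
  if [ -f "$file" ] && grep -qF '# BEGIN hardening' "$file"; then
    return 0
  fi
  tmp="$file.tmp.$$"
  {
    # Quoted heredoc: nothing inside is expanded; the IP is substituted afterwards.
    sed "s|__ALLOWED_IP__|$allowed_ip|" <<'EOF'
# BEGIN hardening
# Deny web access to wp-config.php (database credentials and security keys).
<Files wp-config.php>
    Require all denied
</Files>
# Deny web access to .htaccess itself and to stray backups, dumps and logs.
<FilesMatch "(^\.htaccess|\.(bak|old|sql|log))$">
    Require all denied
</FilesMatch>
# Only the allow-listed address may reach the login form; replace with your own IP.
<Files wp-login.php>
    Require ip __ALLOWED_IP__
</Files>
# END hardening
EOF
    if [ -f "$file" ]; then cat "$file"; fi
  } > "$tmp"
  mv "$tmp" "$file"
}

# Usage: harden_htaccess /home/yoursite/public_html/.htaccess 203.0.113.7
if [ "$#" -eq 2 ]; then
  harden_htaccess "$1" "$2"
fi
```

Keep the .htaccess file you replaced: if your own address changes, the wp-login.php rule locks you out as well, and restoring the old file over FTP or the cPanel file manager is the way back in.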
12. Use Correct File Permissions
Incorrect file permissions such as 777 could allow a hacker to upload a file or modify an existing file. To change your file permissions, you will have to log in to your cPanel, navigate to File Manager and make the necessary changes.
According to WordPress, these are the correct permissions to use on a WordPress website:
- All directories should be 755 or 750
- All files should be 644 or 640
- wp-config.php should be 600
For a thorough guide on setting the correct file permissions, take a look at the Changing File Permissions guide on WordPress.org.
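The same permissions applied from the shell, plus an audit that lists anything still world-writable, as an added example that is not part of the original article. It uses only POSIX find and chmod; the function names are the example’s own, and it assumes you run it as the user that owns the WordPress files.

```sh
#!/bin/sh
# Added example, not from the original article: apply the permissions listed above
# (755 directories, 644 files, 600 wp-config.php) and audit for world-writable entries.
# Run as the user that owns the files.

# fix_wp_permissions WP_ROOT: set directory, file and wp-config.php modes.
fix_wp_permissions() {
  root="$1"
  if [ ! -d "$root" ]; then
    echo "not a directory: $root" >&2
    return 1
  fi
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
  fi
}

# audit_world_writable WP_ROOT: list files and directories any user on the host could
# modify (mode bit o+w). Prints nothing when the tree is clean, which is the state you
# want after a fix; symlinks are skipped because their mode bits are meaningless.
audit_world_writable() {
  find "$1" -perm -002 ! -type l
}

# Usage: sh wp-perms.sh /home/yoursite/public_html
if [ "$#" -eq 1 ]; then
  fix_wp_permissions "$1"
  audit_world_writable "$1"
fi
```

Two caveats before running this on a live site: wp-config.php at 600 is only readable by its owner, so the PHP process (PHP-FPM pool or suEXEC user) must run as that owner, otherwise use 640 with the web server’s group; and wp-content/uploads must remain writable by the user PHP runs as, or media uploads and plugin updates will fail.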
» Advanced WordPress Security Tips
13. Move Your wp-config.php file
As mentioned before, your wp-config.php file is a very important file as it contains your database connection settings, table prefix, security keys, and other sensitive information.
Move the wp-config.php file into the folder above your WordPress installation. For example, if WordPress is installed in /home/yoursite/public_html/, you would move wp-config.php into /home/yoursite/. WordPress looks one directory above its own for wp-config.php when the file is not in the installation directory, and because that parent folder is outside the web root, the web server can no longer serve the file directly.
14. Tweak Your wp-config.php file
Your wp-config.php file contains all of the confidential details for your WordPress site. Luckily, there are a few tweaks you can make to it that make your website more secure.
WordPress Security Keys handle the encryption of information stored in the user’s cookies. Those keys need to be generated randomly for each WordPress install. If you are unsure how to change them, you can randomly generate them with the help of the WordPress Salts Key Generator.
Alternatively, you can generate new security keys using a security plugin:
If a plugin or theme causes an error, the error message may display your server path, which can be abused by hackers. Therefore, it’s better to disable error reporting altogether by adding the following code to your wp-config.php file:
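Both tweaks generated in one go, as an added example that is not part of the original article: the script prints a wp-config.php fragment with the eight security keys and salts WordPress expects, drawn from /dev/urandom, followed by the lines that stop PHP from displaying errors (and the server paths inside them) to visitors. The function names and the 64-character key length are the example’s own choices; paste the output over the corresponding lines in wp-config.php.

```sh
#!/bin/sh
# Added example, not from the original article: print a wp-config.php fragment with
# eight freshly generated security keys and salts plus the settings that keep PHP
# errors (and the server paths they contain) off the screen.

# random_key LEN: LEN characters from a set that is safe inside a single-quoted PHP
# string (no quote, backslash or dollar sign), read from /dev/urandom.
random_key() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*()_+=<>?,.:;|~-' < /dev/urandom | head -c "$1"
}

# gen_wp_security_keys: one define() per key name WordPress expects, 64 characters each.
gen_wp_security_keys() {
  for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
              AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    printf "define('%s', '%s');\n" "$name" "$(random_key 64)"
  done
}

# wp_config_hardening: the keys followed by the error-display settings.
wp_config_hardening() {
  gen_wp_security_keys
  cat <<'EOF'
/* Do not reveal PHP errors (which include server paths) to visitors. */
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
@ini_set('display_errors', 0);
EOF
}

# Usage: sh wp-config-hardening.sh >> /tmp/fragment.php, then merge into wp-config.php
wp_config_hardening
```

Changing the keys invalidates every existing login cookie, so all users (including you) are logged out once; that is also why rotating them is the first thing to do after a suspected compromise. Turning off error display does not turn off logging: keep errors going to the server’s error log, where you can read them and visitors cannot.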
15. Disable WordPress login hints
When logging into WordPress and typing in an incorrect or non-existent password or username, a detailed error message is shown saying either the username is wrong, or the password doesn’t match with that username.
This can be used to guess a username or password. To override the default WordPress login errors and disable login hints, add this code to functions.php, after which a custom error message will be shown instead.
Alternatively, you can use a plugin such as Security Headers if you don’t want to implement them manually.
18. Add Google Search Console (GSC)
There are lots of benefits to adding your WordPress site to Google Search Console (formerly Google Webmaster Tools). Not only is GSC useful for SEO and for how Google understands your site, but another important feature is the “security issues” dashboard.
If Google detects issues with your site, or finds that it has been compromised, you will get an alert via email.
19. Consider using SSL
SSL (Secure Sockets Layer) is a technology that allows you to encrypt the connection between your web server and your visitors’ browsers. This is especially useful if your WordPress website is e-commerce oriented and it can also play a role in the search engine rankings.
To enable SSL for your site, you need to get the SSL certificate itself, which may be provided by your hosting provider, or you could get it for free from sites like Let’s Encrypt or WoSign.
Finally, you need to integrate it with your WordPress site with a plugin like Verve SSL or WP Force SSL.
20. Use a managed WordPress host
If you can afford it, go with a managed WordPress host. In a 2014 study, WP White Security reported that 41% of WordPress sites were hacked due to a security vulnerability on the web host itself, so don’t simply go for the cheapest available.
There are several companies offering managed WordPress hosting and whilst you pay a premium for managed WP hosting compared to more traditional shared or unmanaged hosting, it’s worth it.
A managed WP host’s bread and butter is WordPress: they only do WordPress, and they look after all the WordPress technical aspects such as security, speed, WordPress updates, daily backups, website uptime, scalability and more.
However, some shared hosting companies like SiteGround are catching up, and now include security features such as SSL and HTTP/2, custom WAF rules, automatic updates of WordPress and its plugins, and daily backups of your hosting account.
21. Consider using third-parties
If you can afford it, you should consider using a third-party WordPress security protection service.
Companies like Sucuri and WPWSS offer both subscription based and one-off services like malware and blacklist scanning, DDoS protection, malware cleanup, firewall protection and those extra layers to keep your WordPress site safe and secure.
WordPress security resources:
WordPress security is no laughing matter. While it’s true that WordPress can be an easy target for hackers, if you take the proper precautions you can avoid being a victim of an attack.
What are your favorite WordPress security measures? What do you suggest doing to secure WordPress? Let us know in the comments below!