Having your WordPress site hacked is not fun. That’s why we at Charleson take security matters very seriously.
When running a website, some security risks are beyond your control. That’s why, as the website owner, you should pay attention to the risks you can control to keep your website safe.
With this in mind, here are 10 things you can do to improve your WordPress security:
1. Use secure hosting
Not all web hosting providers are created equal. In fact, hosting vulnerabilities account for a large share of hacked WordPress sites.
When choosing a web hosting service provider, don’t just choose the cheapest one you can find.
Do your research and make sure you use a mature company with a good track record for implementing strong security measures.
It’s always worth paying a little more, because you know your website is secure, so you can rest easy.
2. Update everything
Each new version of WordPress contains patches and fixes that address actual or potential vulnerabilities. If you don’t update your website to the latest version of WordPress, you may be left vulnerable.
Many hackers will deliberately target older versions of WordPress with known security issues, so please pay attention to the notification area of your control panel and don’t ignore those “update now” messages.
This also applies to themes and plugins. Make sure to update to the latest version when it is released. If you keep everything up to date, the chances of your site being hacked will be greatly reduced.
3. Strengthen passwords
About 8% of hacked WordPress sites are due to weak passwords.
If your WordPress administrator password is similar to `letmein`, `abc123`, or `password` (more common than you think!), you should change it as soon as possible.
For passwords that are easy to remember but difficult to crack, I recommend creating a good password recipe.
If you feel lazy, you can also use a password manager like LastPass to remember all your passwords. If you use this method, make sure that your master password is good and strong.
4. Never use “admin” as your username
If you use “admin” as your username and your password is not strong enough (see #3), then your site is vulnerable to malicious attacks. It is strongly recommended that you change your username to a less obvious one.
Before version 3.0, the WordPress installation automatically created a user named “admin”. This was changed in version 3.0, so you can now choose your username. Many people still use “admin” because it has become the standard and is easy to remember. Some web hosts also use one-click installation scripts that still set the username to “admin” by default.
The solution to this problem is simply to create a new administrator account with a different username for yourself, log in as the new user, and then delete the original “admin” account.
If the “admin” account has published posts, you can assign all of its existing posts to your new user account when you delete it.
5. Hide your username in the author’s archive URL
Another way an attacker can access your username is through the author’s archive page on your website.
By default, WordPress displays your username in the URL of the author’s archive page. For example, if your username is joeblogs, your author archive page will be similar to http://yoursite.com/author/joeblogs
This is not ideal, for the same reason as the “admin” username above. Fortunately it is easy to change: editing the user_nicename entry in the database hides your username from the URL, as described here.
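The two steps above (replace the “admin” account, then keep the login name out of author URLs) can also be done in one go with WordPress’s own PHP functions instead of the dashboard and a manual database edit. The following is an added example, not code from the original post; it assumes a single-site install whose old account is literally “admin”, and the new username, e-mail and nicename are placeholders you must change. Run it once from the site root (for example `php rename-admin.php`) and delete the file afterwards.

```php
<?php
/**
 * Added example (not from the original article): replace the "admin" account
 * with a new administrator, reassign its posts, and set a user_nicename so the
 * login name does not appear in /author/... URLs.
 * Assumptions: single-site WordPress, the file sits next to wp-load.php,
 * and the three placeholder values below are changed before running.
 */
require_once __DIR__ . '/wp-load.php';                 // bootstrap WordPress
require_once ABSPATH . 'wp-admin/includes/user.php';   // wp_delete_user() lives here

$old_login = 'admin';
$new_login = 'changeme-owner';     // placeholder: pick a non-obvious username
$new_email = 'owner@example.com';  // placeholder
$nicename  = 'editor';             // shown in /author/<nicename>/ instead of the login

$old_id = username_exists($old_login);
if (!$old_id) {
    exit("No user named {$old_login}; nothing to do.\n");
}
if (username_exists($new_login)) {
    exit("{$new_login} already exists; choose another name.\n");
}

// Step 4: create the replacement administrator with a random strong password.
$password = wp_generate_password(24, true);
$new_id = wp_insert_user([
    'user_login'    => $new_login,
    'user_pass'     => $password,
    'user_email'    => $new_email,
    'user_nicename' => $nicename,  // step 5: keeps the login out of author URLs
    'display_name'  => 'Site Owner',
    'role'          => 'administrator',
]);
if (is_wp_error($new_id)) {
    exit('Could not create user: ' . $new_id->get_error_message() . "\n");
}

// Step 4, continued: hand the old account's posts to the new user, then remove it.
wp_delete_user($old_id, $new_id);

echo "Created {$new_login} (ID {$new_id}); posts reassigned and '{$old_login}' deleted.\n";
echo "Temporary password: {$password} <- log in and change it now.\n";
echo 'Author archive is now: ' . get_author_posts_url($new_id) . "\n";
```

Because the new user has a `user_nicename` that differs from its `user_login`, the archive URL printed at the end no longer reveals the name you type at the login screen. Check the output URL before deleting the script, and store the temporary password in your password manager rather than leaving it in a terminal history.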
6. Limit login attempts
When a hacker or bot is trying to brute-force your password, it helps to limit the number of failed login attempts allowed from a single IP address.
The Limit Login Attempts plugin does this, letting you specify the number of allowed retries and how long an IP will be blocked after too many failed login attempts.
There are ways around this, because some attackers use a large number of different IP addresses, but it is still worth doing as an extra precaution.
7. Disable file editing through the dashboard
In the default WordPress installation, you can navigate to Appearance > Editor and edit any theme file directly from the dashboard. The problem is that if a hacker manages to access your admin panel, they can also edit your files this way and run any code they want.
Therefore, it is a good idea to disable this file editing method by adding the following line to the wp-config.php file:
define('DISALLOW_FILE_EDIT', true);
8. Try to avoid free themes
As a general rule of thumb, it is best to avoid free themes if possible, especially if they are not created by reputable developers.
The main reason for this is that free themes often contain base64-encoded code, which can be used to secretly insert spam links or other malicious code that may cause various problems on your website. In the experiment linked here, 8 of the 10 sites reviewed offered free themes containing base64 code.
If you need to use free themes, you should only use themes developed by trusted theme companies or themes available from the official WordPress.org theme library.
Note: The same logic applies to plugins. Only use plugins listed on WordPress.org or plugins created by well-known developers.
9. Keep a backup
We cannot emphasize the importance of regularly backing up your website enough. This is something that many people postpone until it is too late.
Even with the best security measures in place, you never know when an unexpected event may occur that leaves your site vulnerable to attack.
If this happens, you want to make sure that all your content is backed up safely so that you can easily restore your website to its former glory.
The WordPress Codex tells you exactly how to back up your site. If this seems like too much work, you can use a plugin like WordPress Backup to Dropbox to schedule regular automatic backups.
10. Use WordPress security plugins
In addition to all the above measures, there are a large number of plugins you can use to improve site security and reduce the chance of being hacked.
Don’t panic!
All this sounds scary, especially if you are a beginner. I want to point out that this is not meant to scare anyone; it is important to discuss security issues regularly because we want to make sure you stay one step ahead of hackers!
You don’t have to do everything on this list (although it certainly won’t hurt). Even if you just delete the “admin” username and start using a stronger password, your site will be more secure.
Did you find this article helpful? Then why don’t you subscribe to our Charleson biweekly newsletter for more digital marketing insights? You definitely won’t regret it.
We are the best digital marketing agency in Kenya that offers you services including SEO, web development, e-commerce development, social media management, etc. in Kenya. Talk to us today, we’re ready to help you scale your business.
Until next time, cheers!