4 WordPress Security Best Practices That Are Absolutely Essential in 2019
WordPress powers the internet.
Every year, it’s used to create hundreds of thousands of websites. Many of these websites are used to collect or store secured personal information, such as the payment information of clients visiting an e-commerce store.
Because WordPress(.org) is a household name, many users believe that it is inherently invulnerable to being hacked. The truth is usually quite the opposite.
The truth is, WordPress – like any software – is full of vulnerabilities. However, when a WordPress site is attacked, the blame usually does not lie with WordPress… but rather, with the user. Users often fail to follow basic security recommendations to keep their site protected.
As we get into 2019, it’s fair to expect that there will be more unique attacks on WordPress sites. The question that you need to ask yourself is, what steps are you willing to take to prevent your site from getting hacked?
The following four WordPress security tips will help you protect your WordPress site this year.
1. Protect the Login Page
Your login page is your first line of defense against cyber attack. As such, you should defend it as best as you can. Here are five things you can do today to protect your login page:
1. Everyone knows how to access the WordPress login URL page. It is simply /WP – login.php or/WP – admin. Add this to the end of your domain name and you are off to the races. The first step then in protecting your WordPress site is customizing the login page URL.
2. One thing we recommend you do is use a website lockdown feature that will lock the site down when there are a number of failed login attempts. This can protect you from brute force attacks. Whenever someone repeatedly hacks your site with the wrong password, the site gets locked down and you get a notification telling you that someone is attempting to access your site without authorization. There are a number of plugins that are available for this purpose.
3. Two-factor authentication for the login page is an additional security measure. This means that a user will need to provide two login details with different components. You as the owner of the website, you are able to decide what those details and components are. It could be a regular password with a secret code, it could be a set of characters, or you can use an app to send a secret code to your phone. The latter option guarantees that only a person who has your phone, which hopefully is you, has access to your site.
4. Regularly update your passwords. Change them on a regular basis. Use a mixture of uppercase and lowercase characters with numbers and special characters. You might opt for a long password that you can easily remember. A long password is going to be almost impossible for a hack to figure out.
5. Users should automatically be logged out of your site. An idle user that walks away from their screen leaves your site vulnerable. Anyone who passes by can change the information on your website or even break your site completely. Protect yourself by idling users after a limited time of inactivity.
2. Use Ultra-Secure WordPress Hosting
Securing your WordPress site means more than simply just locking the site down. You need to protect your site on a web server level. This is something that your web host should be responsible for. It is imperative that you take the time to do your research and find a host that you can trust. If you are using a personal VPS, then you should have the tech savvy to know how to protect your site.
You want your server to have server level firewalls as well as systems to detect intrusion before you install WordPress on it. This will keep your site protected, even during the WordPress installation process and while you are constructing the site.
If you’re using managed cloud hosting (which we strongly recommend), then your hosting provider should be able to guarantee that the software they have installed on their machine to protect your WordPress site will be compatible with the latest updates for WordPress. You want the server you use to be configured and to be using secure networking.
Most secure, managed cloud hosts will keep audit logs as a defense against social engineering attacks, or come bundled with plugins that handle audits and log tracking. Also note: file transfer encryption protocols should be in place so that prying eyes and malicious individuals do not have access to your information.
3. Keep your WordPress Site Up-To-Date
If you want your WordPress site to be secure, you need to do the proper maintenance, which includes keeping everything on your site up-to-date — starting with WordPress itself.
In the same way that you need to change your oil and mow your lawn, you have to do maintenance on your WordPress site. Your WordPress core, your plug-ins, and your themes need to be updated frequently.
A recent report by WP White Security found that “over 47% of WordPress vulnerabilities are based on either plugins or themes that haven’t been updated or patched. Vulnerabilities are dumped on the open web and people looking to exploit these loopholes know exactly where to start”.
According to Malcare, that number could be much higher – nearly 80%. There’s a reason why WordPress is updated so frequently. Newer versions have security patches and bug fixes. WordPress has identified vulnerabilities. With each update, they take steps to protect from those vulnerabilities. If you don’t update, you are leaving yourself wide open for an attack.
So, regardless of whether or not you like new WordPress features (looking at you, Gutenberg editor), updating is not an option – it’s mandatory.
4. Don’t Keep Multiple WordPress Sites On the Same Host Server
Imagine you have five websites on the same web hosting server. Two of the websites may be very popular, so they get updated regularly. You might completely forget to update the other ones.
A hacker could find the vulnerabilities in the sites that are not updated regularly and gain access to your backend web host’s server. Then they will upload scripts that can take complete control of your server and hack the file data that is on your server.
When a hacker is able to exploit a vulnerability on one WordPress site, they may be able to access the other websites on the same server. So while it might be a little bit more expensive to purchase separate hosting for every website, in the long run, it could save you time and money, especially if a hacker is able to keep your website down.
Before you fret about using shared hosting, it’s worth noting that the best web hosts have very small server clusters. This means that few sites are hosted on the same server, so if one of them gets hacked, the attack is limited to a handful of websites… reducing the probability that your own site(s) will be collateral damage.
Wrapping it Up
Here are some other tips you can make use of during 2019 to keep your WordPress site secure:
- Use reliable WordPress themes. Do your due diligence before selecting a free WordPress theme.
- Do not use admin as a username. Sadly, many WordPress users have admin as their username, so it is easy for nefarious individuals to crack the login on their WordPress website.
- Disable file editing through the WordPress dashboard.
What steps are you planning to take to keep your WordPress site secure during 2019? We would love to hear from you. Let us know your suggestions in the comments section below.