We all know that WordPress is the most popular Content Management System (CMS) out there, used by nearly 75 million websites.
According to WordPress, over 409 million people view more than 23.7 billion pages each month, and users produce about 83.1 million new posts and 44.5 million new comments each month (WordPress Activity).
However, statistics for the 40,000+ WordPress websites in the Alexa Top 1 Million show that more than 70% of those installations are vulnerable to hacking attacks.
With that said, here are some security tips that can help you protect your WordPress website.
- Limit Login Attempts
Brute force is one of the most common attacks used against WordPress sites. If you let them, attackers will keep trying to log in to your WordPress website until they guess your password. Fortunately, security plugins such as Login LockDown let you limit the number of login attempts allowed from a specific IP address.
- Avoid Using Many Plugins
You do not need several plugins that perform the same function on your website. For each task, use only the most recently updated and most downloaded plugin.
- Back Up Your Website Often
Seriously, no matter how secure your WordPress website is, you should always back it up. Many WordPress plugins, such as VaultPress and BackWPup, can help you keep a regular backup.
- Consider Automatic Core Updates
If you’re running an old WordPress version, all of the security issues in that version are public knowledge, which means attackers can easily use them against your outdated WordPress website. You can add a few lines to your wp-config.php file to configure your WordPress website to install major core updates automatically.
- Delete any plugins or themes you’re not using
Deactivating WordPress plugins isn’t enough; you must click DELETE. A deactivated plugin’s files are still on the server, so removing plugins you don’t need reduces the probability of being hacked.
- Don’t use “Admin” as your username
“admin” is the most common username on WordPress, and most attackers try to get your password by running a brute force attack against the “admin” account. Luckily, you can easily change the “admin” username in your database after installing WordPress.
- Eliminate PHP Error Reporting or Turn Off DEBUG Mode
If a plugin doesn’t work correctly, it may display an error message publicly. Error messages are certainly helpful to the site owner when troubleshooting, but the problem is that they sometimes contain sensitive information such as the full server path. Add the code below to your wp-config.php file to eliminate PHP error reporting.
- Enable Two-Factor Authentication Login
One of the best ways to protect your WordPress website from brute force attacks is to enable two-factor authentication (2FA). With 2FA, after you successfully enter your username and password, you must also enter a randomly generated code sent to your mobile phone or email address. You may use the Google Authenticator plugin.
- Ensure Scripts, Plugins, and Themes are Up-to-Date
Keeping everything updated is another way to protect your WordPress website from potential attacks. You can add a few lines to your wp-config.php file to configure your WordPress website to auto-update plugins and themes.
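The following wp-config.php excerpt is an added example, not code from the original article, and shows the settings behind the three tips above: turning error display off even when debugging is on, sending errors to a log outside the web root (the log path is an assumed example), and enabling automatic major core updates.

```php
<?php
/* wp-config.php excerpt (added example, not the article's own code).
 * Put these lines above the "That's all, stop editing!" comment so they are
 * defined before wp-settings.php is loaded. */

/* --- PHP error reporting / DEBUG mode -----------------------------------
 * Keep WP_DEBUG off on a live site. If you ever switch it on to troubleshoot,
 * the next two lines make sure errors never reach a visitor's browser, where
 * they could leak details such as the full server path. */
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', '0' );

/* Since WordPress 5.1 WP_DEBUG_LOG accepts a file path, so the log can live
 * outside the web root instead of the web-accessible wp-content/debug.log.
 * The path below is an assumed example; use one your web server can write to. */
define( 'WP_DEBUG_LOG', '/var/log/wordpress/debug.log' );

/* --- Automatic core updates ----------------------------------------------
 * true    = minor and major core releases install automatically
 * 'minor' = minor/security releases only (WordPress default)
 * false   = no automatic core updates at all */
define( 'WP_AUTO_UPDATE_CORE', true );
```

Plugin and theme auto-updates are enabled with `add_filter( 'auto_update_plugin', '__return_true' );` and `add_filter( 'auto_update_theme', '__return_true' );`, which must go in a plugin or a file under wp-content/mu-plugins/ rather than wp-config.php, because `add_filter()` is not yet defined when wp-config.php is read.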
- Install Security Plugins
You should also install security plugins to protect your WordPress website from different kinds of security threats. The most widely used are Wordfence Security, iThemes Security, and All In One WP Security & Firewall.
- Protect Your Sensitive Files and Directories Using .htaccess
Implementing this tip can have a huge impact on your overall website security. You may insert the code below in your .htaccess file to prevent public users from browsing your website’s directory listings.
- Secure The wp-config.php File
The wp-config.php file contains the confidential information of your WordPress website. It is one of the most important files on your site, so make sure it is secured. To protect this file, add the following code to your .htaccess file.
- Use HTTPS