Some common questions these days are “how to keep your WordPress website secure” or “how to avoid your WordPress website being hacked”. These are good questions, because all websites are under constant attack from bots and hackers, and WordPress security is an important topic. These bots search for all kinds of vulnerabilities and try to take over your website. But there is no reason to panic. You can keep the situation under control if you do at least some of the things below:
- Always use strong passwords;
- Don’t use “admin” as your username;
- Keep your WordPress core, theme and plugins up to date;
- Limit the login attempts;
- Use 2FA (2 factor authentication);
- Use SSL encryption on your website (HTTPS);
- Choose a good hosting company for your site;
- Use a safe computer to access your dashboard;
- Change the login error messages;
- Disable the theme editor.
Let’s take them one by one and add more details.
- Always use strong passwords.
I think this is the most straightforward thing to do when you install WordPress. I know there are a lot of passwords we need to remember, but using an easy-to-guess one might make your website very vulnerable. Besides, there are applications, like KeePass for example, where you can generate and store very strong passwords.
- Don’t use “admin” as your username.
Why? Because the bots I was talking about before try to log in to your admin area using all kinds of username and password combinations. And guess which usernames are tried most often? “admin” is one of them. Here is a screenshot taken from the firewall of one of our websites. “test” is another bad example.
- Keep your WordPress core, theme and plugins up to date.
You will say: of course I will keep my website updated. But you will never guess how many times we told our clients to do this and they didn’t. We are still trying to understand why people don’t keep their websites up to date. Maybe time is limited, but how much time will you lose if your website gets hacked? Or maybe they are afraid to do it. What do you think?
- Limit the login attempts.
By default, WordPress will let you try a username and password as many times as you like. Hackers write scripts that try many combinations of username and password in an attempt to take over your website (a practice called a “brute force attack”). After limiting the login attempts, anyone who reaches the maximum number of attempts will have their IP blocked for a period of time. There are several options you can use, and Wordfence is one of them.
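As an added example (not code from the original post), this is how the login-attempt limit can be implemented with WordPress core hooks and transients, without a plugin. The function name ex_login_limit_key, the limit of 5 attempts and the 15-minute lockout are assumptions; a plugin such as Wordfence handles this more thoroughly.

```php
<?php
// Added example: per-IP login lockout using only WordPress core hooks.
// Assumed policy: 5 failed attempts, then a 15-minute lockout.

function ex_login_limit_key() {
    // Keyed on the client IP. Behind a reverse proxy REMOTE_ADDR may be the
    // proxy's address, so all visitors would share one counter.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'ex_login_fail_' . md5( $ip );
}

// Count every failed login for this IP; the counter expires after 15 minutes.
// Note that WordPress also fires this action for the lockout error returned
// below, so continued attempts during a lockout keep the window open.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = ex_login_limit_key();
    $fails = (int) get_transient( $key );
    set_transient( $key, $fails + 1, 15 * MINUTE_IN_SECONDS );
} );

// Refuse further attempts once the limit is reached. Priority 30 runs after
// core's username/password check (priority 20), so the lockout applies even
// when the submitted password happens to be correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( ex_login_limit_key() ) >= 5 ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for this IP.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( ex_login_limit_key() );
}, 10, 2 );
```

Put this in functions.php or a small must-use plugin; an IP-based counter slows down a single attacker but not a distributed one, which is one reason to combine it with 2FA.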
- Use 2FA (2 factor authentication).
Using 2 factor authentication on your WordPress site can improve the security a lot. You could even forget about limiting the login attempts, discussed earlier, since you will have to enter a code each time you log in. This code will be delivered by SMS or by using the Google Authenticator app. This plugin uses the second approach.
- Use SSL encryption on your website.
An SSL certificate provides the key material that allows your site to use the HTTPS protocol, so that communication between the user’s browser and your server is encrypted. The “S” at the end stands for “secure”. While this is a must for an e-commerce website, it is good to have it on any other type of site. Besides the security aspect of using the HTTPS protocol, you could possibly gain more trust from your visitors.
- Choose a good hosting company for your site.
All security measures are for nothing if the attack comes through the hosting platform. For this reason, choosing a good host that takes security seriously is very important. When choosing the host, you should also take into account whether they offer backup solutions, whether they offer SSL and whether they use the latest technology. We had good experiences with SiteGround.
- Use a safe computer to access your dashboard.
When you log in to your WordPress dashboard, make sure you do it from a clean computer, laptop or phone. And by clean I mean one that does not have malware or viruses. If your password is stolen, all other safety measures are for nothing.
- Change the login error messages.
When someone enters bad credentials into the login form of a WordPress website, by default the error message will reveal whether it was the username or the password that was wrong. This information can be helpful for someone trying to break into your site, because it confirms which usernames exist. To change the error message, add this code to functions.php:
// Replace the default "unknown username" / "incorrect password" messages with
// one generic message, so a failed login does not confirm which part was wrong.
function custom_wordpress_error_message() {
    return 'That was not quite correct...';
}
add_filter( 'login_errors', 'custom_wordpress_error_message' );
- Disable the theme editor
When you first build your website, it can be useful to edit the child theme files directly from the dashboard, without having to upload them through FTP. However, once your website is finished and you don’t change these files very often, it is better to disable the theme editor. If someone gains access to the admin area, and to the editor, they can very easily break your site or place their own code in it. To disable it, open wp-config.php and add the following line:
define( 'DISALLOW_FILE_EDIT', true ); // removes the theme and plugin file editors from the dashboard