If you use WordPress to run your website and looking for ways to secure it, then you are in the right place. Today we will see why securing your WordPress site is important and what are some of the most effective ways to secure your WP site.
WordPress is no doubt one of the most popular content management systems. Around 64% of the websites on the internet use WordPress as their CMS. And there’s a valid reason behind it. WordPress offers everything to host a website in a more controlled and customized manner. No matter what kind of website you have, from a simple landing page to a blog and from portfolio to giant eCommerce store, WordPress has got you covered.
Why its important to secure your WordPress Site?
WordPress is an open-source content management system. And it offers a plethora of tools, plugins, and ways by which you can manage your site the way you want. With all the goodies and flexibility that WordPress has, it comes with its own vulnerabilities which are at all costs need to be prevented. It doesn’t matter if your site is big or small, one should always strive to protect his site. And for that, we might need to tweak some things which will ensure that our site is protected from unwanted attacks.
We will discuss different ways by which you can secure your WordPress site so that you may live with peace of mind. So let’s get started.
Here are the Most Common WordPress Vulnerabilities
- Outdated WordPress, Theme and Plugins
- Bruce Force Attack
- DDoS Attacks
- Use of Cracked/ Nulled Themes or Plugins
6 Best Ways to Secure Your WordPress Website
- Change WordPress Login Page URL
- Enable Limit Login Attempts
- Install SSL Certificate
- Configure Your Site with Cloudflare to prevent DDoS and other attacks
- Use Strong Password
1. Change WordPress Login URL
When you set up your WordPress site, by default the URL to access your website is ex- “YourWebsite.com/Wp-Admin”. If you keep the same login URL, you might face brute force attacks. Brute force attacks happen when a system is set up against you to try thousands of different combinations of usernames and email addresses. This try-and-error method is used until hackers get to know what’s your username and password are.
To avoid this from happening, the best way is to change the WordPress login URL. Think of it as a door to access your website. If you hide the door in the first place, no one will be able to access it. Let alone the username and password be aside. So this could prove as a brilliant idea to prevent hackers from accessing your site in the first place.
You can use WPS Hide Login Plugin to change your WordPress site’s login URL.
All you have to do is to install the WPS Hide Login and go to Settings > WPS Hide Login. Scroll down a bit until you see the Login URL option beneath the WPS Hide Login section. Simply change it to whatever you like but beware while doing so make sure to not use any generic words. Treat it as a standalone password that will keep bad people away from your site in the first place.
2. Enable Limit Login Attempts
Here is another great example to protect your website from brute force attacks. As discussed above brute force attacks are done until hackers don’t get your site’s login username and password. Thousands of combinations of usernames and passwords are used to login into the site. So it’s a trial and error method. And might take a lot of time in order to find out your credentials.
You can prevent this from happening by limiting login attempts. It’s the best way to defend against brute force attacks. You can set how many times a person can log in after specified failed attempts. The ideal number for failed login attempt would be 3 or 5.
We recommend using the Limit Login Attempts plugin. Just install the plugin and you will see all the settings you can tweak in order to make your site more secure. Apart from setting limit login attempts, you can also receive notifications on your email when multiple logging attempts are made on your website.
So if you set the value of login attempt as 3, any user who is trying to log in will not be able to log in again after he fails the specified login limit attempt. You will also be notified with an email that someone is trying to access your site with the wrong credentials.
3. Install SSL Certificate
SSL certificates are the most important for not just WordPress sites but for all types of websites as well. SSL means Secure Socket Layer and it’s an encryption-based internet security protocol. So if your website has an SSL certificate, then it will maintain privacy and data integrity while transferring data between your website and visitors.
In layman’s terms, SSL acts as a bodyguard which will prevent your site from unauthorized attacks so that the transfer of your data is valid.
SSL has 3 Advantages
1. SSL has an authentication process called Handshake. It detects and verifies that the transfer of any communicating devices is valid and they are authentic devices.
2. SSL also makes sure that the data is not tempered, intercepted by any means while traveling between 2 devices.
3. The most important benefit of SSL is that it shows a green padlock or secured lock sign in the browser when visitors visit your website. This makes your website look more credible and legit. So make sure to have your website configured with an SSL certificate.
How to Install SSL Certificate?
SSL certificates are basically Free and you don’t need to pay for them unless you want some extra customization or flexibility. It doesn’t really matter if you are using free or paid SSL, you have got to have one.
Most of the hosting companies offer free SSL certificates for your website if you purchase their hosting plans. Some vendors also issue an SSL certificate if you purchase a domain from them.
But if you don’t have a certificate yet, don’t worry. You can get your SSL certificate with the help of the Really Simple SSL Plugin for WordPress.
To set up free SSL on your site, simply install this plugin on your site and follow the instructions given in the Really Simple SSL plugin. That’s it. This is a must thing to have if you own a site, doesn’t matter big or small.
4. Configuring Your Site with Cloudflare
Cloudflare is a web performance and security company that protects your website and keeps it safe from internet attacks. it is also popularly known for CDN called as Content Delivery Network. Cloudflare has a global network of websites where it manages the websites and keeps records of potential threats and vulnerabilities. It also offers your website a free SSL certificate if you don’t have one.
You can proxy your site traffic through Cloudflare to be able to leverage good features that Cloudflare offers for all users for free. By configuring your website with Cloudflare, you will get the following benefits which are important to secure your site from threats.
Benefits of using Cloudflare
- Protection from Brute force attacks- Cloudflare detects and defend your website against brute force attacks which use try and error method to get access to your site.
- Filters traffic intelligently – Cloudflare also filters traffic and allow only good visitors, crawlers and bots to visit your website.
- DNS Security- When you proxy your traffic with Cloudflare, it protects you from forgery vulnerability. Another area where hackers could target your website.
- Automatically blacklists bad IPs- Cloudflare has a wide list of IPs that are used for malicious and hacking attempts. Cloudflare puts them automatically to blacklist which prevents them accessing your site.
- Free CDN- Apart from protecting your site, Cloudlfare also offers a free CDN service for all of its users. CDN AKA content delivery network speed up your site loading speed by distributing your website files to servers located all over the world. So whenever someone visits your site away from the hosting server, instead of requesting your site from main server, the visitors will request from the nearest location. This reduces page load time and load on your main server.
How to configure your website with Cloudflare?
- To configure your website with Cloudflare, simply go to Cloudflare.com, then click on the Sign Up on the top right corner.
- Enter your email and password and verify your email. Once you have verified your email, simply login to Cloudflare dashboard and in the websites section, click on Add a site button.
- Enter your website URL and then you will be asked to proxy all the traffic through Cloudflare. Just check if all the cloud icons are turned orange. If not simply click on cloud icon and make it orange.
- After that, all you have to do is to change the nameservers of your domain. You can do this by going to your registrar account from where you have bought the domain.
- Cloudflare by dafault will assign 2 unique nameservers for you. Simply replace these 2 nameservers given by Cloudflare with your existing nameservers.
Note that changing nameservers of your website won’t affect hosting, it will just proxy the traffic through the Cloudflare network.
5. Use Strong Passwords
Well, while this could be the most common advice given to protect your identity online, many people still overlook it and use generic passwords. And if you are doing the same, then you could be in serious trouble. Stop using generic and simple passwords. Try using a combination of letters, numbers, and special characters. Also, use a good combination of upper and lower case letters.
This is the first thing that you need to care about if you want your website to be in your hands not in the hackers. So beware, choose your passwords wisely and make it almost impossible to guess or predict. Stop using 1234 or your name as a password. It will only make work easy for hackers.
WordPress Vulnerabilities Explained
Outdated WordPress, Theme and Plugins
Using outdated WordPress core, Themes and Plugins can hurt your website’s security. Hackers can target older versions of WordPress core versions, Themes, and Plugins to get access to your site. So make sure you update everything on your site as soon as the new update rolls out.
Brute Force Attack
Brute Force attack is another common practice when it comes to taking control over WordPress sites. As you may all know, to access the WordPress site, users need to enter a username and password, hackers can try combinations of usernames and passwords until they get access to your site.
To prevent this from happening, the simple solution would be to change WordPress Login URL or use Cloudflare to protect your site from such malicious attempts.
DDoS attacks are done deliberately by the bad guys to jam the website traffic. In this type of attack, your website sees a surge of traffic coming from a huge number of computers and other devices. This unexpected surge of traffic can put a load on your origin server as well as break down your site if it’s not properly configured to defend against such attacks.
Another important factor in DDoS attacks is that it is difficult sometimes to differentiate between the original traffic and fake surge traffic.
That’s why we recommend using Cloudflare to dodge such attacks to avoid breaking down your site or losing traffic. Cloudflare has a global network of websites where it manages and protects the traffic of millions of websites. You could use this expertise to your advantage to protect your site from DDoS attacks.
Use of Cracked or Nulled Themes & Plugins
Don’t ever use cracked or nulled plugins for the sake of extra features. You will comprise the security of the website by doing so. Cracked or nulled themes and plugins can harm your site and take control away from you. Cracked or nulled themes or plugins could be injected with malicious codes to gain access to your site. So beware and use only popular and trusted themes and plugins.
We strongly recommend you to use the popular and legit themes, plugins that are free and offer great features. Don’t fall for the trap of extra features. Instead, save some money and go buy yourself the premium versions of themes and plugins.
Hotlinking is done when a website uses images or videos hosted on another website. So, it’s a kind of theft to steal someone’s bandwidth.
Hotlinking is done by putting the link of an image hosted on website A, is put in website B, instead of hosting on website B server.
This could cost a lot of money for the website A owner as the resources are loading from website A’s server.
There are multiple ways by which you can avoid hotlinking. Two of the most popular are enabling hotlink protection from the hosting provider itself. The second one is enabling it through the CDN provider.
So these were some of the ways by which you can secure your WordPress website. Securing your WordPress site is of utmost importance as you might have your business, blog, eCommerce store running on WordPress. If anything goes wrong and you lose access to your site, you will lose hundreds of hours of work, your reputation as well as the money that went into making the site. You will lose profit as well. So make sure to try and do your best to safeguard your online asset from hackers.
Let us know what do you think of these methods to protect the WordPress sites. Do you have any other suggestions to improve website security or have any doubts? Kindly reach out to us through the comment section below. Thank you!