In 2016, we switched from the four-year-old custom-coded HTML site we had been running since 2012 to the WordPress site that we have now. It’s getting another redesign these days and, if all goes well, the new site will be ready in about a month. Ever since this current website was built on WordPress, it has gone through a number of security issues and malware attacks.
This site had been completely hacked once back in 2017.
And we’ve learned fast from those mishaps, and today we are implementing a few security measures to make sure our site remains well protected from hackers and malware attacks. I’m going to put them all together here in this article, so you can learn and implement those very techniques to keep your WordPress site secure at all times (if you have not been applying them already).
WordPress has been under frequent cyber attack.
Ever since WordPress came into existence, attackers have targeted the CMS: its core files, themes, plugins, contact forms and login pages. A single attacker can scan over a thousand pages a day, and many are active at the same time. Most of this is automated: scanners crawl sites looking for known-vulnerable plugin and theme versions, exposed files and weak logins, and anything they find is exploited in bulk.
Currently, over 30 thousand websites are attacked every day across the globe. This is a huge number and obviously a great concern for website owners too.
Here are 6 of the most effective security measures that you can implement.
Install a Firewall
The first measure is a web application firewall in front of WordPress. Two of the best-known WordPress firewall plugins available today are:
- Wordfence Security
- BulletProof Security
Both plugins apply a rule set to every incoming request: they let verified search-engine crawlers such as Googlebot and Bingbot through, block requests that match known attack patterns, and rate-limit clients that behave abusively, for example by requesting too many pages in a very short time. Blocks can be applied per IP address or per user-agent string. Bear in mind that a plugin firewall runs inside PHP, after the request has already reached WordPress, so it cannot protect the web server or PHP itself; a firewall at the hosting or CDN layer blocks earlier and is a useful complement.
The user-agent string is sent by the client to tell the site which browser and operating system it claims to be. Because the client chooses it, a malicious bot can send any value it likes: a fake browser string, a rotating set of strings, or even the name of a legitimate crawler. Firewall plugins let you write a rule that blocks a specific user agent and combine several rules into one block list, which works against a known scanner, but treat the user agent as a weak signal: a bot that changes its string evades the rule, so pair it with rate limits and IP-based blocking.
A paid version unlocks more features. Wordfence Premium, in particular, lets you block entire countries you do not expect visitors from, and it receives new firewall rules as soon as a vulnerability in a theme or plugin becomes known, so the site is shielded before the developer ships a fix and before you install it. Country blocking is based on IP geolocation, so it stops casual scanning but not an attacker who routes through a proxy in an allowed country. Overall, Wordfence is a strong security plugin for a WordPress website.
Don’t pick a security plugin by its star rating alone. Ratings are a weak signal in both directions: some five-star plugins are poorly maintained, and some excellent tools don’t have the best reviews. Look instead at when the plugin was last updated, which WordPress version it is tested up to, how many active installs it has and how quickly past vulnerabilities in it were fixed. If one looks sound, there’s no harm in trying it; after some time and a couple of uses you will know whether it is trustworthy.
Sucuri Security (owned by GoDaddy) is another well-known security plugin for WordPress. It adds a layer of protection through its hardening options, and its malware scanner checks whether any files have been changed, which is how core or plugin files modified during a compromise show up. Its activity log can alert you on every login, so you can tell a legitimate login from an attacker’s. The free version already covers scanning, auditing and hardening; the website firewall, a cloud WAF that sits in front of the site, is part of the paid service.
Install SSL certificate
Almost all hosting providers now issue a TLS certificate for free, so there is no reason to serve a WordPress site over plain HTTP. Be clear about what the certificate does: TLS (the successor of SSL, though the old name is still used everywhere) encrypts traffic between the visitor and your server. It does not make the site itself secure; it protects what travels over the wire.
You must enable HTTPS for wp-admin and for all logins. The admin area and the login form are the most sensitive parts of the site: without TLS the login form sends the username and password in cleartext, and the authentication cookie travels in cleartext on every admin request, so anyone on the network path can capture either and log in as you. Serve the whole site over HTTPS, and enforce it for the admin area with WordPress’s FORCE_SSL_ADMIN setting, which makes WordPress redirect every login and admin request to HTTPS.
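As an added example (not from the original article), here is the corresponding wp-config.php fragment. The proxy address and the domain are placeholders; replace them with your own. The proxy block matters because sites behind a TLS-terminating load balancer or CDN see plain HTTP at the PHP level and would otherwise loop on the redirect.

```php
<?php
// Added example, not code from the original article. Put these lines in
// wp-config.php ABOVE the "That's all, stop editing!" comment.

// If TLS is terminated by a reverse proxy or load balancer, PHP sees plain HTTP
// and WordPress would redirect to https in a loop. Honour X-Forwarded-Proto
// ONLY when the TCP peer is that proxy; otherwise any client could forge the
// header. 10.0.0.5 is an assumed address; use your proxy's real one.
$trusted_proxy = '10.0.0.5';
if ( isset( $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && $_SERVER['REMOTE_ADDR'] === $trusted_proxy
     && strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) === 'https' ) {
    $_SERVER['HTTPS'] = 'on'; // what is_ssl() checks
}

// Redirect every wp-login.php and wp-admin request to HTTPS. The auth cookies
// set during an admin session are then also flagged Secure.
define( 'FORCE_SSL_ADMIN', true );

// Keep the public site on https as well so content URLs and redirects never
// fall back to http. Replace example.com with your domain.
define( 'WP_HOME',    'https://example.com' );
define( 'WP_SITEURL', 'https://example.com' );
```

If there is no proxy in front of the site, drop the first block; `$_SERVER['HTTPS']` is then set by the web server itself. Check afterwards that an `http://` request to `/wp-login.php` answers with a redirect to `https://` rather than the login form.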
Limit the number of logins to your site
The Wordfence firewall blocks clients that submit many username and password combinations to your website’s login page within a short time, which is exactly what a brute-force or credential-stuffing bot does.
A dedicated plugin, Limit Login Attempts Reloaded, does just this one job: after a configurable number of failed attempts from an IP address it locks that address out of the login for a set period. You choose both the threshold and the lockout duration.
This is standard practice for any login page, not only WordPress. A small threshold such as three to five failed attempts is common. Lock out by client IP address rather than by account, so that an attacker cannot lock your own administrators out simply by failing on purpose against their usernames, and make repeated lockouts progressively longer.
Limit Login Attempts Reloaded is a fast and simple way to stop bots that guess passwords. Remember that the login form is not the only way in: xmlrpc.php and the REST API accept credentials too, so make sure whichever tool you use also covers those endpoints, or disable XML-RPC if nothing on your site needs it.
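To show what the plugins described in the firewall and login sections do under the hood, here is an added example of a minimal login throttle written as a WordPress must-use plugin. It is my own illustration, not code from the article or from Limit Login Attempts Reloaded or Wordfence. The thresholds and the trusted-proxy address are assumptions; the prefix `elt_` is just a namespace for this example.

```php
<?php
/**
 * Plugin Name: Example Login Throttle
 * Description: Added example, not the article's or any plugin's code. Locks a
 * client IP out of authentication after too many failed logins. Save as
 * wp-content/mu-plugins/example-login-throttle.php.
 */

// Assumed policy: 5 failures within 15 minutes lock the IP out; every further
// attempt during the lockout refreshes the 15-minute window.
const ELT_MAX_FAILURES  = 5;
const ELT_WINDOW        = 15 * MINUTE_IN_SECONDS;
// Assumed address of a TLS-terminating proxy in front of the site, '' if none.
const ELT_TRUSTED_PROXY = '';

/**
 * Client IP used as the lockout key. X-Forwarded-For is honoured only when the
 * TCP peer is the trusted proxy; otherwise an attacker could forge the header
 * and get a fresh counter on every request.
 */
function elt_client_ip() {
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    if ( ELT_TRUSTED_PROXY !== '' && $remote === ELT_TRUSTED_PROXY
         && ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        // The proxy appends the address it saw, so the last entry is the one it set.
        $parts     = array_map( 'trim', explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] ) );
        $candidate = end( $parts );
        if ( filter_var( $candidate, FILTER_VALIDATE_IP ) ) {
            return $candidate;
        }
    }
    return $remote;
}

/** Transient name for an IP; hashed so IPv6 addresses stay short and safe. */
function elt_key( $ip ) {
    return 'elt_fail_' . md5( $ip );
}

// Count every failed login against the client IP. WordPress does not fire this
// for empty username/password, so plain page loads of wp-login.php don't count.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = elt_key( elt_client_ip() );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, ELT_WINDOW );
} );

// Refuse authentication while the IP is locked out. Priority 40 runs after the
// core credential checks (priority 20) and cookie check (30), so a correct
// password from a locked-out IP is still rejected. Because this sits on the
// authenticate filter it also covers xmlrpc.php and REST API logins.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( $username === '' && $password === '' ) {
        return $user; // no credentials submitted, nothing to throttle
    }
    $count = (int) get_transient( elt_key( elt_client_ip() ) );
    if ( $count >= ELT_MAX_FAILURES ) {
        return new WP_Error(
            'elt_locked_out',
            __( 'Too many failed login attempts from your address. Try again later.' )
        );
    }
    return $user;
}, 40, 3 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( elt_key( elt_client_ip() ) );
}, 10, 2 );
```

Two design notes. The counter is keyed on IP, not username, so an attacker cannot lock a real administrator out by deliberately failing against that account; the price is that many users behind one NAT share a counter. Transients live in the options table (or the object cache, if one is configured), so the lockout survives across PHP workers; a plain in-memory counter would not.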
Backup your site regularly
If you are not keeping regular backups of your website, start today. Backups have many benefits in the long run, and one of them is security: if the site is hacked, or data is lost or stolen, you can restore a clean copy. Two caveats matter here. Store backups off the server, because a copy on the same host is lost or tampered with along with the site. And keep several generations, because a compromise is often discovered days after it happened and the most recent backup may already contain the attacker’s backdoor. Test a restore before you need one.
There are a great number of handy tools that provide automatic backups of the website on a regular basis (mostly daily). Most hosting providers are offering daily backups for your website for free if and as long as your website is hosted by them. Some of the most popular backup plugins for WordPress sites are:
Backups also protect you from yourself. While making changes to your website you never know what you might encounter, and even a tiny unintentional change can remove pages or break the entire look of the site. With a backup plugin in place you can safely roll back to the previous state. It’s very easy to restore a WordPress site with a reliable backup plugin.
Keep updating your installed theme and plugins
If your WordPress site has out-of-date plugins installed, attackers have an easy way in: published fixes tell them exactly which vulnerability to look for, and scanners check plugin version numbers automatically. The same applies to an out-of-date theme. Make sure your theme and every installed plugin are kept up to date.
WordPress (5.5 and later) can update plugins and themes automatically; you can enable auto-updates per plugin from the Plugins screen, or for all of them at once. That is a convenient way of keeping the site patched without much headache, provided WordPress cron actually runs on your host so the updates are applied.
We enable that auto-update option for certain plugins, and for the others we choose to update manually. My developers do it at least twice a week. You should also do it for your website at least once, if not twice, a week.
Make sure you are running supported, current versions of WordPress core, PHP, the theme and every plugin.
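The mix described above, auto-updating some plugins and reviewing the rest by hand, can be set as policy in code rather than clicked through the Plugins screen. This is an added example and not the article’s own setup; the plugin list is an assumption and must be replaced with the basenames shown on your own Plugins screen. The prefix `esa_` is just a namespace for the example.

```php
<?php
/**
 * Plugin Name: Example Selective Auto-Updates
 * Description: Added example, not from the original article. Auto-update an
 * allowlist of plugins and all themes; leave other plugins for manual review.
 * Save as wp-content/mu-plugins/example-selective-auto-updates.php.
 */

// Assumed allowlist of plugin basenames (folder/main-file.php), as listed by
// `wp plugin list` or shown on the Plugins screen. Replace with your own.
const ESA_AUTO_UPDATE_PLUGINS = array(
    'wordfence/wordfence.php',
);

// $item is the update object WordPress passes for each plugin with an update
// available; ->plugin holds its basename. Returning $update unchanged keeps
// whatever the site owner toggled in the Plugins screen for other plugins.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->plugin ) && in_array( $item->plugin, ESA_AUTO_UPDATE_PLUGINS, true ) ) {
        return true;
    }
    return $update;
}, 10, 2 );

// Themes: auto-update all of them (assumed policy).
add_filter( 'auto_update_theme', '__return_true' );

// Core: take minor and security releases automatically, review major releases
// by hand since they are the ones that break themes and plugins.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );
```

Automatic updates run from WordPress cron, which by default is triggered by page views. On a low-traffic site, or one with DISABLE_WP_CRON set, schedule a real system cron job that calls wp-cron.php, otherwise this policy is never applied.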
Don’t use abandoned or compromised plugins
Old and abandoned plugins are an attractive target. Attackers buy or take over an abandoned plugin and push an update containing malicious code, or simply exploit a known vulnerability that nobody is left to fix; either way the plugin on your site becomes the way in. Before installing a plugin, check the last-updated date and the "tested up to" version in the plugin directory, which also warns when a plugin has not been tested with recent WordPress releases.
Do NOT use any abandoned or old plugins that have not been updated for a long time.
Beyond these six measures, remove inactive users from your WordPress site. An unused account with a privileged role is a standing target for password guessing. If an account must stay, for example because it owns content, downgrade it to the ‘Subscriber’ role rather than leaving it as ‘Administrator’, and delete any account you do not recognise.
When choosing a security plugin, remember that it is code like any other and can carry vulnerabilities of its own; several well-known security plugins have had to ship fixes for bugs in themselves. Check its track record before installing, and keep it updated like everything else.
WordPress is an easy target for hackers, so you must do all that you can in order to keep your WordPress site secure.
All the best for your future endeavors!