Securing Your WordPress Website
WordPress is the Windows of the internet: because it is everywhere, it is a large target for attackers. Both manual attacks and bots go after everything from brand-new sites still running a default theme to the most hardened sites online. If you are going to invest your time and money in developing a website, it is important to understand what is going on in the background so that you can protect your investment and asset.
Change Your Default WordPress Login
The default login URLs for WordPress are /wp-admin and /wp-login.php, and every WordPress installation uses them. Every attacker already knows this, so it is the first place they will target, whether they are trying to log in by hand or running an automated dictionary brute-force attack. With that said, this is the first hole to patch. Changing this one thing can significantly reduce attacks on your website. The plugin recommended below lets you set a custom URL to use when logging into your site and disables the default WordPress ones. Whether you are being attacked manually or by a bot, the attacker or the bot won’t know where to look!
Recommended WordPress plugin: WPS Hide Plugin
Disable XML-RPC on Your WordPress Website
XML-RPC is a protocol that allows a website to communicate with an external application. If you have the WordPress app on your phone and use it to write and publish posts from your mobile device, you are using XML-RPC. Most people don’t log in from their phone or another external device to create content, so it is worth disabling. Attackers can use this protocol to brute-force your site, running through a dictionary to ‘guess’ your password. I recommend disabling this feature if you aren’t using an external application to log into your website. Install my recommended WordPress plugin and make sure to set the XML-RPC option in its settings to “Completely Close”.
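Both of the sections above describe the same thing from the defender's side: repeated POSTs to /wp-login.php or /xmlrpc.php from one source. As an added example (not from the original post or any of the plugins it recommends), the script below walks constructed Apache combined-format access-log lines and flags a source that exceeds a per-path threshold inside a sliding time window. The thresholds, window and log lines are all assumptions made up for the example; lines are assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache "combined" log lines (not from a real server); IPs are RFC 5737 test ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:03:20:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:03:20:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:03:20:45 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.10 - - [10/Mar/2024:08:00:09 +0000] "POST /my-custom-login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Pull client IP, timestamp, method and request path out of the combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)

# Hypothetical thresholds: this many POSTs from one IP to the path inside the window is suspicious.
# xmlrpc.php gets a lower threshold because a single XML-RPC request can carry several login tries.
THRESHOLDS = {"/wp-login.php": 5, "/xmlrpc.php": 3}


def find_bruteforce(lines, window_seconds=60):
    """Return {(ip, path): peak_count} for every source that hit its threshold in some window."""
    recent = defaultdict(deque)  # (ip, path) -> timestamps of recent POSTs, oldest first
    alerts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # ignore query strings such as ?action=lostpassword
        if path not in THRESHOLDS:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        key = (m["ip"], path)
        window = recent[key]
        window.append(ts)
        # Slide the window: drop requests older than window_seconds before this one.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= THRESHOLDS[path]:
            alerts[key] = max(alerts.get(key, 0), len(window))
    return alerts
```

Run it against a real access log with `find_bruteforce(open("access.log"))`; the POST to the renamed login URL is ignored because only the two default endpoints are watched.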
Recommended WordPress plugin: IP Geo Block
Block Login Attempts By Geography
Most attacks will come from outside of the United States. Even though you changed your default login URL as described above, I would take the additional step of restricting access to your custom login URL by geography. Essentially, you can block access attempts to different areas of your website by country: if an IP address outside your selected country tries to reach these admin areas, it is blocked. You can set this up in the same plugin I recommended for disabling XML-RPC, and its settings page also shows logs of blocked attempts and where they came from.
Recommended WordPress plugin: IP GEO Block
Require Two-Step Authentication to Login
Absolutely make sure that you set up two-step authentication on your website. There are different types of two-step authentication. You can set things up so that after you enter your username and password, you have to click ‘accept’ on a link that the WordPress plugin emails to you. You can also require scanning the bar code shown on your computer screen with an authenticator app on your phone after entering your username and password. I prefer to have a notification pop up on my phone asking whether to accept or deny the login attempt after I enter my credentials.
In other words, even if someone finds your custom URL, is in the United States (if you are in the U.S.), and knows or cracks your login credentials, they will still need your phone. This makes it pretty much impossible for someone to get into your website through the login screen. You have all of these options, plus a few more, in the free version of my recommended plugin.
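Here is what the “scan the bar code with an app on your phone” option does underneath, as an added example that is not from the original post or the MiniOrange plugin: the QR code carries a base32 secret, and the phone app and the site both compute RFC 6238 time-based codes from it, so a password alone is never enough. The secret used is the RFC 6238 test-vector key, not a real one, and the replay check with `last_counter` is one common server-side design, assumed here rather than taken from the plugin.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, last_counter: int = -1,
                step: int = 30, window: int = 1):
    """Check a submitted code against the current step and +/- `window` neighbours (clock drift).

    `last_counter` is the step of the last code accepted for this user; any counter at or
    below it is refused, so a code that was seen once cannot be submitted a second time.
    Returns (accepted, counter_to_store).
    """
    counter = at_time // step
    for candidate in range(counter - window, counter + window + 1):
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):  # constant-time comparison
            return True, candidate
    return False, last_counter


# The shared secret is what the QR code carries, as base32. This is the RFC 6238
# test-vector key ("12345678901234567890"), used here only so the results are checkable.
DEMO_SECRET = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
```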
Recommended WordPress plugin: MiniOrange 2 Factor Authentication
Setup Recurring Backups of Your WordPress Website
This might seem obvious, but I am sure many people don’t have any type of backup set up on their WordPress sites. Make sure your backups also include your SQL database. If you set your WordPress plugin to do ‘complete’ backups, the SQL database is included. If you don’t know what your SQL database is, it’s the file that contains all of your content and post comments. If you regularly add content to your site, you should have backups created more frequently. You can set up automated backups via Softaculous inside the cPanel area of your hosting account, or create them manually under Backups in cPanel.
It is also worth keeping three or more backups at a time. This way, depending on your backup frequency, the newest backup replaces the oldest, and you always have a few backups handy. You can save these backups on your server inside your WordPress installation folder, which you can reach from File Manager in cPanel, or, as I recommend, off your server in an Amazon S3 account, OneDrive, or Dropbox. If you’d like more features and flexibility, or would like to control your backups from within your WordPress dashboard itself, there are many plugins for scheduling backups of your website.
Recommended WordPress plugin: UpdraftPlus
Additional WordPress Security Recommendations
Ensure that you are using a quality hosting company. Your hosting does matter when it comes to the security of your website. There are so many hosting companies out there that it is difficult to know which ones are secure and have great support at a competitive price. I only use and recommend one hosting company.
Recommended Website Hosting: Namecheap
Try to use the fewest plugins possible on your WordPress website. Each plugin introduces its own vulnerabilities. Make sure you keep them updated, in addition to WordPress itself. However, I would rather update them manually: if you have twelve plugins that update automatically, you risk logging into your website one day to find that something broke, with no way of knowing which plugin caused it.
Keeping the fewest plugins possible also keeps compatibility issues between plugins to a minimum. The more plugins you have, the larger your backups will be, and plugins also affect page load speed. Choosing plugins with many reviews and downloads that are frequently updated is your best bet. Always check the date of the last update on WordPress.org or on the plugin’s information page on the Add New screen in the Plugins area of your WordPress dashboard.
If you have any security tips or go-to plugins for WordPress security, let me know and I will check them out and add them here. Happy blogging!