The Ultimate WordPress Security Guide – Step by Step (2021) – Part ONE
Hello Everyone !
Every web site owner must think about their web site. If you are so serious about your website, then you need to pay attention highly to the WordPress security best practices. In this guide, we will share with our fans all the top WordPress security tips to help you protect your website against blacklist hackers and malware.
We have a number of actionable steps that you can take to protect your website against security vulnerabilities.
To make it easy, we have created a table of content to help you easily navigate through our ultimate WordPress security guide.
Table of Contents
Basics of WordPress Security
Why WordPress Security is Important?Keeping WordPress UpdatedPasswords and User PermissionsThe Role of Web Hosting
WordPress Security in Easy Steps (No Coding)
Install a WordPress Backup SolutionBest WordPress Security PluginEnable Web Application Firewall (WAF)Move WordPress Site to SSL/HTTPS
WordPress Security for DIY Users
Change the Default “admin” usernameDisable File EditingDisable PHP File ExecutionLimit Login AttemptsAdd Two Factor AuthenticationChange WordPress Database PrefixPassword Protect WP-Admin and LoginDisable Directory Indexing and BrowsingDisable XML-RPC in WordPressAutomatically log out Idle UsersAdd Security Questions to WordPress LoginScanning WordPress for Malware and VulnerabiliesFixing a Hacked WordPress Site
Ready? Let’s get started……..
We start from Basics of WordPress Security
Basics Of security
Why Website Security is Important?
A hacked WordPress site can cause serious damage to your business revenue and reputation. Hackers can steal user information, passwords, install malicious software, and can even distribute malware to your users. Worst, you may find yourself paying ransomware to hackers just to regain access to your website.
In March 2016, Google reported that more than 50 million website users have been warned about a website they’re visiting may contain malware or steal information.
Furthermore, Google blacklists around 20,000 websites for malware and around 50,000 for phishing each week. If your website is a business, then you need to pay extra attention to your WordPress security. Similar to how it’s the business owners responsibility to protect their physical store building, as an online business owner it is your responsibility to protect your business website.
Keeping WordPress Updated
WordPress is an open source software which is regularly maintained and updated. By default, WordPress automatically installs minor updates. For major releases, you need to manually initiate the update.
WordPress also comes with thousands of plugins and themes that you can install on your website. These plugins and themes are maintained by third-party developers which regularly release updates as well.
These WordPress updates are crucial for the security and stability of your WordPress site. You need to make sure that your WordPress core, plugins, and theme are up to date.
Strong Passwords and User Permissions
The most common WordPress hacking attempts use stolen passwords. You can make that difficult by using stronger passwords that are unique for your website. Not just for WordPress admin area, but also for FTP accounts, database, Web hosting account, and your custom email addresses which use your site’s domain name.
Many beginners don’t like using strong passwords because they’re hard to remember. The good thing is that you don’t need to remember passwords anymore. You can use a password manager.
Another way to reduce the risk is to not give anyone access to your WordPress admin account unless you absolutely have to. If you have a large team or guest authors, then make sure that you understand user roles and capabilities in WordPress before you add new user accounts and authors to your WordPress site.
The Role of WordPress Hosting
Your WordPress hosting service plays the most important role in the security of your WordPress site. A good shred hosting provider like blue host or site ground take the extra measures to protect their servers against common threats.
Here is how a good web hosting company works in the background to protect your websites and data.
They continuously monitor their network for suspicious activity.All good hosting companies have tools in place to prevent large scale DDOS attacksThey keep their server software, php versions, and hardware up to date to prevent hackers from exploiting a known security vulnerability in an old version.They have ready to deploy disaster recovery and accidents plans which allows them to protect your data in case of major accident.
On a shared hosting plan, you share the server resources with many other customers. This opens the risk of cross-site contamination where a hacker can use a neighboring site to attack your website.
Using a managed WordPress hosting service provides a more secure platform for your website. Managed WordPress hosting companies offer automatic backups, automatic WordPress updates, and more advanced security configurations to protect your website We recommend WPEngine as our preferred managed WordPress hosting provider. They’re also the most popular one in the industry. (See our special WPEngine coupon). You can also try Liquid Web which is a good alternative for WP Engine.
Finished ! Next Topic…………
WordPress Security in Easy Steps (No Coding)
We know that improving WordPress security can be a terrifying thought for beginners. Especially if you’re not techy. Guess what – you’re not alone. We have helped thousands of WordPress users in hardening their WordPress security.
We will show you how you can improve your WordPress security with just a few clicks (no coding required).
If you can point-and-click, you can do this!
Install a WordPress Backup Solution
Backups are your first defense against any WordPress attack. Remember, nothing is 100% secure. If government websites can be hacked, then so can yours.
Backups allow you to quickly restore your WordPress site in case something bad was to happen.
There are many free and paid wordPress backup plugins that you can use. The most important thing you need to know when it comes to backups is that you must regularly save full-site backups to a remote location (not your hosting account).
We recommend storing it on a cloud service like Amazon, Dropbox, or private clouds like Stash.
Based on how frequently you update your website, the ideal setting might be either once a day or real-time backups.
Thankfully this can be easily done by using plugins like UpdraftPlus or BlogVault. They are both reliable and most importantly easy to use (no coding needed).
Best WordPress Security Plugin
After backups, the next thing we need to do is setup an auditing and monitoring system that keeps track of everything that happens on your website. This includes file integrity monitoring, failed login attempts, malware scanning, etc.
You need to install and activate the free Sucuri Security plugin.
Upon activation, you need to go to the Sucuri menu in your WordPress admin. The first thing you will be asked to do is Generate a free API key. This enables audit logging, integrity checking, email alerts, and other important features.
The next thing, you need to do is click on the ‘Hardening’ tab from the settings menu. Go through every option and click on the “Apply Hardening” button.
These options help you lock down the key areas that hackers often use in their attacks. The only hardening option that’s a paid upgrade is the Web Application Firewall which we will explain in the next step, so skip it for now.
We have also covered a lot of these “Hardening” options later in this article for those who want to do it without using a plugin or the ones that require additional steps such as “Database Prefix change” or “Changing the Admin Username”.
After the hardening part, the default plugin settings are good enough for most websites and don’t need any changes. The only thing we recommend customizing is ‘Email Alerts’.
The default alert settings can clutter your inbox with emails. We recommend receiving alerts for key actions like changes in plugins, new user registration, etc. You can configure the alerts by going to Sucuri Settings » Alerts.
This WordPress security plugin is very powerful, so browse through all the tabs and settings to see all that it does such as Malware scanning, Audit logs, Failed Login Attempt tracking, etc.
Enable Web Application Firewall (WAF)
The easiest way to protect your site and be confident about your WordPress security is by using a web application firewall (WAF).
A website firewall blocks all malicious traffic before it even reaches your website.
DNS Level Website Firewall – These firewall route your website traffic through their cloud proxy servers. This allows them to only send genuine traffic to your web server.
Application Level Firewall – These firewall plugins examine the traffic once it reaches your server but before loading most WordPress scripts. This method is not as efficient as the DNS level firewall in reducing the server load.
The best part about Sucuri’s firewall is that it also comes with a malware cleanup and blacklist removal guarantee. Basically if you were to be hacked under their watch, they guarantee that they will fix your website (no matter how many pages you have).
This is a pretty strong warranty because repairing hacked websites is expensive. Security experts normally charge $250 per hour. Whereas you can get the entire Sucuri security stack for $199 per year.
Move Your WordPress Site to SSL/HTTPS
SSL (Secure Sockets Layer) is a protocol which encrypts data transfer between your website and users browser. This encryption makes it harder for someone to sniff around and steal information.
Once you enable SSL, your website will use HTTPS instead of HTTP, you will also see a padlock sign next to your website address in the browser.
SSL certificates were typically issued by certificate authorities, and their prices start from $80 to hundreds of dollars each year. Due to added cost, most website owners opted to keep using the insecure protocol.
To fix this, a non-profit organization called Let’s Encrypt decided to offer free SSL Certificates to website owners. Their project is supported by Google Chrome, Facebook, Mozilla, and many more companies.
Now, it is easier than ever to start using SSL for all your WordPress websites. Many hosting companies are now offering a free SSL certificate for your WordPress website.
If your hosting company does not offer one, then you can purchase one from Domain.com. They have the best and most reliable SSL deal in the market. It comes with a $10,000 security warranty and a TrustLogo security seal.
Stay With Us
Permanent link to this post here