WordPress is a popular CMS, but its widespread use makes it a common target for cyber attacks. To keep your WordPress site secure, follow these specific guidelines:
- Use HTTPS
- Update Regularly
- Use Strong Passwords and Change Default Usernames
- Enable Two-Factor Authentication (2FA)
- Protect wp-config.php and wp-includes
- Correct File Permissions
- Regular Backups
- Monitor Activity
Use HTTPS
Make sure your website uses HTTPS in its URL and not just HTTP. Most browsers show a padlock before the URL when the connection is secure. HTTPS encrypts the data exchanged between your website and its visitors, safeguarding sensitive information like login credentials and payment details. You can get an SSL certificate from your web host or a trusted certificate authority to enable HTTPS.
You can also use HTTPS and verify its usage with the Really Simple SSL plugin for WordPress.
After installing and activating the plugin, it automatically detects your SSL certificate and configures your website to use secure connections, handling the necessary changes to your site’s URLs and settings and ensuring that all content is served securely without requiring manual adjustments. This not only protects your visitors’ data but also boosts your site’s credibility and search engine ranking.
Update Regularly
Ensure that your WordPress core, themes, and plugins are always up-to-date. Updates often include security fixes that address known vulnerabilities.
You can enable auto-updates for WordPress within your dashboard under Updates, or set them to security releases only.
To keep plugins auto-updated, head to your dashboard > Plugins > Installed Plugins and click "Enable auto-updates" next to each desired plugin. Usually it's best to keep important plugins auto-updated and to update the others manually, so that a new feature or bug does not cause unnoticed issues.
Use Strong Passwords and Change Default Usernames
Set strong, unique passwords for all user accounts, including your website’s admin panel and email, and avoid using the default “admin” username (or change to something less predictable if already set up).
You can create a new user with full privileges under "Users > Add New" by selecting the Administrator role. Then log in as that new user and delete the default "admin" user.
Enable Two-Factor Authentication (2FA)
Add an extra layer of security by enabling two-factor authentication (2FA). This requires you to enter a code sent to your phone or generated by an app, in addition to your password, making it harder for unauthorized users to gain access.
There are many plugins that offer 2FA, such as the popular "WP 2FA" plugin by Melapress. Get it from your plugins dashboard under Plugins > Add New > search "wp 2fa".
Protect wp-config.php and wp-includes
The official doc on wordpress.org (https://developer.wordpress.org/advanced-administration/security/hardening/) recommends protecting wp-config and wp-includes. You can do so by editing the default .htaccess in the main directory:
Protect wp-config.php by adding this line near the top:
<Files "wp-config.php">
    Require all denied
</Files>
Protect wp-includes by adding the following block before the "# BEGIN WordPress" line:
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
This prevents direct web requests to critical WordPress files. Note that .htaccess rules only take effect on Apache (2.4 syntax is shown above) when AllowOverride is enabled for the directory and mod_rewrite is loaded; on nginx the equivalent restrictions go in the server configuration instead.
Correct File Permissions
Ensure directories and files have proper permissions. WordPress' default permissions are 755 for directories and 644 for files. This limits write access to the file owner only. Many FTP clients and web hosts allow you to check and modify this within their File Manager tools.
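The two hardening steps above (the .htaccess deny block for wp-config.php and the 755/644 defaults) are easy to get wrong silently, so here is a small audit script. It is an added example, not code from the original post or from WordPress: POSIX sh with find and grep, run against a constructed sample tree with two deliberate deviations. The function names and the sample layout are my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit a WordPress tree against the
# 755/644 defaults and check that .htaccess carries the wp-config.php deny block.
# POSIX sh plus find/grep; the sample tree built below is constructed.

# List every directory that is not 755 and every file that is not 644.
# Returns 0 when the tree already matches the defaults, 1 otherwise.
audit_wp_perms() {
    root="$1"
    find "$root" -type d ! -perm 755 | sed 's/^/DIR  not 755: /'
    find "$root" -type f ! -perm 644 | sed 's/^/FILE not 644: /'
    n=$( { find "$root" -type d ! -perm 755; find "$root" -type f ! -perm 644; } | wc -l | tr -d ' ' )
    [ "$n" -eq 0 ]
}

# Apply the defaults. Run as the file owner (or with sudo) on the site root.
fix_wp_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Returns 0 when "$1/.htaccess" contains the <Files "wp-config.php"> deny block
# (straight quotes: Apache does not parse the curly quotes a blog editor inserts).
htaccess_protects_wpconfig() {
    f="$1/.htaccess"
    [ -f "$f" ] && grep -q '<Files "wp-config.php">' "$f" && grep -q 'Require all denied' "$f"
}

# Build a constructed site tree with two deliberate deviations so the audit has
# something to report. Prints the path of the tree.
make_sample_site() {
    umask 022
    site=$(mktemp -d)
    chmod 755 "$site"
    mkdir -p "$site/wp-content/uploads" "$site/wp-includes"
    printf '<?php // constructed placeholder, not a real config\n' > "$site/wp-config.php"
    printf '<?php\n' > "$site/wp-includes/version.php"
    printf '# BEGIN WordPress\n' > "$site/.htaccess"
    chmod 777 "$site/wp-content/uploads"   # deviation: world-writable directory
    chmod 664 "$site/wp-config.php"        # deviation: group-writable config
    echo "$site"
}

# Stand-alone run on the constructed tree.
site=$(make_sample_site)
audit_wp_perms "$site" || echo "deviations found; run: fix_wp_perms $site"
htaccess_protects_wpconfig "$site" || echo "wp-config.php deny block missing from $site/.htaccess"
rm -rf "$site"
```

On a real site, point audit_wp_perms at the WordPress root and review the list before running fix_wp_perms, since some hosts deliberately use different modes for wp-content/uploads or for files owned by the web server user.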
Regular Backups
Implement a reliable backup solution that regularly backs up both your WordPress files and its database, so you can restore the site after a failure or a compromise. Store copies of backups in a secure, offsite location.
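A backup is only useful if it contains the database as well as the files and can actually be read back, so here is a minimal backup-and-verify script. It is an added example, not from the original post or any backup plugin: it tars the site root, records a SHA-256 checksum next to the archive, and verifies the archive before you would copy it offsite. The mysqldump step is only attempted when the binary is present and the assumed DB_NAME/DB_USER variables are set (credentials are expected in ~/.my.cnf); the test data is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: timestamped, checksummed backup of a
# WordPress tree plus (when available) a database dump, and a verification step.
# DB_NAME and DB_USER are assumed environment variables; mysqldump reads its
# password from ~/.my.cnf so nothing secret appears on the command line.

# backup_site <wordpress-root> <destination-dir>
# The destination must lie outside the WordPress root, or tar would recurse into it.
# Prints the archive path; returns 1 on failure.
backup_site() {
    root="$1"; dest="$2"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/wp-backup-$stamp.tar.gz"
    stage=$(mktemp -d)            # dump goes here, never into the web root
    mkdir -p "$dest"
    if command -v mysqldump >/dev/null 2>&1 && [ -n "${DB_NAME:-}" ]; then
        mysqldump --single-transaction -u "${DB_USER:-root}" "$DB_NAME" > "$stage/database.sql" \
            || { rm -rf "$stage"; return 1; }
    fi
    tar -czf "$archive" -C "$root" . -C "$stage" . || { rm -rf "$stage"; return 1; }
    rm -rf "$stage"
    # Checksum stored beside the archive; verify it again after the offsite copy.
    ( cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" ) || return 1
    echo "$archive"
}

# verify_backup <archive>
# Returns 0 when the checksum matches, the archive lists cleanly and wp-config.php is inside.
verify_backup() {
    archive="$1"
    ( cd "$(dirname "$archive")" && sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1 ) || return 1
    tar -tzf "$archive" >/dev/null 2>&1 || return 1
    tar -tzf "$archive" | grep -q '^\./wp-config\.php$'
}

# Stand-alone run on a constructed tree.
demo_site=$(mktemp -d); demo_dest=$(mktemp -d)
mkdir -p "$demo_site/wp-content/uploads"
printf '<?php // constructed placeholder\n' > "$demo_site/wp-config.php"
demo_archive=$(backup_site "$demo_site" "$demo_dest") && verify_backup "$demo_archive" \
    && echo "backup verified: $demo_archive"
rm -rf "$demo_site" "$demo_dest"
```

Schedule backup_site from cron, then run verify_backup on the copy that landed offsite, not only on the local file, since a corrupted transfer is the failure you want to catch before you need the restore.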
Monitor Activity
Use security plugins and tools in your web host to monitor login attempts, detect malware, and track changes to your site. Regularly review logs for any attacks or unusual activity.
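As a concrete form of the "review logs" advice, the script below scans Apache access-log lines for login brute-force bursts against wp-login.php and xmlrpc.php. It is an added example, not from the original post or any security plugin; the log lines are constructed (documentation IP ranges), and the function name and threshold are my own choices. It also separates bursts that never succeeded from bursts followed by a 302, because wp-login.php answers a failed login with 200 and a successful one with a redirect.

```shell
#!/bin/sh
# Added example, not from the original post: flag IPs that POST repeatedly to
# wp-login.php or xmlrpc.php in an Apache combined-format access log.
# Reads log lines on stdin; threshold is the first argument.

# Constructed sample log (documentation addresses, not real visitors).
SAMPLE_LOG='203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3871 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3871 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3871 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3871 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3871 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3871 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:10:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:03:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 22000 "-" "Mozilla/5.0"'

# flag_login_bursts <threshold>
# Prints "ip count status" for every IP with at least <threshold> login POSTs,
# sorted by IP. status is success-after-burst when a wp-login.php POST from
# that IP was answered with 302 (login accepted), otherwise no-success.
flag_login_bursts() {
    threshold="$1"
    awk -v t="$threshold" '
        # In combined format $1 is the client IP, $6 the quoted method
        # (leading quote still attached), $7 the path and $9 the status code.
        $6 == "\"POST" && ($7 == "/wp-login.php" || $7 == "/xmlrpc.php") {
            posts[$1]++
            if ($7 == "/wp-login.php" && $9 == "302") ok[$1] = 1
        }
        END {
            for (ip in posts) {
                if (posts[ip] >= t + 0) {
                    status = (ip in ok) ? "success-after-burst" : "no-success"
                    print ip, posts[ip], status
                }
            }
        }
    ' | sort
}

# Stand-alone run on the sample with a threshold of 3.
printf '%s\n' "$SAMPLE_LOG" | flag_login_bursts 3
```

On a real server run it as `flag_login_bursts 20 < /var/log/apache2/access.log` (path varies by host). A success-after-burst line is the one to act on first: rotate that account's password, check its sessions, and confirm 2FA is on. xmlrpc.php returns 200 for both outcomes, so bursts there are reported without a success marker; if you do not use XML-RPC, blocking it outright is the simpler fix.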