How to Secure and Protect Your WordPress Website
Anyone who regularly uses the internet these days has likely learned the basics of improving their computer’s cybersecurity: they have antivirus software installed, don’t click on spammy-looking emails, and try not to go to shady parts of the internet. But when you build a website, WordPress or otherwise, you open a whole new can of worms!
Websites themselves can become targets to hackers and other security threats… just like your computer. So to ensure your website remains well-defended, you typically need to develop a few new habits and engage a few new tools! Don’t let your website be one of the almost 75 percent of WordPress websites which are considered ‘vulnerable’ to hackers.
So, what are some of the best tips and tricks to keep your WordPress website secure?
Keep Everything Updated
Many webmasters simply ignore (sometimes for months or years) the requests of WordPress themes and plugins to update. This is a serious issue, as the vast majority of updates are published for security reasons! This is most especially true of updates which are published for your WordPress framework. But even plugins release security patches in their updates.
If there’s a plugin or theme you’re not using, it can still provide a ‘back door’ into your website; so it’s important to download the updates for these, too! Even having a plugin deactivated isn’t a sure-fire way to ensure it can’t hurt you, so if you can’t regularly install its updates, it’s better to just delete it.
Secure Your Dashboard and Admin Area
A great way to protect your WordPress site is to restrict access to to its backend to only specific IPs if you don’t have a lot of users. One easy way you can do this is by editing the .htaccess file in your admin folder. You can simply add these few lines of code:
<Files wp-login.php> order deny,allow Deny from all Allow from (insert your IP address here, without parentheses) </Files>
And guess what? You can add multiple IP addresses! Just copy the ‘allow from’ line and add whichever additional IP addresses you want to include. This way your office, home, and any other common IP address you access your site admin area from (a local coffee shop, perhaps?) will be allowed, while all others will be denied.
While this is one of the best WordPress safety tricks, it can cause problems for those who access their admin a lot while traveling, or trying to access the admin area from different public wifi IP addresses.
Securing Your Login Credentials
There are a few simple ways to secure your login credentials; because brute-force hacking attempts aren’t uncommon, and many WordPress users all have the same inclinations… like using ‘admin’ as their username. So utilize a different username, one that’s unique to you, and ensure that you follow the WordPress recommendations on creating a secure password. Ideally, you should update your password once or twice a year, and always have ‘limit login attempts’ enabled. Poor password protection is one of the key ways hackers can gain entry to your website and hosting.
You can add another layer of protection by using two-factor login systems such as the ‘Clef’ option which WordPress recommends: this means that every login attempt requires not just a username and password, but a more unique and secure login action as well (such as responding to a text) to ensure that the right individuals are logging in.
Secure Your Hosting
If your hosting isn’t secured, your website likely isn’t, either; so regularly check to see if you can update your PHP version, which is as important as updating your WordPress. You can also update your MySQL database, and use hosting-provided benefits including firewalls, intrusion detection systems, and account isolation policies. If you’re uncertain how to do this, or what additional layers of protection are offered by your hosting provider, call their customer support! Many of these services are all included in your hosting payments.