Did you know 25 per cent of the websites you visit uses the beautiful open-source platform WordPress? From casual personal blogs to corporate news websites, WordPress being used. If you are just starting with WordPress or already have experience using WordPress platform then you can follow this best security practices to keep your WordPress clean and secure.
WordPress at its core is ultra-secure thanks to its open-source nature and thousands of developers working on it around the world. Any security issues found will usually be patched within a matter of seconds by these developers. WordPress is also known to push security updates immediately to its users.
We through this WordPress security guide will cover some simple security tips you can follow to make your website safe and secure from hacking or malware. You don't need to be a tech-savvy person or have technical skills to improve your WordPress website security. Do note that most of these steps are way easy to apply when you are starting a new WordPress site.
Why do you need to secure WordPress?
Before going further to avoid common security mistakes, we need to know why website security is important. A hacked or malware affected WordPress website can lead to deterioration of your brand reputation. You don't want your website visitors to get redirected to the unwanted website. If you have login feature for your users, then the hacker may even try to steal your user's personal information, passwords etc. SEO wise Google may even ban you from its search results.
If you are earning something from your WordPress site then you must be ready to secure it in all way possible. It's always 'Prevention Is Better Than Cure'. Prepare your website to deal with current and future security issues.
Way to WordPress security
- Change the default 'admin' username - The first thing you should do while installing a WordPress website is to change the default 'admin' username to something different. A bulk of brute-force attacks on WordPress happens because of you keeping the default WordPress admin username as "admin" itself.
If you already have a running WordPress website with 'admin' username, then there are some easy methods to change it.
- Create a new admin user on your WordPress site and assign administrator privileges to it. Delete the old admin user and WordPress by default ask you to move articles written by the old user to the new admin username.
- Or, you can use plugins like Username Changer to quickly change the username. Once the username has been changed, you can safely delete the plugin.
- Change WordPress Database Prefix - Another important factor that can add up to your WordPress security is the database prefix. By default when you install WordPress it uses 'wp_ ' as the prefix for all tables in the database. Using that may make it easy for a hacker to guess your table name and eventually make your website vulnerable to hacking or SQL injection.
We suggest you change the database prefix to something unique while installing WordPress. Plugins like WP Prefix Changer can help you to easily change your existing WordPress database prefix safely. (always take a backup of your database before applying these changes).
- Keep WordPress, Plugins and Themes updated - By default WordPress now automatically installs minor updates (if you have not disabled updates completely). For major updates, you may need to manually initiate the WordPress update. Make sure whenever there is a WordPress core update install it instantly. These updates have security patches and add new features for your WordPress site.
Coming to plugin and themes, you may have installed dozens of plugins and themes on your WordPress site. As these plugins and themes are maintained by third-party developers, make sure to update them regularly whenever an update is available. You may also want to remove those plugins which have not updated for a long time or abandoned by its plugin authors.
If you have using Jetpack plugin (which is by Automattic) then it can handle those WordPress core updates, Plugin updates and theme updates automatically for you.
- Disable file editing from WordPress backend - By default, WordPress allows you easily edit theme files and plugin files directly from the WordPress backend or admin area. In any case, someone with administrator privileges can edit those files and can completely compromise your WordPress security. We always recommend disabling file editing feature on WordPress.
Just add the following code to the wp-config .php file found in the root directory of your WordPress installation.
// Disable file edit
define( 'DISALLOW_FILE_EDIT', true );
- Disable WordPress XML-RPC - WordPress XML-RPC in recent time have been one of the major culprits for brute-force attacks. XML-RPC is enabled by default in WordPress and helps you to connect your site with web apps (like Windows live editor) and mobile apps. If you are accessing and publishing articles remotely then you should enable XML-RPC. Otherwise, you can safely disable XML-RPC on your WordPress site.
If you have installed Jetpack plugin, then you just need to enable 'Protect' module. This will essentially protect your XML-RPC from further attacks. You can also use plugins like Disable XML-RPC by Philip Erb which disables the XML-RPC API on a WordPress site running 3.5 or above.
- Install WordPress security plugins - For you to feel comfortable to a greater extent, install any one of the trusted WordPress security plugins. Most of these security plugins offer an extra layer of security and firewall to your WordPress site. They scan core files, themes and plugins against WordPress.org repository version. They also scan for malware, offer real-time traffic monitoring, block common WordPress security threats and more.
Some of the best WordPress security plugins include Wordfence Security, All In One WP Security & Firewall and Sucuri Security. You can install any one of these plugins and configure it to harden your WordPress security.
- Backup your WordPress - It's always recommended to have a backup solution for your WordPress site. Nothing is 100% secure. A Small security vulnerability or a time delay in updating a plugin may put your WordPress site under risk.
Backups always come to your rescue, as you can quickly revert back to an older backup version in case something bad happens. There are many free and paid WordPress backup plugins you could try. But always make sure you take a regular and complete WordPress backup. This includes WordPress core files, plugins, themes and upload folder. Also, you need to make sure the backup files are kept safe and secure in a different server location (other than your WordPress hosting).
We would personally recommend the Jetpack Personal plan which offers daily backups, one-click restores, spam filtering, and 30-day backup archive. The Jetpack personal plan cost $3.50 monthly or $39 yearly. If you choose the Jetpack Premium or Jetpack Professional plan you could also get daily and on-demand scans for malware and threats with manual or automated one-click resolution. We have an exclusive Jetpack discount coupon which can offer you up to 50 per cent discount on any Jetpack plans.
- Better WordPress Hosting - Choosing a good WordPress hosting providers can make a big difference to your WordPress security. These WordPress hosting providers by default offer protection against common threats. We recommend Bluehost.com WordPress hosting as they offer world-class hosting, faster hardware and extra security on all shared hosting plans.
You could also try to choose managed WordPress hosting like Godaddy and HostGator. This hosting provider takes care of the entire WordPress site, its security, updates and backup. You simply need to concentrate on writing an awesome article.
That's all! hope you have learned more about securing your WordPress site. Choosing the best WordPress security plugins and WordPress hosting providers. Got any doubts, write down your queries in the comment section below.