There is no doubt that we have all left a window open in our house while we have popped to the shop to grab some milk.

Think back to the number of occasions where you have left your car unlocked for a moment while paying for a parking ticket or dropping something off.

Probably more than just once, right?

It is natural for us to forget about managing risky situations and put them on the back burner.

Human nature encourages us to feel positive wherever possible, and we like to think that most people and circumstances are to be trusted and that nothing untoward will happen.

Although that is true in most cases, there are times when the odds aren’t in our favor, and when that occurs, it will be too late to do anything about it.

If your home or car is broken into due to lapse security, you will be left picking up the pieces knowing that you could have prevented a very unfortunate situation.

With regards to WordPress, the same logic applies, and hoping that your site won’t get hacked is most definitely not the best course of action.

Obviously, nobody wants their site attacked, and if that happens, there are likely to be serious consequences; your website could get blacklisted from search engines, may get far less traffic, and last but not least you could lose valuable clients.

In this article, we will introduce some steps you can take to minimize any potential vulnerabilities. Read on to get some handy tips on how to secure your site!

The WordPress landscape

WordPress powers over 29% of The Internet (2017) and has around 40,000 plugins designed by developers from all over the world. In addition, there are tens of thousands of themes available so that you can customize the look of your site.

There is a popular misconception that WordPress isn’t safe to use. However, this simply isn’t the case as the team at WordPress work extremely hard to prevent security issues. The reality is, most vulnerabilities in WordPress are caused by poorly designed plugins and themes created by unskilled developers.

Many people love to use WordPress because of its extensibility which allows you to tailor your site specifically to your needs; however, you should be aware that because WordPress is so commonly used, it is a popular target for malicious attacks and hackers.

Types of hacks

There are two main types of hacks that occur on WordPress websites.

The first type is a targeted attack where a hacker makes a deliberate decision to breach your website. More often than not, this is most likely to happen with popular websites where a hacker or activist group may strongly disagree with the content of a website, or perhaps hold a grudge, for example.

The second type of hack is a non-targeted, general attack, which isn’t aimed at anyone in particular. Hackers send out automated attacks capable of scanning a wide range of IP addresses that look for known security issues on a certain version of WordPress, or a plugin or theme. Once a weakness is found, there may be a chance it can be exploited.

A backdoor attack has the ability to access your site’s server remotely by bypassing usual authentication procedures such as logging in. Once someone has access to your server, they can steal important data, including passwords and bank account details.

Defacement is where an attacker deliberately changes the appearance of one or more of the pages of a website by disfiguring it. Part of the defacement may display the hacker’s name tag to “show off” their hacking skills.

If your site is taken over, then your web page can be replaced by a phishing site, which will attempt to lure the next visitor into providing valuable credentials.

Malicious software known as malware can be installed on websites to spy on users’ or to spread further viruses.

Hackers can bring a website down by launching a denial of service attack, often “recruiting” other websites to assist them.

Important: Before making any changes to your website, you should run a full backup to ensure you can restore your site if there are any issues. If you’re not comfortable making these changes, we recommend hiring a developer to implement these tweaks for you.

8 WordPress security optimization tips

Now that you know a bit more about WordPress security, it is time to implement the following preventative measures on your website:

1. Install a WordPress security plugin

Before installing a security plugin, ensure that you study the configuration settings and any documentation.

A correctly set up plugin can mitigate a lot of the risk and reduce the likelihood that your website will get hacked.

iThemes Security can prevent brute force attacks by stopping illegal login attempts; it is also good at finding bots that seek out weaknesses. In addition, this plugin can conceal vulnerabilities and run system scans.

All in One Security & Firewall is a plugin that blocks user agents and IP addresses. It also provides database and user login security, so is definitely worth checking out.

Wordfence Security offers security scanning and allows you to enforce two-factor authentication. Another great feature is that it identifies malicious attackers.

2. Don’t use common passwords

You would be surprised how many people use easily guessable passwords such as qwerty or password.

Passwords with sequential characters should also be avoided as password cracking software find them easy to figure out.

Creating a secure password is essential to fortifying your login page. In order to do so, ensure that you use a strong password generator that uses a combination of characters.

3. Change the default username

Although it is far easier to keep your WordPress site’s username as the default of “admin”, by doing so, you are setting yourself up for a serious security breach.

Many attacks will use “admin” as a login because hackers hope that site owners won’t have had the foresight to amend it.

Go ahead and make this critical change by creating a new user via Users > New User, and then give your new login administrative rights.

Afterwards, sign in with your new administration account and delete the old default “admin” account.

Note: fortunately a lot of hosts now avoid the using the default username “admin”.

4. Set up two-factor authentication

An additional measure that can be taken to further secure your WordPress installation is to set up two-factor authentication.

Even if you have taken the step to use a strong password and amended your admin username. Enabling 2FA will prevent access to an intruder in the event that your login details are compromised.

To help you set this essential feature up, you can use plugins such as Authy, Rublon, UNLOQ, and Keyy.

5. Assign least privileged principles

When giving a new person access to your site, set up a new login which has no more security privileges required to enable them to do his or her job.

For example, you wouldn’t give someone full-blown administrative access when all they need to do is some simple editing.

5. Turn off file editing

Take a backup of your wp-config.php file and then amend the original by adding the text below:

define('DISALLOW_FILE_EDIT', true);

By adding these useful few lines of code, you can prevent hackers from making changes to your site via the appearance editor in WordPress.

6. Hide your version number

WordPress like to know how many sites are currently active by checking version numbers. This can cause issues, however, as some versions of WordPress are vulnerable to malicious attacks.

To remove your version number from display, amend your functions.php file by adding the following code (remember to take a copy of it first):

add_filter( 'the_generator', '__return_null' );

7. Update WordPress, plugins and themes regularly

It is a pain constantly having to check that your site is always up to date.

By implementing automatic updates, you can rest assured that themes and plugins are updated automatically each time the latest version comes out.

You can use the Advanced Automatic Updates plugin or alternatively add the code below to your wp-config.php file to set up automatic updates:

add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );

8. Use the best themes and plugins

Never download premium plugins without paying for them, and always make sure that you purchase your plugins from reputable sites.

The consequence of downloading free premium plugins is that they can be infected with malware, meaning if you install them they will cause serious complications.

Carry out some prerequisite checking before downloading a plugin or theme. Have a look at reviews and find out when it was last updated.

If a plugin or theme hasn’t been updated for a while, then it is possible that the developer is no longer working on it and it will be outdated. It is also wise to check for compatibility with your WordPress version.

Keep an eye on the plugins that you have already installed. If you are no longer using them, uninstall them.

Conclusion

Managing a website would be far easier if we didn’t have to worry about malicious attacks. However, in the real world, increasing your website’s security should be at the top of your list. Even if you own a small website, automated hacks are still a cause for concern.

On the positive side, by setting up the few security measures above and taking regular backups, you can drastically reduce the chance that your website will be hacked.

The proactive action you take to harden your site’s security now will protect your site well into the future.

Posted by William Hagerty

William is a WordPress mechanic at Fixmysite.com. Where he spends most of his time fixing sites and, in some cases, even removing malware from hacked websites. He is also a huge classic rock fan!