Nowadays nothing is secure. From IoT devices, automated teller machines and game servers to international bank transactions, everything can be cracked (not hacked; the two are different. Read this post by TechRepublic to understand the difference between the two terms). Coming back to the topic, we must understand that total security is not attainable. It’s just a lie; an illusion.
Only a limited level of security can be achieved with the methods I’m going to discuss in the sections below.
We have an Illusion of Security, We Don’t have Security ~ Isaac Yeffet
The first step in protecting your WordPress site is to keep it updated. If you haven’t updated your version of WordPress or its themes and plugins, now is a good time to do so.
That’s the first line of defense for your WordPress site, because most WordPress sites are compromised through known vulnerabilities in outdated versions of themes and plugins. Those vulnerabilities are continually fixed and patched by the developers, but a fix only protects you once you install it.
Next, you should use a WordPress security plugin to harden your site’s security. WordPress, like any other web application framework, is not immune to attacks and exploits. These plugins patch up the shortcomings by hiding the vulnerabilities and sometimes fixing them. Some of the security plugins can hide the version numbers of the technologies your WordPress site uses. Though this is a very basic step, it helps stop many of the common exploits used by script kiddies, whose scanners often pick their targets by version string.
Wordfence protects more than 1 million WordPress sites whereas iThemes Security protects more than 800,000 WordPress sites and Sucuri Security protects 200,000+ websites.
Though all of them perform nearly the same job, I would recommend Wordfence over the rest based on my feedback on testing them.
Apart from that, you can check your site for known malware, blacklisting status, website errors and out-of-date software using Sucuri’s SiteCheck – Free Website Malware and Security Scanner.
Limit login attempts
Limit login attempts to protect your site from brute-force attacks. A brute-force attack is the simplest way to gain access to a site – it tries many combinations of commonly used usernames and passwords, along with dictionary words, to break into your site’s administrator dashboard.
It can easily be set up by installing this plugin from your WP dashboard or via FTP.
Do NOT ever use ‘admin’ as your WordPress login username. It is the very first word that bad bots and scripts try when probing for the username of your WordPress site. Once a bot finds a valid username, it moves on to guessing the password.
By using ‘admin’ as your username you are pointing it down the correct path. It’s like revealing the place where you’ve hidden your money and jewellery to a robber and then waiting for him to break in and steal it with his tools!
So, think of a creative username for your WordPress site and avoid typical dictionary words.
The same applies to passwords. Do not use any word found in a dictionary as your password. Use a combination of upper- and lower-case letters along with symbols and ambiguous characters, and make sure it is at least 16 characters long.
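As an added example (not code from the original post, nor from any of the plugins named above), the following must-use plugin shows how two of the measures discussed here, hiding the WordPress version string and limiting failed login attempts, map onto WordPress’s own hooks. The EXLL_ prefix, the constants, the helper name and the chosen limits are assumptions made for this illustration.

```php
<?php
/**
 * Plugin Name: Example Login Limiter (added example, not a real plugin)
 * Place this file in wp-content/mu-plugins/ and WordPress loads it automatically.
 */

// Remove the WordPress version from the <head> generator tag and from feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

define( 'EXLL_MAX_ATTEMPTS', 5 );      // failures allowed per window (assumed value)
define( 'EXLL_LOCKOUT_SECONDS', 900 ); // 15-minute lockout (assumed value)

// Key the failure counter on the client IP. REMOTE_ADDR is only correct when
// PHP sees the real client; behind a reverse proxy such as Cloudflare the web
// server must be configured to restore the original visitor address first.
function exll_key() {
    return 'exll_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Count every failed login; the transient expires together with the lockout.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = exll_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EXLL_LOCKOUT_SECONDS );
} );

// Once the limit is reached, refuse further attempts before the password is
// even checked. Priority 30 runs after WordPress's own authenticate handlers.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( exll_key() ) >= EXLL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( exll_key() );
} );
```

Because the counter lives in a transient, it is shared across all PHP workers and survives until the lockout expires, unlike a per-request counter.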
Protecting your WordPress site with a FREE firewall like Cloudflare can keep your site from getting hammered by bad bots and DDoS attacks. Cloudflare offers DDoS protection, a Web Application Firewall (WAF), SSL, Traffic Control™, DNSSEC and many such awesome tools to enhance your website’s security. Cloudflare acts as a reverse proxy for your site, and all traffic to and from your site is analysed in real time for threats and unusual traffic. Cloudflare also offers a free SSL certificate with which all transmitted data is encrypted. Note that this certificate covers the connection between the visitor and Cloudflare; the leg from Cloudflare to your own server is only encrypted if the origin also has a certificate and the SSL mode is set to Full or Full (strict).
Last but not least – choose a well-known WordPress hosting provider with a good track record. Do not go for poor, unreliable hosting services and lose your hard work by having your site wiped away just because the servers hosting it were cracked or DDoS’d, or simply because the host didn’t keep proper backups of its clients’ sites!
All four of them are officially recommended by WordPress themselves. Here’s a quote from their site –
There are hundreds of thousands of web hosts out there, the vast majority of which meet the WordPress minimum requirements, and choosing one from the crowd can be a chore. Just like flowers need the right environment to grow, WordPress works best when it’s in a rich hosting environment.
More information on hardening WordPress –