We have an Illusion of Security, We Don’t have Security
Isaac Yeffet
Nothing is secure nowadays; security is just an illusion. You might have heard this already. Every single day, millions of IoT devices (including your security cameras, refrigerators, and washing machines), ATMs, websites, etc. are hacked for various reasons. Some people hack for fun, while others hack in order to cause serious damage.
Why people do it is out of our control, and we can’t convince them not to. But you can take some precautions to protect your WordPress site from hackers.
But hey, you must keep in mind that only a limited level of security can be achieved with the below methods. If someone is hellbent on hacking your site, then with the right resources it is possible to gain access to your website’s confidential files.
Keep your WordPress site, plugins, and themes updated
The very first step to protect your WordPress site from hackers is to keep it updated. If you haven’t updated your WordPress (core), themes, or plugins, now is a good time to do it.
That’s the first line of defense for your WordPress site. Most of the WordPress sites out there are hacked using exploits that have already been discovered and published. If you haven’t updated your site to make sure the patches have been applied, then it’s your fault.
Remember that WordPress is supported by a large community of users, and there is even a core security team that constantly monitors for issues and helps get them patched as soon as possible.
Install a good security plugin
Next, you should use a WordPress security plugin to harden your site’s security. WordPress, like any other web application, is not immune to attacks and exploits. These security plugins patch up the shortcomings by hiding a few vulnerabilities and sometimes patching them. Some of the security plugins can hide the version number of the plugins and themes that you are using on your WordPress site.
Though this might be a very basic step, it surely helps stop many common exploits used by the script kiddies who take advantage of these patched vulnerabilities.
Wordfence Security protects more than 4 million WordPress sites whereas iThemes Security protects more than 1 million WordPress sites and Sucuri Security protects 800,000+ websites.
Though all of them perform nearly the same job, I would recommend Wordfence Security over the rest based on popular feedback and my experience with testing them.
Apart from that, you can check your site for known malware, blacklisting status, website errors, and out-of-date software using Sucuri’s SiteCheck – Free Website Malware and Security Scanner.
Limit the number of login attempts
Limiting login attempts protects your website from brute force attacks. A brute force attack is the simplest way to gain access to a site – it tries various combinations of commonly used usernames and passwords along with dictionary words to break into your site.
Limiting login attempts can be easily set up by installing the Limit Login Attempts Reloaded plugin from your WP Dashboard.
Don’t set ‘admin’ as username
Do NOT ever use ‘admin’ as your WordPress login username. It is the very first word that bad bots and scripts try when looking for the username of your WordPress site. Once they find the username of your site, they will try guessing your password.
By using ‘admin’ as your username you are making it easier for malicious actors to move one step closer to cracking your website’s security. It’s like revealing the place where you’ve hidden your money and jewelry to the robber and waiting for him to break in and steal it!
So, think of a creative username for your WordPress site and avoid using typical dictionary words.
Make use of strong passwords
The same thing applies to passwords too. Do not use any common names or words present in the dictionary as your password. Make sure you use a combination of upper and lower case letters along with symbols and special characters. Also, it should be at least 16 characters in length.
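The username and password rules above can be checked mechanically. This is an added example, not code from the post: the two word lists are small constructed stand-ins for a real wordlist, and the look-alike character mapping is an assumption added so that substitutions such as "P@ssw0rd" still count as a dictionary word.

```python
import secrets
import string

# Constructed stand-ins; a real audit would load a full wordlist.
COMMON_USERNAMES = {"admin", "administrator", "root", "test", "user"}
DICTIONARY = {"password", "welcome", "dragon", "monkey", "wordpress"}
# Undo common look-alike substitutions before the dictionary check.
LEET = str.maketrans("013457@$", "oleastas")

def audit_credentials(username, password, min_length=16):
    """Return a list of rule violations; an empty list means the pair passes."""
    findings = []
    if username.lower() in COMMON_USERNAMES:
        findings.append("username is on the common-username list")
    if len(password) < min_length:
        findings.append(f"password shorter than {min_length} characters")
    if not any(c.islower() for c in password) or not any(c.isupper() for c in password):
        findings.append("password needs both upper and lower case letters")
    if not any(c in string.punctuation for c in password):
        findings.append("password needs a symbol")
    normalized = password.lower().translate(LEET)   # "P@ssw0rd" -> "password"
    if any(word in normalized for word in DICTIONARY):
        findings.append("password contains a dictionary word")
    return findings

def generate_password(length=20):
    """Draw from the OS CSPRNG until the result satisfies every rule above."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not audit_credentials("", candidate):
            return candidate

if __name__ == "__main__":
    print(audit_credentials("admin", "P@ssw0rd123!"))
    print(generate_password())
```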
Protect your site with a firewall
Protecting your WordPress site using a FREE firewall like Cloudflare can shield your website from getting hammered by bad bots and DDoS attacks. Cloudflare offers DDoS protection, Web Application Firewall (WAF), SSL, Traffic Control™, DNSSEC, and many such awesome tools to enhance your website’s security.
Cloudflare acts as a reverse proxy for your site, and all the traffic coming to and from your site is analyzed in real time for threats and unusual traffic. Cloudflare also offers a free SSL certificate, with which all the data is encrypted.
Switch to a reliable WordPress hosting company
Last but not least – choose a well-known WordPress hosting provider with a good track record in their service. Do not go for poor and unreliable hosting services and lose your hard work by getting your site wiped away just because the servers hosting your site were hacked or DDoS’d or simply because they didn’t maintain proper backups of their customers’ sites!
I would recommend you to go with either Bluehost or SiteGround if you have got a personal blog or business website that doesn’t receive much traffic. If you need more server power, go with DreamHost or Kinsta Managed WordPress Hosting.
Other than Kinsta, all of the above-recommended WordPress hosts are officially recommended by WordPress themselves. Here’s a quote from their site –
There are hundreds of thousands of web hosts out there, the vast majority of which meet the WordPress minimum requirements, and choosing one from the crowd can be a chore. Just like flowers need the right environment to grow, WordPress works best when it’s in a rich hosting environment.
WordPress.org
More information on hardening WordPress
I hope that this post helped you in learning how to protect your WordPress site from hackers.