Nowadays nothing is secure. From IoT devices, Automated Teller Machines, Game Servers to International bank transactions everything can be cracked (Not hacked. Both are different. Read this post by TechRepublic to understand the differences between both the terms). Now coming back to the topic, we must understand that total security is not attainable. It’s just a lie; an illusion.
Only a limited level of security can be achieved with the methods I’m going to discuss in the below sections.
We have an Illusion of Security, We Don’t have Security ~ Isaac Yeffet
Table of Contents
Keep your WordPress core, plugins & themes updated
The first step in protecting your WordPress site is to keep it updated. If you haven’t updated your version of WordPress or its themes and plugins, now is a good time to do so.
That’s the first line of defense for your WordPress site because most of the WordPress sites are hacked using the exploits present in these outdated versions of themes and plugins. They are continually fixed and patched up by the developers.
Install a good security plugin
Next, you should use a WordPress security plugin to harden your site’s security. WordPress, like any other web application framework, is not immune to attacks and exploits. These plugins patch up the shortcomings by hiding the vulnerabilities and sometimes fixing them. Some of the security plugins can hide the version number of the technologies you are using in your WordPress site. Though this might be a very basic step it surely helps stop many common exploits used by the script kiddies!
Some of my favorite WordPress security plugins are Wordfence Security, iThemes Security, and Sucuri Security.
Wordfence protects more than 1 million WordPress sites whereas iThemes Security protects more than 800,000 WordPress sites and Sucuri Security protects 200,000+ websites.
Though all of them perform nearly the same job, I would recommend Wordfence over the rest based on my feedback on testing them.
Apart from that, you can check your site for known malware, blacklisting status, website errors, and out-of-date software using Sucuri’s SiteCheck – Free Website Malware and Security Scanner.
Limit the number of login attempts
Limit login attempts to protect your site from brute force attacks. A brute force attack is the simplest way to gain access to a site – it tries various combinations of commonly used usernames and passwords along with dictionary words to break into your site’s administrator dashboard.
It can be easily set up by installing this plugin for your WP Dashboard or via FTP.
Don’t set ‘admin’ as username
Do NOT ever use ‘admin’ as your WordPress login username. It is the very first word that is tried by bad bots and scripts to find the username of your WordPress site. Once it finds the username of your site, it will move on to decode your password.
By using ‘admin’ as your username you are directing it towards the correct path. It’s like revealing the place where you’ve hidden your money and jewelry to the robber and waiting for him to break in and steal it using his tools!
So, think of a creative username for your WordPress site and avoid using typical dictionary words.
Make use of strong passwords
The same thing applies to passwords too. Do not use any words present in the dictionary as your password. Make sure you use a combination of upper and lower case letters along with symbols and ambiguous characters and is at least 16 characters in length.
In case you’re not able to think of such a complex password, use a tool such a Strong Random Password Generator or Norton’s Password Generator.
Protect your site with a firewall
Protecting your WordPress site using a FREE firewall like Cloudflare can protect your site from getting hammered by bad bots and DDoS attacks. Cloudflare offers DDoS protection, Web Application Firewall (WAF), SSL, Traffic Control™, DNSSEC, and many such awesome tools to enhance your website’s security. Cloudflare acts as a reverse proxy for your site and all traffic to and from your site are analyzed in real-time for threats and unusual traffic. Cloudflare also offers a free SSL certificate using which all transmitted data is encrypted.
Also Read: Optimize WordPress to Reduce Server Overload.
Switch to a reliable WordPress hosting company
Last but not the least – choose a well-known WordPress hosting provider with a good track record in their service. Do not go for poor and unreliable hosting services and lose your hard work by getting your site wiped away just because the servers hosting your site were cracked or DDoS’d or simply because they didn’t maintain proper backups of their customers’ sites!
I would recommend you to go with either Bluehost or SiteGround if you have got a personal blog or business website which doesn’t receive much traffic. If you need more server power, go with DreamHost or Kinsta Managed WordPress Hosting.
Also Read: Grab SiteGround WordPress Hosting at just $3.95/month!
Other than Kinsta, all of the above-recommended WordPress hosts are officially recommended by WordPress themselves. Here’s a quote from their site –
There are hundreds of thousands of web hosts out there, the vast majority of which meet the WordPress minimum requirements, and choosing one from the crowd can be a chore. Just like flowers need the right environment to grow, WordPress works best when it’s in a rich hosting environment.
More information on hardening WordPress
Thus I hope that this post helped you learn how to protect your WordPress site from hackers.
Thanks, I read the list and am happy to report that I am doing the things to make my site secure!
You’re welcome Michele, it looks like you really care about your blog and you’re doing great. Your blog must be proud of you, happy blogging!
I use Bluehost and I seem to go through phases where I am not actually hacked, at least I don’t think I am, I just get crazy comments.
Hey Victoria, Bluehost is one of the most recommended WordPress hosts mainly because they automatically update the core WordPress files if the user fails to keep them updated. Quite sometime back they achieved the feat of upgrading very old WordPress installations without breaking users’ sites. That was truly commendable!
Coming to comments spam, you can use a free anti-spam plugin like Akismet to prevent your site from being bombarded with spam. Hope that helps.
I am a Wordfence fan also. Thanks for sharing this post on #TrafficJamWeekend.
You’re welcome Kimberly. I was a fan of Wordfence too but right now I’m using Sucuri + Cloudflare for protecting my site.