How to Secure your WordPress site?

If you’re new to WordPress, you’re probably still learning how to use the content editor, or choosing what plugins you need. However, there’s another side that’s extremely essential, which is how to secure your WordPress site. In this article, you’ll learn why you need to secure your site, how to secure your WordPress site, and also a few extra security tips.

Why do you need to Secure your WordPress site?

Your WordPress site might be important to you. It may help bring more money into your house. That site took time, and money to put together. However, after you’ve put your site together, and have told the world about it, you have more to do, in order to ensure that your site remains up.

While WordPress core code is secure, things happen over time. Some code becomes outdated or hackers create code to try to hack into your site. Now please note, most hackings aren’t targeted at specific individuals. They are created on servers that find random sites that may have poor passwords or the code isn’t secure.

Additionally, even if your web host provides some levels of security, you should always secure your WordPress site. At Verpex, we provide secure servers and regular monitoring on our web hosting, but it’s always good to have some more security implemented with your site, that is specific to WordPress.

Although all that sounds scary, there’s some simple things that you can do in order to secure your WordPress site.

8 Steps to Secure your WordPress website

Please note that this tutorial is for beginners. The following method is the easiest to implement for beginner WordPress users, and works well for most web hosts, themes, and plugin combinations.

Security Plugin you will need: Shield Security

Shield Security is an all-in-one type security plugin. It allows you to add some levels of security to your site, like helping against comment spam, preventing brute force attacks from bots, password protection, malware scanning, and much more. Shield Security has a lot of great features with the free version, but also has a premium paid version that offers more options. In the case of most sites, having at least the free version should suffice.

When installing Shield Security from your plugins section of your WordPress dashboard, you’ll search for “Shield Security” and the following is what you’ll install and activate.

Recommended settings for Shield Security

Step 1. Shield has a simple walkthrough Wizard. It’s best to start here.

I recommend watching the video in order to familiarize yourself with the plugin before continuing.

Step 2. You can add your IP address to help whitelist you, while you log into your site. However, you may want to avoid this step, especially if you use multiple devices when using your website. In the case you want to use this feature, you can click the link and it will give you an IP address from where you’re located. Otherwise you can google “What’s my IP address” and Google search will display your IP

Step 3. Brute force login protection deals with reducing bots from trying to get into your site, that will try to add malware or malicious content injections. When you log in, you’ll simply click an extra box that’s unable to be detected and used by bots. This is optional, but you can try it out. If you’re using any Login Attempt or plugins dealing with login protection, then you’ll want to disable and remove those, as they may conflict with Shield Security’s login protection feature.

Step 4. The Comment Spam feature is a fantastic feature. If you’re using Akismet (a plugin dedicated to combating spam) already, then you’re doubling your chances of reducing comment spam. Now, please note that this feature doesn’t entirely eliminate comment spam, but it greatly reduces the problem.

Step 5. Exit Wizard and go to the Shield Overview

After the 5th Wizard step, it’s mostly asking you to either consider purchasing the premium version or subscribe for updates. You can purchase and the plugin will do things like help fix files. With the free version, you’re sent an email with a list of your site’s health, from number of bot attacks, any plugins or themes that need updates, any plugins that are abandoned by their developer, and any suspicious file changes. With this list, you’ll need to take action if you think something seems strange.

From here, most of the default settings, you won’t need to tamper with.

Step 6. Disable XML-RPC. This is found under the API & XMP- RPC tab of the Config section of Shield Security. This is important to disable, in order to prevent any remote access from other servers.

Step 7. Disable file editing and Force SSL for Admin. This is found under the Permissions tab of the Config section of Shield Security. Disabling file edit prevents file editing from the WordPress admin area, which is good to prevent other users from accessing and accidentally messing up your site. It also prevents bots that got in, from editing those files too.

As for the Force SSL Admin, this is optional and should ONLY be used if you have a valid SSL certified properly installed on the website. What it does is keep your data secure when you enter anything into any form field in WordPress. Honestly, if you already have SSL properly installed, this option might not be needed.

Step 8. Hide Login Page. This is found under the API & XMP- RPC tab of the Config section of Shield Security. This security feature is a fantastic option. WordPress has been around for a long time, so there are a lot of bots designed to look for the default login page. When you rename it to something else, the bots can’t find it and try to hammer it down (also known as a DDoS attack), in order to get into your WordPress administration area. If you do this, you will need to remember your new login page, so you might need to write it down or bookmark it.

That’s all you really need to configure for Shield Security.

Bonus: WordPress Security Tips

• Always keep your WordPress site up-to-date.

• Choose a secure WordPress password.

• Choose good plugins and themes that are actively being developed.

• Make sure your web host login password is secure.

• Make sure your FTP/sFTP passwords are secure.

• Make sure your PHP is at the latest recommended version by WordPress.

• Don’t use ‘admin’ as your username.

• Remove plugins that you’re not using.

• Remove any themes, except your active theme, and the latest default WordPress theme.

• Install SSL.

• Set roles for other users, if you don’t want them to have administrator access.

• Regularly backup your WordPress site.

Always keep your WordPress site up-to-date.

Of the top reasons that your WordPress site can be hacked, not keeping WordPress core, your plugins, and themes are the cause. Keeping all these up-to-date, keeps the code secure, and running smoothly.

Choose a secure WordPress password.

Don’t choose a simple password. This is another top reason for your site to be compromised. You can use a password generator site like Secure Password Generator, or a password protector site like 1password. 1password and encrypts your password. When you log in, using your browser, you simply use 1password to help log you in.

Choose good plugins and themes that are actively being developed.

Choose plugins and themes that are popular and well reviewed in the WordPress community. Also make sure that their last time they were updated is no later than 2 years. Any plugin or theme updated more than 2 years ago, could possibly be vulnerable to hacking.

Make sure your web host login password is secure.

Even if your WordPress password might be difficult to hack, you need to make sure your web host password is also complicated. Even though you might be tempted to make a password you can remember, it might not be the best idea.

Make sure your FTP/sFTP passwords are secure.

If you use File Transfer Protocol (FTP) or Secure Transfer Protocol (sFTP) to upload your files to your site, just like your web host login, and your WordPress login, this should be created to be difficult to decipher.

Additionally, in regards to FTP and WordPress, don’t use File manager type plugins for WordPress. This is not to be confused with the File Manager that comes with cPanel. Learn FTP or sFTP, and use that. The File manager plugins out on the WordPress plugin directory are not secure, no matter what their description says. It opens a hole into your files on your web host.

Make sure your PHP is at the latest recommended version by WordPress.

Hypertext Processor, or PHP is the scripting language that WordPress is built with. This helps display all your content, process your forms, and more. It’s important to keep this up-to-date. WordPress recommends having no less than PHP version 7.4, in order for your site to run smoothly. Each PHP update comes with security updates and even helps speed your site up a little too!

If you don’t know how to check your site’s PHP version, then you can ask your web host about it.

Don’t use ‘admin’ as your username.

When it comes to brute force, bots look for the username ‘admin’ first. If you’re using this username, then you need to change it immediately. You can use the Easy Username Updater plugin. Once you’re done using that plugin, then deactivate and remove it.

Remove plugins that you’re not using.

Plugins that are sitting and not activated or being used can become a security hole over time, so it’s better to remove them to save a possible headache

Remove any themes, except your active theme, and the latest default WordPress theme.

Like unused plugins, themes that aren’t active could be problematic if they aren’t updated and become vulnerable. It’s just better to not allow them to sit in your WordPress admin area.

Install SSL.

Secure Socket Layer (SSL), when installed on your site, allows you and your visitors to securely transmit data over forms. This data is encrypted through the browser, as the form is processing, so hackers can’t rob your information.This includes contact forms, credit card processing forms, comment forms, newsletter subscribe forms, WordPress content editor, and more. All of your websites should have SSL.

Set roles for other users, if you don’t want them to have administrator access.

If you’re not the only one using your site, and you don’t want them to have access to everything, make sure to adjust their role in your Users area of your WordPress admin area. This is handy if you have several editors or contributing writers that don’t need access to everything.

Regularly backup your WordPress site.

Backups can really save you a lot of grief. You can read why here, as well as how to back up your site. Backups can allow you to restore your site to the time before it was hacked or messed up, so you can fix it, without your website being down for a long time.

If you’re curious about more WordPress Security tips for beginners, you can check out these SlideShare slides on an Introduction to WordPress Security.

In Summary

Now that you know a lot of basic WordPress security tips, and even a way to help secure your site, it’s time to put all of this into plan. Your site’s security is important for both you and your website’s visitors, in order to have a safe online experience.

Frequently Asked Questions

Is a website on WordPress safe?

Websites on WordPress are safe, however to avoid hacking keep your website up to date.

Why choose Verpex for WordPress?

As the leading CMS out there, we’ve made it our mission to offer the most comprehensive and streamlined WordPress solutions on the market. Backed by a responsive customer care team and reliable site enhancement tools, we ensure our users get the full WordPress value and support for a reasonable price.

How do I keep WordPress plug-ins up to date?

In most cases, your plug-ins will scan for updates automatically, but it’s always worth logging into your dashboard on a regular basis and performing a manual scan. This can usually be done in just a few clicks.

How easy is it to upgrade a WordPress plan?

It’s very straightforward and WordPress sites can be easily scaled. Simply get in touch with our customer service team to discuss your needs.