18 Steps To Securing Your WordPress Website
WordPress is one of the most popular content management systems (CMS) for building websites. In fact, a whopping 43% of all websites on the internet are built using it. Its ease of use, flexibility, and the huge choice of plugins and themes make it a go-to choice for many businesses, bloggers and creators. However, that popularity also makes it a target: an attacker who writes one exploit for a common plugin flaw can point it at millions of sites, which is why securing your WordPress website is essential if you haven't done so already. This blog post covers the best practices for securing your WordPress website, protecting your data and keeping your visitors' information safe.
If you want to strengthen your WordPress site's security, take a look at the 18 steps below. Each one you implement makes your website harder to break into and a less attractive target. We have ranked each step by difficulty as follows: No Problem, Moderate and Ninja.
1. Keep WordPress updated - No Problem
WordPress releases updates all the time that fix security issues, improve performance and add new features. Keeping WordPress current is essential to a secure site, and it's really simple: you can do it with one click from the WordPress dashboard. By default WordPress also installs minor and security releases automatically, and you can switch on automatic updates for major releases too from the Dashboard > Updates screen.
Before you update, it's important that you take a backup of your site. This way, if anything goes wrong during the update process, you can easily restore your website to its previous state.
2. Use strong passwords - No Problem
Be honest, if you really think about it, how complicated is your password? If you are reading this and your password is "password" then go and change it this instant before thinking long and hard about what you have done.
Weak passwords are behind a large share of website breaches, hacks and information theft. Use a long, unique password that includes a mix of uppercase and lowercase letters, numbers and special characters, and never reuse a password from another site: credentials leaked from one breach are routinely tried against WordPress logins. Avoid easily guessable passwords like your name, birth date or "password". Consider using a password manager such as LastPass to generate and store strong passwords. Many password managers and security tools include a strength tester that estimates how long a password would take to crack; treat that estimate as a rough guide, not a guarantee.
3. Limit login attempts - No Problem
Limiting login attempts is a simple yet effective way to blunt brute-force attacks, where attackers repeatedly try different username and password combinations against your login page (wp-login.php) or the XML-RPC endpoint. Locking an IP address or account out after a handful of failures turns a million guesses into a few. WordPress core has no setting for this, so you'll need a security plugin that provides it, or a server-side tool such as fail2ban watching the web server logs. Make sure whatever you use also covers XML-RPC (see step 11), or attackers will simply switch endpoints.
4. Use two-factor authentication - No Problem
We've all seen two-factor authentication now. It can be annoying, but the truth is it makes your accounts a lot safer. Two-factor authentication (2FA) adds an extra layer of security to your WordPress login page. With 2FA enabled, you'll need to enter a code generated by an authenticator app on your phone (or prove possession of a hardware security key) as well as your password before you can log in to your WordPress dashboard. This way, even if someone knows your password, they can't log in without also having your device. WordPress core doesn't include 2FA, so you'll need a plugin for it. Prefer an authenticator app or security key over SMS codes: SMS can be intercepted through SIM-swap attacks and only works where you have signal. Keep the backup codes the plugin gives you somewhere safe so a lost phone doesn't lock you out of your own site.
5. Install a security plugin - No Problem
WordPress security plugins can help you identify and fix vulnerabilities on your website. Security plugins can scan your website for malware, brute-force attacks, and other security threats. They can also help you enforce strong passwords, limit login attempts, and enable 2FA. Weblok is an ideal security system for your WordPress website and it incorporates many of the steps we discuss as standard giving you less hassle and worry over your site security. With Weblok unlike other security plugins, you also get 24-hour, 7-day-a-week support managers on call to help you at any time.
6. Use HTTPS - Moderate
This is something you might not think makes a difference, but it is one of the most important aspects of securing your site. HTTPS is HTTP carried over TLS, which encrypts and authenticates the traffic between your website and its visitors so it can't be read or tampered with in transit. That includes the passwords and session cookies your own logins send, so it matters even on a site that never takes a payment, and it's essential if you collect card numbers or personal details. To use HTTPS you need a TLS certificate (still commonly called an SSL certificate) installed on your server. You don't have to pay for one: Let's Encrypt issues them free, and most hosts will provision and renew one for you with a click. Once it's installed, set both the WordPress Address and Site Address under Settings > General to https://, redirect all plain-HTTP requests to HTTPS, and check the browser shows the padlock with no mixed-content warnings (modern browsers no longer colour it green). An expired certificate is as bad as none, so make sure renewal is automated.
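The redirect and the HSTS header mentioned above, as an added example for step 6 (this is not code from the original article). It assumes Apache with mod_rewrite and mod_headers enabled, that your host's AllowOverride lets .htaccess set these directives, and that a valid certificate is already installed and working.

```apache
# Added example for step 6, not code from the original article.
# Assumes Apache with mod_rewrite and mod_headers enabled and a working
# certificate. Put it above the "# BEGIN WordPress" block in the site root.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Send every plain-HTTP request to the same URL over HTTPS with a
    # permanent (301) redirect. If a CDN or load balancer terminates TLS in
    # front of the origin, the origin sees HTTPS as "off" for every request
    # and this rule would loop; use the commented condition instead, which
    # trusts the proxy's X-Forwarded-Proto header.
    RewriteCond %{HTTPS} off
    # RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

<IfModule mod_headers.c>
    # HSTS: browsers that have seen this header refuse to use plain HTTP for
    # the next 180 days. Emitted only on HTTPS responses (env=HTTPS). Start
    # with a modest max-age; add includeSubDomains and preload only once every
    # subdomain is confirmed to work over HTTPS, because a mistake is hard to
    # undo once browsers have cached the policy.
    Header always set Strict-Transport-Security "max-age=15552000" env=HTTPS
</IfModule>
```

After adding it, request http://yourdomain/ with curl -I and confirm you get a 301 to the https:// address, and that the https:// response carries the Strict-Transport-Security header. If the site starts returning 500 errors, your host doesn't allow one of these directives in .htaccess and you'll need to ask them to set it for you.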
7. Keep plugins and themes updated - No Problem
Like WordPress itself, plugins and themes can have security vulnerabilities, and in practice the great majority of WordPress compromises come through a plugin or theme rather than core. It's not unusual for a site to run twenty or more plugins, and every one of them is another doorway someone might find a way through. Keep your plugins and themes updated to the latest version so known vulnerabilities are patched; you can do this from the WordPress dashboard, and since WordPress 5.5 you can switch on automatic updates per plugin and theme. Just as important, delete plugins and themes you no longer use rather than merely deactivating them: a deactivated plugin's files are still on disk and can still be requested directly over the web, so they can still be exploited.
8. Disable file editing - Ninja
By default, WordPress lets administrators edit theme and plugin files directly from the dashboard (Appearance > Theme File Editor and Plugins > Plugin File Editor). That's convenient, but it's also a security risk: anyone who gets into an administrator account, whether through a stolen password or a hijacked session, can use the editor to drop a backdoor straight into your site's PHP. You can disable file editing by adding the following line to your wp-config.php file, above the line that reads "That's all, stop editing!":
define( 'DISALLOW_FILE_EDIT', true );
This removes the editor, but a compromised administrator can still upload a malicious plugin as a zip file. If you manage updates over SFTP or WP-CLI anyway, the related DISALLOW_FILE_MODS constant goes further and blocks plugin and theme installs, updates and uploads from the dashboard altogether.
9. Backup your website regularly - No Problem
Backing up your website regularly is essential in case of a security breach, a botched update or a server failure. Many WordPress backup plugins can automate the process for you. Whatever you use, keep copies somewhere other than the server being backed up, and test a restore now and then: a backup you have never restored is a hope, not a plan. Weblok is a great choice because, unlike other backup plugins, Weblok has a dual remote backup, which means your site is backed up in two separate locations, so that if one goes down because of a fire or a power cut, your site is still backed up and safe.
10. Use a strong username - No Problem
Using "admin" as your WordPress username is not recommended because it's the first name every brute-force script tries. Use a unique username instead: create a new administrator account in the WordPress dashboard under Users > Add New, log in as that user, then delete the old one (WordPress will ask which user should take over the old account's posts; pick the new one). You don't want unused accounts sitting on your site waiting for an attacker to take them over. One caveat: a username is not a secret. WordPress reveals author usernames through author archive pages and the REST API, so this step only removes the easy guess; the real protection is the strong password and 2FA from steps 2 and 4.
11. Disable XML-RPC - Ninja
XML-RPC is a remote access protocol that lets third-party applications (Jetpack, the WordPress mobile apps and some publishing tools) talk to your WordPress site through the xmlrpc.php file. However, it's also a favourite of attackers: its system.multicall method lets a single request carry hundreds of password guesses, which sidesteps ordinary login-attempt limits, and its pingback feature can be abused to make your server fire requests at other people's sites. If you're not using anything that needs XML-RPC, disable it. The best place to do that is the web server itself (an .htaccess rule on Apache), because the request is refused before PHP even runs; a security plugin can do it too.
If something of yours genuinely needs XML-RPC, allow only its IP address and block everyone else. Bear in mind that a home broadband address changes from time to time, so an allow-list keyed to it will eventually lock out the very tool you meant to keep working.
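The web-server rule described above, as an added example for step 11 (not code from the original article). It uses Apache 2.4 syntax in the .htaccess at the root of the WordPress install; 123.123.123.123 is a placeholder for the one address you want to keep.

```apache
# Added example for step 11, not code from the original article.
# Apache 2.4 syntax for the .htaccess in the WordPress root. Blocking here
# means the request is refused with HTTP 403 before PHP runs, so it also
# removes the CPU cost of the attack. 123.123.123.123 is a placeholder.
<Files "xmlrpc.php">
    # Only this address may reach XML-RPC; every other client gets 403.
    # If nothing needs XML-RPC at all, replace the line below with:
    #     Require all denied
    Require ip 123.123.123.123
</Files>
```

On Apache 2.2 the equivalent is Order Deny,Allow / Deny from all / Allow from 123.123.123.123 inside the same Files block; on Nginx, which ignores .htaccess, use a location = /xmlrpc.php block with allow and deny directives in the server configuration. To check it worked, request /xmlrpc.php from an address that isn't on the list: you should get a 403 page instead of the plain-text "XML-RPC server accepts POST requests only." message an unprotected site returns.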
12. Use a Content Delivery Network (CDN) - No Problem
A CDN helps protect your website from DDoS attacks by absorbing traffic across many servers, and it speeds your site up by serving content from the location nearest each visitor. It only shields you if attackers can't reach your origin server directly, so where your host allows it, restrict origin access to the CDN's addresses. Weblok includes a CDN in its plugin, so you don't need to set one up separately.
13. Monitor your website for suspicious activity - No Problem
Keeping an eye on your website's activity log can help you identify suspicious behaviour and prevent security breaches. You can use a WordPress security plugin like Weblok to monitor changes made to your website, including login attempts, plugin and theme installations, and file modifications.
14. Use a web application firewall (WAF) - No Problem
A WAF is a security tool that inspects and filters incoming web traffic before it reaches your site. It can block malicious requests, including SQL injection, cross-site scripting (XSS) and application-layer DDoS attempts. Treat it as a safety net rather than a replacement for steps 1 and 7: a WAF buys you time while you patch, but a determined attacker may find a bypass for a vulnerability that is still there. Weblok is the perfect WAF for you to use in securing your WordPress site. With a simple installation on our Pro Plan or above, you get a robust firewall as well as a support agent on call 24 hours a day, 7 days a week.
15. Disable directory listing - Moderate
By default, a web server may show visitors a list of the files in any directory that doesn't have an index file. WordPress ships placeholder index.php files in its main folders, but not in every folder a plugin or an upload creates. Such a listing reveals your site's structure, plugin names and versions, and sometimes backup or uploaded files you never meant to publish, all of which helps an attacker pick a target. To disable directory listing, turn off automatic indexes in your web server's configuration or your .htaccess file, or ask your host to do it if they don't allow that setting in .htaccess.
16. Use a hosting provider that specialises in WordPress - No Problem
Choosing a hosting provider that specialises in WordPress can help ensure that your website is secure and running smoothly. These hosting providers typically have security measures in place that are tailored specifically for WordPress sites, such as automatic updates, malware scanning, and backups for extra peace of mind.
17. Restrict access to sensitive files - Ninja
Some files in your WordPress installation are more sensitive than others; the prime example is wp-config.php, which holds your database credentials and authentication salts. PHP normally executes it and returns an empty page, but a misconfigured PHP handler or a stray backup copy such as wp-config.php.bak can hand the raw file to anyone who asks for it. Deny web access to it outright, and never leave copies with another extension in the web root. WordPress will also look for wp-config.php one directory above the install if it isn't found in place, which keeps it outside the web root entirely. You can deny access with rules in your .htaccess file (or the equivalent in your web server's configuration).
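The .htaccess rules for steps 15 and 17 together, as an added example that is not code from the original article. It assumes Apache 2.4 and that your host's AllowOverride permits Options and access-control directives in .htaccess.

```apache
# Added example for steps 15 and 17, not code from the original article.
# Apache 2.4 syntax; place it in the .htaccess at the root of the WordPress
# install, outside the "# BEGIN WordPress ... # END WordPress" block, which
# WordPress rewrites when you save permalink settings.

# Step 15: never generate an index page for a directory without index.php/html.
# If this line produces a 500 error, your host's AllowOverride doesn't include
# Options; remove it and ask them to disable indexes in the server config.
Options -Indexes

# Step 17: wp-config.php holds the database credentials and salts. PHP
# normally executes it and outputs nothing, but if the PHP handler is ever
# misconfigured the raw source could be served; deny it outright as defence
# in depth. The Files rule applies to every subdirectory as well.
<Files "wp-config.php">
    Require all denied
</Files>

# .htaccess and .htpasswd files describe your own protections; never serve
# them. Stock Apache configs already do this, but it costs nothing to be sure.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

Verify with curl -I against /wp-config.php and /.htaccess (both should return 403) and against a directory with no index file such as /wp-content/uploads/ (403 or 404, never a file listing). If you want to go one step further, a separate .htaccess in wp-content/uploads that denies requests for .php files stops a smuggled "image" from being executed as a web shell, since uploads should only ever contain static files.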
18. Use secure hosting and server settings - Moderate
In addition to choosing a secure hosting provider, make sure your own server settings are secure. Use SSH and SFTP rather than plain FTP for file transfers (FTP sends your password in clear text), disable directory listing (step 15), keep the server's PHP on a version that still receives security fixes, set sensible file permissions (directories 755, files 644, and wp-config.php 640 or 600 where your host allows it), and use strong passwords for your hosting control panel, database and server accounts.
By implementing these best practices, you can significantly reduce the risk of a security breach on your WordPress website. Remember to keep your website, plugins, and themes updated, use strong passwords and usernames, and backup
Weblok's Solution
You can see from the steps above that there are many ways for bad actors or hackers to exploit your website. It's important to keep your website safe no matter what, especially if you are handling payments and card information.
Many of the steps above are covered by simply installing Weblok. With a state-of-the-art web application firewall, dual remote backup, CDN and site security scanning features, Weblok can do most of the work for you to secure your WordPress website. Unlike all other security platforms, we offer a round-the-clock account manager on Pro Plans and above. Your account manager is available any time day or night, seven days a week.
In addition to all the amazing security features that Weblok offers, it will also speed your website up which is a huge ranking factor in your keyword optimisation. So the price of a Pro Plan from Weblok can easily be earned back in site speed, rankings, more traffic and sales. It's a no-brainer!
Weblok also offers emergency hack clean-ups and removals for those who were unfortunate not to take out security on their site in time.
Take a look at Weblok's plans here and secure your website today.