Many WordPress users agree that a skilled hacker could easily break into their websites. However, only a small number of them do something to strengthen their website security. The common conception is that a real hacker will always identify a vulnerability and will hack the website.
This is true; every WordPress website is hackable. Even the most protected sites have been hacked. For instance, the Panama Papers hack (a data breach showing how politicians hid astronomical amounts of money) was determined by a plugin vulnerability.
However, a hacker’s ability to break into well-protected websites is not a valid reason to ignore your site security! A hacker could also break into your website, but it takes a lot of resources to do it. It’s a matter of profitability, and any hacker knows this fact perfectly. It isn’t profitable to spend days hacking a website that generates tens of dollars per day. It’s way more rewarding to get strategic information or break a bank server.
Average WordPress users can considerably improve their website security in just a few hours (including a coffee break). By doing so, websites wouldn’t be unconquerable, but hacking them will be a complete chore.
Without any further ado, here are:
Ten Simple Tips to Improve Your Website Security
Complex Passwords
Cracking the password is one of the most common ways to hacking a website. Paradoxically, people don’t pay the necessary attention to this aspect and use simple passwords. When it comes to passwords, size matters. In fact, it matters a lot! Better Buys did a great job creating an informative post about passwords. Did you know that a pro hacker can crack a seven-character password in less than a second? By adding just one more character, the same hacker needs five hours to break it.
Update Everything
Updating the WordPress version, the theme, and the plugins require less than five minutes a day for a website. On top of that, these updates can be done by everyone; it’s a two-click job. By updating the software, you avoid being the victim of a zero-day vulnerability.
Use a Security Plugin
A plugin can decisively strengthen your website security. Luckily, developers have created reliable, free and stable plugins that defend your WordPress website against hackers. Wordfence is the most downloaded security plugin, and it’s rated 4.8 out of 5 stars. Not bad at all, is it? iThemes Security and All in One WP Security & Firewall are two alternatives that also improve website security.
Reduce the Number of Plugins and Themes
It’s another no-brainer, but many WordPress users are too idle to delete installed themes and plugins. It’s a huge mistake to ignore them because these unused themes and plugins have an adverse impact on loading speed. Apart from that, the more plugins you use, the more vulnerabilities you have. Limit the number of plugins used and delete all themes except for the one you use.
The themes and plugins used should be downloaded from trusted sources. If you have enough time, it’s not a bad idea to read comments of other users and check if there is any support from the developer of the theme or plugin.
Hide Your Login Page
Any WordPress user knows that the login page of a website has an address identical or quite similar to this format http://website/wp-login.php?. You can add an extra layer of security by hiding this page, and you can do so with the help of a plugin. Lockdown WP Admin is a plugin that does this job for you.
Disable Login Hints
WordPress informs you when the username or the password is wrongly typed. It’s an indication letting you know which field is mistyped. It may be unnoticed by many WordPress users, but it’s invaluable for a hacker. Get rid of this hint, and there are two possibilities to do so. You can use a security plugin that does it for you (Wordfence) or add this snippet to your functions.php:
function no_wordpress_errors(){
return ‘You are unlucky, it’s my website’;
}
add_filter( ‘login_errors’, ‘no_wordpress_errors’ );
You can customize the return value; delete it and replace with your words.
Limit Login Attempts
Limiting login attempts is another essential measure to fortify your website. Many websites were hacked using the brute force method, which uses a script to generate password combinations until it guesses the correct password. In addition to whitelisting the IPs of users or clients, limiting login attempts is efficient and straightforward to implement. There are couples of plugins that restrict login attempts. Jetpack Protect and Login LockDown are two great tools in this regard.
Connect to the Server Through SFTP
If you read any beginner’s guide to launching a website, almost all of them recommend using an FTP (File Transfer Protocol) solution. It’s free, simple, and reliable but not secure. SFTP (Secure File Transfer Protocol) adds an extra layer of security, and your sensitive data isn’t sent in plain text. Switch to SFTP if you are accessing your website many times using an FTP tool.
Use an HTTPS Encryption
An SSL certificate confirms that your website uses an HTTPS (Hypertext Transfer Protocol Secure) encryption. It is responsible for dealing with clients’ data using a secure protocol. The green padlock icon in a website address bar is the graphic sign confirming the existence of the certificate. We have previously explained how to add free SSL to your WordPress website.
Choose a Secure Hosting Provider
Choosing the best hosting provider isn’t simple at all, and you should take into account a lot of factors. Select the host that provides the best services at the lowest price. According to WP White Security, out of all the WordPress websites that have been hacked, 41% of them were hacked due to the poor security on the host platform. It’s a percentage that can’t be ignored. If you chose a secure host provider, almost half of your problems are gone.
Furthermore, the users don’t realize how important the security is until their website is hacked. Luckily, only a few measures are enough to strengthen your site. The above collection is a good start for anyone willing to stay secure.
In conclusion! Do you agree with these tips? Do you have a secret tip to make a website impossible to hack? Please share your ideas with us.