With its clean code, user-friendly interface and support for interchangeable plugins, WordPress is the content management system (CMS) preferred by millions of experienced webmasters. Using the platform, you can quickly build a fully functional website without wrestling with complicated HTML and CSS code.
Like other CMS platforms, however, WordPress isn’t immune to cyber attacks. If a hacker gains admin access to your site, he or she may steal your data, redirect users to another website or serve malware to visitors. To protect your WordPress site from cyber threats such as these, follow the 10 cybersecurity tips listed here.
1) Choose Plugins Wisely
Plugins let you add functionality to your WordPress site effortlessly, but you should choose them wisely. A plugin with a security vulnerability gives a hacker a way into your site: by exploiting that vulnerability, the hacker can gain admin access or other unauthorized privileges. According to a study conducted by Sucuri, this is the most common cyber threat to which WordPress sites are susceptible.
You can protect your site from this type of threat by limiting your use of plugins and choosing only trusted and reputable plugins. And when a developer releases a new version, update the plugin as soon as possible to minimize the risk of attack. Outdated plugins are more likely to contain security vulnerabilities than current, up-to-date plugins.
2) Change Your Username
A hacker needs only two things to log in to your WordPress site and tamper with its code: the administrator’s username and the matching password. By default, WordPress creates the administrator account with the username “admin”, and the author’s name is typically displayed at the top or bottom of each new post, depending on the theme’s settings. That leaves the hacker needing only the password to infiltrate the site.
To protect your WordPress site from this weakness, change your username to something other than “admin” and adjust your site’s settings so that the username is never displayed. Log in to your site and choose Users > Add New, then create a new user with the Administrator role. Once created, open the new user under Users > All Users and enter a different name in the “Nickname” field. Finally, open the “Display name publicly as” drop-down box and select the new nickname. WordPress will now show your nickname in posts and pages instead of your admin username.
3) Update WordPress
Because older versions often contain unpatched security vulnerabilities, running an outdated version of WordPress on your site increases the risk of a cyber attack. When the WordPress developers discover a security vulnerability, they fix it by releasing a new version with the necessary security modifications. That protects every site running the latest version against the vulnerability, while sites that continue to use an older version remain susceptible to it.
By default, WordPress automatically updates its core files for minor releases but not for major releases. For the best protection, update your site’s WordPress installation manually by clicking the “Please update now” button at the top of your site’s dashboard. Check your site at least once a week to see whether a new version of WordPress is available, and keep it updated to the latest version.
4) Use a Strong Password
A strong, unique password is your website’s first line of defense against cyber threats. According to a study conducted by WP WhiteSecurity, 8 percent of all WordPress intrusions are attributable to a weak password. If your site has a weak password, a hacker can use software to automatically submit thousands of guesses to your site’s login form until one of them works, a technique known as a brute-force attack.
WordPress now features a password generator that creates iron-clad passwords consisting of two dozen random characters. Rather than using an easy-to-remember word or phrase as your password, use the generated password. Alternatively, you can create a passphrase consisting of four random words, either with or without spaces.
5) Enable Two-Factor Authentication
Though it takes longer, a determined hacker can still crack your site’s login with a brute-force attack. Two-factor authentication protects your site from such attacks by adding another step to the login process. In addition to your username and password, for instance, you may also be required to enter a PIN sent to your email or mobile device. Unless a hacker has access to your email account or smartphone, he or she won’t be able to access your site, even if the hacker knows your password. Install a two-factor authentication plugin on your site to implement this feature.
6) Switch From HTTP to HTTPS
Switching your site from HTTP to HTTPS creates a stronger, more secure connection that’s less susceptible to cyber threats. With plain HTTP, a hacker can read all data transmitted between your site and its visitors by mounting a man-in-the-middle (MITM) attack. HTTPS prevents this by encrypting your site’s traffic: all data sent between your site and its visitors is encrypted, so no one else can read it.
To upgrade your WordPress site to HTTPS, you must purchase an SSL certificate from a certificate authority (CA), install it on your server and update your site’s address to use the https:// prefix. Contact your web host for more information on how to set up HTTPS.
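The two wp-config.php settings behind tips 3 and 6, as an added example (not from the original article and not PlanetHoster’s code): the first controls which core releases WordPress installs on its own, the second pins the site address and the dashboard to HTTPS once the certificate is installed. The domain is a placeholder.

```php
<?php
// Excerpt of wp-config.php (added example). Put these lines above the
// "That's all, stop editing! Happy publishing." comment in the file.

// Tip 3: by default WordPress only auto-installs minor (security) releases,
// which is the same as define('WP_AUTO_UPDATE_CORE', 'minor').
// Setting it to true also installs major releases automatically; keep 'minor'
// if you prefer to apply major releases yourself from the dashboard.
define('WP_AUTO_UPDATE_CORE', true);

// Tip 6: once the SSL certificate is installed, pin the site address to
// https:// (these constants override the values under Settings > General) ...
define('WP_HOME',    'https://yourwebsite.example');   // placeholder domain
define('WP_SITEURL', 'https://yourwebsite.example');   // placeholder domain

// ... and require HTTPS for the dashboard and the login form, so the
// credentials and the admin session cookie are never sent in clear text.
define('FORCE_SSL_ADMIN', true);
```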
7) Limit Number of Login Attempts
WordPress doesn’t limit the number of times you can attempt to log in. If you can’t remember your password, you can keep trying without WordPress locking you out. But this also means that hackers can make an unlimited number of login attempts, creating a security risk for your site.
You can limit the number of login attempts allowed by your site by installing a plugin such as WP Limit Login Attempts. If someone attempts to log in to your website using the wrong username and password combination five or more consecutive times, the plugin will lock them out for 10 minutes.
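What a limit-login plugin does under the hood, as an added example (not the article’s code and not the WP Limit Login Attempts plugin itself): a must-use plugin that counts failed logins per client address with WordPress transients and refuses further logins for 10 minutes once five consecutive failures are recorded, matching the numbers above. It assumes the web server passes the real client address in REMOTE_ADDR.

```php
<?php
/**
 * Plugin Name: Login lockout (added example)
 * Description: Locks a client out for 10 minutes after 5 consecutive failed logins.
 * Place this file in wp-content/mu-plugins/ so WordPress loads it on every request.
 */

const LL_MAX_FAILURES    = 5;    // failed attempts allowed before the lockout
const LL_LOCKOUT_SECONDS = 600;  // lockout length: 10 minutes

// One counter per client address, stored as a WordPress transient.
// Assumes REMOTE_ADDR is the real client; behind a reverse proxy the web
// server must be configured to restore it from the proxy's forwarded header.
function ll_counter_key(): string {
    return 'll_fail_' . md5($_SERVER['REMOTE_ADDR'] ?? 'unknown');
}

// Count a failure and restart the 10-minute window (wp_login_failed action).
// Attempts made during a lockout also fail, so they keep extending it.
function ll_record_failure(string $username): void {
    $key   = ll_counter_key();
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, LL_LOCKOUT_SECONDS);
}
add_action('wp_login_failed', 'll_record_failure');

// A successful login clears the counter (wp_login action).
function ll_clear_failures(string $user_login, WP_User $user): void {
    delete_transient(ll_counter_key());
}
add_action('wp_login', 'll_clear_failures', 10, 2);

// Refuse the login while the client is locked out (authenticate filter).
// Priority 30 runs after core's username/password check at priority 20, so
// the lockout overrides the result even when the guessed password is right.
function ll_block_when_locked($user, string $username, string $password) {
    if ($username === '') {
        return $user; // not a form login (e.g. cookie auth); leave it alone
    }
    if ((int) get_transient(ll_counter_key()) >= LL_MAX_FAILURES) {
        return new WP_Error(
            'too_many_failures',
            'Too many failed login attempts. Please try again in 10 minutes.'
        );
    }
    return $user;
}
add_filter('authenticate', 'll_block_when_locked', 30, 3);
```

Because the counter is keyed on the client address, visitors sharing one address (an office NAT, for instance) share the lockout; a plugin that also keys on the username avoids that side effect.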
8) Change the Login URL
Consider changing your site’s login URL so that it’s harder for nefarious individuals to find. WordPress typically uses yourwebsite(dot)com/wp-admin for the login URL. If a hacker knows or suspects your site is running WordPress, he or she can visit this standard URL and attempt to log in as the administrator.
To change your site’s login URL, you’ll need to install a plugin such as WPS Hide Login. Once installed, anyone who visits the standard login URL will see the message “Oops! That page can’t be found.”
9) Install a Cybersecurity Plugin
Of course, installing a cybersecurity plugin can also protect your site from cyber threats. Searching the WordPress plugin repository for “cybersecurity” will reveal dozens of cybersecurity plugins. With more than 2 million downloads, Wordfence is a popular choice. It features a firewall that analyzes traffic for signs of suspicious activity and automatically blocks requests for malicious content.
10) Create Regular Backups
Failure to create regular backups (see «Does your web host really offer backups?» article) could result in a severe headache if your site gets hacked. You may discover your posts and pages deleted and your theme’s code modified. Depending on the size of your site and the extent of the damage, it may take hundreds of hours of work to restore your site to its original, pre-hacked state.
Although there are plugins that automatically create backups, they don’t always work as intended. You can create manual backups in just a few easy steps: download your site’s files from its server with a File Transfer Protocol (FTP) program, and download your site’s database from your web hosting control panel (e.g., World, cPanel).
Don’t let hackers ruin the website that you worked so hard to build. Follow these 10 tips to strengthen your site’s security.
About us
PlanetHoster is proud to provide web hosting in Canada and web hosting in France. We host about 100 000 WordPress websites. Feel free to contact our team if you have any questions.