WordPress security is critical. Maintaining it should be on the top of every site owner’s to-do list.
There are over 90 000 attacks on WordPress websites every minute! What is more, every week Google blacklists over 20 000 WordPress sites for suspicious activity. When a website is blacklisted, users have to agree with the risks of entering it. This reduces the overall traffic by over 90%.
Website security is serious business. Let’s discuss why it’s important and some of the ways you can better it.
Table of Contents
- Why is WordPress Security Important?
- 10 Ways to Increase WordPress Security
- 1. Secure Hosting Providers
- 2. Changing the “Admin” Username
- 3. Strong Passwords
- 4. Limited Log in Attempts
- 5. Two-factor Authentication
- 5. SSL Certificate
- 6. Keeping WordPress Updated
- 7. Backing up Your Data
- 8. Automatically Logging out Idle Users
- 9. Adding Security Questions to WordPress Login
- 10. Changing WordPress Database Prefix
- How to Restore a Hacked Website?
Why is WordPress Security Important?
There’s probably been an instance, where you leave your house or your car unlocked when leaving for a couple of minutes. What’s going to happen in the two minutes you’re away, right?
This is all much too familiar to people, as we tend to take our security for granted. The same goes with WordPress sites – usually, people only worry about their website security after an attack takes place. Big mistake!
Regardless if you are running a personal blog or a business, getting hacked is always a stressful situation. Of course, a small blog owner will face fewer problems, than someone who runs a prominent, well-established business.
When your WordPress security is weak, hackers can “break-in” and retrieve any information they want – user information, passwords, spread viruses and cause much, much more damage than you could imagine.
For example, if your website gets hacked and blacklisted by Google, you will lose a lot of traffic, money, and time.
To avoid unnecessary stress and problems, take care of your WordPress security. There are many steps you can make, to keep your data safe and sound.
10 Ways to Increase WordPress Security
1. Secure Hosting Providers
Your hosting provider plays a significant role in your WordPress websites security. A good hosting provider, such as Hostinger, takes extra steps to ensure a safe, breach-proof environment.
Hostinger, for example, uses multiple levels of fail-safes, daily or weekly backups and technology like RAID-10, to provide its users with maximum security.
When buying Hostinger services, you need to pay attention to the plan you choose as well. If you get shared hosting, which is the cheapest option, you will put yourself at a higher risk of being hacked.
If a website that shares a server with you gets hacked – chances are you will too.
2. Changing the “Admin” Username
When installing WordPress, your username will be Admin by default.
Always make sure to change it. Keeping the default username will make it easier for hackers to breach your website. After all, it’s one less thing for them to figure out when trying to access your site!
Recent releases of WordPress allow you to change the username, so always use this opportunity. Use a username easy for you to remember, but not something easy to guess.
The harder it is to link you to your username, the harder it will be to hack your WordPress website.
3. Strong Passwords
To ensure everything is at peak condition, start with the obvious – create strong passwords. The most common hacking attempts are done by stealing passwords.
When creating your WordPress admin password don’t use your name, your pets or moms name, anything that can be easily traced back to you — for example – your birthday.
Best thing to do is to use a random combination of numbers, symbols, and both lower and upper case letters.
One more important thing to keep in mind – try not to use the same password for more than one account. If one of your accounts gets hacked, all other ones will be at risk too.
With this, comes another important key to remember. Try not to share your account details. If someone needs to work with you on the same website, make sure that they keep your passwords private and safe, or use a password and collaboration management system.
The more people you have on your account, the more chances there are you’ll be hacked through someone else.
Lastly, don’t forget to secure your internet connection with a good VPN service like NordVPN when connecting to your WordPress account via public networks. This will prevent hackers from being able to see and steal your private information.
4. Limited Log in Attempts
WordPress by default allows unlimited login attempts. Unfortunately, this lowers security and increases the chances of getting hacked.
Hackers can try out different password combinations as long as they want until they get into your website.
This problem has a straightforward solution and strongly improves your WordPress security.
All you need to do is get the log in LockDown plugin.
Go to Settings >> LoginLockdown and setup your preferred settings. You can choose how many login attempts you want, how long will it takes until you can try to log in again and you can even prevent unrecognized usernames from making attempts to log in.
5. Two-factor Authentication
Even with a strong password and username, you can still be a victim of brute force attacks. This is why it’s always smart to use two-factor authentication.
Unlike using passwords alone, two-factor authentication is a multiple (in most cases two) step process. You need two things – something you know, which is a password and something you have, like a phone or an email.
WordPress has a great selection of free two-factor authentication plugins. They offer various methods of two-factor authentication.
Some of the best free two-factor authentication plugins to improve your WordPress security:
- Two-Factor Authentication by miniOrange
- Two Factor Authentication
- WP Simple Firewall
- Rublon Account Security: Two-Factor Auth+
5. SSL Certificate
An SSL certificate is essential, especially if you run an online store.
First of all, Google now requires all websites to have SSL. Otherwise, your URL will be accompanied by a red text saying “Not Secure.” Not very inviting, right?
Secondly, having SSL will make it very difficult for hackers to retrieve sensitive shared data between visitors and your server.
6. Keeping WordPress Updated
WordPress takes security very seriously, thus they improve it with every update. Small updates are automatic, however, sometimes you’ll have to do it manually.
Always make sure that you have the latest version of WordPress. Leaving it out of date can expose you to potential hacks and security breaches.
7. Backing up Your Data
Backing up is a crucial step to your WordPress security. Sometimes, regardless of all the precautions taken, your website still gets hacked.
Backups allow you to restore your website quickly and stress-free.
Always make sure to save your backups in a remote location – not your hosting account. Using a cloud service is the most reliable choice.
There are plenty of WordPress plugins for backing up your site. Our favorites are:
8. Automatically Logging out Idle Users
Staying logged into WordPress increases the risk of a security breach, like having account data changed.
This is the reason why banking sites automatically log out inactive users.
You can apply this to your WordPress website. All you need is a plugin – Idle User Logout being the most popular choice.
In the settings, you can choose what the duration of the auto logout is.
9. Adding Security Questions to WordPress Login
Having security questions improves your WordPress security further. Make sure to use questions only you would know the answer to.
Avoid questions that can be easily traced to you – birthdays, parents names and other information close to you.
You can install the WP Security Questions plugin and easily add a layer of security to your WordPress page.
10. Changing WordPress Database Prefix
WordPress uses wp_ prefix as a default for all the tables in your WordPress database. Having the default database prefix leaves your site easier to hack.
It is highly recommended to change it.
This is a very helpful, however, advanced step you can take to increase WordPress security.
Here is a detailed video tutorial on how to change the WordPress database prefix.
How to Restore a Hacked Website?
What should you do, if your WordPress security was breached and you got hacked?
When hacked, not only is your own data at risk but so is your visitors’.
First things first – if your business got hacked, it is always good to contact a professional. It will cost you, but if you are not experienced in dealing with code, it is the preferred choice.
Hackers can hide harmful scripts very deep in your site’s files, occupying multiple locations. A professional will deal with the problem without putting all of your “healthy” data at risk.
However, if you are comfortable with code or just don’t have the money to hire a professional, there are things you can do to nurse your website back to health.
Here are the steps you need to take:
Step 1. Identify the Problem
When you get hacked, you need to check a couple of things to help you identify the nature of the hack.
Start off by:
- Checking if you can log in to your WordPress admin dashboard
- Seeing if your website is redirecting to another site
- Looking for illegitimate links on your WordPress website
- Seeing if Google marked your website as unsafe
Write everything down, as it will help you solve the problem with your hosting provider.
Change your passwords! Before you start fixing your site, change your login details. This is a crucial step that you will have to repeat once the cleanup is done.
Step 2. Contacting your Hosting Provider
Your hosting provider is the go-to place when a hack happens. Most services provide customer support for bugs and emergencies.
At Hostinger, the customer success team works hard to ensure your website runs smoothly. The people working there know what they are doing and will most likely be able to help you in the case of a security breach.
What is more, if you use shared hosting, not only your website might be hacked. So contacting customer support will prevent more damage from happening.
Step 3. Restoring your Website From Backup
Now, if you backed up your data regularly, having your site up and running will not take much time. You can just replace your data with the backup, removing the hack.
However, if your website has been hacked for a while, there might be malware inside of your backup. In this case, you might have to remove the security breach manually.
Step 3. Scanning and Removing Malware
Since WordPress takes its security very seriously, there are plenty of plugins you can utilize to find files placed by hackers.
- Exploit Scanner
- Theme Authenticity Checker (TAC)
- Sucuri Security
- WP Antivirus Site Protection
These plugins will scan all the files in your database for any malicious code or other kinds of threat. Then, you can either fix the code manually or simply remove the affected file and replace it with the original. For example, if the malware is hidden in a plugin, you can reinstall it – eliminating the threat.
Step 5. Checking User Permissions
When the malware is removed, make sure to investigate the user section and check if all users present are the ones you trust.
If you see any unusual, suspicious users, remove them at once.
Step 6. Changing Your Passwords and Security Keys
After you took all the steps above, you need to change your passwords everywhere – your control panel, FTP, MySQL and anywhere else where you used the hacked password.
Then you need to generate a new security key and add it to your wp-config.php file.
Keeping your WordPress site secure is highly important. Getting hacked is both harmful for you and your users.
There are plenty of steps you can take to ensure peak WordPress security.
However, hacks do happen. If you find yourself in such an unfortunate situation, stay calm and either hire a professional to clean up the problem or try resolving it yourself.
Always make sure to take extra precautions to ensure the best possible WordPress security.