How to Secure a WordPress Website from Hackers
Worried that someone will break into your WordPress dashboard and mess up months or even years of hard work? It could be a lunatic hacker who just wants to do you harm, or a competitor who wants to destroy your business and take your clients and customers for himself.
First of all, I highly suggest backing up your WordPress files on a regular basis. UpdraftPlus is the most popular free plugin that automates this process.
I personally use it from time to time to save my WordPress files to my computer. Doing this will ensure that even in case of a security breach or a server crash you can bring your website back to its normal state in a short period of time. And you’ll finally be able to sleep at night!
Having said that, you should also do your best to raise your cyber defenses against hackers. Here are the best ways to do it:
1. Use a big hosting provider
The first step to securing your website is to use a reliable web hosting provider. Why? Because if your website is running on uncle Jimmy’s unsecured server, who knows how many viruses and malware can creep inside.
In comparison, large hosting providers like BlueHost, Hostgator, Squarespace and others hire the best cyber security engineers to keep their servers secure at all times. They perform the necessary updates and take care of any signs of a security breach. Something that uncle Jimmy unfortunately doesn’t have the funds to do.
Hosting is really affordable through these large companies and there’s no reason to mess this up. Simply create an account on one of these 20+ largest web hosting providers, set up a hosting plan that fits your website(s) requirements and you’re good to go.
I personally use Hostgator. I have a “Baby” plan which allows me to host multiple websites for just $12 per month. If you pay for a few months or 1-2 years in advance it can be even cheaper. But I like to keep my options open even if it means paying a few dollars more.
2. Keep your plugins up-to-date
Make sure that the plugins you install are highly rated and updated regularly, at least every few months. If you start noticing errors on any plugin, deactivate and remove! Because you just can’t know if the error is due to a security breach or not.
Also, many people use WAY TOO MANY plugins. While they’re great for customizing a website, they also slow down the loading speed, and they can start to cause trouble if there are too many of them and they don’t sync well. Every plugin is extra code running on your server, so each one you add is one more place a vulnerability can show up.
I’m a complete minimalist when it comes to plugins. I try to limit myself to Yoast SEO, WordFence Security and Easy Table of Contents. After all, chances are that your website visitors are more interested in what you have to offer rather than how your website looks.
As long as it looks nice and clean, there’s no reason to complicate things. Just keep it simple and focus on what’s truly important – providing value.
3. Use a premium theme
Premium themes that have many users are updated regularly. They sync well with the latest WordPress updates, plugins and latest changes online. In contrast, free themes are rarely updated, so an old piece of malware could slip under the radar and infect the theme. Then you upload it and your whole website is up for grabs.
I use the X Theme for most of my websites – here is one example. It’s updated every few months, it’s easy to use and has many customization options. Which leads me to the next big reason to use premium themes.
Free themes don’t allow much customization, which can lead the user to download many plugins to get some customization options. This slows down the website and increases the likelihood of getting hacked through an infected plugin. A premium theme is simply faster and safer, while having more customization options available.
If you’re keen on trying out a free theme, the best bet is to search for those with many positive reviews that were updated within the last 4-6 months.
4. Install the WordFence plugin
This is the only plugin I recommend for enhanced security. It gives you notifications through email and in your WordPress dashboard when someone logs in as admin. It also limits the number of times someone can enter the wrong password before they are locked out.
Once you activate WordFence, you can test it out by trying to log in through a different device. You’ll immediately receive an email notifying you that someone has logged in through a new device. If a hacker tries to do it, you can act quickly and change your password, create backups and do anything else you think is necessary.
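The two WordFence behaviours described above (a failed-login limit and an email on administrator login) can be reproduced in a few lines of WordPress code. The following is an added example, not WordFence’s code or anything from the original article; it is a hypothetical must-use plugin you would drop into wp-content/mu-plugins/, and the threshold and window are assumed values.

```php
<?php
/*
Plugin Name: Login Guard (example)
Description: Limits failed login attempts per client IP and emails the site admin when an administrator logs in.
*/

// Hypothetical thresholds chosen for this example.
const LG_MAX_FAILURES   = 5;       // failed attempts allowed per window
const LG_WINDOW_SECONDS = 15 * 60; // how long a lockout lasts

// Transient key for the calling client. Behind a reverse proxy REMOTE_ADDR is the
// proxy, so every visitor would share one counter; adjust for your setup.
function lg_client_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lg_fail_' . md5($ip);
}

// Count each failed attempt against the client IP.
add_action('wp_login_failed', function ($username) {
    $key   = lg_client_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, LG_WINDOW_SECONDS);
});

// Refuse authentication once the limit is reached. Priority 30 runs after
// WordPress's own username/password checks, so a locked client never succeeds.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(lg_client_key()) >= LG_MAX_FAILURES) {
        return new WP_Error('lg_locked', 'Too many failed login attempts. Try again later.');
    }
    return $user;
}, 30, 3);

// On success, clear the counter and notify the admin if an administrator logged in.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(lg_client_key());
    if (in_array('administrator', (array) $user->roles, true)) {
        $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        wp_mail(
            get_option('admin_email'),
            sprintf('[%s] Administrator login', get_bloginfo('name')),
            sprintf('User %s logged in from %s at %s.', $user_login, $ip, current_time('mysql'))
        );
    }
}, 10, 2);
```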
5. Use a STRONG password
All of these tips won’t do much if you’re using a weak password. Or if your admin password is the same one you’ve used on many other websites, emails etc.
The more you use the same password, the higher the chance is that one of those websites or emails will be hacked. This can place all of your other web property in danger.
I highly advise using different passwords for different log-ins. To create a powerful password, combine large and small letters, numbers and signs.
Here’s an example of a strong password: CringeBasin33!!
Sounds weird, right? Well, that’s the goal. Make it hard to connect the dots.
Using random personal names is also a good idea. Here’s a password that fits the bill: JackieSchmeichler%%5.
No one is crazy enough to type that up by accident. And it makes it almost impossible for password cracking programs to connect the dots, because there are no logical dots – you just made it up in your head!
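If other people have accounts on your site, you can make WordPress refuse weak passwords instead of relying on everyone reading this section. This is an added example, not code from the article; the policy (at least 12 characters mixing upper-case, lower-case, digits and symbols, and not containing the username) is my assumption based on the advice above, and both sample passwords from the article pass it. It is written as a hypothetical must-use plugin for wp-content/mu-plugins/.

```php
<?php
/*
Plugin Name: Password Policy (example)
Description: Rejects weak passwords on profile edits, new users and password resets.
*/

// Returns null when $password meets the policy, otherwise a message explaining why not.
function pp_check_password($password, $login) {
    if (strlen($password) < 12) {
        return 'Password must be at least 12 characters long.';
    }
    // One regex per required character class.
    $classes = array('/[A-Z]/', '/[a-z]/', '/[0-9]/', '/[^A-Za-z0-9]/');
    foreach ($classes as $re) {
        if (!preg_match($re, $password)) {
            return 'Password must mix upper-case, lower-case, digits and symbols.';
        }
    }
    if ($login !== '' && stripos($password, $login) !== false) {
        return 'Password must not contain your username.';
    }
    return null; // e.g. "CringeBasin33!!" and "JackieSchmeichler%%5" both pass
}

// Profile edits and new-user creation submit the new password as pass1.
add_action('user_profile_update_errors', function ($errors, $update, $user) {
    if (!empty($_POST['pass1'])) {
        $login = isset($user->user_login) ? $user->user_login : '';
        $msg   = pp_check_password(wp_unslash($_POST['pass1']), $login);
        if ($msg !== null) {
            $errors->add('pp_weak', '<strong>Error</strong>: ' . $msg);
        }
    }
}, 10, 3);

// The "lost password" form goes through validate_password_reset instead.
add_action('validate_password_reset', function ($errors, $user) {
    if ($user instanceof WP_User && !empty($_POST['pass1'])) {
        $msg = pp_check_password(wp_unslash($_POST['pass1']), $user->user_login);
        if ($msg !== null) {
            $errors->add('pp_weak', '<strong>Error</strong>: ' . $msg);
        }
    }
}, 10, 2);
```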
6. Be careful with file uploads
Just like plugins, photos, videos, avatars and all other file uploads can place your website in harm’s way.
That photo you downloaded from a random website and uploaded as a featured image for your blog post? It could very well be infected by dangerous malware. If you’re going to use free photos, get them at large, reliable websites such as Pixabay. Or get premium photos.
Another safe way to get free photos is to use the free snipping tool to capture screenshots. This is sort of a grey area from a legal standpoint, but you can go to some random videos on YouTube, for example, and take snippets of scenes that you’d like to use as photos. If you’re going to do this, do it on videos that were uploaded by random users that don’t have many subscribers. And also from videos that aren’t too popular.
Steer clear of popular videos, especially from big brands. Also, don’t take snippets of scenes with recognizable faces. For example, if you’re writing an article about bicycles and need a relevant photo, take a snippet of a bike from a random video. But use a scene where there’s no people around the bike.
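The server-side counterpart to being careful about what you upload is to make WordPress check that each upload really is what it claims to be. The following is an added example, not from the article; it is a hypothetical must-use plugin for wp-content/mu-plugins/ with an allow-list of my own choosing, and it uses the WordPress functions wp_check_filetype_and_ext() and PHP’s getimagesize() to reject a file whose contents don’t match its extension (for instance, a script renamed to .jpg).

```php
<?php
/*
Plugin Name: Upload Guard (example)
Description: Restricts upload types and verifies that image uploads are real images.
*/

// Only these types may go through the media uploader (hypothetical allow-list).
add_filter('upload_mimes', function ($mimes) {
    return array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'pdf'          => 'application/pdf',
    );
});

// Runs before WordPress moves the temporary file into wp-content/uploads.
// Setting $file['error'] to a message makes WordPress abort the upload.
add_filter('wp_handle_upload_prefilter', function ($file) {
    // Compares the extension with the file's real type (honours the allow-list above).
    $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name']);
    if (empty($check['ext']) || empty($check['type'])) {
        $file['error'] = 'File type does not match its extension or is not allowed.';
        return $file;
    }
    if (strpos($check['type'], 'image/') === 0) {
        // getimagesize() parses the image header; anything that is not a real
        // image (or whose header says a different format) fails here.
        $info = @getimagesize($file['tmp_name']);
        if ($info === false || $info['mime'] !== $check['type']) {
            $file['error'] = 'Uploaded file is not a valid image.';
            return $file;
        }
    }
    return $file;
});
```

Pair this with a web-server rule that refuses to execute scripts inside wp-content/uploads, so that even a file that slips through is only ever served, never run.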
7. Set HTTPS
HTTPS has become sort of a necessity for most websites. Google favors websites that have it in its search results because it provides a safer user experience. Basically, it ensures that users are talking to the server they expect, and that nobody in between can read or tamper with the traffic. So they can safely enter their private information to post comments, log into the website or its forum section, pay for a service etc.
Let’s Encrypt is a completely free and automated certificate provider. It can be used to enable HTTPS, and it can automatically set it up for you. You can also get this certificate through most large hosting providers like HostGator, but getting it this way can cost around $50.
8. Test your website with security tools
If you’ve done everything I suggested in this article, your website will be a mighty fortress that only the top hackers in the world would dare to lay a siege on.
But it doesn’t mean that it’s completely secure. That’s almost never the case since new offensive tactics are being developed all the time.
So how secure is your website exactly?
You can test it out with website security tools, also known as penetration testing tools. They work by probing your website the way an attacker would and then providing you with a report of the security weaknesses your website has.
There are many tools available. Some are free and others are premium. Premium tools will do more testing and may provide more detailed advice on how to resolve the weaknesses.
For most users however, free tools are a good starting point, and most of them can be upgraded if you want more in-depth features. Here are the most popular free tools:
- Netsparker – It has a free and premium edition. Good for testing SQL injection and XSS.
- OpenVAS – This is one of the most advanced open source security scanners. Good for testing known vulnerabilities; it currently scans for over 25,000 of them.
- SecurityHeaders.io – This is a unique tool that provides a quick online check of the security headers your site sends.
- Xenotix XSS Exploit Framework – A tool from OWASP (Open Web Application Security Project) that includes a huge selection of XSS attack examples. You can run it to quickly confirm whether your site’s inputs are vulnerable in Chrome, Firefox and IE.
Most of these tools will show you dozens if not hundreds of potential security weaknesses. I wouldn’t worry too much about at least 95% of them if you’ve got a small website. If you’re running a financial institution or something along those lines, that’s of course a whole other topic, and you’ll probably want to address every possible weakness you can find.
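Two of the findings these scanners report most often on small WordPress sites are pages still reachable over plain HTTP (section 7) and missing security headers (the SecurityHeaders.io check in section 8). This added example, which is not from the article, handles both in one hypothetical must-use plugin for wp-content/mu-plugins/; it assumes you already have a certificate installed, and the header values are my suggested starting points.

```php
<?php
/*
Plugin Name: HTTPS and Headers (example)
Description: Redirects plain-HTTP front-end requests to HTTPS and sends common security headers.
*/

// Send every plain-HTTP front-end request to its HTTPS equivalent.
// The login and admin pages are covered separately by
// define('FORCE_SSL_ADMIN', true); in wp-config.php.
add_action('template_redirect', function () {
    if (!is_ssl()) {
        $url = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
        // wp_safe_redirect() only follows hosts WordPress considers its own,
        // so a forged Host header cannot turn this into an open redirect.
        wp_safe_redirect($url, 301);
        exit;
    }
}, 1);

// Headers checked by tools such as SecurityHeaders.io.
add_action('send_headers', function () {
    header('X-Content-Type-Options: nosniff');           // no MIME sniffing of responses
    header('X-Frame-Options: SAMEORIGIN');               // legacy clickjacking protection
    header("Content-Security-Policy: frame-ancestors 'self'"); // modern equivalent
    header('Referrer-Policy: strict-origin-when-cross-origin');
    // HSTS is only meaningful over HTTPS; start with a short max-age and raise it
    // once you are sure every part of the site works over HTTPS.
    if (is_ssl()) {
        header('Strict-Transport-Security: max-age=300');
    }
});
```

Re-run the SecurityHeaders.io check after enabling this; a full Content-Security-Policy beyond frame-ancestors needs to be built up against your own theme and plugins, since a strict one will break inline scripts they rely on.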
Final Thoughts on Securing a Website
Let’s be honest, many website owners use just one or two passwords everywhere; their emails, that strange site they visit when they’re alone in the incognito tab, and finally their WordPress website.
Lazy password usage is the main reason websites get hacked. Using a unique password will eliminate most security threats, so that’s definitely the priority. The second major priority is to use a reliable web hosting provider. I use Hostgator but I’ve heard great things about BlueHost as well.
While I definitely encourage you to utilize all of the tips I’ve shared in this article, if you end up using just these two tips I will consider this article a job well done.