19 Essential Steps to Secure your WordPress Website by Vera Evans


Post on 19-Aug-2020


Being a WordPress website owner, you may or may not be aware of the necessity to take some essential steps to secure your website against unwanted intrusions. In this post, I am giving you the 19 best security tips that I have found in my research to assist you in keeping your site as secure as possible. These tips are for those business owners or blog owners whose website is hosted with a hosting company.

It is important to realise that website security is not a one-off event. Rather, it is an ongoing practice to ensure that your website can do its job of attracting your customers.

1. Choose the best hosting service possible.

You will need to do your research to know what you need so that you are able to choose the best option for you. For example, if you are expecting to attract a lot of traffic to your website, like over 50,000 hits per day, you may want to avoid shared hosting and look at dedicated hosting or a service with cloud hosting.

2. Pick a good, unique username.

DO NOT use admin, test or your website name! Part of this includes using a good strong password as well. Use this link to check how well your password performs: https://howsecureismypassword.net/

3. Install the Wordfence plugin.

This is hands down the best security plugin out there. The free version deals really well with such things as limiting login attempts, blocking unregistered users from trying to log in and blocking random bot attacks. The settings are quite comprehensive and allow for customization as well. If you feel you need extra security, you can always opt in for the premium paid version. Check out all the necessary documentation here:

https://docs.wordfence.com/en/Wordfence_Official_Documentatio


4. Find out if a website username is hidden or not.

Type in a website domain followed by /?author=1 and hit enter, e.g. www.yourdomain.com/?author=1. If the site is not properly secured, this reveals the username used to log into the site. If the site is properly secured, the user is referred to a page that says No Results.

5. Limit login attempts to your website.

5 is a good number. Enough to still let you in if you make a mistake yet not enough to allow someone else to gain access. The Wordfence plugin has settings that allow you to do this. It also allows you to select how long the user has to try those 5 login attempts and then allows you to choose the time frame that they are locked out for. (See image below).

6. If you are comfortable going into your website backend, hide the core WordPress file wp-config.php.

This is the main file to make your website function. It is typically stored in your WordPress installation directory. Moving it up to the public_html/ folder makes it inaccessible to hackers.


7. Select a good and reliable backup plugin.

The best plugin will depend on the size of your website. For smallish websites, free plugins like Duplicator or Updraft Plus are good choices. Updraft Plus is also a good choice for larger websites. You can store your backup files locally or in a location of your choice (see image for Updraft Plus choices). The settings in Updraft Plus mean you can schedule backups at regular intervals automatically. A good practice is to always make a backup before making any changes to your site.

8. Make sure the latest version of WordPress has been updated.

Before you do this, back up your site! Updating the WordPress version prevents hackers using out of date versions to gain access. Hackers can find this information just by viewing source code. It is best to remove the WordPress version from the page source. The Wordfence plugin will remove this for you; you only have to tick the box to achieve this.


9. Consider your computer’s security to your website.

Run an anti-malware software program regularly on your computer to make sure it is safe.

10. Check if your website files are open to public view.

Type your domain name into the URL bar followed by /wp-includes. If you are redirected to your homepage, that is good. Should you see a list of files on your web page, that means you are not safe.

Add 2 lines of code to your .htaccess file to prevent folder browsing. Add them right at the beginning of the file.

# Prevent folder browsing options
Options All -Indexes
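
The checks in steps 4, 8 and 10 can be run together against a site you own. The Python below is an added example, not part of the original article; the function names, the example.com responses, the user name and the version number are constructed for illustration.

```python
import http.client
import re
from urllib.parse import urlsplit

PATHS = ("/?author=1", "/wp-includes/", "/")

def fetch(base, path):
    """GET one path from your own site without following redirects."""
    u = urlsplit(base)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=10)
    conn.request("GET", path, headers={"User-Agent": "wp-self-check"})
    r = conn.getresponse()
    return r.status, r.getheader("Location", ""), r.read().decode("utf-8", "replace")

def leaked_username(status, location):
    """Step 4: a redirect from /?author=1 to /author/<slug>/ exposes the slug."""
    m = re.search(r"/author/([^/?#]+)", location) if 300 <= status < 400 else None
    return m.group(1) if m else None

def directory_listing(status, body):
    """Step 10: a server-generated listing is a 200 page titled 'Index of /...'."""
    return status == 200 and bool(re.search(r"<title>\s*Index of /", body, re.I))

def advertised_version(body):
    """Step 8: the generator meta tag in the page source names the version."""
    m = re.search(r'name=["\']generator["\']\s+content=["\']WordPress ([\d.]+)', body, re.I)
    return m.group(1) if m else None

def audit(responses):
    """responses maps each path in PATHS to (status, Location header, body)."""
    a, inc, home = (responses[p] for p in PATHS)
    return {"username": leaked_username(a[0], a[1]),
            "listing": directory_listing(inc[0], inc[2]),
            "version": advertised_version(home[2])}

# Constructed responses from an unhardened site (all values are made up).
EXPOSED = {
    "/?author=1": (301, "https://example.com/author/jsmith/", ""),
    "/wp-includes/": (200, "", "<html><head><title>Index of /wp-includes</title>"),
    "/": (200, "", '<meta name="generator" content="WordPress 5.4.2" />'),
}
# Constructed responses after hardening: no author redirect, listing refused, no generator tag.
HARDENED = {
    "/?author=1": (404, "", "<h1>No Results</h1>"),
    "/wp-includes/": (403, "", "Forbidden"),
    "/": (200, "", "<title>My site</title>"),
}

if __name__ == "__main__":
    print(audit(EXPOSED), audit(HARDENED))
```

To check a site you run, build the same mapping with `{p: fetch("https://your-site.example", p) for p in PATHS}` and pass it to `audit`.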

11. If you have multiple authors, regularly review what users are doing.

Doing this allows you to see if there is any suspicious activity. Make sure you set up new users properly with only the permissions they need to access your site. Remember to back up your site before adding a new user. Then pay attention to:

Who is logged in

When they logged in (at odd times)

What they add/delete/edit (i.e. what are they changing?)

You can use the plugin WP Security Audit Log to record activity if you are concerned about the activity you see.


12. Password protect your most vulnerable website files.

You can do this in your host's cPanel by going to Password protect your Directories. DO NOT PASSWORD PROTECT YOUR MAIN ROOT DIRECTORY! However, it is OK to password protect the wp-admin folder with a username and password. Again, make sure you use a strong password. https://howsecureismypassword.net/

13. Choose your theme or plugin from a reputable source.

Do this by reading the reviews and doing your research.

14. Take note of when themes and plugins were last updated as there is increased risk if they are out of date.

This means you can see if changes were made to any files that were not part of the update. It also means you can see if they are out of date (see item 14).

15. Make sure you always keep your themes and plugins up to date.

Out-dated plugins and themes are often exploited by hackers to gain access to websites. Ensuring yours are up to date will prevent hackers from using this tactic to gain access to your site.

16. Uninstall any themes and plugins you are not using.

These take up space on your website and can contribute to slowing down your website.

17. Ensure you keep your WordPress version up to date as well.

Usually if the WordPress version is out of date it means it was updated because there was some kind of vulnerability detected in the current version. Keeping your WordPress version up-to-date ensures you are covered in this instance.


18. Back your website up regularly.

Having regular backups gives you peace of mind. Store the backups in several locations so that if one location falls over, you still have a backup plan to save your website.

19. Be active in your website security.

Gone are the days where you put up a website and you forget about it. Your website is a living tool that adapts and changes to your marketing needs. Being active in your security is a key component to keeping your website secure and attracting your clients to your business.

While this is not a fully comprehensive list, it is a great start in keeping you safe. If you have any trouble with any of the steps you can contact us and we can implement them for you. We have great value maintenance plans on offer to make this easy for you so that you can be assured your site is safe.

Do You Need Your Website Secured?

Let ET Digital Designs help you by making your WordPress website as safe and secure as it can possibly be, so that you have peace of mind!
