Security in WordPress is a crucial topic.
According to MalCare Security reports, about 30,000 websites are hacked daily. Now that’s a scary statistic.
Every WordPress user must take an interest in WordPress security.
Once you have created a WordPress website, securing WordPress itself and your database should be settled once and for all.
In this in-depth guide, I will discuss 12 Security in WordPress fixes you must make once your website is live on the internet.
If you wish to view this guide as a video, watch below:
These WordPress security boxes must be checked, because they are crucial to your WordPress website’s safety. They are easy to carry out, all free to add, and you won’t need any coding knowledge to implement them.
So, if the security of your WordPress site matters to you, this guide is exactly what you need.
12 Security in WordPress Best Practices
- Activate a strong login password
- Limit WordPress admin login attempts
- Activate the right WordPress user permissions
- Keep WordPress tools updated
- Use secure WordPress hosting
- Incorporate two-factor authentication
- Install a WordPress backup solution
- Automatically log out idle users in WordPress
- Use an effective scanning and firewall security WordPress plugin
- Move your WordPress site to SSL/HTTPS
- Disable file editing
- Disable PHP file execution in targeted WordPress directories
1. Activate a strong login password
When you have an easy WordPress login password, you make life unnecessarily easy for hackers.
If your password is short or easy to guess, you should upgrade it to a stronger one.
This has a significant impact on your WordPress security and makes life much harder for potential intruders.
How to change your current WordPress login password
- Log in to your website’s cPanel account. You can reach cPanel at your site URL followed by /cpanel, or log in through your web hosting account
- Scroll down, locate WordPress and click it
- Locate and click the Manage User tab
- Click to be sure you are in the Change Password tab
- Select your Username (if you have more than one user, pick the one whose password you want to change)
- Type in your new password (a tip here is to use a long password that also contains caps, numbers, and special characters)
- Save your changes
After your changes are saved, go ahead and test your new password from the WordPress admin login page.
Another recommendation is to also strengthen the passwords of your hosting account, cPanel account, FTP account, and database accounts.
2. Limit WordPress admin login attempts
There is a WordPress security feature that lets you limit the number of login attempts on the admin login page.
This feature lets you easily track suspicious login attempts on your WordPress admin login.
How it works: after a set number of failed login attempts, you are notified and can quickly act, choosing what to do about the IP address behind those attempts.
You can easily block any further attempts from it.
How to add the limit login attempts feature to WordPress
To add this feature, we will install a security plugin called Limit Login Attempts Reloaded.
To install and configure this plugin:
- Log in to the WordPress admin dashboard
- Go to Plugins >> Add New and search for Limit Login Attempts Reloaded
- Click Install and then Activate
- Once installed, click Settings
- Enter the email address you would like to receive alerts at
- Choose how many lockouts should occur before you get a notification
- Set how many login retries to permit before an IP is locked out
- Also set how long before the retry counter resets
Apart from email notifications, you will also see login attempts data on your WordPress admin dashboard if you enable it.
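As an added illustration (not the plugin’s code), the Python below models the retry, lockout, reset and notification settings listed above and replays a constructed stream of login events through it; the IP addresses, timings and default values are made up.

```python
from collections import defaultdict

# Per-IP lockout model of the plugin settings above (constructed example, not the plugin's code); times are UNIX seconds.
class LoginLimiter:
    def __init__(self, allowed_retries=4, lockout_duration=20 * 60,
                 retry_reset=12 * 60 * 60, lockouts_before_notify=1):
        self.allowed_retries = allowed_retries        # failures permitted before a lockout
        self.lockout_duration = lockout_duration      # seconds a locked-out IP stays blocked
        self.retry_reset = retry_reset                # seconds after which old failures are forgotten
        self.lockouts_before_notify = lockouts_before_notify
        self._failures = defaultdict(list)            # ip -> timestamps of recent failures
        self._locked_until = {}                       # ip -> time the lockout expires
        self._lockout_count = defaultdict(int)
        self.alerts = []                              # messages the admin would be emailed

    def is_locked(self, ip, now):
        return self._locked_until.get(ip, 0) > now

    def record_attempt(self, ip, success, now):
        """Returns 'locked', 'allowed' or 'failed' for one login attempt."""
        if self.is_locked(ip, now):
            return "locked"            # even a correct password is refused during a lockout
        if success:
            self._failures.pop(ip, None)
            return "allowed"
        # Forget failures older than the reset window, then count this one
        self._failures[ip] = recent = [t for t in self._failures[ip] if now - t < self.retry_reset] + [now]
        if len(recent) < self.allowed_retries:
            return "failed"
        # Retry budget exhausted: lock the IP; alert once enough lockouts have accrued
        self._locked_until[ip] = now + self.lockout_duration
        self._failures.pop(ip, None)
        self._lockout_count[ip] += 1
        if self._lockout_count[ip] >= self.lockouts_before_notify:
            self.alerts.append(f"{ip} locked out until t={now + self.lockout_duration}")
        return "locked"

# Constructed sample login events: (seconds since start, client IP, password correct?)
A, B = "203.0.113.5", "198.51.100.7"
SAMPLE_EVENTS = [
    (0, A, False), (5, A, False), (9, A, False), (14, A, False),   # fourth failure -> lockout
    (20, A, True),                                                # right password, but IP is locked
    (30, B, False), (40, B, True),                                # one typo, then success
    (14 + 20 * 60, A, True),                                      # lockout expired -> allowed again
]

def replay(events, limiter=None):
    limiter = limiter or LoginLimiter()   # run one limiter across the whole event stream
    return [(ip, limiter.record_attempt(ip, ok, t)) for t, ip, ok in events], limiter
```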
3. Activate the right WordPress user permissions
WordPress user roles are a great feature if you have a team that needs to work on your website.
But you must understand user roles and capabilities before you assign them; otherwise, your WordPress security can be compromised.
Assigning the wrong user role can lead to events that get your WordPress website compromised in the long run, so be careful while assigning roles.
To activate the wp User permissions role, go to your WordPress admin dashboard and locate and click the Users tab.
- Click New user
- Click Add New and fill in the new user’s details
- Click the drop-down button at the Role field to choose the role you want your new user to fill
- Click the Add New User to save and activate the New User role
4. Keep WordPress tools updated
Apart from your WordPress itself, you will also have plugins for WordPress and themes installed on your website.
Leaving software outdated is an open invitation to attackers.
Usually, you will see a red notice when any of your WordPress software (including themes, WordPress core, and plugins) needs an update.
Don’t delay updating once a new update or upgrade is available.
Better still, you can set all of these tools to update automatically, so you don’t have to check your WordPress admin dashboard every other day.
How to set your WordPress Tools on automatic update
Go to your WordPress admin dashboard
- Locate and click the Appearance tab
- Click themes
- On the theme you want to update automatically, click Theme Details
- Click Enable auto-update
Plugins for WordPress
Still at the WordPress admin dashboard
- Locate and click Plugins
- Click Installed Plugins
- If you want to turn on auto-updates individually, click Enable auto-update on each plugin
- If you want to turn on auto-updates for all plugins, tick the Select All box, choose the auto-update option under Bulk actions, and click Apply.
This action enables auto-updates on all your plugins and themes.
It is always a good decision to back up your website first, even if you are only updating your WordPress software manually.
5. Use secure WordPress hosting
Many WordPress users think of a good WordPress host in terms of speed and features.
Your choice of web hosting service also determines how secure your WordPress website is.
A great hosting service monitors its network for suspicious activity, prevents large-scale DDoS attacks, and keeps server software and PHP versions up to date, among other things.
If you are undecided about which web hosting service to use, or unsure whether your current host is secure, I recommend Hostgator or Bluehost.
Note also that your choice of hosting plan affects how secure your website is.
For instance, a dedicated server or WordPress hosting plan will always be more secure than a shared hosting plan, which exposes your WordPress website to a higher risk of cross-site contamination.
6. Incorporate two-factor authentication
If you use services such as Facebook or Google, you are probably already familiar with two-factor authentication.
This WordPress security feature requires users to log in to WordPress using a two-step authentication method.
In step 1, you log in with your username and password. In step 2, you confirm your WordPress login with a separate device or app.
How to add two-step authentication to WordPress
- Install and activate a plugin for WordPress called Two-factor authenticator
- Once installed, click the Two-factor auth link
- Get your phone and install an authenticator app on it. Many such apps exist; I will use LastPass Authenticator for this demonstration
- After installing it on your mobile, launch the app and tap the Add button
- Select the scan barcode option and point your phone’s camera at the barcode shown on the plugin page
- The account is now saved in the app
- Next time you log in to your WordPress admin, you will be asked for a two-factor auth code after entering your password
- Launch the authenticator app on your phone and then, enter the code displayed on the screen.
- Once done, logging in will be successful.
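To show what the authenticator app and the plugin are actually agreeing on, here is an added Python implementation of the time-based one-time code (TOTP, RFC 6238) behind that six-digit number; this is example code, not the plugin’s, and the base32 secret is the RFC test secret used here as constructed sample data.

```python
import base64
import hashlib
import hmac
import struct
import time

# Shared secret as an authenticator app stores it after scanning the barcode: base32 text.
# This is the RFC 6238 test secret ("12345678901234567890"), used as constructed sample data.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, timestamp, step=30, digits=6):
    """Time-based one-time code (RFC 6238, HMAC-SHA1) for the given UNIX time."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(timestamp) // step                  # phone and server both derive this from the clock
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, submitted, timestamp, step=30, window=1):
    """Server-side check of the code typed at login: accepts `window` steps of
    clock drift either way and compares in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, timestamp + drift * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp(SAMPLE_SECRET_B32, now)
    print("current code:", code, "verifies:", verify_totp(SAMPLE_SECRET_B32, code, now))
```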
7. Install a WordPress backup solution
A WordPress backup solution is a compulsory security measure for all WordPress users, including you.
You must back up your website. Why?
The answer is simple
No matter how good you think you are, anything can go wrong with your website at any time, and losing all your hard work is the worst feeling of your life.
The surest way to make sure such never happens is to back up your website. With a WordPress backup site solution, you can always restore your data even if you lose everything.
How to carry out backup for WordPress
There are several backup plugins for WordPress, but I will use UpdraftPlus for this demonstration.
Go to the Plugins tab in the WordPress admin dashboard and search for UpdraftPlus
- Install and activate UpdraftPlus
- Click the settings tab
- Click settings again
- Files backup schedule: this is how often you want backups of your files to be made. I will choose weekly for mine, and weekly also for the Database backup schedule
- The next option lets you choose the remote storage where you would like to save your backups. I will choose Google Drive; feel free to choose any you like
- Sign in with the Google account whose Drive you want to use for saving your backups
- Complete your backup setup
Go ahead and make your first backup if you wish to do so. Click the blue Backup Now button.
But do know that this setup will automatically backup your website depending on the backup schedule you’ve earlier set.
Finally, whenever you need to recover your files, scroll down and click Restore.
8. Automatically log out idle users in WordPress
You, or anyone with user permissions working in your WordPress admin dashboard, may sometimes wander away while still logged in. This can leave an opening for attackers.
Sensitive organizations such as banks and other data-handling bodies protect their computers with auto-logout features.
You too can add this feature to your WordPress site or do so for your clients.
How to add auto-logout idle users feature in WordPress
To add this feature, we will install another security plugin called Inactive Logout.
Install the Inactive Logout plugin and then:
- Locate and click Configure
- Click Inactive Logout
- Set the time duration
- Add a logout message
Once active, whenever a user stays inactive for longer than the configured time, the user is automatically logged out and has to log in afresh to access the wp-admin dashboard.
9. Use an effective scanning and firewall security WordPress plugin
We are already talking security, and every plugin for WordPress I have discussed so far could be classified as a security plugin.
But here, when I mention security plugin, I’m specifically referring to a multifunctional plugin that has the ability to defend your website against cyber attacks by scanning through your WordPress website and providing Firewall protection.
There are several effective plugins out there in the WordPress repository but I was able to filter out a few from which you can pick one for your WordPress site.
Any one of Sucuri Security, Wordfence, iThemes Security, and MalCare will help.
This post doesn’t intend to distinguish between them.
They are all freemium plugins. If you want a security plugin that’s effective and easy to use, then you can give Malcare a go.
In this guide, I will demonstrate how to set up Malcare security plugin.
Malcare security plugin
Install and activate Malcare security plugin
- Once installed, fill in your email address
- Head over to your email inbox and verify your email
- Wait for this plugin to sync with your website
- You can also add another site to your Malcare account.
- Head back to your WordPress dashboard; this security plugin now has your website covered.
10. Move your WordPress site to SSL/HTTPS
SSL is a protocol that encrypts the connection between visitors and your website, making it hard for anyone to steal their information.
A site with a valid SSL certificate automatically operates in HTTPS mode.
I’m sure you know that Google takes this security feature seriously. A valid SSL connection is shown by the padlock sign in front of the URL in the browser.
If your website doesn’t have a valid SSL certificate, have it fixed immediately, as this greatly affects how the public rate your website. Also, without SSL, sooner or later you will run into various security issues.
Most web hosting services will offer it for free. So you have no excuse for not getting yours fixed.
If you are finding it difficult to get one for your website for free, you can comment below and I will find a way to get one done for you for free.
11. Disable file editing
WordPress comes with a built-in code editor which allows you to edit your plugins and theme files from your WordPress admin area.
You can guess what that means if the wrong hands get there, and these files are a major target for attackers.
Common WordPress security sense demands that you disable this editing feature so that such sensitive files cannot be edited from the admin area.
How to disable WordPress file editing
We will disable this feature in the wp-config.php file.
Now, do know that this section of your WordPress directory is absolutely sensitive, so be careful while making these changes.
Fortunately, if you already have a backup, as discussed earlier, you are safe even if something goes wrong.
- Install an FTP client on your computer. A good free one that works on all operating systems is FileZilla, so go ahead and download and install it
- After installation, launch FileZilla and enter your FTP login credentials. Your FTP login details were sent to your email when you signed up for hosting; check there or contact your hosting provider
- To connect, open FileZilla >> File >> Site Manager >> New Site and enter your login details
- In the right-hand (remote) pane, locate the wp-config.php file in the root folder of your site
- Right-click the file and select Download
- Open the downloaded file in a text editor (Notepad will do)
- Copy the code below
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
- Paste the code into the file above the line that reads /* That's all, stop editing! Happy publishing. */ and don’t change anything else. Save the file and upload it back to the same location with FileZilla, overwriting the original
Once you do this, the built-in editor is disabled and plugin and theme files can no longer be edited from the WordPress admin area.
12. Disable PHP file execution in targeted WordPress directories
Disabling PHP file execution in directories where it’s not needed is another way to upgrade your WordPress security.
To disable PHP file execution:
- Copy the code below
<Files *.php>
deny from all
</Files>
- Paste it into a text editor such as Notepad
- Save the file as .htaccess
- Use your FTP client to upload this file to the /wp-content/uploads/ folder on your site
This works on Apache web servers, which read .htaccess files; deny from all is the Apache 2.2 wording, and the native Apache 2.4 equivalent is Require all denied. Nginx ignores .htaccess files, so there the rule has to go into the server configuration instead.
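The following added Python audit script (not part of this guide) checks that both file-level fixes, the DISALLOW_FILE_EDIT define from tip 11 and the PHP-blocking .htaccess from tip 12, are in place in a WordPress install directory; the sample install it builds is constructed test data, and accepting Require all denied alongside deny from all is my assumption for Apache 2.4 setups.

```python
import os
import re
import sys
import tempfile

# Tip 11: an uncommented define( 'DISALLOW_FILE_EDIT', true ) in wp-config.php.
FILE_EDIT_RE = re.compile(r"^\s*define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.M)
# Tip 12: a <Files>/<FilesMatch> block for .php in uploads/.htaccess that denies access,
# in the Apache 2.2 wording used in the guide or the equivalent Apache 2.4 form.
FILES_PHP_RE = re.compile(r"<Files(?:Match)?\s+[^>]*\.php", re.I)
DENY_RE = re.compile(r"^\s*(?:deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.I | re.M)

def _read(path):
    """File contents, or '' when the file is absent."""
    if not os.path.isfile(path):
        return ""
    with open(path, encoding="utf-8", errors="replace") as f:
        return f.read()

def file_edit_disabled(site_dir):
    return bool(FILE_EDIT_RE.search(_read(os.path.join(site_dir, "wp-config.php"))))

def uploads_php_blocked(site_dir):
    text = _read(os.path.join(site_dir, "wp-content", "uploads", ".htaccess"))
    return bool(FILES_PHP_RE.search(text) and DENY_RE.search(text))

def audit(site_dir):
    """Returns {check: passed} for the two file-level hardening steps."""
    return {"disallow_file_edit": file_edit_disabled(site_dir),
            "uploads_php_blocked": uploads_php_blocked(site_dir)}

def make_sample_site(hardened):
    """Constructed mini WordPress tree in a temp dir; hardened=True applies both fixes."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    # A commented-out define must not count as the fix being applied
    config = "<?php\ndefine( 'DB_NAME', 'wp' );\n// define( 'DISALLOW_FILE_EDIT', true );\n"
    if hardened:
        config += "define( 'DISALLOW_FILE_EDIT', true );\n"
        with open(os.path.join(uploads, ".htaccess"), "w") as f:
            f.write("<Files *.php>\ndeny from all\n</Files>\n")
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write(config)
    return root

if __name__ == "__main__":
    for check, ok in audit(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print("OK  " if ok else "FAIL", check)
```

Run it as python wp_hardening_check.py /path/to/wordpress (the file name is my own); a FAIL line names the tip whose fix is missing.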
Security in WordPress websites is one aspect of your website management that you must keep pace with.
Incorporate these WordPress security best practices and your WordPress website will be far better protected.
While you may not add all of these features at once, incorporating as many of them as possible is recommended if you hope to keep your website safe.