WordPress Security: 26 Steps To Protect Your Website [2019]

WordPress security plays a HUGE role in your website performance.

Once you have finished optimizing your website, it gets more popular and automatically attracts attention from hackers.

You will be attacked! Sooner or later.

The real question is: Are you prepared?

This guide outlines ALL the necessary steps you need to make in order to maximize your blog’s safety.

Let’s get started!

This guide was made specifically for non-techie guys (like me).

WordPress Security: Basics


Pure statistics:

Cybercrime damages will cost the world $6 trillion annually by 2021.

Website security was, is, and will be one of the main concerns all webmasters have to encounter.

The threat is huge and inevitable. You’d better prepare. And you’d better do it right now!

Below are some of the finest techniques that will help you protect your web property and keep it away from “dirty hands”.

Let’s start with the most essential steps EVERYONE should follow.

1. Secure Your Computer

It all starts from the very beginning. Do yourself a great favor right now and get a decent antivirus and malware scanner.

These tools will make sure that your computer operates correctly without any security issues.

Run a full scan of the computer upon installation and repeat the process regularly.

Tools to consider:

  • 360 Total Security
  • Norton
  • Kaspersky
  • Bitdefender

2. Password Protect Your Laptop

Thousands of laptops are stolen each year in the U.S. Information gets leaked far too easily.

Create a strong password that no one but you knows, and require it on the laptop’s login screen.

You never know who wants to check your computer (especially if you have it in the office).

3. Use a Password Manager

Here is the thing: you MUST use tons of different, unique, and complex passwords when working with your website.

Yet, it may seem troublesome to remember all of them.

There are two ways to consider:

  1. Write them all down on a piece of paper and NEVER show it to ANYONE.
  2. Use a reliable password manager and thrive!

I personally recommend using LastPass as an all-in-one tool.

It’s one of the most secure and cheapest ($24/year) solutions for password management.


4. Access Your Site From a Secure Location

The Wi-Fi network through which you access your website matters too. Public hotspots are easily compromised.

Use only trustworthy Wi-Fi networks, ideally only your own.

5. Reputable Hosting Provider

Once you have finished securing your PC and set up an extensive system of unique passwords, it’s time to give your blog a reputable, hack-proof hosting provider that will also keep your website speed-optimized.

Among all of the options on the market, I would suggest the ones below:

– SiteGround for small to medium blogs

– And WP Engine for more sophisticated players

SiteGround is probably the BEST option for beginner bloggers and websites 1-5 years of age.

WP Engine is a great choice for websites with high traffic and a high number of potential attacks.

I host my blogs on SiteGround and recommend it to all of my readers without any hesitation.

Some of the reasons why millions of bloggers and I choose it:

  1. In 2018, SiteGround achieved an incredible 98% client satisfaction rate!
  2. It optimizes the performance of WordPress sites so much that you can see speed gains between 20% and 500%, depending on the type of site you run!
  3. In 2018, SiteGround was extremely successful in keeping clients’ sites well secured.

Sign up to SiteGround right now and forget about insecure, poorly performing websites!


In order to help you out with the registration, I have described the whole process step-by-step.

Check out: How to Start a Blog in 2019

6. Get Your Website Encrypted

Here is the sad truth: any computer between you and the server can read your credit card information, usernames and even passwords(!) unless the connection is encrypted with an SSL certificate.

It is also one of the most important Google ranking signals!

Cloudflare SSL will encrypt the web traffic to prevent data theft and other tampering.

The best part is that it’s absolutely free of charge.

Note: It will change your site’s URL from http://www.example.com to https://www.example.com. Make sure you implement SSL encryption BEFORE adjusting WordPress security settings and installing any security plugins. It will save you a lot of time, as you will have to use the new URL address quite often.


7. Change Your Admin Area URL

Normally, your Admin area URL would look like this:

– example.com/wp-login/
or
– example.com/wp-admin/

Why would you change it?

Because it gives you yet another layer of defense against brute-force attacks!

It also helps you hide the fact that you are actually using WordPress, so potential attackers would have to figure out other ways in.

And finally, it makes your login screen more appealing.

Now, how do you change the Admin Area URL?

There are a couple of nice plugins on the market that will help you with this task. You may try WPS Hide Login or Custom Login URL.


They are both easy to use: all you need to do is type in the new URL and remember it, or bookmark it in your browser.

Note: These two plugins were tested on hundreds of websites and work just fine. Still, I strongly recommend backing up your website with a reliable WP backup plugin before changing the URL.

8. Create a New “Admin” User Name

You should NEVER keep the default user name “admin” on your WordPress website.

This is the first username attackers will try.

How do you create a new admin user name in WordPress?

Step 1: Head over to the Dashboard and click Users - All Users:


Step 2: Click on Add New:

Step 3: Create your own unique username, set the role to Administrator, and click on Add New User.


Step 4: Make the “admin” user a simple subscriber with no rights to change the website content and settings.


9. Come Up With a Strong Password

This step might sound too obvious, yet many new bloggers tend to skip it.

You MUST create a super-duper password that will add a solid layer of security to your website.

WordPress gives you two great options:

– It generates a strong password by itself:


– It allows you to create your own.

Pro Tip: You may let WP generate a unique password for you AND add some extra digits, symbols or letters to make it even more secure!

You can even use an online tool called Strong Password Generator; it will create a combination that is very hard to crack.


10. Disable Pingbacks and Trackbacks

These rather useless WordPress features do nothing to make your website more secure.

The only noticeable thing they do is increase the workload.

You can turn them off in less than a minute.

Simply go to Admin Panel - Settings - Discussion and uncheck “Allow link notifications from other blogs (pingbacks and trackbacks) on new articles”.


11. Themes and Plugins

When your blog starts attracting new readers, you should think about purchasing a premium WordPress theme.

Unreliable WP themes and plugins can cause HUGE problems for bloggers.

They are poorly coded and full of flaws.

Those flaws are doorways that can give access to potential threats. Some of the FREE themes and plugins found on torrent sites are already infected with malware.

One of the best things you can do for your website’s safety is to get themes and plugins from dependable sources such as MyThemeShop.

Their products are beautiful, fast, and SECURE!


12. Keep Your Website Updated

Having themes and plugins from trustworthy sources is one thing; updating them regularly is another!

New versions of WP products will always help you maintain website security.

Things you should constantly update:

  • WP version
  • WP theme
  • WP plugins

More Updates = More Security!

Note: Though it has little to do with WordPress security, you should never forget to update your old blog posts. The finest copywriting techniques can help a lot.

13. Enable a Web Application Firewall (WAF)

A WAF places itself between your site and the rest of the internet.

From then on, every request goes through the WAF before it reaches your site.

Web Application Firewall providers can perform two amazing tricks:

  1. They can detect bad traffic.
  2. They can reject bad traffic, so it never reaches your server.

All decent WAFs are paid.

Which WAF plugin should you choose?

Later in this guide, I am going to introduce you to a MASSIVE security plugin called Sucuri.

Almost all of its features are absolutely free. One of the paid ones is the WAF!

It is powerful, dependable and legit!

Sucuri’s WAF is constantly updated to recognize common and emerging attacks.

This degree of protection makes it very hard to harm your site.

14. Uncheck the Membership Option

The “Anyone can register” Membership option should be unchecked in General Settings.

You do it for the single purpose of controlling WHO can register on your website.

If it is checked, you open a doorway for spammers.

Here is how to stop just anyone from registering on your website:

Dashboard - General Settings - Membership (uncheck)


15. Scan the Site Regularly

Even if everything seems safe and sound, you should still do regular website checkups.

That is a good habit that all thoughtful bloggers mastered long ago.

Now the question is:

How do you do a WordPress security checkup?

There are some services on the market that offer scheduled website checks.

The only problem is that they can be quite pricey!

So if you are on a tight budget, one of the best options is to use WordPress security plugins.

Let’s check them out!

WordPress Security: Plugins


In the previous section, you learned how to create a custom Admin Area URL and a new admin username.

Why not add some extra layers of security to this vital part?

Let me introduce some of the best plugins out there that will make your admin area bullet-proof.

16. Login LockDown Plugin

Hackers sometimes try to get into your site by guessing your admin password.

One of WordPress’s weakest spots is that, by default, it allows unlimited password attempts.

Hackers use scripts that automatically try different combinations until the site is cracked.

The best solution is a plugin that blocks users after too many failed login attempts (5 or more).

In the Login LockDown plugin you can set:

  • Number of failed attempts
  • Retry time period
  • Lockout length
  • Lockout invalid usernames

17. WP Security Question Plugin

This plugin provides an extra level of security for your admin login page.

The principle is simple.

You pick a question from the list or create your own:


Next, you scroll down the settings page and check the “Ask security question on login screen” option.


Then head over to Users - All Users, click on your username and scroll down to the bottom of the page.

There you will find the field where you type in the answer:


Every time someone tries to access your site through the login page, they will have to answer the question as well.


18. Google Authenticator Plugin

This powerful WordPress plugin gives you two-factor authentication using the Google Authenticator app for iPhone, Android, and BlackBerry.

You will get a new one-time code on your phone.

The plugin requires you to type that unique code into the admin login screen each time you want to access the website.


19. WP fail2ban Plugin

This strong yet simple plugin is one of the most effective security measures you can implement against brute-force password-guessing attacks.

The biggest difference from Login LockDown is that it can ban an attacker immediately, as soon as it spots a brute-force attack.

20. UpdraftPlus WordPress Backup Plugin

Installing a dependable backup plugin on your WordPress site is probably one of the best single decisions you can make to maintain its security and performance.

Any time you change WordPress settings or activate new plugins you have never worked with, I strongly recommend making a backup first.

This way you will easily be able to restore all of your data and get your website back up.

Pro Tip: Schedule the regular backups, every day/week/month.

21. Theme Authenticity Checker (TAC) Plugin

TAC checks that the theme you are using on your blog is safe and not infected with a potential threat.

Normally there is no need for this plugin if you got your theme from a reputable source.

On the other hand, if you are not ready to invest in a good premium theme and found a nice free one “somewhere”, you need to do a proper check.

If the plugin finds encrypted code, consider contacting the theme author or switching to a safer theme.
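To make “encrypted code” concrete, here is an added example (not the TAC plugin’s own code) of the kind of check such a tool runs over a theme: it flags obfuscated PHP and, going a little beyond the text, hidden outbound links. The indicator patterns and the sample theme files are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Indicators of obfuscated or hidden code commonly found in tampered themes
# (a constructed, illustrative set; real scanners carry many more).
OBFUSCATION_PATTERNS = {
    "eval_of_decoded_string": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]"),
    "hex_escaped_function_name": re.compile(
        r"\$\w+\s*=\s*['\"](\\x[0-9a-f]{2}){4,}['\"]", re.I),
    "hidden_outbound_link": re.compile(
        r"<a[^>]+style=['\"][^'\"]*display\s*:\s*none[^'\"]*['\"][^>]*>", re.I),
}


def scan_file(content: str) -> List[Tuple[str, int, str]]:
    """Return (indicator, line_number, excerpt) for every pattern hit in one file."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for name, pattern in OBFUSCATION_PATTERNS.items():
            if pattern.search(line):
                findings.append((name, lineno, line.strip()[:60]))
    return findings


def scan_theme(files: Dict[str, str]) -> Dict[str, List[Tuple[str, int, str]]]:
    """Scan the PHP and HTML files of a theme; return only files with findings."""
    report = {}
    for path, content in files.items():
        if path.endswith((".php", ".html")):
            hits = scan_file(content)
            if hits:
                report[path] = hits
    return report


# Constructed sample theme: a clean functions.php and a tampered footer.php.
# The "payload" is just "ABC" repeated, so the sample is harmless.
SAMPLE_THEME = {
    "functions.php": "<?php\nadd_theme_support('post-thumbnails');\n",
    "footer.php": (
        "<?php wp_footer(); ?>\n"
        "<?php eval(base64_decode('" + "QUJD" * 40 + "')); ?>\n"
        "<a href=\"https://example.com/spam\" style=\"display:none\">seo</a>\n"
    ),
    "style.css": "/* theme stylesheet */\n",
}
```

A hit is a reason to inspect the file, not proof of infection: some legitimate themes also embed base64 (for example small inline images), so read the flagged line before deciding.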

22. Inactive Logout Plugin

This helpful plugin protects your account and data from snoopers and “friends” by automatically logging you out after a set period of inactivity.

If someone else uses the same machine to get into your account, it will automatically log you (and them) out.

Lots of reputable banks and online businesses use this method to keep unwanted users from wandering around.

23. Sucuri Security Plugin

An AMAZING and super powerful plugin for your WordPress security. It is especially helpful for non-technical guys like me.

The interface is simple, and all settings are done in a couple of clicks!

Install the plugin and activate it. Once it’s activated, go to the Sucuri menu - Dashboard.

You will see the request to Generate a free API key.

Fill in the required fields, then click on 1, 2, and 3.


When the key is generated, go to the Hardening tab in Sucuri Settings.


The plugin offers hardening options for the common weak spots of your website.

Click on the “Apply Hardening” button for all of the options:


  • Remove WordPress Version
  • Block PHP Files in Uploads Directory
  • Block PHP Files in WP-CONTENT Directory
  • Block PHP Files in WP-INCLUDES Directory
  • Information Leakage
  • Default Admin Account
  • Plugin and Theme Editor

The Scanner feature will allow you to scan your website for potential threats.

All of these options, if applied, will keep your blog much more secure.

Note: You can revert hardening options anytime you want.

In this section, I’ve shown you some of the finest security plugins on the market.

The next section will take you even further along the way to WordPress security optimization.

WordPress Security: Bonus Tools


In this section, I am going to reveal some of the most efficient online tools that will help you check your website for security issues and maintain its safety.

Even if you have implemented all the strategies above, you may still want to do an extra scanning that will help you find out the blog’s vulnerabilities (if there are any).

Let’s check some of the finest online security scanners:

24. WPSCANS

This scanner is one of the most comprehensive WordPress vulnerability scanners online.

Some of the main features are:

– Deep scan technology
– Instant scans
– Automatic scans
– All-in-one dashboard
– Push notifications
– Advanced reports

Simply enter your website URL, click the “START SCAN” button, and get your scan results!

25. Sucuri SiteCheck

Apart from an awesome security plugin, Sucuri offers a free online website malware and security scanner.

All you need to do is enter your website’s URL and click the Scan Website button.

Sucuri SiteCheck will scan the website for website errors, blacklisting status, known malware, and out-of-date software.

26. VirusTotal

A handy online tool that lets you analyze suspicious URLs and files, and facilitates quick detection of worms, viruses, trojans, and all sorts of malware.

Type in your website’s URL, click on Scan it, and get an instant result:


How to Fix a Hacked Website?


If you happen to be one of those people who only start praying when they hear thunder, you basically have two options:

  1. Fix the broken site yourself (requires a lot of knowledge and skill)
  2. Let the professionals do the job.

The first option would be suitable for those who feel comfortable with WordPress Security issues and code.

The second one is a great choice for those who would rather let the experts do their job and make sure no backdoors are left in the site.

Recovering the website may cost you thousands of dollars if you hire a solo professional.

Sucuri (which I’ve already mentioned a couple of times) guarantees it will clean the whole website and make sure you are safe and sound for FREE!*

*Provided you are one of their paid customers.

Don’t forget that it’s better to be proactive than reactive!

Use this guide to bring your website security on a whole new level!

How Should You Approach This Guide?


Maintaining WordPress website security may seem like an intimidating task.

To help you speed up the process I have created a detailed checklist.

Click on the image below to download it.

It will walk you through the entire process of the WordPress security optimization step-by-step.

You will find there all the techniques I covered here + 2 bonus tips not mentioned in this guide.


I hope you found some helpful information in this guide!

Leave your thoughts and questions in the comment section below.

Also, add me on LinkedIn or follow me on Quora, I share some useful info there 😉

Cheers!

 
