It's not pleasant to see a hacked website. A WordPress website hack can cause damage to your business in the short and long term, especially if it happens repeatedly. A website hack can result in data being deleted from the site and a decline in search engine rankings, either because of missing pages or because Google detects malicious code on the site. It is estimated that approximately 30,000 websites are hacked every day. Furthermore, approximately 43% of attacks on websites target small businesses, and data shows that only about 14% of these websites are adequately protected. Why should you be part of the statistics?
There are quite a few solutions for securing your WordPress website, and many of them can be implemented by yourself. It is true that you can quickly restore a WordPress website if you have an up-to-date backup (and it is very important to have one), but it is better to prevent the hassle, headache, and wasted time in advance.
How do you secure a WordPress site?
Strong passwords
Many attacks on WordPress sites involve password guessing tools. Create strong passwords and make sure that all users of the site have strong passwords. Such a password should contain at least 12-16 different characters, including upper and lower case letters, numbers, and special characters. You can also use WordPress itself, which has a password generator on the user creation page.
Install a security plugin
There are several very good security plugins for WordPress, and even their free versions provide good basic protection for your site. Recommended security plugins for WordPress:
It is important to check the performance of the site after installing and activating the security plugin. If the plugin causes problems or slows down the site, it is worth trying another plugin. Don't forget to back up the site before installing the security plugin.
Keep the system up to date
WordPress is updated frequently, and in most cases these are security updates that fix various vulnerabilities and issues in the content management system. Some updates are performed automatically, but major upgrades will have to be done manually, as it is important to check the website afterwards to make sure everything is working.
Many small business owners neglect their websites and forget to update them. An outdated system exposes your website to hacking, so it is important to visit the management interface frequently and update accordingly.
You can also enable automatic updates on your WordPress site and simply let the system update itself as needed.
Keep an eye on plugins and templates
WordPress plugins and templates also need to be updated. In fact, plugins and templates are a weak point that hackers love to exploit. Old and outdated plugins, for example, can definitely pose a security risk to your site. If the plugin developers have stopped updating it, you should consider deleting it or replacing it with a new plugin.
With templates, the situation can be even more frustrating, as their development is often abandoned, and changing the design of the entire website for security reasons is not something small businesses tend to do. However, a very old WordPress template definitely poses a security risk to your site, and it is worth replacing it or hiring a professional to update the template code.
Hide the WordPress login screen
A very common attack vector on WordPress sites is the login screen. When WordPress is installed, this screen is located at a specific, predetermined URL, making it a very easy target for scanning and attack. Instead of having the login screen at an address ending in wp-admin, you can place it at a different address, such as enterhere.php or any other extension you choose.
Changing the login screen address can be done by editing the WordPress code or using a plugin such as WPS Hide Login.
Disabling xmlrpc.php requests
WordPress comes with an XML-RPC protocol that allows external software to publish posts, save copies, advanced editing options, and more. These options pose a security risk to your site because they open the door to receiving external information without interruption.
Starting with WordPress version 3.5, this function is enabled by default, and there is no way to disable it through the WordPress admin interface. However, you can edit files through your website hosting admin interface to disable it. We have written a guide for you: Disabling xmlrpc.php requests through your hosting server.
Make sure your hosting service is using the latest version of php
Similar to working with older versions of WordPress, working with older versions of php is also unsafe. The php version is set on your website hosting server, and many hosting services allow you to set the php version yourself using cPanel. Be sure to work with the latest version of php.
Choose secure web hosting
Before you purchase hosting for your website, check whether the web hosting service places sufficient emphasis on website security and backups. Look for specific information on the hosting company's website, or ask customer service what security measures are taken on the servers.
Secure web hosting will significantly reduce the chances of your website being hacked and save you a lot of hassle and time.
Move your website to a virtual server
A virtual server is an excellent solution for immediately and significantly strengthening the security of your WordPress website. On a shared server, you share space with many neighbors, some of whom may pose a security risk—regardless of the security measures you take yourself.
When you host your WordPress site on a virtual server, you give it a higher-quality, more stable, faster, and stronger infrastructure, and of course, significantly more security. The part of the server you occupy is entirely yours (which is why it is called "private"), so you are not at risk from careless behavior or attacks on websites that do not belong to you.