“How to secure WordPress website from hackers?”
As a blogger (now a freelance writer), I find this is one of the most common questions I get from new bloggers and website owners.
My answer often turns into a long conversation, because I am a huge believer that securing a WordPress website from hackers requires more than just one step. As a matter of fact, there are many steps you need to take to secure a WordPress website from hackers.
Two years back, I wrote an article on WordPress security, and it was a huge success. Not only did that post become one of my most popular blog posts, but it was also featured on Harvard University’s blog!
But two years ago is a long, long time ago. The game has changed, and we are already moving closer to 2017.
So this blog post will be the most updated version for any blogger who asks “How to secure WordPress website from hackers?”
Important disclaimer you need to understand (about WordPress security): There is NO website that is immune to hacking, a.k.a. impossible to hack. There is no stopping hackers from trying to hack your website, but you can certainly make it tough for them to accomplish their goals.
With proper security practices, you should be able to maintain your WordPress website safely and free from hackers.
1. Choosing the right web host can help prevent hacking
Web hosting is often the first line of defense when it comes to securing WordPress websites from hackers.
A good web host will run checks for malicious code or intrusion on a daily basis to ensure your WordPress website is safe. However, most shared web hosting doesn’t do that. Instead, they run very general checks once a week and some, once a month!
Not all bloggers are savvy with WordPress, and many will count on the web hosting provider for advice, especially regarding plugins and themes. Again, shared web hosting providers do not place many restrictions on these, which triples the chances of your WordPress website being hacked.
A quick solution (but expensive): Forget about shared hosting and opt for fully managed WordPress hosting instead. For example, I use WP Engine for all my WordPress websites because I’ll get:
- Daily backups
- Daily scans for viruses and malicious code
- Bulletproof security features
And if I’m unlucky enough to be hacked, WP Engine will repair my WordPress website free of charge!
Slower solution (but more cost saving): Install as few plugins as possible, and prefer premium plugins as the safer bet. Instead of using fully managed WordPress hosting, you can opt for a semi-dedicated plan such as GoGeek from SiteGround. At a fraction of the price of managed WordPress hosting, you’ll get better support (especially in security) and server performance as well.
2. Choose your WordPress themes wisely
Do you know that WordPress themes can affect your website security? There is no way you can secure a WordPress website from hackers if you are using nulled or cracked WordPress themes.
Now, don’t tell me that you are too poor to buy a good theme. Invest in a premium WordPress theme and it will save you even more money in future!
A premium WordPress theme comes with many features such as built-in SEO features and clean code, and it loads faster too. Therefore, you are not getting a premium theme for security reasons only.
Here are some of the most popular premium WordPress themes on the market now:
I also wrote a complete comparison between Thrive Themes vs Studiopress (if you need help deciding).
3. Control the types of plugins you’re installing on WordPress
There are many WordPress plugins you can find in the repository as well as on third-party websites. And this is a huge problem, especially when it comes to securing a WordPress website from hackers.
Not all plugins are coded correctly, which can leave loopholes, and some developers deliberately slip strings of malicious code into them. Either way, your WordPress website will be exposed to hacking if the matter is not resolved immediately.
If you are planning to secure your WordPress website from hackers, here are some of the best practices for bloggers:
- Use only the latest updated plugins
- Avoid using plugins which are no longer supported by their developers
- Download the plugins directly from the source, not from friends or P2P sites
- Always keep your plugins updated to the latest version
- Purchase premium plugins, as those are usually supported by the developers
4. Prevent hacking by cleaning up your WordPress backend
Did you know that one of the best ways to secure WordPress website from hackers is to keep your WordPress back end tidy?
Ask yourself a question. When was the last time you cleaned up your WordPress back end? Probably a long time ago, right?
There are a lot of things you can do when cleaning your WordPress back end. For example:
- Remove unwanted plugins
- Remove unsupported plugins
- Uninstall any plugins not in use (instead of leaving them deactivated)
- Check any strings of code you have added in the past to the <header> and <body> sections
In short, the more often you clean up your WordPress back end, the better your chances of avoiding being hacked.
5. Always be careful when hiring a WordPress developer
Having a virtual assistant or WordPress developer to help you with your blog is a good thing. However, not all of them are equal.
Sure, there will be those who are good and honorable, but there will also be some who are crooked. When it comes to hiring a WordPress developer, make sure you provide access only to the files they need and not the entire directory.
It is always recommended to back up your WordPress website first (keeping the backup copy with you) before allowing them to make any changes or modifications.
If you are using fully managed WordPress hosting that has staging facilities, get the WordPress developer to work on your staging site instead of the live one. You can get the support team to scan the staging site to ensure that no malicious code is in it before making it live.
When it comes to hiring a virtual assistant or WordPress developer, always remember that cheaper isn’t always a good thing. Whenever you feel that the offer is too good to be true, you should skip it and look for others.
Trust me; this is one of the best methods when it comes to “how to secure WordPress website from hackers.”
6. Always backup your WordPress website
When was the last time you did a website backup? Most shared hosting providers only provide weekly or monthly backups by default. Unless you have a higher plan such as SiteGround GoGeek or WP Engine, which offer daily backups, you are bound to have a problem if your WordPress website is compromised.
You can initiate a manual backup for your WordPress website directly from your cPanel by clicking on this option:
Some web hosting companies also offer you the option to keep the backup file for a specific duration, such as 7, 14 or 31 days.
How to secure your WordPress website from hackers: For additional security precaution, you may opt to download the backup and keep it on your computer. This will ensure that in the case of hacking or any breach, your backup copy is still in good condition.
7. Strong password for your WordPress will deter hacking
The WordPress team understands the risk of hacking; to date, as many as 30,000 WordPress websites are compromised on a daily basis.
Therefore, WordPress users are required to use strong passwords for their back end access.
The best practice for securing a WordPress website is to use a strong password, following rules such as:
- Avoid using birth dates
- Avoid using real name
- Use at least one capital letter
- Use at least one numeric character
- Use at least one symbol
When it comes to securing WordPress website from hackers, it is always better to be safe than sorry.
8. Keep WordPress core updated
WordPress developers can relate to this. Do you know how often website owners do not update their WordPress? Seldom, right?
Keeping WordPress core (and plugins) updated is the very least you could do to secure WordPress websites.
Furthermore, it doesn’t cost you a dime for the updates.
How to prevent a WordPress website from being hacked? It is highly recommended to perform a backup before updating, as there is a slight chance of an upgrade glitch which could affect your WordPress website.
9. Always use WordPress security plugins
I know many bloggers who say that they cannot afford a managed WordPress hosting service. Don’t worry; I get it.
However, it doesn’t mean that you have to leave your WordPress website bare naked and unprotected! You should use a security plugin to secure your WordPress website.
There are many WordPress security plugins that you can choose from such as:
If you are wondering, there isn’t any best WordPress security plugin from the list above as each provides pretty similar features.
Important tip to secure WordPress websites: When setting up a WordPress security plugin, always go for a safe setting first before going full blown. This is to ensure that you do not accidentally lock yourself out from the backend due to the tight security setting.
10. Activate CloudFlare for additional protection from hackers
CloudFlare is more than just a content delivery network (CDN). It provides security and, above all, additional protection against attacks such as DDoS and brute force.
CloudFlare will block known abusive IP addresses which could cause harm to your WordPress website.
You can activate CloudFlare via cPanel or directly from the CloudFlare official website.
11. Using two-factor authentication
Two-factor authentication is a great and powerful way to secure your WordPress website from hackers.
If you are looking to use two-factor authentication on WordPress, you can download Clef and sync it with your smartphone.
You’re required to scan a code with your smartphone every time before you log in, and Clef will check for authenticity before you can log in.
12. Use SFTP instead of FTP
File Transfer Protocol (FTP) is a common tool used by bloggers and WordPress developers to send files to and from the WordPress database.
Instead of using FTP, you should use SFTP (SSH File Transfer Protocol or Secure File Transfer Protocol) to ensure that your information is secured during the file transfer.
Most shared web hosting providers offer both FTP and SFTP. All you need to do is request it if you are unable to find it in your cPanel account.
13. Keep your computer or devices up to date
When bloggers ask me “How to secure WordPress website from hackers?”, I usually tell them that security practices start with them.
We are often connected to our WordPress backend using our smartphones, tablets, laptops or desktops. Whichever you use, these devices must be free from viruses and malicious code. The security of your WordPress website can easily be compromised if you are not careful.
For example, a laptop that is infected with a keylogger would easily give hackers access to your WordPress website because they would have your credentials.
14. Open your eyes and notice any differences
If you have installed a security plugin such as Wordfence, there will be a summary report which you can generate that shows the number of failed logins over a period.
If you notice a huge spike in attempts to log in to your WordPress back end, you need to start taking precautions such as:
- Limiting access to WordPress backend
- Enabling the Brute Force feature in the WordPress Jetpack plugin
- Changing the security level on CloudFlare from medium to high
At the end of the day, you need to keep an eye on the ‘health’ of your WordPress blog. No one is a better lookout than you, yourself.
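If you have no security plugin report to look at, the same spike check can be run on the web server's access log. The script below is an added example, not part of the original post: it assumes an Apache/nginx "combined" log format and that a failed login shows up as a POST to /wp-login.php answered with status 200; the function names, the thresholds and the sample log lines are all constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Apache/nginx "combined" log line: client IP, timestamp, request, status.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def failed_logins(lines):
    """Yield (hour, ip) for each failed wp-login.php attempt."""
    # Assumption: a failed login POST returns 200, a successful one a 302.
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?")[0] != "/wp-login.php":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield ts.strftime("%Y-%m-%d %H:00"), m["ip"]

def find_spikes(lines, factor=5, floor=10):
    """Return {hour: (count, top IPs)}; factor and floor are illustrative."""
    events = list(failed_logins(lines))
    per_hour = Counter(hour for hour, _ in events)
    if not per_hour:
        return {}
    threshold = max(floor, factor * median(per_hour.values()))
    spikes = {}
    for hour, count in sorted(per_hour.items()):
        if count >= threshold:
            ips = Counter(ip for h, ip in events if h == hour)
            spikes[hour] = (count, ips.most_common(3))
    return spikes

def sample_log():
    """Constructed sample lines (documentation IP ranges, not real traffic)."""
    fmt = ('{ip} - - [12/Oct/2016:{h:02d}:{m:02d}:00 +0000] '
           '"POST /wp-login.php HTTP/1.1" {st} 1024 "-" "-"')
    rows = [("198.51.100.7", 9, 1, 200), ("198.51.100.7", 9, 2, 200),
            ("198.51.100.7", 9, 3, 302), ("192.0.2.10", 10, 15, 200)]
    rows += [("203.0.113.50", 11, i, 200) for i in range(40)]
    rows += [("203.0.113.51", 11, 40 + i, 200) for i in range(5)]
    return [fmt.format(ip=ip, h=h, m=m, st=st) for ip, h, m, st in rows]

if __name__ == "__main__":
    print(find_spikes(sample_log()))
```

To use it on a real site, pass the lines of your own access log to `find_spikes` instead of `sample_log()`; the IP addresses it reports for a spike hour are the ones to consider when limiting access to the backend.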
How to secure WordPress website from hackers – Summary
There are many steps you can take to secure your WordPress website, ranging from simple tasks to more complicated ones.
With the number of WordPress websites being hacked on a daily basis, it is important to be vigilant and take the best precautions you can find to secure your WordPress website.
Have you taken sufficient security precautions for your WordPress website?