WordPress is a leading Content Management System (CMS), popularly used to create blogs and websites. It is free and open source, built on PHP and MySQL, which makes it a suitable CMS for building and managing both simple and complex websites.
WordPress runs 32% of all websites on the internet, about 19.5 million websites, and 500 new websites are built with WordPress daily, a rate that sets it apart from other popular CMSs such as Drupal, Joomla, Squarespace, and Shopify.
WordPress is without doubt the most popular CMS, and that popularity makes WordPress websites an easy target for hackers. In a recent survey by CodeInWp, WordPress was the most hacked CMS of them all: of the 8,000 infected websites analyzed in the study, 74% were built on WordPress. 8% of WordPress websites get hacked because of a weak password, while 52% of WordPress vulnerabilities are caused by WordPress plugins, 39% by cross-site scripting (XSS) issues, 37% by the WordPress core files and 11% by WordPress themes.
Thus, WordPress security is a topic of huge importance for every WordPress website owner. In this article, we share the top WordPress security tips and tricks our security team knows and uses, to help you protect your website against hackers and malware.
Common WordPress Security Tips
Keep your WordPress updated
WordPress is an open-source CMS that is regularly updated by its developers. By default, WordPress automatically pushes and installs minor updates; for major releases, you need to initiate the update manually. Doing so ensures that your WordPress core files are up to date and free from known vulnerabilities. Besides keeping the core files updated, it is important to keep the themes and plugins installed on your website updated. These plugins and themes are maintained by third-party developers, who regularly release updates as well. These updates are crucial for the security and stability of your WordPress site, so make sure that your WordPress core files, plugins, and themes are all up to date.
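As an added example (not code from the original article), the settings below make a site apply core, plugin and theme updates on its own instead of waiting for an administrator. The wp-config.php constant and the two mu-plugin filters are standard WordPress APIs; the file name auto-updates.php and the plugin slug 'example-payment-gateway' are placeholders chosen for this example.

```php
<?php
// --- wp-config.php -------------------------------------------------------
// Core updates: true applies major and minor releases unattended, 'minor'
// (the default) applies only maintenance and security releases, false
// disables background core updates entirely.
define( 'WP_AUTO_UPDATE_CORE', true );

// --- wp-content/mu-plugins/auto-updates.php (placeholder file name) ------
// Must-use plugins load on every request without needing activation, which
// makes them a good place for site-wide hardening. add_filter() is not yet
// defined while wp-config.php is being read, so these filters cannot live there.

// Plugins and themes are not auto-updated by default; opt them in.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Keep one plugin that you test by hand on the manual path. The slug
// 'example-payment-gateway' is a placeholder for this example.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug ) && 'example-payment-gateway' === $item->slug ) {
        return false;
    }
    return $update;
}, 20, 2 );

// E-mail the site admin after each background core update, so a failed or
// rolled-back update is noticed rather than silently leaving the site behind.
add_filter( 'auto_core_update_send_email', '__return_true' );
```

The second `auto_update_plugin` filter runs at priority 20, after the blanket `__return_true` at the default priority 10, so the exclusion wins for that one slug while everything else still updates. Background updates need the web server to be able to write to the WordPress directory; on hosts that require FTP credentials for updates they will not run, and you are back to updating manually.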
Use strong passwords
Over the years, our security team has found that, among the various points of entry, a weak password was the major reason WordPress sites were compromised.
If you are new to WordPress, one problem you will encounter is choosing a strong password, because strong passwords are hard to remember. In a recent post, we shared eight tips for keeping your password simple and secure. Click here to learn how.
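Beyond advising users, a site can refuse weak passwords outright. The must-use plugin below is an added example, not code from the original article: it hooks the two places where WordPress lets a plugin veto a new password (the profile screens in wp-admin and the "lost password" reset form). The 12-character minimum, the short blocklist and the file name password-policy.php are constructed for this example; the hook names and WP_Error calls are WordPress's own.

```php
<?php
// wp-content/mu-plugins/password-policy.php (placeholder file name)
// Added example: reject weak passwords at creation, profile update and reset.

/**
 * Return a list of policy violations for $password (empty array = accepted).
 */
function example_password_policy_violations( $password, $user_login = '' ) {
    $violations = array();

    if ( strlen( $password ) < 12 ) {
        $violations[] = 'Password must be at least 12 characters long.';
    }

    // Constructed sample of commonly seen passwords; a real deployment would
    // load a much larger list (or check a breach corpus) instead.
    $blocklist = array( 'password', 'password123', 'wordpress', 'admin123',
                        'letmein', 'qwerty123', '123456789012' );
    if ( in_array( strtolower( $password ), $blocklist, true ) ) {
        $violations[] = 'That password is on the list of blocked common passwords.';
    }

    // The username is public (author pages, REST API), so it must not be
    // part of the password.
    if ( '' !== $user_login && false !== stripos( $password, $user_login ) ) {
        $violations[] = 'Password must not contain your username.';
    }

    return $violations;
}

// Create/edit user screens in wp-admin. $user->user_pass is only set when a
// new password was actually typed, so an unchanged password passes through.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return;
    }
    $login = isset( $user->user_login ) ? $user->user_login : '';
    foreach ( example_password_policy_violations( $user->user_pass, $login ) as $msg ) {
        $errors->add( 'weak_password', $msg );
    }
}, 10, 3 );

// "Lost your password?" reset form on wp-login.php. WordPress only calls
// reset_password() when $errors is empty, so adding an entry blocks the reset.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return;
    }
    $password = wp_unslash( $_POST['pass1'] );
    foreach ( example_password_policy_violations( $password, $user->user_login ) as $msg ) {
        $errors->add( 'weak_password', $msg );
    }
}, 10, 2 );
```

Each hook receives a WP_Error object; adding an error to it makes WordPress abort the save and display the message, so the policy function only has to return reasons and never needs to touch the database itself.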
Use reliable web hosting
One of the advantages of the WordPress CMS is that it can be installed on any hosting environment. Using a reliable web hosting platform can save you from common WordPress vulnerabilities such as cross-site contamination, where a hacker uses a neighboring site on the same server to attack your website.
When selecting a hosting plan, there are a few things to look out for:
- Network monitoring for suspicious activity such as brute-force attacks.
- Anti-DDoS tools.
- Up-to-date server software and hardware.
- Ready-to-deploy backup systems and incident plans that allow them to protect your data.
Switch your WordPress site to SSL/HTTPS
The bulk of WordPress websites do not use SSL/HTTPS. SSL (Secure Sockets Layer) is a protocol that encrypts data transferred between your website and a user's browser. This encryption makes it harder for someone to sniff the traffic and steal sensitive information such as passwords, usernames, email addresses, and credit card details.
Enabling SSL/HTTPS usually involves purchasing an HTTPS certificate from a Certificate Authority. They cost anywhere from free to over 70,000 Naira. Click here to purchase a certificate.
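Installing the certificate is only half the job; WordPress must also stop answering over plain HTTP. The configuration below is an added example, not code from the original article. It assumes a certificate is already installed and the web server listens on port 443; the domain example.com and the file name force-https.php are placeholders. WP_HOME, WP_SITEURL, FORCE_SSL_ADMIN, is_ssl() and the two actions are standard WordPress.

```php
<?php
// --- wp-config.php -------------------------------------------------------
// Declare the site address as HTTPS and require TLS for the login page and
// the whole admin area (the pages where passwords and cookies travel).
define( 'WP_HOME',    'https://example.com' );   // placeholder domain
define( 'WP_SITEURL', 'https://example.com' );
define( 'FORCE_SSL_ADMIN', true );

// Behind a TLS-terminating proxy or load balancer WordPress only sees plain
// HTTP, so is_ssl() returns false and the redirect below would loop forever.
// Uncomment this ONLY if the proxy strips and rewrites the header itself;
// otherwise any client can send it and claim to be on HTTPS.
// if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
//      && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
//     $_SERVER['HTTPS'] = 'on';
// }

// --- wp-content/mu-plugins/force-https.php (placeholder file name) -------
// Send every plain-HTTP front-end request to its HTTPS twin with a permanent
// redirect. wp_safe_redirect() only allows hosts matching the site's own
// address, so a forged Host header cannot turn this into an open redirect.
add_action( 'template_redirect', function () {
    if ( ! is_ssl() ) {
        wp_safe_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 301 );
        exit;
    }
} );

// HSTS: once a browser has seen this header over HTTPS it will not try plain
// HTTP for the site again for a year, which closes the window in which the
// first request could be intercepted before the redirect above runs.
add_action( 'send_headers', function () {
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
} );
```

The `template_redirect` hook only fires for front-end pages; wp-admin and wp-login.php are covered by FORCE_SSL_ADMIN. Drop `includeSubDomains` if any subdomain (a staging or mail host, say) is still served over plain HTTP, because browsers would otherwise refuse to load it.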
Kill spam and comment malware
Spam is another security problem faced by WordPress site administrators. Spammers are fond of adding comments with malicious content to a WordPress site; other comments are embedded with links to websites filled with junk.
To help filter out comment spam, we recommend Akismet. This plugin filters out comment spam automatically and will reduce your workload. Once you have automatic spam filtering set up, you will unfortunately discover that some spam still gets through the filters and has to be filtered manually.
Avoid malicious themes and plugins
WordPress has over 50,000 free plugins and 25,000 free themes in the WordPress directory, and there are over 11,000 premium themes available on ThemeForest. Because the majority of these themes and plugins are developed by third-party developers, users are at the developers' mercy as to whether what they install is bug-free and secure.
When choosing a theme or plugin for your WordPress site, avoid downloading it from untrusted sources. Unfortunately, many websites on the Web distribute malicious themes and plugins. These are called "nulled" themes and plugins, and they come with malicious code pre-installed. Only install themes and plugins from trusted sources.
Even then, it is important to take note of the source of your WordPress themes and plugins. When downloading a theme or plugin from the WordPress directory, take a few minutes to read other users' comments and reviews. It is also important to use themes and plugins that are compatible with your WordPress installation and have been updated recently, no longer than 2 months ago.
Other DIY tricks to keep your WordPress secure
- Always change the default "admin" username: relying on it is an old trick hackers use to sniff out a WordPress username. Since the username makes up half of your login details, a brute-force attack can then be launched to crack the remaining half, the password. You can change it by creating a new user with a different username and password, assigning it the same "administrator" role, and then deleting the old one.
- Install a security plugin: one of the most important steps our security team takes when installing a WordPress site is adding a security plugin, such as Wordfence or iThemes Security. These plugins are free to download from the WordPress directory; premium versions are also available with advanced protection such as a Web Application Firewall.
- Change the WordPress database table prefix: when installing a WordPress website, WordPress uses wp_ as its database prefix by default, which makes it easy for hackers to guess your table names. Use the guide provided here to change your database table prefix. Note that this might break your WordPress website if it is not done properly.
- Disable directory indexing and browsing: directory browsing is a common way for hackers to gain access to your website. With it enabled, hackers can find out whether you have any files with known vulnerabilities and exploit them to access your website; it can also be used to access files, copy images, find out your directory structure, and gather other information. This is why it is highly recommended that you turn off directory indexing and browsing. Contact your web hosting provider to confirm whether it's enabled, or follow these steps to disable it.
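The first item above, replacing the default "admin" account, can be done without touching the database by hand. The script below is an added example, not code from the original article or from WordPress itself: it creates a new administrator, moves the old account's posts to it, then deletes the old account, using WordPress's own user functions. It assumes a single-site (non-multisite) install and is run once from the WordPress root, for instance with `wp eval-file replace-admin.php` (WP-CLI) or `php replace-admin.php`. The new username, e-mail address and file name are placeholders to change first.

```php
<?php
// replace-admin.php (placeholder file name). Added example: retire the
// default "admin" account by creating a replacement administrator, handing
// the old account's content to it, and deleting the old account.
// Take a database backup before running this.

if ( ! defined( 'ABSPATH' ) ) {
    // Running as plain `php replace-admin.php` from the WordPress root;
    // under `wp eval-file` WordPress is already loaded.
    require_once __DIR__ . '/wp-load.php';
}
require_once ABSPATH . 'wp-admin/includes/user.php'; // provides wp_delete_user()

$old_login = 'admin';
$new_login = 'site-owner-4f2c';      // placeholder: choose a non-obvious name
$new_email = 'owner@example.com';    // placeholder: must differ from admin's e-mail

$old = get_user_by( 'login', $old_login );
if ( ! $old ) {
    exit( "No user named {$old_login}; nothing to do.\n" );
}
if ( username_exists( $new_login ) ) {
    exit( "{$new_login} already exists; choose another name.\n" );
}
if ( email_exists( $new_email ) ) {
    exit( "{$new_email} is already used by another account.\n" );
}

// Long random password generated by WordPress. It is shown once at the end;
// store it in a password manager and change it on first login if you prefer.
$password = wp_generate_password( 32, true, true );

$new_id = wp_insert_user( array(
    'user_login' => $new_login,
    'user_pass'  => $password,
    'user_email' => $new_email,
    'role'       => 'administrator',
) );
if ( is_wp_error( $new_id ) ) {
    exit( 'Could not create user: ' . $new_id->get_error_message() . "\n" );
}

// Passing the new ID as the second argument reassigns the old account's
// posts and pages instead of deleting them along with the user.
if ( ! wp_delete_user( $old->ID, $new_id ) ) {
    exit( "Failed to delete {$old_login}; the new account {$new_login} (ID {$new_id}) was created anyway.\n" );
}

echo "Replaced {$old_login} with {$new_login} (ID {$new_id}).\n";
echo "Temporary password: {$password}\n";
```

The old account usually has user ID 1, which is as well known as the username itself; because the replacement gets a fresh ID, author URLs and REST endpoints that used to expose the administrator under ID 1 no longer do. On a multisite network use wpmu_delete_user() instead of wp_delete_user(), which this single-site script does not handle.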