Essential Tips to Keep Your WordPress Site Secured
19 Feb
Let’s face it: no one likes getting their website or social profile hacked. But those are two different scenarios, so let me explain the difference.
Getting a social profile hacked means loss of personal data and, more importantly, that data ending up in the wrong hands. If you can recover the account, only you and your close ones are affected.
But when your website gets hacked, you first lose the authentic profile you built as an online blogger or marketer, and your earnings take a hit too.
I guess the first scenario is straightforward, but the second one holds a lot underneath. Don’t worry, we will get to WordPress and I’ll share some tips to make it as secure as possible, but we need to understand the basics first and get on the same page.
After-effects of a website hack
Let’s start with the email list. Every blogger builds an email list; it creates trust among readers and brings more traffic and conversions. Once your website gets hacked, the unknown culprit can copy that list and send your subscribers malicious content, or try to sell them something you never would have. Very soon, the ISP will notice that the email address attached to your domain is sending spam and will block you. From then on, every new mail you send goes straight to the spam folder, which no one dares to open.
Now for the second scenario, where the hack affects the money your blog makes. Once you lose credibility with your email subscribers, they will no longer believe your words and will stop buying what you’ve been recommending and earning from so far. Also, if the website goes down, traffic goes down, and earnings hit the ground with it.
Finally, while you work hard to recover from these two major losses, a third one happens at the same time. The moment the site gets hacked, you start spending your time on the wrong side: finding what went wrong, then trying everything you can to fix it and minimize the damage. I don’t need to remind you how valuable time is for all of us.
To keep your website, efforts, earnings and time on the right path, you need to understand one fact that comes attached to every WordPress website: WordPress is an open-source platform.
Even if it weren’t freely available, an expert hacker could still have hacked it, but having the source open makes his/her job simpler. Still, the developers behind WordPress put a lot of hard work into keeping things strong so that it doesn’t look like a piece of cake for the wrong hands.
A few of the steps you can take to harden a WordPress installation are extremely simple and look obvious, yet they are foolproof against ordinary hackers or attacks. But I’ll also share a few top-notch methods you can apply to minimize the chances of getting hacked.
Note – No website on the Internet is completely hack-proof. You need to understand this fact! But if you harden the protection, you are at least forcing the hacker to use the best of his/her methods and efforts.
Essential methods to keep your WordPress site secured
I’m dividing the methods by toughness, so let’s start with the obvious ones. You can also call them the essential ones.
#1 Keep WordPress updated
As I said above, the team behind WordPress is already aware of the downsides on the security front and is very keen to keep the product safe. To ensure this, they are always working on improving it and release technical and security updates regularly.
Now, it’s your duty to keep your website updated with every new release. You can skip a minor technical update, but if it’s a security one, it’s highly recommended to act. FYI, before you take the decision, make sure that all the plugins you’re using are compatible with the newly released version.
#2 Use strong Admin password
Anyone introduced to WordPress basics and the dashboard behind it knows that the back end is reached through the /wp-admin login page. You can’t change that fact, but what you can do is use a strong password that is tough to guess and even tougher for software to predict through some algorithm (yes, there are many tools available for making such predictions). You also need to delete the default Admin user and create a new one with a unique name and a strong password to accompany it.
When I say ‘strong’ I mean a password that combines lowercase letters, uppercase letters, numbers, and special characters. These days, WordPress itself suggests a system-generated strong password, which is tough for humans to remember. So, either create your own strong password and remember it, or use the system-offered one, keep it safe and try to memorize it.
#3 Remove WordPress version
Moving on, every WordPress installation displays the exact version being used, and you can view it on any website which hasn’t hidden it yet. Once a hacker knows the WordPress version, it becomes too easy for him/her to begin the real work. On the other hand, if the version isn’t confirmed, he/she has to do a lot of digging to first find the version and then start attacking the vulnerabilities that came with it.
So, to remove the WordPress version, which doesn’t affect functionality in any way, either use a plugin named Remove Version or follow the instructions shared by Jeff Starr on his blog.
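If you prefer to do this without a plugin, the following is an added example of a small must-use plugin that hides the version in the three places WordPress core prints it. This is example code written for this page, not the Remove Version plugin or Jeff Starr’s instructions; the file name and the `hwv_` prefix are my own choices.

```php
<?php
/**
 * Plugin Name: Hide WordPress Version (added example)
 * Description: Save as wp-content/mu-plugins/hide-wp-version.php so it loads
 *              automatically. Example code for this post, not from a plugin.
 */

// 1. Drop the <meta name="generator" content="WordPress x.y"> tag from <head>.
remove_action( 'wp_head', 'wp_generator' );

// 2. Blank the generator string that core also prints in RSS/Atom feeds.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Core appends ?ver=<wp_version> to its own enqueued scripts and styles.
//    Strip that query string only when it equals the WordPress version, so
//    plugins and themes that version their assets keep their cache busting.
function hwv_strip_core_version( $src ) {
    global $wp_version;
    if ( false !== strpos( $src, 'ver=' . $wp_version ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'hwv_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'hwv_strip_core_version', 9999 );
```

Two things worth checking afterwards: the `readme.html` file that ships in the web root also states the version, so delete it or block it in the web server configuration, and remember that hiding the version only slows down reconnaissance. Tip #1, keeping WordPress updated, is what actually closes the holes.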
#4 Use better & reliable host
If you’ve chosen a host no one has ever heard of, one that doesn’t offer quality service meeting industry standards, then you made a wrong choice from the beginning. You now need to first take a complete backup of your website, both the front end and the database, and then transfer it to a better and more reliable host.
If your budget is too low, you can pick between Bluehost, iPage, ASmallOrange, etc., but if your budget allows, you can pick DreamHost, InMotion, SiteGround or any other known name of your choice. Keeping a good host at the back end ensures top-notch security for the server where your website lives, and a dedicated guard to keep things from going haywire. In short, never opt for a host you can’t find good reviews of.
#5 Always keep an updated backup
As mentioned in my last point, it is necessary to keep a backup of the current version of the website. This way, even if a hacker gains access to your website, you can remove everything from the server and restore the site from the backup of the last good version.
This isn’t a way of protecting the website, but it surely helps in keeping the site alive after a disaster. Also, WordPress sites run into a lot of technical issues, and in those cases your website can go down. So, having a backup of the last good version helps you stay on the better side.
Super Strong ways to keep WordPress protected
Moving on, the following are the top-notch methods you can follow to keep your WordPress site away from hacking attacks.
#1 Keep an eye on Plugins
Plugins are the easiest way to inject malicious code into a website, and the worst thing is that, if it happens, it is done by your own hands. To keep yourself from doing any harm to your site, check the reviews and support pages of each and every plugin installed (or about to be installed).
One can’t do much without plugins, and thus they are a big pro for the platform, but because of this side effect they are also counted among the cons. You can read the pros and cons of WordPress in the detailed report posted by David Lockie. It was published two years ago, but the points he mentioned still check out.
#2 Limit the login attempts
There are plugins to help you achieve this, and it’s kind of a pro way to protect your website. A Brute Force Attack is a mechanism that runs through every possible password combination for a website until it finally gets a hit. It works very easily, and the attacker doesn’t even need to be looking at the screen while it cracks your password, as it’s totally automatic.
So, how can you protect your website from a Brute Force Attack? Well, the downside of this method is that it has to try every possible login credential. You can turn that downside to your benefit by limiting login attempts. By default, WordPress allows unlimited attempts to log in to a site. Using some plugins, you can limit that number and bring it down to 5 or 10. Once a user crosses the limit, block that user from accessing the site for a whole day or maybe a few hours. This way, a Brute Force Attack will need much longer to do the cracking. You can check out the Login LockDown plugin, which looks good to me.
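To show what such a plugin does under the hood, here is an added example of the same idea implemented directly against WordPress hooks: count failed logins per client IP in a transient and refuse further attempts once the limit is reached. This is example code written for this post, not the Login LockDown plugin; the `lla_` prefix, the file location and the limits (5 attempts, 1 hour) are assumptions you can change.

```php
<?php
/**
 * Plugin Name: Limit Login Attempts (added example)
 * Description: Save as wp-content/mu-plugins/limit-login-attempts.php.
 *              Example code for this post, not the Login LockDown plugin.
 */

define( 'LLA_MAX_ATTEMPTS',    5 );               // failures allowed per window
define( 'LLA_LOCKOUT_SECONDS', HOUR_IN_SECONDS ); // lockout length; DAY_IN_SECONDS for a day

// Key the counter on the client address. REMOTE_ADDR is the TCP peer, so behind
// a reverse proxy or CDN it is the proxy; have the web server restore the real
// client IP there rather than trusting X-Forwarded-For from this code.
function lla_transient_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lla_fail_' . md5( $ip );
}

// Every failed login bumps the counter. The transient expires after the lockout
// period, so the counter resets by itself without any cron job.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lla_transient_key();
    $fails = (int) get_transient( $key );
    set_transient( $key, $fails + 1, LLA_LOCKOUT_SECONDS );
} );

// Once the limit is reached, replace whatever the core password check returned
// with an error. Priority 30 runs after core's handlers at priority 20, so a
// correct password is refused too while the IP is locked out.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( lla_transient_key() ) >= LLA_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed login attempts. Try again in %d minutes.',
                     LLA_LOCKOUT_SECONDS / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( lla_transient_key() );
}, 10, 2 );
```

Because the counter is per IP address, this slows down a single machine hammering /wp-login.php but not an attack spread over many addresses, which is why a good host (tip #4) with rate limiting or a firewall in front of the site still matters. The failed attempts also reach the web server access log, so they can be watched there as well.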
#3 Move the login page
This is another method of misleading the hacker and helping your website stay safe. If the hacker isn’t trying to hack the server and is just looking to get in through the back door of WordPress, i.e., the login page, then you can make his job harder by moving the login page somewhere else.
This can be achieved with a simple plugin, Lockdown WP Admin, which can even put HTTP authentication on the login page. Moreover, the plugin doesn’t touch any other login- or security-related code in WordPress core and still does its job precisely.
#4 Use themes running on validated code
Just as I told you to choose a reliable host and check your plugins, you need to check and use validated themes. Themes are the second way of injecting malicious code into the core system, so it’s highly recommended that you use only authentic products from reputable sources. For a free theme, always use the WordPress.org catalogue, or you can get paid or free ones from MyThemeShop, StudioPress, ThemeForest, ElegantThemes and any other major player in town.
#5 Set File/Directory permissions
Well, if you look into the File Manager on the server side, you’ll find a file or directory permission system. Those simple numeric codes lock a file or directory down or keep access open, depending on the settings. You need to understand them and put a custom lock on your files and directories. You can find detailed coverage of the same over here.
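Rather than clicking through every folder in the File Manager, you can let a script find the loose spots. The following is an added example, written for this post and not taken from any plugin or guide, of a command-line PHP script that walks a WordPress install and reports anything more permissive than the common baseline of 755 for directories and 644 for files, with `wp-config.php` held at 640 because it holds the database credentials. The script name and the baseline values are my assumptions; adjust them to what your host documents.

```php
<?php
/**
 * audit-perms.php (added example): report files and directories whose
 * permission bits are more open than the baseline. Run from a shell:
 *   php audit-perms.php /var/www/html
 * Exit status 1 when something needs tightening, 0 otherwise.
 */

$root = isset( $argv[1] ) ? rtrim( $argv[1], '/' ) : '.';   // assumed web root

$expected_dir  = 0755;   // rwxr-xr-x for directories
$expected_file = 0644;   // rw-r--r-- for files
$config_max    = 0640;   // rw-r----- for wp-config.php

$issues = 0;
$iter   = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
    RecursiveIteratorIterator::SELF_FIRST
);

foreach ( $iter as $path => $info ) {
    $mode = fileperms( $path ) & 0777;            // keep the permission bits only
    if ( $info->isDir() ) {
        $limit = $expected_dir;
    } elseif ( basename( $path ) === 'wp-config.php' ) {
        $limit = $config_max;
    } else {
        $limit = $expected_file;
    }
    // Any bit set in $mode but not in $limit means "more open than intended".
    if ( $mode & ~$limit ) {
        $issues++;
        printf( "%04o %s%s\n", $mode, $path,
                ( $mode & 0002 ) ? '  <-- world-writable' : '' );
    }
}
printf( "%d item(s) more permissive than the baseline.\n", $issues );
exit( $issues > 0 ? 1 : 0 );
```

World-writable entries are the ones to fix first, since any account on a shared server can then change them. Whether 755/644 is right for you depends on which user PHP runs as: when it runs as your own account, that baseline works everywhere, and the uploads directory is the usual exception that needs to be writable by the web server rather than opened up to 777.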
Final tip – “Never access site on the unknown network.”
This simple tip can keep not only your website but also the personal data on your laptop or smartphone safe. Never connect to an unknown network which isn’t using any sort of encryption. When using public Wi-Fi, always limit usage to the necessary apps and never think of accessing your website.
Over to you
Finally, it’s in your hands which exact methods you follow to get the site as secure as possible. I understand that following all these steps is not a single-day job and requires a lot of technical knowledge, but you can easily find a dedicated guide or YouTube videos to help yourself out. In the coming future, we will try our best to come up with separate guides on the methods you find hard to follow. Let us know your thoughts and feedback in the comments section below.