Last Updated: August 28, 2019
Why do so many people think that WordPress is insecure? This is one of the top important questions and ongoing discussions in the WordPress space. And while lots of developers overestimate or underestimate WordPress security, many users couldn’t care less.
People simply don’t have time or wish to dig into all this security stuff and prefer (at least something!) to go with a security plugin only. Are you among them?
Of course, press-the-button-the-site-is-secured tactic is pretty hassle-free. But this is just an extra layer for all other important security measures available. And probably that carelessness is one of the reasons for those regular insecurity talks.
However, neither software is 100% secure. And lots of things on your WordPress website depend on your own actions.
It’s never too late to secure your WordPress site better. Once you are here, there are some quick WordPress security tips you can try today:
Switch to HTTPS (use SSL)
This is already an obvious thing and you’ve probably seen this tip multiple times. There is a reason – it’s really serious. Basically, if your site domain name includes HTTPS, all your data, purchases, logins are sent encrypted across the network.
This helps protect your all your important website info against exploitation and, at the same time, improves your Google ranking. A pleasant bonus, isn’t it? Contact your hosting company to get more details on this.
Make sure you use a reliable hosting provider
There is a lot of info on how to choose a hosting provider and lost of representatives, too. To make things short and clear, we’ll look at the hosting from the security perspective only. Overall, here are a few things to consider:
- Dedicated hosting is better than shared for your WordPress website security;
- A good hosting provider comes with current software options (Apache, PHP, MySQL);
- The hosting provider ensures secure and constant data backups;
- Available and helping support team ready to address security issues quickly.
Upgrade to PHP 7
If you want your WordPress website to be more secure “by default”, consider upgrading it to PHP 7. This version is much faster and secure, so after upgrading, more likely you’ll have to make less efforts in order to protect your site.
The good news is that you can do that in a manner of clicks if your hosting provider allows it (if so, your host is awesome!). For example, Siteground provides this option, with Bluehost it’s also quite a simple process (btw, for all new Bluehost WordPress customers, they are adding in PHP 7 by default).
The bad news is that you should be sure that your plugins and themes are compatible with PHP 7 as well. And even those good plugins like PHP Compatibility Checker cannot give you 100% correct results. As plugin creators claim:
“Please note that linting code is not perfect…“
You may also need a complete guide on how to check your WordPress site’s PHP version and upgrade it safely or find a developer to help you with this.
Use a reliable WordPress security plugin
How could we make this list without security plugins?
It’s important to understand to that there is no perfect WordPress security plugin, each provides limited security measures. And the plugin is just one of the security layers.
There is a bunch of WordPress security plugins out there. However, some are limited in functionality or have bad reviews.
One of the best ones is a free All in One WP Security and Firewall. This is an all-around security WordPress plugin has a great reputation among non-tech users and developers. The plugin is tested to the latest WordPress core version, is regularly updated, comes with positive ratings and is really feature-rich.
What does it offer, actually? Best recommended WordPress practices and techniques for users registration, login and accounts security, login monitoring and statistics, database security, file system security, easy backups, blacklist functionality, firewall protection, and more.
One of the most popular top security plugins is Security Ninja. It protects your WordPress website against getting hacked. The plugin needs less than a minute to perform 50+ security tests and display immediate results with a detailed explanation of the problems. This top-rated product saves you a lot of time and makes your website really safe.
One more useful WordPress security tool is WP Security Audit Log that will monitor everything that is happening on your site. This plugin is especially useful if you run a multi-user website.
Improve website login security
Approx 90% of brute hacking attacks begin with the login page. This is one of the top priority things you should protect. Here are some best WordPress practices to make your login pages secure:
- Again, the easiest way is to use plugins like Login LockDown, which is particularly good at improving your login pages security through limiting login attempts;
- Create really strong passwords and change them regularly (you may use password generators for this purpose or go through the ultimate guide on how to set a strong password with the password managers suggestions, password strength indicator and a ton of other useful information.)
- Set a custom, unpredictable login URL (usual /wp-login or /wp-admin are more frequently attacked and more easily hacked). The plugins like iThemes Security or WPS Hide Login can help you with this. Remember that changing the URL alone won’t fully protect your site; this is just a component. It’s still important to have strong credentials, unique admin username, and WordPress SSL installed.
Constantly back up your site
Back up your site on a regular basis – it’s much safer to have copies of your site files at hand if anything happens.
To make the process easier, you can use UpdraftPlus – a great reliable plugin to always keep your crucial website data.
Use only quality plugins
Being a key powerhouse of WordPress, plugins are at the same time a source of problems, including security ones. But only bad quality plugins. One of the recent impressive news in the WordPress industry was that one about the Fake WordPress SEO plugin that infected 4000 websites.
So make sure every plugin you install is reliable: check whether it’s tested with the latest WordPress core versions, has positive reviews, is trusted by many users, regularly updated and supported.
Too many spam is not a good sign for your website security – it attracts malicious behavior and decreases your website reputation.
To fight with spam attacks, you can simply go with a trusted anti-spamming plugins like Akismet or go manually through the process of adjusting default article settings wisely (for example, close comments for articles older than … days, paginate comments pages, enable email notifications, manually moderate comments with links, etc.)
See? There are lots of affordable and easy ways to bring your WordPress website to a higher security level. Think about it before something bad happens. By the way, is there anything else we should add to this list?