Having your WordPress website hacked and losing the protection of your personal data, the control of your content and the painstakingly-earned reputation, is something you never want to endure. Unfortunately, it can happen – tens of thousands of websites are hacked each day.
Worse still, WordPress is by far the world’s most popular CMS. That means hackers recognize that their mastery of WordPress vulnerabilities theoretically gives them the power to infiltrate hundreds of millions of potential targets. It’s important that you get the security on your WordPress website right so you don’t become easy pickings. Here’s how.
1. Disable Plugin and Theme Editor
WordPress has a useful feature that gives website owners great leeway in editing and customizing plugins and themes from right within the WordPress dashboard. While this feature comes in handy, it can also be an entry point for malicious persons. A single error during editing can destabilize your site and even lock you out.
Hackers can insert malware into themes and plugins that then give them backend access to your website or allows them to completely take over administration. Disabling the editor makes it much harder for anyone to modify your plugins and themes without FTP access.
2. Cap the Number of Allowed Failed Login Attempts
Hackers will exploit any opportunity that gives them access to your website. One of the first things they’ll explore is the possibility of a front-end entry. If they can log in as a valid user and especially one with administrative privileges, they’ll have the freedom to do what they want with little resistance. A common technique to realize this goal is the brute force attack.
This may be done manually (if the attacker has an idea of what your password might be) but most often relies on automated tools. A brute force attack software will try numerous combinations of usernames and passwords until it stumbles on one that works.
WordPress websites aren’t protected from brute force attacks by default. You have to install a plugin that locks an account after a certain number of unsuccessful logins and blocks IP addresses that are the origin of multiple failed logins.
3. Find the Right Host
As the administrator of your website, you have the power to harden its security. Nevertheless, your site doesn’t exist in a vacuum. It sits on a hosting platform — and this can be a big problem. You may implement the most robust security checks on the site itself but all that could come to naught if the underlying hosting platform isn’t secure.
If an attacker can access and take control of your host’s servers, all efforts at securing your site will be futile. Go for web hosts that are established, reliable and have a stellar reputation. The best hosting platforms will be keen on highlighting the rigorous security strategies they’ve implemented on their site.
For example, if their servers are on the Azure cloud, it would be good to know that they make use of Azure monitoring tools to keep an eye on unusual system activity.
4. Conceal the WordPress Version
By default, WordPress allows visitors to your site to see the WordPress version you are using. This is largely in WordPress’ own interest as it makes it easier for them to know the number of active WordPress websites worldwide. But this can be detrimental to your site’s security. Each version of WordPress has publicly known vulnerabilities.
In fact, the reason for new releases is to close the loopholes identified in older versions. If hackers know what specific WordPress version your site is running, they can search the Internet for the vulnerabilities associated with that version. They can then focus their attack efforts on these vulnerabilities. By hiding the WordPress version, you make it much harder for hackers to succeed.
These are certainly not the only things you should do to keep your WordPress site secure. But they’ll go a long way in reducing the likelihood of a successful hack.