Bloggers and small-to-medium-sized companies will find WordPress to be a true blessing. WordPress has saved millions of people time and money over the last two decades thanks to its easy-to-use functionalities, appealing themes, and effective plugins. But what else can something (unwittingly) attract when it is used and trusted by millions of people? Heck yea– Hackers!

“All right! So, now I have to employ a software developer for thousands of dollars to protect my data or purchase costly protection programmes to secure my website?”

If that’s what’s on your mind, we’ve got some good news for you! You can defend your website from hackers on your own by taking some tested, concrete, yet easy-to-follow measures. The best part is that all of these security measures are either free or low-cost!

Here are eight simple protection strategies you can use to secure your WordPress website.

  1. Login Security
  2. Passwords and accessibility
  3. URLs and Paths
  4. SSL certificate
  5. Updates
  6. Monitoring
  7. Firewall
  8. Hotlinking Blockage

1. Login Security

If the username of your main administrator account is “admin,” you’ve just made a hacker’s job 50% easier! Now all the hacker has to do is figure out the password, and he’ll be good to go! Using your email address or another unique username rather than a generic one like admin is a much better choice. If several authors/employees have access to your website/blog, the same rule should apply to anyone who creates an account on your site.

Hackers usually keep ready-made wordlists containing millions of commonly used usernames and passwords. They run automated tools that keep trying different username/password combinations until they find the right one. This is called a brute force attack. To protect your site from these scripts, enable a lockout function: it blocks a visitor’s IP address after a certain number of failed login attempts. A lockout function is available in a number of plugins, including Loginizer, iThemes Security, Limit Login Attempts Reloaded, WPS Limit Login, and others.

Another kind of login protection plugin provides two-factor authentication. This lets you require a second authentication step in addition to your standard password: a secret code, a security question, or phone/email verification with a one-time password (OTP). Two-factor authentication plugins include Two-Factor, WordPress 2-Step Verification, Unloq Two Factor Authentication, Google Authenticator, and others.

2. Accessibility and Passwords

It isn’t news that your password should be unique and contain uppercase letters, lowercase letters, numbers, and special characters. However, some people still respond to this advice with “blah blah,” “eh,” and “whatever”! Even if you choose a safe password for your own account, if you run a multi-author blog with several people accessing your admin screen, you’ll need to take extra precautions with passwords. You can’t guarantee that everybody takes password creation as seriously as they should. For this you’ll need a plugin like Force Strong Passwords, which requires all of your users to create strong passwords. You can also use password managers like Password pointer, Profile creator, and Disable post passwords, as well as tools like Secure Password Generator.

“But do I really need to worry about something as petty as passwords? Isn’t it common sense to create a secure password?”

According to SplashData’s survey, the top 10 most used passwords in 2018 are as follows.

  1. 123456
  2. password
  3. 123456789
  4. 12345678
  5. 12345
  6. 111111
  7. 1234567
  8. sunshine
  9. qwerty
  10. iloveyou

The point is that assuming other users will be as concerned about the protection of YOUR website/blog as you are can be a fatal mistake.

For the wp-admin directory, you can also add an additional layer of password protection. This two-password scheme means there are two different passwords: one for the login page and another for the admin section. The first password can be set using .htaccess or cPanel, and the second is the one you use to log into WordPress.

When several authors/employees have access to your blog, you can restrict their roles and permissions. Only you should have complete control over your admin panel, with others having access to only the features that are needed for them to do their jobs. Any portions of the admin panel can be password protected if you don’t want other users to have access to them. We’re not suggesting you shouldn’t trust the intentions of your co-authors or employees. However, when a large number of people visit your website, the chances of negligence rise, and negligence is a major contributor to website vulnerability.

3. Paths and URLs

Is it dangerous if a robber finds the house keys you accidentally lost in a mall? Only if he also knows your home address! Similarly, a brute force attack can only be carried out if the hacker knows the exact URL of your WordPress admin login page. By default, the WordPress dashboard is reached by appending wp-login.php or wp-admin to your site’s main URL.

Rename your login URL to something unique, such as yourname new login or ilovedogs-login.php. With this little trick, only people who know the exact URL can reach your admin login page; unauthorized users cannot find your login tab. The same rule applies to the WordPress database tables, which use the wp_ prefix by default. You can change it to something else, such as yournamewp_, thiswp_, mynewwp_, and so on.

Using iThemes Security or WP-DBManager, you can easily perform this trick.

Since the wp-config.php file contains sensitive information about the entire WordPress site, it must be kept safe from hackers. By default it is stored in the root directory. If you move wp-config.php to a different location (a folder above the root directory), hackers will have a harder time finding it.

4. SSL Certificate

A secure sockets layer (SSL) certificate encrypts data sent between your website and its users, making it more secure. Once SSL has encrypted sensitive data such as passwords, SSNs, bank account numbers, dates of birth, and so on, no middleman (read: hacker) can decrypt it. Without an SSL certificate, hackers could intercept your WordPress password and take complete control of your website. Sectigo SSL certificates come with a warranty amount that acts as protection: in the unlikely event that the encryption fails, the certificate authority compensates the hacking victim for the loss up to the warranty limit. As a result, the website owner’s liability is transferred to the SSL certificate authority, and the website owner can sleep soundly at night in an otherwise dangerous technological environment. Sectigo SSL certificates start at $8 per year and come with a $50,000 warranty.

Extra benefit: Google’s ranking algorithm favours SSL-enabled websites and ranks them higher than websites without SSL certificates. As a result, an SSL certificate is an integral part of your website’s SEO!
Caution: Google Chrome penalises websites without an SSL certificate by displaying a ‘Not secure’ label before the domain name in the address bar. Such a security warning acts as a traffic-killer for a website. With an SSL certificate the browser shows https:// (rather than http://) and a padlock icon before the domain name. These indicators are enough to earn your visitors’ trust.

5. Updates

Hackers are constantly looking for flaws in existing software in order to exploit them. That’s why WordPress keeps improving its platform and releasing newer, more stable versions that add features and fix the bugs and security holes found in previous versions. That is also why you must keep every component of your WordPress site, including plugins and themes, up to date.

If you use a managed WordPress hosting service, all of the WordPress components are updated automatically. Managed WordPress hosting providers include Kinsta, Bluehost, WPEngine, FastComet, SiteGround, Flywheel, and others. Since these hosts vary widely in price and features, compare them carefully before deciding on one.

6. Monitoring

Audit logs: It’s important to keep track of what the various contributors to your website (co-authors, moderators, commenters, etc.) are doing. Audit logs give you an accurate record of other users’ actions on your site, so you can be sure they aren’t doing something they shouldn’t, such as changing themes or plugins. They also show failed login attempts, allowing you to detect a brute force attack at an early stage.
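As an added example (not from the original post), here is the lockout rule from the login-security section applied offline to a web server access log, the same failed-login view an audit log gives you. It assumes the Apache combined log format and the usual WordPress behaviour of answering a wrong password on wp-login.php with HTTP 200 (the form is re-rendered) and a correct one with a 302 redirect; the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fields we need from an Apache "combined" access log line (assumed format).
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def failed_logins(lines):
    """Yield (ip, timestamp) for each request that looks like a failed login.
    Assumption: WordPress re-renders wp-login.php with HTTP 200 on a wrong
    password and answers a correct one with a 302 redirect to wp-admin."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a combined-format line
        path = m["path"].split("?", 1)[0]  # drop ?redirect_to=... etc.
        if m["method"] == "POST" and path.endswith("/wp-login.php") and m["status"] == "200":
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT)

def brute_force_ips(lines, threshold=5, window=timedelta(minutes=10)):
    """Apply the lockout rule: flag an IP once it has `threshold` failures inside
    a sliding `window`. Returns {ip: time of the failure that tripped the rule}."""
    recent = defaultdict(deque)
    flagged = {}
    for ip, ts in failed_logins(lines):     # log lines are in time order
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:           # forget failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

# Constructed sample: one IP hammering the login form, one legitimate user.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:12:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, when in brute_force_ips(SAMPLE_LOG.splitlines()).items():
        print(f"lock out {ip}: 5 failed logins by {when.isoformat()}")
```

A lockout plugin applies the same rule in real time; running it over the log afterwards tells you whether an attack happened before the plugin was installed.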

Security scans/vulnerability scans: WordPress security scans work much like anti-virus scans on your computer. They scan your entire website for suspicious scripts, viruses, malware, and other threats, and remove them immediately. There are a number of security scanners available for WordPress, and CodeGuard offers one as well.

7. Firewall

A firewall defends websites and computers from viruses, malware, and hacker attacks, among other things. While most computers and websites have some kind of firewall, you’ll need a web application firewall (WAF) to effectively keep hackers out of your site. It works by inspecting each request/visitor to your website and blocking malicious requests (e.g. hacking attempts). It’s simple to set up a firewall for your WordPress site. Well-known firewalls for WordPress include Sucuri, Wordfence, iThemes Security, and others.

8. Image Hotlinks

Image hotlinking is when someone displays an image on their own website by using the image’s URL from another website (without permission). If someone links to one of your website’s image URLs from his or her blog, you may not realise it until it’s too late. Hotlinks consume your website’s bandwidth, slowing down your pages, and they put additional strain on your server.

There are two widely used methods for preventing image hotlinks.

Plugins: All in One WP Security and Firewall, Configurable Hotlink Protection, Cache Image, and others prevent other sites from hotlinking your images.

Code: In cPanel, open File Manager, go to public_html and open .htaccess (right-click and select ‘View/Edit’).

Scroll to the bottom of the file and paste the following lines.

# Prevent image hotlinking in WordPress
# (.htaccess comments start with "#"; the backslash before each dot makes it match a literal ".")
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomainname\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F]
*yourdomainname.com = write your website’s domain name

If you want websites other than Google to be able to display your images, you can allow them with one extra line each. For example, to allow LinkedIn, add the following line before the RewriteRule.

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?linkedin\.com [NC]
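The rules above decide purely on the Referer header, so it is worth checking exactly which referers they let through. The following added example (not from the original post) reproduces the RewriteCond/RewriteRule chain in Python and compares the page’s patterns, written with unescaped dots and nothing after the host name, against a tightened version; yourdomainname.com is the placeholder from the snippet and the referers are constructed.

```python
import re

# The rule only ever fires for image requests (RewriteRule pattern, [NC] assumed).
IMAGE_RE = re.compile(r"\.(jpg|jpeg|png|gif)$", re.IGNORECASE)

# Allow-list patterns as the page's snippet writes them: the "." is unescaped and
# nothing follows the host, so any referer that merely *starts* with the host matches.
LOOSE_ALLOWED = [
    r"^http(s)?://(www\.)?yourdomainname.com",
    r"^http(s)?://(www\.)?google.com",
]
# Tightened form: escaped dots and a required "/" or end of string after the host.
STRICT_ALLOWED = [
    r"^http(s)?://(www\.)?yourdomainname\.com(/|$)",
    r"^http(s)?://(www\.)?google\.com(/|$)",
]

def hotlink_blocked(path, referer, allowed=STRICT_ALLOWED):
    """Mirror the chain: every RewriteCond must hold for the [F] to fire.
    Blocked only if the request is for an image, the Referer is non-empty
    (RewriteCond %{HTTP_REFERER} !^$) and it matches none of the allowed patterns."""
    if not IMAGE_RE.search(path):
        return False
    if referer == "":                      # direct visits and privacy-stripped referers pass
        return False
    return not any(re.match(p, referer, re.IGNORECASE) for p in allowed)  # [NC]

def compare(path, referer):
    """Return (blocked by the page's patterns, blocked by the tightened patterns)."""
    return (hotlink_blocked(path, referer, LOOSE_ALLOWED),
            hotlink_blocked(path, referer, STRICT_ALLOWED))

# Constructed referers a server might see for /wp-content/uploads/photo.jpg
CASES = {
    "":                                      "browser typed the URL / no referer",
    "https://www.yourdomainname.com/blog/1": "your own site",
    "https://google.com/search?q=photo":     "Google",
    "https://other-blog.example/post":       "someone else's site",
    "https://yourdomainname.com.example/":   "host merely prefixed with your domain",
    "https://yourdomainnameXcom/":           "unescaped dot matches any character",
}

if __name__ == "__main__":
    for ref, why in CASES.items():
        loose, strict = compare("/wp-content/uploads/photo.jpg", ref)
        print(f"{why:40} loose={loose!s:5} strict={strict}")
```

The Referer header is sent by the visitor’s browser and can be absent or changed, so this is bandwidth protection against casual hotlinking, not an access control for the images themselves.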

Final thoughts

The measures outlined above will address the majority of security issues that your WordPress website can encounter. Website protection, on the other hand, is a complex subject. Nobody can guarantee complete protection, particularly when election results, government websites, and top-secret projects are all being hacked! Having said that, unless you’re writing a blog about how to build nuclear missiles (just kidding), you shouldn’t be concerned about high-end hacking attacks. The most important thing you can do is block regular and/or automated attacks, which you can do with the 8 tips in this post.
