If you are running a WordPress website, you know how important it is to keep your site secure and protected from attacks. WordPress is one of the most popular content management systems in the world, which unfortunately makes it a prime target for hackers.
In this article, we will show you how to secure a WordPress website, step-by-step, to keep it protected from potential threats.
From updating your plugins to implementing two-factor authentication, we’ll cover all the essential security measures you need to keep your site safe. So, let’s get started!
Install only trusted plugins
Most WordPress websites get hacked or infected by malware due to shady plugins (but this isn’t the only way). If you are adding plugins, use the Add Plugins feature in WordPress.
Also, make sure they have been updated recently and that they have good reviews.
You should never upload and install plugins you downloaded from questionable websites.
Get quality hosting
These providers specialize in WordPress and have a lot of security features such as WordPress hardening, bot protection, and servers that are configured to run WordPress effectively and safely.
Remove the “admin” account
Once you install WordPress on your hosting plan, it might create an “admin” account. This is bad practice, and that admin account should be removed as soon as you create a new website.
If there is an admin username, create a new Administrative level user account and remove the default admin username from your Users dashboard. You should also always use strong and secure passwords, WordPress has a feature to create them by default.
Install and configure a WordPress security plugin
Installing and configuring a WordPress security plugin is one of the most important steps you can take to secure your website. A good security plugin will provide multiple layers of protection, including firewalls, malware scans, and brute force attack prevention. It can also help you monitor your website for potential security breaches and alert you if any are detected.
When choosing a plugin, make sure to research and compare features, read reviews, and consider the plugin’s active installs and overall reputation within the WordPress community. Once you’ve chosen a plugin, be sure to properly configure all of its settings, including enabling two-factor authentication and setting up email notifications for security alerts.
By taking the time to install and configure a security plugin, you can significantly increase the overall security of your WordPress website.
Change the default /wp-admin URL to something else
The jury is still out regarding how much this helps, but we personally think that it doesn’t hurt. The backend wp-admin URL is a common way for hackers to try to gain access to your website. Since all WordPress websites have the same login URL, it’s easy to try to access the website using the default admin username and different password combinations.
You can change the default wp-admin and wp-login.php URLs using WP Cerber or a dedicated plugin like WP Hide Login.
Enable 2-factor authentication (2FA) for admin logins
There are several plugins that do this, but I recommend the premium version of WP Cerber. Some hosting providers might also offer this security option.
Install an SSL to remove the unsecured message in the user’s browser
Most good hosting providers offer free SSLs. This won’t help a tremendous deal with hacking but it’s a must for all websites in 2024 when it comes to user experience and SEO.
Add a free Cloudflare CDN if your host doesn’t offer CDN out of the box
CDN stands for content delivery network. It’s a way to serve website files based on the closest location to where your visitor resides. For example, if your visitor is in Asia, but your website servers are in North America, your website will be slow to load in Asia. A CDN uses servers that are closer to the visitor speeding up this process.
A CDN provider also improves the security of the website. CDN services have lots of servers, which means they can handle a ton of traffic, even if there’s a sudden flood of visitors from a DDoS attack. This way, they can keep the website up and running, even when hackers are trying to take it down.
This will help against DDOS attacks and give you a small performance boost. For more CDN benefits, check out this article by Cloudflare.
Update your WordPress regularly
Keep your WordPress core, plugins, and themes up to date. This is another common way that hackers and bad actors can exploit your website. Your WordPress core, plugins, and themes should be updated at least once a month, or more often if critical security updates are released.
Also, keep PHP, and database versions up to date for better performance and security.
Add reCaptcha to forms
Add reCaptcha or honeypot to your forms, logins, and checkout pages. This can help with bot protection, it can limit spam, and it can also help with credit card swiping and credit card testing on eCommerce websites.
Be careful as this can impact the performance of your website. Add reCaptcha only to pages that need it.
How to secure a WordPress website – Recap
To recap, here are our top recommendations on how to secure a WordPress website:
- Install only trusted plugins
- Use good quality hosting
- Remove the admin account
- Install and configure a WordPress security plugin
- Change the default login links
- Enable two-factor authentication
- Install an SSL
- Use a content delivery network (CDN)
- Update your WordPress website regularly
- Add a reCaptcha to forms
About Clio Websites
Clio Websites is a full-service website design and marketing company in Calgary. We have vast experience in responsive website design, website maintenance, WordPress development and support, and SEO. Clio offers free consultations and free website evaluations and we receive glowing reviews from our clients.
We are always available and happy to answer any questions you may have so don’t hesitate to get in touch with us.