10 tips to improve the security of your WordPress website
In this article we will explain how to increase the security of your WordPress site, with 10 simple tips that you can apply in minutes.
WordPress is a secure CMS, with constant updates that aim to fix both visual problems and possible security breaches. With these 10 tips we want to help you make your company’s website even more secure, since in today’s world it is a fundamental factor for any company that wants to offer its services or communicate through the Internet.
These tips are like small bricks that are placed on top of a wall, the more complete the security work is, the higher the wall will be and the more difficult it will be for possible attackers to get away with it.
10 tips to make your WordPress site more secure:
1. Frequent backups
2. Change Wp admin access
3. Complex login data
4. Limit the number of login attempts
5. Download the Security Plugin for recognized sites
6. Enable HTTPs certificate
7. Only use known plugins and themes
8. Keep everything up to date
9. Be careful with Spam
10. A server with guarantees
1. Frequent backups
In our opinion the most important point of the whole list. In itself it is not a factor that helps you to improve the security of your website, but it can help you in case of a serious incident. Many hosting providers offer you a backup and restore system, apart from this we recommend you to have a local backup file.
This is a point that is rarely used, but it is true that in case of important changes in your website or in case of a possible attack, it can serve as insurance to restore the website.
2. Change the admin access
Many of the successful attacks to wordpress pages, have as one of the important factors to have the default access to the login screen to access the administrator panel. By default WordPress places after your domain the path “/wp-admin”, for example in the case of the local max website it would be : “https://www.localmax.es/wp-admin”. Not changing it makes it easier for possible attackers to access your website, because if the passwords are not complicated either, they would be inside in the blink of an eye.
There are many security plugins that can help you to change in a simple way this access from “https://www.localmax.es/wp-admin” to for example “https://www.localmax.es/local-seo-experts-admin”, which makes this type of attacks much more difficult. At the point where we will deal with security plugins, we will recommend 3 that we particularly like.
3. Complex access data
By default comes the user “admin” in the access to your wordpress, if you do not change it you are giving half a job done to your attackers who only have to discover the password. So as a first step to make the login data more complex, is to customize your username. As a second step you have to configure the password, to make access more difficult. Only numerical passwords or only with letters, are very easy to be deciphered by the attackers, for that reason to be able to have a totally safe password the most advisable thing is to use numbers, letters, signs, etc. I am going to leave here below a tool with which you can know in a simple way the difficulty of your password.
4. Limit the number of login attempts.
The purpose of this is to block access for minutes or even hours, in the case of entering incorrect login data, a certain number of times. This will limit the attempts by attackers, making it very difficult for them to access your website in this way.
This can be easily configured with plugins such as Wordfence, Limit Login Attempts, Login LockDown, etc.
5.Download Security Plugin from known sites
A security plugin is a point that can help you a lot to improve the security of your website in a simple way, with which you can configure different variables, which will help you to have a safer website.
Among the most recognized plugins in relation to security in wordpress are:
- Wordfence Security
- All In One WP Security & Firewall
- Defender Pro
These plugins allow you to use many features in relation to security; login analysis, firewalls, protection against brute force attacks, malware analysis, among many others.
To emphasize a feature that we did not touch on before, we want to stress the importance of using a firewall. A firewall is an additional layer that offers protection ahead of our web, by detecting these attacks.
6. Enable HTTPs Certificate
This protocol allows secure communication between your server and the user, avoiding attacks that occur in intermediate services. This consists of an encryption of the information of both. SSL certificates are used to protect data transfers, credit card transactions, logins and other personal information of users visiting a website. In addition, Google is starting to take very much into account the pages that have this certificate.
7.Only use recognized plugins and themes
This lies in the importance of not having security holes in your site. Plugins or unrecognized themes, usually do not have frequent updates, which can be a gateway for attackers. So as a recommendation before installing a plugin check certain things:
User ratings
The age and frequency of updates
Analyze the developers and if they have other jobs.
8. Keep everything updated
A very important task when managing a wordpress site, is to keep everything updated. Both the WordPress core, as well as the themes and plugins. The importance of this lies in the fact that many of these updates are to improve compatibility with WordPress, or to solve certain security problems.
These WordPress core updates can be done either manually from your wordpress admin panel or automatically. In order to have it configured to update automatically, you must add the following code “define(‘WP_AUTO_UPDATE_CORE’,true);”, in the “wp-config.php” file.
But it is not only a matter of having the WordPress updated, it is also very important to have the themes and plugins, since according to data from wpscan.org 63% of vulnerabilities are due to these two blocks, mostly plugins.
Here are two lines of code that will make your themes and plugins are updated automatically, both must be included in the functions.php file of the theme or plugin.
-Theme: “add_filter(‘auto_update_theme’,’_return_true’);”
-Plugin: “add_filter(‘auto_update_plugin’,’_return_true’);
9.Beware of Spam
Spam is a way for attackers to look for vulnerabilities in your site, forcing you to enter malicious links sent through your web contact forms. If you are not careful with this, apart from being a possible danger to your website, it can also be very annoying. For it we recommend 3 steps to reduce your spam by means of contact forms practically to zero:
Use required fields, this will make it difficult for robots to send forms.
Use a captcha, this can be of many types. For example one that we like a lot is to include a small mathematical operation, to verify if it is not a robot who is filling out the form.
Use a Spam plugin such as Akismet. This plugin will filter and analyze the senders of these forms, to know if they can be spam.
10. A server with guarantees
The server where we have hosted our web, has its importance at the time of improving the security of the site. We recommend hostings that have an updated control panel, compatibility with wordpress and a technical support that helps you in case of problems with both the server and wordpress.
Finally we want to emphasize that there is nothing 100% secure, but we hope that you will apply these tips to make your website even more secure and secure from most attacks. These tips are simple tips, there are others with a greater complexity that can also help you improve the security of your wordpress touching more technical issues, which we will discuss in another text.