WordPress is a true blessing for bloggers and small-to-medium scale businesses. With its easy to use functionalities, attractive themes and efficient plugins, WordPress has saved time and money for millions of people around the globe over the last two decades. But when there is something that is used and trusted by millions of users, what else can it (unwillingly) attract? Heck yea– Hackers!

“Okay! So, now I need to spend thousand of dollars to hire a software developer to protect my data or buy expensive security programs to secure my website?”

If that is what’s crawling into your mind, we have good news for you! There are some proven concrete (yet) easy-to-follow steps that you can take by yourself to protect your website from hackers. Best of all, these are all free or inexpensive security methods!

Here are 8 areas where you can implement easy security techniques to protect your WordPress website.

1. Login Security
2. Passwords and accessibility
3. URLs and Paths
4. SSL certificate
5. Updates
6. Monitoring
7. Firewall
8. Hotlinking Blockage

1) Login Security

If your admin panel’s main administration account’s username is “admin”, you’ve made a hacker’s job easier by exactly 50%! Now the hacker only needs to find out the password and he is good to go! Using your email address or other unique username is a much safer option than using a generic username like admin. If your website/blog is accessible by multiple authors/employees, the same login rule should be applied for all the people who are creating an account on your website.

Hackers generally have a “guess work database” which contains millions of pre-guessed frequently used usernames and passwords. They have automated programs which keep applying these usernames and passwords until the correct combination is found. This is known as a brute force attack. To protect your site from such malicious scripts, you need to activate lockdown feature. After certain number of failed login attempts, it automatically blocks the IP address of the user. There are many plugins such as Loginizer, The iThemes Security, Limit Login Attempts Reloaded, WPS Limit Login etc. that offer a lockdown feature.

There is another type of login security plugin that offers two-factor authentication. This allows you to use an additional security method along with your regular password. This another method could be a secret code, secret question or phone/email verification with one-time password (OTP). Some popular plugins for two-factor authentication are Two-Factor, WordPress 2-Step Verification, Unloq Two Factor Authentication, Google Authenticator etc.

2) Passwords and Accessibility

It’s not a new thing to say that your password should be unique, have uppercase, lowercase, numbers and special characters. However, there are still people whose reactions to this advice are “blah blah”, “eh” and “whatever”! Even if you’re choosing a secure password for your account, you still need to take some additional steps for passwords when you run a multi-author blog, where multiple people access your admin panel. You can’t vouch for everyone being as serious about password creation as they should be. For that you need to use plugin like Force Strong Passwords that forces all your users to make strong passwords. You can also use tools like Secure Password Generator and password managers like Password pointer, Profile builder, Disable post passwords etc.

“But do I really need to worry about something as petty as passwords? Isn’t it common sense to create a secure password?”

According to SplashData’s survey, the top 10 most used passwords in 2018 are as follows.

1. 123456
2. password
3. 123456789
4. 12345678
5. 12345
6. 111111
7. 1234567
8. sunshine
9. qwerty
10. iloveyou

The point is, believing that other users will be as serious about YOUR website/blog’s security as you are might be a fatal mistake.

You can also add additional password-protection for the wp-admin directory. This two password protection method means there are two separate passwords: one secures the login page, and the other secures the admin area. The first password can be set via .htaccess or cPanel, and the second password is your WordPress login.

When your blog is accessible by multiple authors/employees, you should limit their functions and permissions. Only you should have 100% control of your admin panel and others should only have access to the functionalities that are needed for them to do their job. You can password protect some parts of admin panel which you do not intend other users to have access for. We are not saying not to trust your co-authors’ or employees’ intentions. But when there is a large number of people accessing your website, chances of negligence also increase, and negligence plays major role in website vulnerability.

3) URLs and Paths

Is it dangerous if a thief finds your home keys which you had accidently dropped in a mall? Well, it is dangerous only if he knows your home address! Right? In the same way, brute force attacks are possible only when a hacker knows the exact URL of your WordPress admin login page. The default URL used to log into WordPress dashboard is either wp-login.php or wp-admin written after a site’s main URL.

Rename your URL with some unique path names like yourname_new_login or ilovedogs-login.php etc. With this little trick, only people with the exact URL can access your admin login page. Unauthorized users cannot even reach to your login page. The same rule applies for WordPress database which has the default wp- table prefix. You can change it to something different like yournamewp- or thiswp- or mynewwp- etc.

You can easily perform this trick by using iThemes Security or WP-DBManager.

The wp-config.php file contains some crucial data about you entire WordPress site and hence, it must be protected from hackers. By default, it is stored in root directory. If you just move wp-config.php to some other location (any folder above root directory), it will become difficult for hackers to locate it.

4) SSL Certificate

A secure socket layer (SSL) certificate encrypts the data transferred between your site and your users to keep it secure. No middle-man (read hacker) can decrypt any sensitive data such as passwords, SSN, bank details, date of birth, etc. once it is encrypted by SSL. Without an SSL certificate, hackers could intercept your WordPress password and gain full control of your website. SSL certificates from Sectigo come with warranty amount which serves like insurance. In the unlikely case of an encryption failure, the certificate authority would reimburse the penalty up to the warranty amount to the hacking victim. So, the responsibility is shifted from the website owner to the SSL certificate authority. This is how the website owner can sleep peacefully in this otherwise insecure tech world. Sectigo SSL certificates are available from as low as $8/year with a $50,000 warranty.

• Extra perk: Google’s algorithm gives priority to websites with SSL certificates and ranks such websites higher than ones without SSL certificates. So, SSL certificates also work as an important component of your website’s SEO!
• Caution: Google Chrome punishes websites without an SSL certificate by explicitly showing a ‘not secure’ sign in the address bar before the domain name. Such security warning works as an ultimate website traffic-killer. A website with an SSL certificate shows https:// (instead of http://) and a site lock sign before the domain name. These signs are sufficient to gain trust of your visitors.

5) Updates

Hackers are always in search of vulnerabilities in any current software in order to hack it. That’s why WordPress keeps updating its software and comes up with better, more secure versions by improving functionalities and fixing bugs/security patches in the earlier versions. That is the reason you need to keep updating all WordPress software including plugins and themes.

You can see all the pending updates on your WordPress dashboard under ‘Updates’.

If you use a managed WordPress hosting plan it can automatically update all the WordPress components. Kinsta, Bluehost, WPengine, FastComet SiteGround, Flywheel etc. are well known names for managed WordPress hosting. The price and feature variations are vast among these hosts, so compare all the plans carefully before buying one.

6) Monitoring

• Audit logs: When your website has multiple contributors (co-authors, multiple admins, commenters, etc.) it is important for you to keep an eye on their activities. Audit logs provide you detailed information on other people’s activities on your website. You can make sure that they are not doing anything they are not authorized to. For example: changing themes or plugins. It shows you failed login attempts so that you can sniff out any brute force attack in its very initial stage.

Plugins for audit logs: WP Security Audit Log, Simple History, User Activity Log, Simple Login Log, WP Log Viewer.

• Security scan/vulnerability scan: WordPress security scans work exactly like your computer’s anti-virus scan. It scans your entire website and if there is any suspicious script, viruses, malware etc., it immediately removes it. There are several security scanners available for WordPress, and CodeGuard also has a scanner built in.

7) Firewall

A firewall protects websites and computers from viruses, malware, hacker attacks, etc. While most computers and websites have a firewall of some sort, you want an advanced website application firewall (WAF) to effectively block hackers from your site. It works By checking every request/visitor to your website, and blocking requests that are malicious (eg hacking attempts). Installing a firewall for your WordPress site is quick and easy. Sucuri, wordfence, itheme security, etc. are some of the well-known firewalls available for WordPress.

8) Image Hotlinks

Image hotlinking means using URL of an image from some other website (without permission) to show it on your webpage. If someone links your website’s image URL from his/her site, you might not even know it until its too late. Hotlinks use your website’s bandwidth and reduce speed and performance of your webpages. They also give extra burden to your server.
There are two popular ways to prevent image hotlinks.

• Plugin: All in One WP Security and Firewall, Configurable Hotlink Protection, Cache Image etc. plugins block image hotlinks on your website.

• Code: Go to your cPanel File manager public_html.htaccess (right click and select ‘View/Edit’)

Scroll down and in the bottom of the page, copy-paste the following codes.
/* Prevent image hotlinking in WordPress */

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomainname.com [NC] RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC] RewriteRule \.(jpg|jpeg|png|gif)$ – [F]
*yourdomainname.com= write your website’s domain name

If you want websites other than Google to access your images, you can include them with extra line of coding. For example, to allow linkedin, you can add following code.

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?linkedin.com [NC]

Conclusion

The above steps will fix the majority of security issues your WordPress website faces. However, website security is a deep complicated subject. No one can guarantee 100% security, especially when entire election results, government websites and top-secret projects are getting hacked! Having said that, you don’t need to worry about those high-end hacking attacks unless you are writing a blog on how to make nuclear weapons (just kidding)! Your main need is to block standard and/or automated attacks, which you can do effectively with the 8 tips listed in this article.

To stay on the safer side, you still need to take regular back-ups of your website. You can do it manually or use an automated backup tool like CodeGuard.