WordPress security should be a high priority for all WordPress sites, even though it may be an afterthought.
WordPress security has always been a hot topic for discussion. A lot of customers we interact with are concerned about WordPress vulnerabilities. We’re here to tell you that WordPress, like all other platforms, is not invincible. However, if you keep plugins, themes, and WordPress core up to date, you’re already winning half the battle. We’ll discuss some important tips for hardening a WordPress website. In addition, we’ll provide WordPress security plugins to help along the way.
Host Your Website With A Great Web Host
We’ve dealt with plenty of different hosting vendors. We don’t like saying this out loud, but some are lousy, while others are really top notch. When we perform an audit or a customer is having issues with the website, we always like to review the host the customer is on. Almost half of all websites that are compromised are compromised because of their web host. What do we mean? A staggering 41% of hacked websites are hacked through a security vulnerability found on their hosting platform. The statistic is astonishing! There are numerous steps you can take to help harden your website. For starters, always check with a web host whether the company supports the latest PHP version. Chances are the answer is yes. Perform some due diligence and ask questions. Verify with the hosting company whether a WordPress firewall is included. A firewall provides a layer of security in front of your website. We highly recommend you shop around to see what host suits your needs and budget.
Stronger Login Credentials
Don’t make a website attacker’s life easy by having a simple password. Use a password that is hard to guess. There have been plenty of times when a customer was using a password that was oversimplified. We won’t embarrass any of our customers because we love them too much. A good rule of thumb is a password 12 to 14 characters in length. Throw in some special characters such as exclamation points, question marks, and asterisks. Don’t get cute and use numbers for letters. Everyone has caught on to that game. Add some numbers to the mix as well. The more complex the password, the better. Even a random password generator can be used. There are numerous sites that can randomly generate passwords for you to use. Use the password generator and store the passwords in a secure place.
Back in the old days of WordPress, the default username “admin” was used to create the administrator for the WordPress site. Fast forward to the present, and the administrator has the ability to create any username. We still see WordPress websites using “admin” as the primary administrator account. Stop! The problem with using “admin” is that hackers already know this fact. You’ve already provided the directions to the house. All these attackers need to figure out is the password for the website. Chances are the hacker will figure it out. The best way to keep the WordPress login secure is to change the username to something unique. The more unique, the better off you are.
Remember, strong login credentials are a must-have. A hard-to-guess password, coupled with a unique username, makes a hacker’s life more difficult. If you really want to remain secure, you should change passwords on a scheduled basis. Practice safe security with complex passwords and unique usernames.
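The credential rules from this section can be checked and applied locally instead of relying on a password-generator website. The following is an added example, not code from the original post; the word list is a constructed sample, the username "site-owner" is a placeholder, and the function names are hypothetical.

```python
import secrets
import string

SPECIALS = "!?*"  # the special characters the article names
# Constructed mini word list; a real check would use a large breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "wordpress", "admin"}
# Undo the usual "numbers for letters" swaps before comparing to the word list.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def generate_password(length=14):
    """Random password from the OS CSPRNG with letters, digits and specials."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not audit_credentials("site-owner", pw):  # retry until every rule passes
            return pw


def audit_credentials(username, password):
    """Return a list of problems; an empty list means the pair passes."""
    problems = []
    if username.lower() == "admin":
        problems.append("username is the default 'admin'")
    if len(password) < 12:
        problems.append("password shorter than 12 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # De-leet, keep only letters, then look for dictionary words inside the result.
    plain = "".join(c for c in password.lower().translate(LEET) if c.isalpha())
    if any(word in plain for word in COMMON_WORDS):
        problems.append("built on a common word with number-for-letter swaps")
    return problems
```

A password such as "W3lc0me2WordPress!!" passes the length, digit and special-character rules yet is still flagged, which is the "numbers for letters" game the section warns about.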
Limit Login Attempts
We stay with the login theme with another helpful tip. There are scripts and plugins that can help limit login attempts. We’ll discuss a plugin in detail. A well-reviewed plugin that limits login attempts is Login Security Solution. The plugin provides many different features, everything from limiting login attempts into a WordPress site to blocking brute force attacks attempting to log in. In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. In our case, the attacker is attempting to guess the username and password to force their way into the website’s back end. The Login Security Solution plugin has a setting that recognizes this type of attack. The software in the plugin shuts out the hacker without affecting real administrators. After multiple failed attempts, the likelihood of the attacker moving on to an easier site increases. Another plugin that we’ll discuss in another blog post is Wordfence. As a quick overview, Wordfence is a robust plugin that provides many WordPress security features, including limiting login attempts. Install the Limit Login Attempts plugin. We know it will help in the long run.
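The lockout idea described above, as an added example that is not part of the original post and not the code of Login Security Solution or any other plugin. It is a generic per-source failure counter with a sliding window; the thresholds, class name and sample events are assumptions made for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed threshold, not a plugin default
WINDOW_SECONDS = 300    # failures are counted over the last 5 minutes
LOCKOUT_SECONDS = 900   # how long a source stays blocked


class LoginLimiter:
    """Per-source failure counter with a sliding window and timed lockout."""

    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time the lockout expires

    def attempt(self, ip, now, password_ok):
        """Return 'blocked', 'ok' or 'failed' for one login attempt."""
        if self.locked_until.get(ip, 0) > now:
            return "blocked"                 # rejected before the password is checked
        if password_ok:
            self.failures.pop(ip, None)      # success clears the counter
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - WINDOW_SECONDS:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            recent.clear()
        return "failed"


def replay(events):
    """Run (time, ip, password_ok) tuples through a fresh limiter."""
    limiter = LoginLimiter()
    return [limiter.attempt(ip, t, ok) for t, ip, ok in events]


# Constructed events: one source guessing every 2 seconds (its last guess is
# correct but arrives after lockout), plus the real administrator mistyping once.
SAMPLE_EVENTS = (
    [(t, "203.0.113.7", False) for t in range(0, 14, 2)]   # 7 wrong guesses
    + [(14, "203.0.113.7", True)]
    + [(20, "198.51.100.4", False), (25, "198.51.100.4", True)]
)
```

Counting per source address alone misses guessing that is spread across many addresses, so a limiter used in production usually also counts failures per username.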
Use Common Sense
When it comes to making sure the website is secured, use common sense. Don’t give out login credentials to strangers. Don’t ever add another administrator to your WordPress site. Do not give strangers FTP access. Be wary of people around you. Make sure no one is watching you enter your credentials into your website. If something doesn’t feel right, do not do it. Listen to your gut. Practice secure credential transfers by emailing the username and texting the password to the other party. This helps prevent your username and password from being out on the internet together. Using common sense can go a long way.
WordPress security is a concern website owners should be wary of. Having the website hardened by a WordPress professional is something a business should consider. One WordPress security topic we didn’t discuss much was performing regular website backups. We actually have a blog post dedicated to WordPress backups. We highly recommend you read the post. Get caught up on the best practices for backing up. Find out what plugins we recommend for those backups. If you have any questions, be sure to comment below and we’d be happy to answer!