Security must be at the top of the list of website essentials: all the work of designing pages, uploading products and creating content, not to mention access to customer data, is at risk if we do not protect the website from cyber attacks.
39.3% of the 10 million most visited websites in the world use the WordPress platform and, if we only look at websites that use a content management system, the market share of WordPress rises to 64%, according to W3techs.
The more popular a platform is, the more likely its sites are to be targeted: attackers probe them for WordPress security vulnerabilities with one goal in mind, accessing data. With the right decisions and resources, we can shield WordPress from these threats, while also correcting the bad practices that we, as administrators, may be following out of ignorance.
The 3 security keys to protect your WordPress site
Calm down. Breathe. We already told you that you don’t need to be a WordPress security specialist to create a solid and protected web environment.
You just need to follow these simple guidelines to know which aspects affect the security of a WordPress site and what measures to take to create a defensive shield between your website and external attacks.
1 – Choose a reliable web host and proceed with the installation of WordPress
Before getting excited about creating the website of your dreams, it's time to make a crucial decision: choosing the hosting provider for the digital project you are going to carry out.
A good web host must meet these characteristics:
- Provide a firewall and deny attacks made through simultaneous requests.
- Offer isolated accounts, so that security problems on other websites do not end up affecting yours, which also favors speed and performance.
- Avoid the wp_ database prefix.
- Use different passwords for users, the database and FTP.
2 – Enable the basic WordPress configuration items
You have already installed WordPress, that’s it!
Now it’s time to prepare this web environment to ensure security by putting the focus on essential configuration aspects.
You must follow these steps:
- Go to Users ⇒ All users and check that each user has the appropriate role for the tasks they will perform in that project. Verify that there is only one administrator with full privileges (the webmaster), and that everyone else is an editor, subscriber, contributor or author with different permissions. If all users who have access to your website are administrators, problems will not take long to appear and they will be more serious than you think.
- Change the passwords. Enter the user profile, check that the selected profile is correct and generate a new password. The password created by WordPress is highly secure because of the variety of characters and their length. 1234 or asdf are the favorite passwords of idiots; now you know.
- Avoid comment spam by installing this plugin to improve security in WordPress: Honeypot Anti-Spam, which creates an invisible field so that comments left by bots never reach the blog.
- From Settings ⇒ Comments, check the box "The comment must be approved manually"; this prevents user contributions with unwanted links from being published automatically.
- Keep WordPress always updated to the latest version, as well as the installed plugins. From the WordPress Updates option you can check whether any updates need to be applied. Before updating the core version, remember to make a backup of WordPress, check that everything is OK and verify its operation.
3 – Improve WordPress security with security plugins
We go one level higher with the installation and activation of these 3 WordPress security plugins.
- Limit Login Attempts Reloaded
Limits the number of login attempts allowed from each IP address. In the lockout settings, you can use these values:
3 attempts allowed
120 minutes per lockout
3 lockouts increase the lockout time by 72 hours
7 days until retries are reset
- WPS Hide Login
Protect the website by changing the login URL and prevent hackers from accessing the wp-login.php file.
When creating a new login URL, avoid using words like login, entry, access…
- Email Notification on Login
This WordPress security plugin sends an email to the address of your choice reporting which user has logged in to the site, with IP data and permissions.
It makes it easier to monitor suspicious activity on the user accounts of that WordPress installation.
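A simplified model of the Limit Login Attempts Reloaded values listed above, added here as an example; it is not the plugin's code or part of the original article. It replays constructed failed-login events and counts how many password checks one IP address gets in a week. It assumes a cumulative failure counter per IP, that from the third lockout on each lockout lasts 72 hours, and that the counter resets after 7 days without a counted failure.

```python
from collections import defaultdict

# Values listed on this page for Limit Login Attempts Reloaded (in seconds).
ALLOWED_RETRIES = 3           # 3 attempts allowed
LOCKOUT = 120 * 60            # 120 minutes per lockout
LOCKOUTS_BEFORE_LONG = 3      # 3 lockouts trigger the long lockout
LONG_LOCKOUT = 72 * 3600      # assumption: the long lockout lasts 72 hours
RETRY_RESET = 7 * 24 * 3600   # 7 days until retries are reset


def simulate(failed_logins):
    """Replay (timestamp, ip) failed logins; return (timestamp, ip, decision).

    'checked' = the password was evaluated, 'blocked' = the IP was locked out.
    """
    failures = defaultdict(int)      # counted failures per IP
    last_failure = {}                # time of the last counted failure per IP
    locked_until = defaultdict(int)  # end of the current lockout per IP
    decisions = []
    for ts, ip in sorted(failed_logins):
        if ts < locked_until[ip]:
            decisions.append((ts, ip, "blocked"))
            continue
        # Assumption: the counter resets after 7 days without a counted failure.
        if ip in last_failure and ts - last_failure[ip] >= RETRY_RESET:
            failures[ip] = 0
        failures[ip] += 1
        last_failure[ip] = ts
        decisions.append((ts, ip, "checked"))
        if failures[ip] % ALLOWED_RETRIES == 0:
            is_long = failures[ip] >= ALLOWED_RETRIES * LOCKOUTS_BEFORE_LONG
            locked_until[ip] = ts + (LONG_LOCKOUT if is_long else LOCKOUT)
    return decisions


def guesses_checked(ip, interval, horizon):
    """Count password checks one IP gets when it fails every `interval` seconds."""
    events = [(t, ip) for t in range(0, horizon, interval)]
    return sum(1 for _, _, d in simulate(events) if d == "checked")


if __name__ == "__main__":
    week = 7 * 24 * 3600
    # Constructed source address from the documentation range 203.0.113.0/24.
    print(guesses_checked("203.0.113.10", 60, week), "of", week // 60, "attempts checked")
```

Under these assumptions, an address that retries once a minute for a week has 15 of its 10,080 attempts evaluated. The counters are kept per IP address, so the limit applies to each source address separately.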
With these best practices and ongoing CMS maintenance, you will work with a more secure WordPress project.