10 Proven Ways to Strengthen WordPress Security

When it comes to building great websites, there’s no better platform than WordPress and the 55,000+ plugins you can use to enhance its functionality. But with 41% of all sites using it, it is a magnet for cybercriminals. With customers and search engines demanding better security and ever stricter regulations to comply with, it has never been more important to protect your site from attack. Here, we’ll look at ten proven ways to keep your WordPress website secure.

1. Change your login page

If a hacker is going to try to log in to your website, they’ll first need to access the login page. You can make this far more challenging by changing its URL. By default, the admin login page is yourwebsite.com/wp-admin, which makes it easy for cybercriminals to find. However, you can change the page’s URL to something different using the WPS Hide Login plugin, so that ‘/wp-admin’ just displays a 404 ‘Page Not Found’ error message.

2. Use strong usernames

While we are constantly reminded to use strong passwords, it’s important to remember that hackers also need your username to log in to your WordPress admin panel. Usernames can be surprisingly easy for hackers to guess. They’ll try ‘admin’, which is the default username, and they’ll also search your website for possible names to use. These can appear in ‘Meet the Team’ pages or email addresses, and some WordPress themes are configured to display usernames as post authors by default.

You can change the username to something far less easy to guess by using either phpMyAdmin in cPanel or by installing the Username Changer plugin.
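Before renaming accounts, it helps to know which ones are actually guessable. The following audit is an added example, not code from this article or from WordPress: it checks each account's login against the public sources described above. The column names are those of the WordPress `wp_users` table; the sample rows, the `DEFAULT_LOGINS` list and the function names are assumptions made for illustration.

```python
import re

# Constructed sample rows using the wp_users column names; not real accounts.
SAMPLE_USERS = [
    {"user_login": "admin", "user_nicename": "admin",
     "user_email": "owner@example.com", "display_name": "Site Owner"},
    {"user_login": "jane.smith", "user_nicename": "jane-smith",
     "user_email": "jane.smith@example.com", "display_name": "Jane Smith"},
    {"user_login": "k7-orchid-ledger", "user_nicename": "editorial-team",
     "user_email": "news@example.com", "display_name": "Editorial Team"},
]

DEFAULT_LOGINS = {"admin", "administrator", "root", "test", "user"}  # assumption: common guesses


def _norm(value):
    """Lower-case and drop punctuation so 'Jane Smith' matches 'jane.smith'."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def audit_username(user, site_domain):
    """Return the reasons a login name would be easy to guess (empty list = none found)."""
    login = _norm(user["user_login"])
    reasons = []
    if login in DEFAULT_LOGINS:
        reasons.append("default or common username")
    if login == _norm(user["display_name"]):
        reasons.append("same as public display name")
    if login == _norm(user["user_email"].split("@")[0]):
        reasons.append("same as email local part")
    if login == _norm(user["user_nicename"]):
        reasons.append("same as author URL slug (user_nicename)")
    if login == _norm(site_domain.split(".")[0]):
        reasons.append("same as site name")
    return reasons


def audit_all(users, site_domain):
    """Map each flagged login to its list of reasons."""
    found = ((u["user_login"], audit_username(u, site_domain)) for u in users)
    return {login: reasons for login, reasons in found if reasons}


if __name__ == "__main__":
    for login, reasons in audit_all(SAMPLE_USERS, "example.com").items():
        print(f"{login}: {', '.join(reasons)}")
```

Any account the audit flags is a candidate for renaming with one of the two methods above.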

3. Use two-factor authentication

While strong passwords are a must, the sophisticated brute force software used by hackers today means you cannot rely on these alone. What’s more, if your password is stolen, it doesn’t matter how complicated it is.

Two-factor authentication adds a robust layer of protection because, in addition to your username and password, you’ll also need a code that is sent to your mobile phone. So, unless a hacker has your mobile phone with them, they won’t be able to break in. And as the code only works for a short amount of time, their software won’t be quick enough to crack it. Yes, two-factor authentication can be a bit of a pain, but nowhere near as painful as having your site hacked.

If you need help with setting this up, read our knowledgebase article How to enable two-factor authentication (2FA).

4. Update themes and plugins on release

If there are vulnerabilities in your WordPress website, they are most likely to be found in themes and plugins. When these are identified, the developers will respond quickly with an update that removes the vulnerability. If you don’t update plugins and themes as soon as a new version is available, you leave your site open to attack. It’s crucial, therefore, that you set up notifications for updates and install these as soon as you can after release. Even better, set up auto-updates.
