In the last post we talked about adding plugins to your WordPress site, and one category was security plugins. Before you reach for a plugin, though, there are a number of things you can do to make the WordPress installation itself harder to attack. Most of the steps below are free and take a few minutes each.
Install the Latest Version of WordPress
WordPress core is already fairly secure and the project has a dedicated security team that keeps it that way. The fixes that team ships only protect you if you run the release that contains them, so always keep WordPress on the latest version. Minor (security) releases are applied automatically by default; major releases are not, so check the Dashboard > Updates screen after each one is announced. At the time of writing the latest version is 5.6.
Install an SSL Certificate
Before your site goes live, install an SSL/TLS certificate and serve the site over HTTPS. Certificates come free or paid, and the free ones from Let's Encrypt are, for practical purposes, equal to paid ones. HTTPS is what puts the lock symbol in the URL bar; it also encrypts the login form, so your password is not sent in clear text over the network. Without it, browsers label the site "Not Secure" and your Search Engine Optimization (SEO) can suffer. Once HTTPS works, redirect all HTTP requests to HTTPS so visitors never land on the unencrypted version.
Change the Admin URL and Name
When you log in to your WordPress site the default login page is yourwebsite.com/wp-admin (which redirects to wp-login.php). Because every WordPress site has it, wp-login.php is the first place bots hammer with password guesses, so many owners move it. The WPS Hide Login plugin lets you change the URL to something only you know, for example yourwebsite.com/anameonlyIknow, and returns a 404 for the default paths. Be clear about what this buys you: it cuts down automated noise, but it is obscurity, not authentication, and a targeted attacker can still find the page. It does nothing to stop someone from guessing your username or password once they have it. The same goes for the username: never use the default "admin", and do not assume the name you pick stays secret. WordPress exposes usernames through author archives (yourwebsite.com/?author=1 redirects to /author/username/) and through the REST API at /wp-json/wp/v2/users. So pick a non-obvious username, but put your real effort into a long, unique password (and two-factor authentication, below). Together these changes noticeably reduce the risk of a brute-force takeover.
Backup your Site Regularly
In the event your site is hacked or infected with malware, it is always good to have a recent backup of both the files and the database. That way, if you cannot "fix" or disinfect the site, you can restore a clean copy. Store backups somewhere other than the web server itself (an attacker who gets into the server can delete backups that live next to the site), keep several generations so you can go back to a point before the compromise, and test a restore at least once so you know the backup actually works.
Disable File Editing
One way that attackers keep a foothold on a site is by editing its files. By default, WordPress lets any administrator edit plugin and theme files from the dashboard (Appearance > Theme Editor and Plugins > Plugin Editor), which means a hijacked admin account can drop PHP code straight onto the server. If you are not editing these files through the dashboard (true for most ordinary users), turn the editor off by adding the following line to wp-config.php:
define('DISALLOW_FILE_EDIT', true);
Use straight quotes, keep the constant name in all capital letters, and end the line with a semicolon, since this is PHP code. Put it above the "That's all, stop editing!" comment near the end of the file.
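The following wp-config.php excerpt is an added example, not code from the original post. It collects the constants discussed in the steps above (keeping core up to date, forcing HTTPS on the login page and dashboard, and disabling the file editor) in one place, so you can see how they sit together. The stricter DISALLOW_FILE_MODS setting is shown commented out because it also disables plugin, theme and core updates from the dashboard; only enable it if you update some other way (for example over SFTP or WP-CLI).

```php
<?php
// Excerpt from wp-config.php (added example, not from the original post).
// Place these lines above the "That's all, stop editing!" comment; the rest of
// the file (database settings, salts, table prefix) is unchanged.

// Apply core updates automatically, including major releases, so the site is
// never running a version with a published fix it does not have.
define('WP_AUTO_UPDATE_CORE', true);

// Force HTTPS for wp-login.php and the whole dashboard. This pairs with the
// SSL/TLS certificate step: the certificate must already be installed and
// working, or this will lock you out with a browser error.
define('FORCE_SSL_ADMIN', true);

// Remove the plugin and theme file editor from the dashboard, so a hijacked
// administrator account cannot be used to write PHP into a theme or plugin.
define('DISALLOW_FILE_EDIT', true);

// Optional and stricter: also block plugin/theme installs and all dashboard
// updates (core, plugins, themes). Only enable this if you apply updates via
// SFTP or WP-CLI, because it disables the dashboard updater as well.
// define('DISALLOW_FILE_MODS', true);
```

After saving the file, log out and log back in: the Theme Editor and Plugin Editor menu entries disappear, and the login page should only be reachable over https://. If the site becomes unreachable after adding FORCE_SSL_ADMIN, the certificate or the HTTPS virtual host is not set up correctly; remove the line over SFTP, fix the certificate, then add it back.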
Use a Secure Host
Some of your site's security comes from your hosting company, and this matters most on shared hosting. A good host runs a web application firewall and malware scanning that block many attacks before they reach your site, keeps PHP and the web server patched, and isolates each customer's account so malware on another site on the same server cannot spread to yours. Ask a prospective host specifically about account isolation, automatic backups and how quickly they apply security updates.
Up-to-date and Reliable Plugins
In line with keeping WordPress core current, keep your plugins and themes up to date and install them only from reliable sources such as the WordPress.org repository. Even within the repository, check that a plugin has been updated recently and is actively maintained: avoid anything that has not seen an update in over a year or is not marked as tested with your WordPress version. It is also worth following security blogs such as the Wordfence blog and the WordPress news site so you hear about disclosed vulnerabilities in plugins you use. Finally, delete any plugins and themes you are not using; an inactive plugin still ships its code to the server, and a vulnerability in it can sometimes be reached even though it is switched off.
Updating plugins, themes, security, and monitoring are all a part of most maintenance packages for web design agencies.
Add to the Login
The standard way of logging in is to enter your username and your password. On top of that you can add two-factor authentication (a one-time code from an app on your phone), a CAPTCHA, or a simple math question that has to be answered. Two-factor authentication is the strongest of these, because a guessed or leaked password is no longer enough on its own; the CAPTCHA and math question mainly slow down automated bots. Login attempt limiting (locking an IP address out after a handful of failed attempts) is another effective brake on brute-force attacks. These features are found in security plugins such as All In One WP Security & Firewall and others.
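The following must-use plugin is an added example written for this post, not code from the original page or from any of the plugins it mentions. It shows, in a few lines of WordPress hooks, two of the login hardening ideas from the sections above: it stops the login page and the REST API from confirming which usernames exist (the point made under changing the admin name), and it throttles brute-force attempts per client address (the point made in this section). The limits, the transient key prefix and the assumption that REMOTE_ADDR is the real client address are all choices made for the example.

```php
<?php
/**
 * Plugin Name: Login hardening (added example, not from the original post)
 *
 * Save as wp-content/mu-plugins/login-hardening.php; must-use plugins load on
 * every request and cannot be deactivated from the dashboard.
 *
 * Assumptions: single-site install, and no reverse proxy or CDN in front of the
 * server, so $_SERVER['REMOTE_ADDR'] is the real client address. Behind a proxy
 * you must read the proxy-supplied header you trust instead.
 */

// Tunables for the example throttle: lock a client out after this many failed
// logins within the lockout window.
define('LH_MAX_FAILURES', 5);
define('LH_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS);

// 1. Generic login error. By default WordPress says whether the username or the
//    password was wrong, which lets an attacker confirm valid usernames.
add_filter('login_errors', function ($error) {
    return 'Invalid username or password.';
});

// 2. Hide the user list from anonymous REST API callers (GET /wp-json/wp/v2/users
//    otherwise returns every author's login name).
add_filter('rest_endpoints', function ($endpoints) {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users']);
        unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});

// 3. Stop author-ID enumeration: /?author=1 normally redirects to
//    /author/<username>/, leaking the name in the Location header. Anonymous
//    requests with an author query are sent to the home page instead.
add_action('init', function () {
    if (!is_admin() && isset($_GET['author']) && !is_user_logged_in()) {
        wp_safe_redirect(home_url('/'), 302);
        exit;
    }
});

// 4. Disable XML-RPC, which accepts password guesses outside wp-login.php.
//    Only keep XML-RPC enabled if you rely on it (the Jetpack plugin and some
//    mobile apps do); otherwise it is pure attack surface.
add_filter('xmlrpc_enabled', '__return_false');

// Transient key for the failed-login counter of the current client.
function lh_client_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'lh_fail_' . md5($ip);
}

// 5a. Count failures. wp_login_failed fires for the login form and for XML-RPC.
add_action('wp_login_failed', function ($username) {
    $key   = lh_client_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, LH_LOCKOUT_SECONDS);
});

// 5b. Refuse the attempt before the password is even checked once the client
//     is over the limit. Priority 30 runs after the built-in password check (20).
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(lh_client_key()) >= LH_MAX_FAILURES) {
        return new WP_Error(
            'lh_too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 3);

// 5c. A successful login clears the counter for that client.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(lh_client_key());
}, 10, 2);
```

A throttle keyed on the client address is a brake, not a wall: a botnet spreading guesses over thousands of addresses never trips it, and a site behind a CDN sees the CDN's address for everyone (so the example would lock out all visitors at once). That is why two-factor authentication, which makes a correct guess useless on its own, is the change worth making first; the throttle and the enumeration fixes then cut down the noise around it.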
Where to go for more information
There are a number of other blogs with more information on steps you can take to make your site more secure. Links are provided below.
- Kinsta Blog