1. Use secure hosting

Not all web hosting providers are created equal and, in fact, hosting vulnerabilities account for a huge percentage of WordPress sites being hacked.

When choosing a web hosting provider, don’t simply go for the cheapest you can find. Do your research, and make sure you use a well-established company with a good track-record for strong security measures.

It’s always worth paying a bit extra for the peace of mind you get from knowing your site is in safe hands.

Primax Studio has secure hosting options for your WordPress Site. Don’t worry about your hosting, we have you covered!

2. Update All the Things

Every new release of WordPress contains patches and fixes that address real or potential vulnerabilities. If you don’t keep your website updated with the latest version of WordPress, you could be leaving yourself open to attacks.

Many hackers will intentionally target older versions of WordPress with known security issues, so keep an eye on your Dashboard notification area and don’t ignore those ‘Please update now’ messages.

ALWAYS UPDATE

The same applies to themes and plugins. Make sure you update to the latest versions as they are released. If you keep everything up-to-date your site is much less likely to get hacked.

3. Use Wordfence

Wordfence is the most downloaded security plugin for WordPress websites.

Primax Studio installs Wordfence on every WordPress site that we install!

The Wordfence WordPress security plugin continuously prevents, patrols and protects your WordPress websites against today’s ultra-advanced cyber attacks, hacks and online security threats.

To see more about what the Wordfence WordPress security plugin includes, look through its five defense categories on the Wordfence site and then select a related feature for even more information. Free, Premium and Customer Favorite features are clearly indicated.

4. Back Up Your Site Daily

If something goes wrong with your site you need a backup to get you back in action. Primax Studio installs BackWPup on every WordPress site that we develop.

We recommend backing up your database daily and your entire site weekly. We also recommend keeping off-site backups, in case your hosting company experiences a natural disaster.


5. Strengthen up those passwords

According to this infographic, around 8% of hacked WordPress websites are down to weak passwords.

If your WordPress administrator password is anything like ‘letmein’, ‘abc123’, or ‘password’ (all way more common than you might think!), you need to change it to something secure as soon as possible.

For a password that’s easy to remember but very hard to crack, I recommend coming up with a good password recipe.

If you’re feeling lazy, you can also use a password manager like LastPass to remember all your passwords for you. If you use this method, make sure your master password is nice and strong.

Try LastPass’s password generator. If you install the browser plugin you’ll be able to generate passwords in real time when setting up accounts.

Here’s a great article about how to set up a secure password on Cloudwards.

6. Never use “admin” as your WordPress username

Earlier this year, there was a spate of brute-force attacks launched at WordPress websites across the web, consisting of repeated login attempts using the username ‘admin’, combined with a bunch of common passwords.

If you use “admin” as your username, and your password isn’t strong enough (see #5), then your site is very vulnerable to a malicious attack. It’s strongly recommended that you change your username to something less obvious.

Until version 3.0, installing WordPress automatically created a user with “admin” as the username. This was updated in version 3.0 so you can now choose your own username. Many people still use “admin” as it’s become the standard, and it’s easy to remember. Some web hosts also use auto-install scripts that still set up an ‘admin’ username by default.

Fixing this is simply a case of creating a new administrator account for yourself with a different username, logging in as that new user, and deleting the original “admin” account.

If you have posts published by the “admin” account, you can assign all of them to your new user account when you delete it.

7. Hide your username from the author archive URL

Another way an attacker can potentially gain access to your username is via the author archive pages on your site.

By default WordPress displays your username in the URL of your author archive page, e.g. if your username is joebloggs, your author archive page would be something like https://yoursite.com/author/joebloggs

This is less than ideal, for the same reasons explained above for the “admin” username, so it’s a good idea to hide this by changing the user_nicename entry in your database.

8. Limit login attempts

In the case of a hacker or a bot attempting a brute-force attack to crack your password, it can be useful to limit the number of failed login attempts from a single IP address.

Install Wordfence and this functionality is built into the plugin.

There are ways around this, as some attackers will use a large number of different IP addresses, but it’s still worth doing as an additional precaution.

9. Disable file editing via the dashboard

In a default WordPress installation, you can navigate to Appearance > Editor and edit any of your theme files right in the dashboard.

The trouble is, if a hacker managed to gain access to your admin panel, they could also edit your files that way, and execute whatever code they wanted to.

So it’s a good idea to disable this method of file editing, by adding the following to your wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

10. Try to avoid free themes

We’re confident in the quality and security of our free themes. As a general rule though, it’s better to avoid using free themes, if possible, especially if they aren’t built by a reputable developer.

The main reason for this is that free themes can often contain things like base64-encoded code, which may be used to sneakily insert spam links into your site, or other malicious code that can cause all sorts of problems. In one experiment, 8 out of 10 sites reviewed offered free themes containing base64 code.

If you really need to use a free theme, you should only use those developed by trusted theme companies, or those available on the official WordPress.org theme repository.

Note: The same logic applies to plugins. Only use plugins that are listed on WordPress.org, or built by a well-established developer.

11. Use security plugins

As well as all of the measures above, there are tons of plugins you can use to tighten your site’s security and reduce the likelihood of being hacked.

These are Primax Studio’s 2 Favorite security plugins:


These plugins might also help you:

Further resources

To learn more about hardening your website’s security, please check out these two resources:

https://codex.wordpress.org/Hardening_WordPress

https://wp.tutsplus.com/tutorials/11-quick-tips-securing-your-wordpress-site

We also recommend Sucuri.net if you are unsure about this topic. Sucuri can help monitor your site, alert you of suspicious activity and even help clean up your site in the case of a malware attack.

Don’t panic!

This may all sound pretty intimidating, especially if you’re a beginner. I’d like to point out that it’s not intended to scare anyone, it’s just important to discuss the topic of security regularly, as we want to make sure you stay one step ahead of the hackers!

You don’t have to do everything on this list (although it certainly wouldn’t hurt). Even if you just remove the ‘admin’ username and start using stronger passwords, your site will be that little bit safer.

If your WordPress site has been hacked Primax Studio can help remove malware and bring your site back to life.

Original Content

About the Author

James O'Loughlin

Digital Architect
Rubberband Ball
Bike Rad Get’n
Maze Simplifier