Web Development: How to Secure Your WordPress Site?

How to Secure Your WordPress Site?

Keeping your website secure is something every website owner worries about. And for good reason: if your site is hacked or goes down, you could lose business.

WordPress used to have a reputation for being insecure. But these days, it's no longer true. Some of the world’s largest brands, including major news corporations and government departments, use WordPress for their websites. They wouldn’t use it if it’s not secure.

But WordPress is open source software, which means anyone can access the code. And that means hackers can try to identify vulnerabilities and exploit them. Luckily the WordPress community is on top of this, and security updates are released regularly to fix any vulnerabilities. So as long as your site’s up to date, you have less to worry about.

In this post, I’ll show you some ways to make your site more secure. I’ll include best practices for security and show you how to make your site less vulnerable to hackers.

Let’s start with some best practices.

WordPress Security Best Practices

Before you start installing security plugins or tinkering with your wp-config.php file to make your site more secure, there are some simple best practices you can follow to enhance security in your WordPress site.

These are:

use strong passwords
keep your site up to date
only buy plugins and themes from reputable sources
use secure hosting
disable the theme editor
take regular backups
use SFTP to upload files to your site
add SSL to your site
install a security plugin
use a security service

Let's take a look at what each of these means.

1. Use Strong Passwords

Using strong passwords is the simplest and one of the most effective lines of defense against hackers. You should always use passwords that include a combination of letters, numbers and special characters, and make sure other users on your site do so too.

You can check your passwords on the How Secure is my password? site to find out how long it would take an automated system to crack your password. The password I use for my site would take 16 billion years to crack, so I don’t think there’s much chance of anyone guessing it.

You can also force other users of your site to use strong passwords using a plugin like Force Strong Passwords. Alternatively if you have Jetpack installed, you can force strong passwords using that plugin.

2. Keep Your Site up to Date

Another simple but very effective way to keep your site safe is to ensure it’s up to date.

Some WordPress updates are to introduce new features. Others are to fix bugs. But plenty of them will add security patches, and you want to make sure your site has those.

Make sure you update your site whenever the dashboard tells you to, and diarize to check it regularly. This applies to themes and passwords as well as to WordPress itself.

Alternatively, you can install a plugin that will manage and automate updates for you. The Easy Updates Manager plugin lets you choose which themes and plugins to keep updated and will run a regular check for you and run updates.

If you do automate updates, make sure you take regular backups of your site in case an update causes problems.

WordPress

How to Update WordPress – Manually or Automatically

Adi Purdila

3. Only Buy Plugins and Themes from Reputable Sources

When you’re choosing themes and plugins, it’s important to only install ones that you are confident will be free of bugs or malicious code.

With free plugins, it’s a good idea to only install plugins and themes you find in the theme and plugin directories (which you access via your WordPress admin). These themes go through quality checks so you can be confident they’ll be well coded and free of any malicious content.

If you choose to buy premium themes and plugins, make sure you buy them from reputable vendors like CodeCanyon and ThemeForest. Ask other WordPress users and look in forums for recommendations.

If you’re ever tempted to download a free plugin from anywhere other than the theme or plugin directory, stop to check the source carefully first. If the provider is offering the plugin for free and hasn’t submitted it to the official directory, ask yourself why they might be doing that. There’s a chance they could be doing it because they want to introduce vulnerabilities to your site or at the very least insert spammy content or links.

The Best WordPress Themes and Plugins on Envato Market

Explore thousands of the best WordPress themes ever created on ThemeForest and leading WordPress plugins on CodeCanyon. Purchase these high-quality WordPress themes and plugins and improve your website experience for you and your visitors.

4. Use Secure Hosting

When choosing your hosting provider, take the time to find a reputable provider who will provide guarantees about security and uptime. A dedicated WordPress hosting provider like Siteground will be able to help you with any security issues you might have, and will take steps to keep their servers secure.

The hosting plan you go for will also have an impact on security. The cheapest hosting plans are cheap because they have hundreds or thousands of clients and websites on a server. The more people using that server, the more opportunities there are for introducing security problems.

So before you go with that ultra-cheap hosting provider, ask yourself if it might cost you more in the long run.

Special Discount for WordPress Hosting

For secure hosting, take a look at SiteGround. It comes with an easy installer, free support, and automatic updates. We're happy to be able to offer a huge discount of 70% off self-managed WordPress hosting, thanks to our partnership with SiteGround.

Managed WordPress Hosting From SiteGround

5. Disable the Theme Editor

The theme editor, or visual editor, is a screen in your WordPress admin you can use to edit the code in your theme.

It might look like a really handy way to tweak your code, but it has some serious risks attached to it. When you edit code using the theme editor, the old version is not backed up. You have no way of rolling back your changes if you do something that breaks your site or introduces vulnerabilities,

If you want to edit the code in your theme (or create a child theme to modify your theme, which is better precise), then you should use a code editor and SFTP.

You can disable the theme editor by adding two lines of code to your wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );
define( ‘DISALLOW_FILE_MODS’, true );

That way you and other users of your site won’t be tempted to use it to make quick tweaks that could cause you big problems.

Note: only modify your wp-config.php file if you’re confident doing this sort of thing.

6. Take Regular Backups

It’s good practice to keep your site backed up regularly. This way, if your site is hacked or it breaks after an update, you have a recent version you can restore.

Install a backup plugin and set it to automatically back up your site as least as often as you update the site. So if you’re adding to your site every day, back it up every day. That way, if you do have to restore the most recent backup, you won’t lose much content.

The same goes for automatic updates: if your updates plugin is running updates every day, you should also back your site up every day.

7. Use SFTP to Upload Files to Your Site

If you’re editing and uploading files to your WordPress site (eg. theme and plugin files), then it’s important to do this in the most secure way you can.

Using SFTP instead of FTP means that that the files will be encrypted before you upload them. So no one can access them while you’re transferring them to your site or downloading them to your computer.

This is particularly important if you do this kind of work on a public network, such as coffee shop Wi-Fi. Ideally, you should avoid using public Wi-Fi to manage the files in your WordPress site, but in reality we’ve all had times when we’ve needed to upload a file urgently and can’t wait till we get back to a more secure connection.

A good hosting provider will provide SFTP as part of their service—ask them to tell you how to access it and set up keys for use when transferring files to your site.

8. Add SSL to Your Site

Adding SSL to your WordPress site means that the https:// at the beginning of the domain name will be replaced by https://.

Adding SSL to your site is free with Let’s Encrypt and will give you two benefits:

It’ll enhance your search engine rankings. Google gives greater weight to sites that have been made secure with SSL. So it makes sense to add it to your site.
It will make your site more secure. Adding SSL means that data sent between your server and the user’s browser is encrypted. This is essential for any sites where users are asked to input personal data, even an email address. And for e-commerce it’s even more important. In fact, if you install WooCommerce on a site without SSL, the plugin will repeatedly warn you that the site isn’t as secure as it should be.

You can install a free SSL certificate with Let’s Encrypt, either via your hosting provider’s dashboard or by using a plugin. See our guide to SSL to find out how to do it.

WordPress

How to Install an SSL Certificate to Secure WordPress

Rachel McCollin

9. Install a Security Plugin

If you want to have ultimate control over security in your site and monitor it for any problems, then it’s a good idea to install a security plugin.

Security plugins will monitor your site for downtime or security breaches and email you if there are any problems. They’ll also let you configure security settings to harden your site and make it even tougher for hackers to get in.

There’s a range of free security plugins available via the plugin directory, but if you want extra protection, it can be a good investment to install a premium plugin. This way you get access to advanced features like enhanced firewall protection, IP and country blocking, and help getting your site back online off it’s hacked.

You can learn more about security plugins a lesson from my free course on Essential WordPress Plugins: Why You Need a WordPress Security Plugin and Some of the Options

FREE

WordPress

Essential WordPress Plugins

Rachel McCollin

10. Use a Security Service

You can also sign up to a security service like Sucuri that will monitor your site and help you fix it if it’s hacked or goes down. This can seem expensive—but if your site is breached, the time you will save and the potential business you might lose will make it worth your while.

Cloudflare is another service that was initially designed to help boost website performance, but also has a security service that will monitor your site, help you keep it secure, and fix it for you if it’s hacked. This is a good option if you also want to take advantage of Cloudflare’s content delivery network, which will help your site run faster.

Summary

Keeping your WordPress site secure is an essential part of website management. If your site was to be hacked or break after an update, you could lose hours or maybe days fixing it. And if you have to pay someone to fix it for you, that can be expensive.

If you follow the tips above, you’ll be able to protect your site from the majority of security risks and rest easy in the knowledge that your site is running smoothly and not being hacked. How far you decide to go and how much you can spend on security will depend on your site and your budget, but you should certainly use secure passwords and keep your site updated as a bare minimum.