In this WordPress security post series, I introduce 6 security tips for WordPress websites, so that you can improve security on WordPress without advanced security knowledge. As website attacks become more common and more varied, WordPress security measures range from the basic to the very complicated. Before considering advanced methods, make sure you have followed these basic WordPress security tips to protect your site from hackers and spammers.
WordPress is the most popular and user-friendly content management system (CMS) available online. But because of its popularity, WordPress is terribly vulnerable to attacks. Once hackers gain access to your site, it’s gonna cost you a lot of traffic, money, and time to recover. So, it’s high time you made security a top priority.
Gentle reminder: Before trying any tip, you should carefully back up your site. In case anything goes wrong, you can still recover your site.
#1 Don’t use “admin” as admin username
WordPress sets “admin” as the default username for the administrator account, and many, many people still continue to use it. This is dangerous: hackers know this default admin username, so they only need to find out the password. A popular method is the brute force attack, which makes continuous attempts to log in to your site with username and password combinations. Therefore, hackers are one step closer to gaining access to your site if you use the “admin” username.
So instead of using “admin” for your administrator username, you’d better choose a hard-to-guess one.
Read more about 3 simple ways to change your default WordPress admin username.
#2 Use a strong password
Needless to say, an easy-to-guess password is as dangerous as the “admin” username. Thus, together with a hard-to-guess username, a strong password is highly recommended to protect your WP site. Here is what you need to do:
- Change passwords frequently
- Create strong passwords, like Q%Ew876F}nx28tW, or 1#3+7z]I9B=;?Gx. You can make one up yourself or use tools such as Strong Password Generator or Secure Password Generator.
- Store passwords and log in automatically using LastPass, 1Password, or Sticky Password.
Read about strong password ideas to secure your website.
#3 Limit login attempts
As I mentioned above, with the brute force attack, hackers will attempt to log in to your site by continuously trying random usernames and passwords until your admin account is cracked.
The second tip to prevent this kind of attack is to limit the number of times a person from a given IP address can try to log in within a specific period of time. There are plugins that help you do this, such as Login LockDown, iThemes Security or Sucuri Security.
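To show what such a plugin does under the hood, here is a small must-use plugin that counts failed logins per IP address and blocks further attempts for a while. It is an example added to this post, not code from Login LockDown or any other plugin named above; the xll_ prefix and the thresholds (5 failures, 15 minutes) are assumptions.

```php
<?php
/**
 * Plugin Name: Example login attempt limiter (added illustration)
 * Constructed example: the xll_ names and both thresholds are assumptions.
 */

const XLL_MAX_ATTEMPTS = 5;        // failed logins allowed per IP (assumed value)
const XLL_WINDOW       = 15 * 60;  // seconds the counter lives (assumed value)

// One counter per client IP. Behind a reverse proxy or CDN, REMOTE_ADDR is the
// proxy's address, so the proxy must be set up to pass the real client IP on.
function xll_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'xll_' . md5( $ip );
}

// Count each failed login. Every failure rewrites the transient, so the
// window restarts from the most recent failed attempt.
add_action( 'wp_login_failed', function () {
    $key      = xll_key();
    $failures = (int) get_transient( $key );
    set_transient( $key, $failures + 1, XLL_WINDOW );
} );

// Priority 30 runs after core's username/password check (priority 20), so the
// error below also rejects a correct password while the IP is locked out.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( xll_key() ) >= XLL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'xll_locked',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function () {
    delete_transient( xll_key() );
} );
```

Saved as a file in wp-content/mu-plugins/, this runs on every request. Attempts made during a lockout are still counted, so a client that keeps guessing stays locked out.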
Why and how to limit login attempts with Login LockDown.
#4 Pick a quality host
According to WP White Security, 41% of WP sites were hacked due to security vulnerabilities on the host. Using the hosting service of a well-known provider will improve security on WordPress.
This is even more necessary when you use a shared hosting service. One hacked website can seriously affect other websites in the same system.
Take a look at main web hosting security concerns you should consider when choosing a web host.
#5 Make sure your WordPress, themes, & plugins are up-to-date
Newer WP versions have bug fixes, probably new features, and most importantly, security fixes for vulnerabilities that existed in previous versions. If you still run your site on an old version, hackers will take advantage of this to attack your site through those security holes. So make sure you update WordPress to its latest version. If you’re worried that something might go wrong, make a database backup before installing the most recent WP version. The update itself is done quite easily and quickly. When there’s a new update, you will see the notification in the dashboard at Dashboard > Update.
The same applies to themes and plugins installed on your site. Install the latest versions of these themes and plugins. Otherwise, you leave your site exposed to known security holes.
You might want to know why you need to update to the latest version of WordPress.
#6 Set a backup schedule
Always prepare for the worst scenario. Be sure to have a scheduled backup (I mean on a regular basis) for your entire site. In case something goes wrong, at least you have the backup files to recover your site.
There are many reliable plugins out there to help you with site backup, including VaultPress, BackupBuddy or UpdraftPlus.
Read more details about the best WordPress backup plugins for your site.
All these 6 tips are important yet very easy to do. So spend some time on these security tips for WordPress websites to protect your site from attacks.
Images designed by Freepik.
Well, I would rather suggest a plugin too. Use JETPACK, it blocks most of the spam. For small blogs and sites JetPack does most of the work. I know it slows down the site, but if you want to try something for free, go for it.
Btw, backups do not make your site more secure.
Thanks for your nice article. Nowadays a strong password is not enough to protect your WordPress site from being hacked. Because hackers are really clever. They are smart enough to hack our sites although you have used a strong password. I think two-step verification is really helpful.
Well, I’d as a substitute endorse a plugin too. Use JETPACK, it blocks most of the spam. For small blogs and web sites JetPack does most of the work. I am aware it slows down the website online, but in case you need to strive something at no cost, go for it.