One of the things we neglect most when we start a blog is the essential security measures in WordPress, because we have more "important" things to deal with, or so we believe.
What is more important than your blog not being attacked, not losing all your work to an incompatibility, or being able to restore an older version in one click? Nothing.
How to secure a WordPress website from hackers?
1. Update everything
Every update of WordPress, your theme and your plugins fixes vulnerabilities and closes the door to intruders. Hence the importance of updating. In addition, your website will work better, look better and gain functionality.
The only problem you may run into when updating is that new versions of some plugins can be incompatible with WordPress or with other plugins. To be covered against this, I recommend making a backup before updating, so you can always go back to a point where those incompatibilities did not exist.
2. Make regular and automatic backups
Backups are like when you're playing a video game, the enemy defeats you and you load an older save to rethink your strategy. The difference is that this is real life, not a game, so don't take it as a joke. Your business is at stake, pun intended 😊
Any decent hosting provider makes automatic backups, but it is still recommended to have your own. And if you automate this task, you will not have to remember to make backups every so often.
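The automatic backup described above, as an added example that is not part of the original post: a small shell routine that archives the WordPress files, dumps the database when the tooling is present, and prunes old archives so the disk does not fill up. The paths, the WP_DB_NAME/WP_DB_CNF variables and the cron line are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the post): a minimal backup routine for a WordPress
# site, meant to be called from cron so that backups happen without you having
# to remember them. Paths, the WP_DB_* variables and the credentials file are
# assumptions, not values from the article.

# backup_wordpress SITE_DIR BACKUP_DIR -> prints the path of the new file archive
backup_wordpress() {
    site_dir=$1                       # WordPress root, e.g. /var/www/html (assumed)
    backup_dir=$2                     # where archives are kept, e.g. /var/backups/wp (assumed)
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$backup_dir"
    archive="$backup_dir/wp-files-$stamp.tar.gz"
    # The files: themes, plugins, uploads and wp-config.php all live under the root.
    tar -czf "$archive" -C "$(dirname "$site_dir")" "$(basename "$site_dir")"
    # The database: dumped only when mysqldump and a database name are available.
    # Credentials come from a [client] section in WP_DB_CNF (assumed path) rather
    # than from the command line, so they do not show up in the process list.
    if command -v mysqldump >/dev/null 2>&1 && [ -n "$WP_DB_NAME" ]; then
        mysqldump --defaults-extra-file="$WP_DB_CNF" --single-transaction "$WP_DB_NAME" \
            | gzip > "$backup_dir/wp-db-$stamp.sql.gz"
    else
        echo "note: database not dumped (mysqldump or WP_DB_NAME missing)" >&2
    fi
    echo "$archive"
}

# prune_backups BACKUP_DIR KEEP -> deletes all but the KEEP newest file archives
prune_backups() {
    backup_dir=$1
    keep=$2
    ls -1t "$backup_dir"/wp-files-*.tar.gz 2>/dev/null | tail -n +"$((keep + 1))" |
    while read -r old; do
        rm -f -- "$old"
    done
}

# When saved as /usr/local/bin/wp-backup.sh (assumed), this cron line runs it nightly at 03:00
# and keeps two weeks of archives:
# 0 3 * * * /bin/sh /usr/local/bin/wp-backup.sh run /var/www/html /var/backups/wp
if [ "$1" = run ]; then
    backup_wordpress "$2" "$3"
    prune_backups "$3" 14
fi
```

The database step is separate from the file archive on purpose: a backup that contains the files but not the posts (or the other way round) is not one you can restore from in one click.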
3. Protect WordPress login
By default, WordPress assigns the username 'admin'. That means the first username hackers try is 'admin'. So do yourself a favour and choose a different one. Don't use the name of your website or your domain either.
Another very important aspect is the password. Don't use '123456' or 'qwerty' or any sequence of characters so common that even your grandmother knows it.
The password must have at least 8 characters, with lowercase and uppercase letters, numbers and a special character. And how do I get all of that?
Use an acronym. This is the technique I use: make up a phrase that is easy for you to remember, take the first letter of each word, capitalize the first letter, and add a number and a special character at the end.
Example of strong password: EbdAGmm17 #
Explanation of the password: Arturo García’s blog is very cool 2017 #
Of course, do not use this password, because it is already posted on the Internet and is more public than the bus. Stick with the technique; it is very useful.
Another option to get strong passwords is to use online generators that create the keys for you.
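The acronym technique and the password rules above, as an added example that is not part of the original post: a shell function that builds the password from a phrase exactly as described (first letter of each word, first one capitalised, number and special character appended), and a second one that checks any password against the stated policy and rejects the common sequences the article names. The phrase, number and symbol in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the post): build a password from a phrase the way
# the article describes and check it against the policy it states
# (at least 8 characters, lowercase, uppercase, a digit and a special character).
# The phrase, number and symbol used in the demo are constructed.

# acronym_password PHRASE NUMBER SPECIAL
# Takes the first letter of each word, capitalises the first one, then appends
# the number and the special character.
acronym_password() {
    phrase=$1
    number=$2
    special=$3
    core=$(printf '%s\n' "$phrase" | awk '{
        s = ""
        for (i = 1; i <= NF; i++) s = s substr($i, 1, 1)
        print toupper(substr(s, 1, 1)) substr(s, 2)
    }')
    printf '%s%s%s\n' "$core" "$number" "$special"
}

# check_password PASSWORD -> returns 0 if it meets the policy, otherwise prints
# the reasons it fails and returns 1.
check_password() {
    pw=$1
    problems=""
    [ "${#pw}" -ge 8 ]                         || problems="$problems shorter-than-8"
    printf '%s' "$pw" | grep -q '[a-z]'        || problems="$problems no-lowercase"
    printf '%s' "$pw" | grep -q '[A-Z]'        || problems="$problems no-uppercase"
    printf '%s' "$pw" | grep -q '[0-9]'        || problems="$problems no-digit"
    printf '%s' "$pw" | grep -q '[^A-Za-z0-9]' || problems="$problems no-special"
    # Sequences the article calls out are rejected even if the rules above pass.
    case "$pw" in
        *123456*|*qwerty*|*password*) problems="$problems common-sequence" ;;
    esac
    if [ -n "$problems" ]; then
        echo "weak:$problems"
        return 1
    fi
    return 0
}

# Demo with a constructed phrase:
pw=$(acronym_password 'my dog Rex eats three apples daily' 21 '!')
echo "$pw"                          # MdRetad21!
check_password "$pw" && echo "ok"
check_password '123456' || true     # weak: shorter-than-8 no-lowercase no-uppercase no-special common-sequence
```

The check is deliberately a set of independent rules that each append a reason, so the output tells you which rule a candidate password failed rather than just rejecting it.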
Path – URL
Change the path to the WordPress admin panel. By default it is yourdomain.com/wp-admin, which is one more thing that makes life easy for intruders.
Block access from other countries
If you are in Spain, what is the point of having your control panel accessible from Ukraine, China or Russia? None.
So it is advisable to block access to all countries other than yours. Rest assured, you are not going to block access to your blog but to the WordPress admin panel. For this, I recommend using the Admin Block Country plugin.
Limit login attempts
One way to attack your website is by brute force: an attack that consists of trying thousands of usernames and passwords against your WordPress login. There is, however, a very simple way to counter this threat: with Loginizer you can limit login attempts.
Choose a small number that still leaves you some margin (for example, 3 or 5), since you may occasionally mistype your password, and if you reach the limit the plugin will block you too.
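The brute-force attack described above, seen from the server side, as an added example that is not part of the original post: Loginizer counts attempts inside WordPress, but the web server's access log lets you see who has been hammering the login and whether any of them eventually got in. The log lines below are constructed, and the parsing assumes the common "combined" log format of Apache and nginx.

```shell
#!/bin/sh
# Added example (not from the post): find brute-force attempts against the
# WordPress login in a web server access log. The lines below are constructed
# and use the "combined" format of Apache and nginx (assumption):
#   ip - - [date] "METHOD path proto" status bytes "referer" "user-agent"
SAMPLE_LOG='203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2024:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3980 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2024:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2024:10:07:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2024:10:07:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2024:10:07:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"'

# login_offenders LOGFILE [THRESHOLD]
# Prints "ip attempts successes" for every IP with THRESHOLD or more POSTs to
# wp-login.php or xmlrpc.php (default 5). For wp-login.php a failed login is
# answered with 200 (the form again) and a successful one with a 302 redirect
# to wp-admin, so a line with many attempts AND successes > 0 is the one to
# act on first: that account's password needs changing, not just the IP blocking.
login_offenders() {
    logfile=$1
    threshold=${2:-5}
    awk -v n="$threshold" '
        $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) {
            posts[$1]++
            if ($9 == 302) ok[$1]++
        }
        END {
            for (ip in posts)
                if (posts[ip] >= n) printf "%s %d %d\n", ip, posts[ip], ok[ip] + 0
        }
    ' "$logfile" | sort
}

# Demo on the constructed lines:
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
login_offenders "$demo_log" 5      # 203.0.113.7 6 1
rm -f "$demo_log"
```

The legitimate user (198.51.100.4) makes one POST and is never listed; the xmlrpc.php client only shows up once the threshold is lowered to 3, which is why the threshold is a parameter rather than a constant.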
4. Erase all tracks
One of the best ways to make your website harder to attack is to hide as much information as possible about the CMS you use, its version, your plugins, your theme and anything else that reveals what you are running.
First of all, delete all the content that comes by default: the "Hello world" post, the sample page and the typical, pointless comment. Then remove the default plugins. Every installation includes two: Hello Dolly and Akismet. The first is of no use, and the second of little.
Hello Dolly is a plugin created by WordPress founder Matt Mullenweg because he likes the Louis Armstrong song. All it does is display a random line of the lyrics in the control panel.
Akismet is an antispam plugin, but it lets too many spam comments through, so it is recommended to delete it and install a more reliable one, such as WP-Spam Shield or Anti-spam.
Finally, the WordPress installation includes a couple of files that do nothing but hand information to anyone who wants to hack your website, so access your hosting and delete them without batting an eye. The files are readme.html and wp-config-sample.php (IMPORTANT: not to be confused with wp-config.php).
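The file clean-up above, as an added example that is not part of the original post: a shell function that deletes the two files the article names from a WordPress root and refuses to run anywhere that does not contain wp-config.php, so the important file is never touched by mistake, plus a quick count of the version leaks left in a saved copy of your home page. The paths used in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the post): remove the two files the article names,
# readme.html and wp-config-sample.php, from a WordPress root, refusing to run
# anywhere that does not look like a WordPress root so wp-config.php is never
# touched by mistake. Also counts the version leaks left in a saved copy of
# your home page. All paths in the demo are constructed.

# remove_leak_files WP_ROOT -> prints "removed: <files>", returns 2 if WP_ROOT is not a WordPress root
remove_leak_files() {
    root=$1
    removed=""
    # A real WordPress root contains wp-config.php; it is also the file we must never delete.
    if [ ! -f "$root/wp-config.php" ]; then
        echo "refusing: $root/wp-config.php not found, is this really a WordPress root?" >&2
        return 2
    fi
    for f in readme.html wp-config-sample.php; do
        if [ -f "$root/$f" ]; then
            rm -f -- "$root/$f"
            removed="$removed $f"
        fi
    done
    echo "removed:$removed"
}

# version_leaks HTML_FILE -> number of lines that reveal the WordPress version:
# the generator meta tag and "?ver=" query strings on scripts and stylesheets.
# (Assumption: HTML_FILE is a saved copy of a page, e.g. curl -s https://example.com/ > home.html)
version_leaks() {
    grep -c -i -e 'name="generator"' -e '?ver=' "$1" || true
}

# Demo on a constructed fake WordPress root:
demo_root=$(mktemp -d)
: > "$demo_root/wp-config.php"
: > "$demo_root/readme.html"
: > "$demo_root/wp-config-sample.php"
remove_leak_files "$demo_root"                 # removed: readme.html wp-config-sample.php
ls "$demo_root"                                # wp-config.php
rm -rf "$demo_root"
```

Deleting the files only removes what lives on disk; the version is also printed into every page by the generator meta tag, which is removed in PHP with remove_action('wp_head', 'wp_generator') in the theme's functions.php. Run version_leaks on a saved copy of the home page before and after to confirm the count dropped.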
5. Eliminate what you don’t use
All the elements you don't use overload the server, which handicaps the speed of your website. In addition, each plugin and each theme you have installed is one more hole to cover, a potential vulnerability.
So remove everything you don't use. You can remove themes and plugins from the WordPress dashboard. Autosaved post revisions are not insecure, but they take up space in the database and on the hosting, so they slow down your website. Fix this problem at once with the WP-Optimize plugin.
6. Do not use anything without an original license
Avoid free-download pages for premium plugins and themes. If they are premium it is because they are paid, and if you are not paying, whoever offers them to you (besides committing a crime) is getting something out of it.
It may just be recognition from the pirating community as the Robin Hood of WordPress lovers. But in many cases what they do is inject malicious code that collects your username and password, or install code snippets that can jeopardize the security of your website.
So don't even think about downloading, much less installing, anything from these pirated download pages. If these risks don't seem enough, keep in mind that you will get no updates or support, so the danger grows exponentially.
7. Install an antivirus
Here you have two options: install a security suite or install only those small plugins that do what you need.
If you prefer the first option, iThemes Security or Wordfence are two good alternatives. The problem is that, since they have so many functions, they consume a lot of server resources and can bring your site down. Wordfence may also cause some incompatibility with Elementor.
So I recommend not installing them. It is enough to install a firewall that protects the sensitive WordPress folders, the administration ones. BBQ: Block Bad Queries is the best option and requires no configuration.
With this plugin, plus the ones we installed to protect the login, it is more than enough, especially if you have a good host that takes security seriously.
8. Hire secure hosting
Hosting is the home of your website. If you house your website in a shack, expect the consequences: theft, attacks, insecurity...
So don't risk it. Hire quality hosting that helps you keep your website safe... and sleep easy. Your hosting provider must be one of the fundamental pillars of your website's security.
9. Take advantage of HTTPS and SSL
The traditional web protocol is HTTP (Hypertext Transfer Protocol). HTTPS emerged later, adding a layer of security: the 'S' stands for "Secure". It works by installing an SSL certificate on your website (SSL stands for Secure Sockets Layer).
In this way, data travels encrypted between your visitors' browsers and your server. This makes your website more secure, both for you and for your visitors.
10. Use common sense
They say it is the least common of the senses, but it shouldn't be that way.
Act with caution in everything that has to do with your computer, your Internet connection and access to the control panel. Never connect to a public, open Wi-Fi network (one without a password). If you connect to a public network (such as the library's), configure it as a public or work network, never as a private network.
If you access your WordPress control panel from someone else's computer, always do so in incognito mode. That way the browser will not store any data related to your login (username, password and access URL).
It shouldn't be necessary for me to tell you to install an antivirus on your computer, but just in case, I will. Better if it is a paid one.
I guess you don't want a new WannaCry to hijack your computer and all its information. For about 40 euros a year you can have good protection on several devices. ESET and Bitdefender are two of the best options.
And if you want to check whether your website is infected, go to Sucuri and enter your domain.
Now, I am aware that you will read this post and think I am exaggerating and obsessed with security, but the day something serious happens to your website (and if you do not protect it properly, I assure you that day will come sooner or later), you will remember this post.
So I hope that after reading it you take the appropriate security measures, so that when you come back to this article it is only to say how much it helped you.