Tuesday, January 24, 2023

Secure your WordPress website

WordPress is the most-used platform for website management in the world. It powers almost 42% of the web (June 2021). While that is awesome, it also means that WordPress is the most targeted platform for hackers. When running a WordPress website, basic security is dealt with by the CMS, but there are things you can do yourself to make your website more secure.

That starts with your login. The default username in WordPress is admin, so change that first. Otherwise, a hacker’s first guess for your username is too easy. The same goes for your password. Passwords like 123456 and welcome01 are just not enough. Use a password manager like 1Password or LastPass and pick a 20+ character password instead. WordPress also has several plugins for two-factor verification, so adding that to your website is easy as pie as well. Please do it.

Of course, there is more you can do; please read our article detailing WordPress security in a few easy steps. We’ll highlight some of the recommendations below.

5.1. Make regular backups

The next thing we’d like you to do is create regular backups. If your site gets hacked or something else goes wrong, for instance when updating a plugin or theme, you need to be able to revert that change in a heartbeat. Regular backups make sure that this can be done.

In WordPress, there is a wide range of backup options to choose from. Several plugin developers have created excellent software solutions for you, so you don’t have the technical hassle of that backup.

5.2. Harden your setup

Hardening your setup starts with picking the right hosting company for your WordPress website. That’s just the start, as every host will do its best to help you out, but it’ll still be your responsibility to harden your setup. Also, tools like Cloudflare are good friends for any company/website.

An easy first step is to limit login attempts. By limiting the number of times people can try to log in to your website, closing your login form after five failed logins, for example, you harden your installation against brute-force attacks and other malicious acts targeting that form.
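As an added example (not code from the original post or from any WordPress plugin), here is a minimal must-use plugin that does what the paragraph describes: it counts failed logins per client IP and refuses authentication after five failures for 15 minutes. The file name, the `slal_` prefix and the tuning values are assumptions for this example; it is meant to be dropped into wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: Simple Login Attempt Limiter (added example)
 * Place this file in wp-content/mu-plugins/ so it loads on every request.
 */

// Constructed tuning values for this example; adjust to taste.
const SLAL_MAX_ATTEMPTS    = 5;    // lock after five failed logins
const SLAL_LOCKOUT_SECONDS = 900;  // 15 minutes

function slal_client_key() {
    // Key failures on the client IP. Behind a proxy or CDN such as Cloudflare,
    // REMOTE_ADDR is the proxy's address unless the server has been configured
    // to restore the real client IP, so do not blindly trust forwarded headers.
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'slal_' . md5($ip);
}

// Count a failed login for this client (fires on a wrong username or password).
// A transient stores the counter and expires on its own after the lockout window.
add_action('wp_login_failed', function ($username) {
    $key      = slal_client_key();
    $attempts = (int) get_transient($key);
    set_transient($key, $attempts + 1, SLAL_LOCKOUT_SECONDS);
});

// Clear the counter once the client logs in successfully.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(slal_client_key());
}, 10, 2);

// Refuse authentication while the client is locked out. Priority 30 runs after
// WordPress's own username/password and e-mail handlers (priority 20), so the
// lockout applies even when the submitted credentials happen to be correct.
add_filter('authenticate', function ($user, $username, $password) {
    $attempts = (int) get_transient(slal_client_key());
    if ($attempts >= SLAL_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 3);
```

Note that a login attempt made during the lockout also counts as a failure, so the 15-minute window restarts with every further attempt.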

The next thing you need to do is ensure that your WordPress install, including plugins and themes, is always up-to-date. Updates might fix security issues as well. Make sure to check for updates and keep your WordPress installation up-to-date regularly.

Another essential thing to realize is that you deal with security whenever you add a new user or writer to your WordPress install. There’s an article in the WordPress Codex regarding Roles and Capabilities you should read. It comes down to giving permissions only to those who need them, only when they need them, and only for as long as they need them. There is no need to give a guest blogger administrative rights to your website, right?

Authentication Keys and Salts work in conjunction to protect your cookies and passwords in transit between the browser and web server. Make sure to change these keys when installing a new WordPress instance.

Another easy fix we’d like to mention is ensuring your template files can’t be edited from the WordPress backend. You can do this in Appearance → Editor. When a hacker gets past your login form, this is the easiest way to add malicious code to your website. Hardening this involves changing your wp-config file.
