How to make a secure website with WordPress in 2020.
Starting your own WordPress site is pretty easy these days. Unfortunately, it doesn’t take long for hackers to attack your site.
The best way to secure your WordPress site is to understand all the vulnerabilities that come with starting a WordPress site. Then set up an appropriate security system to block hackers at each of these points.
In this article, you will learn how to better protect your domain and your WordPress login, and which tools and plugins are available to secure your WordPress site.
Create a Private Domain
It is very easy these days to find an affordable domain and buy it at a very low price. Most people never buy any additional protection for their domain. However, there is one add-on you should always consider: Privacy Shield.
GoDaddy, for example, offers three levels of privacy protection, and they roughly match what most domain registrars offer.
- Basic: Hides your name and contact information from the WHOIS directory. This is only available if your government allows you to hide domain contact information.
- Complete: Replace your information with an alternate email address and contact information to hide your real identity.
- Ultimate: Extra security that blocks malicious domain scans and includes monitoring the security of your real site.
Typically, to upgrade a domain to one of these security levels, it is sufficient to select the upgrade from the drop-down list on the domain list page.
Basic domain protection is pretty cheap (typically around $9.99 per year), while the higher levels aren’t much more expensive.
This is a great way to stop spammers from scraping your contact information from the WHOIS database, or other malicious individuals who want to access your contact information.
Hide wp-config.php and .htaccess Files
When you first install WordPress, you will need to provide the admin ID and password for your WordPress SQL database in the wp-config.php file.
This data is encrypted after installation, but you also want to prevent hackers from editing this file and hacking into your site. To do this, find and edit the .htaccess file in the root folder of your site and add the following code to the end of the file.
# protect wp-config.php (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead)
<Files wp-config.php>
order allow,deny
deny from all
</Files>
To protect the .htaccess file itself, add the following to the end of the file as well.
# protect .htaccess
<Files .htaccess>
order allow,deny
deny from all
</Files>
Save the file and exit the file editor.
You can also right-click each file in your host’s file manager and change its permissions to remove write access for everyone.
While doing this with wp-config.php shouldn’t cause any problems, doing it with .htaccess can, especially if you are using a WordPress security plugin that needs to edit the .htaccess file for you.
If you get any errors from WordPress, you can always update the permissions to allow write access to the .htaccess file again.
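As an added example (not from the article), a small POSIX shell script that applies both of the steps above to a WordPress root and then audits the result; the directory path, the marker comment and the function names are my own choices.

```shell
#!/bin/sh
# Added example (not from the article): harden and then audit a WordPress
# root. DIR is assumed to contain wp-config.php and .htaccess; the marker
# comment and function names are my own choices.
set -eu

# Apache 2.2-style deny rules, wrapped in <Files> so that only these two
# files are blocked instead of the whole site.
HARDEN_MARKER='# wp-hardening: protect wp-config.php and .htaccess'
harden_rules() {
    cat <<EOF
$HARDEN_MARKER
<Files wp-config.php>
order allow,deny
deny from all
</Files>
<Files .htaccess>
order allow,deny
deny from all
</Files>
EOF
}

# Append the rules once (re-running must not duplicate them), then remove
# write access to wp-config.php for everyone, as the article suggests.
harden_wp_root() {
    dir=$1
    if ! grep -qF "$HARDEN_MARKER" "$dir/.htaccess" 2>/dev/null; then
        harden_rules >> "$dir/.htaccess"
    fi
    chmod a-w "$dir/wp-config.php"
}

# Octal mode of a file: GNU stat first, BSD stat as a fallback.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Audit: returns 0 when both checks pass, otherwise 1 with one FAIL line
# per problem. A mode digit of 2, 3, 6 or 7 carries the write bit.
audit_wp_root() {
    dir=$1; rc=0
    if ! grep -qF '<Files wp-config.php>' "$dir/.htaccess" 2>/dev/null; then
        echo "FAIL: .htaccess does not block wp-config.php"; rc=1
    fi
    case "$(file_mode "$dir/wp-config.php")" in
        *[2367]*) echo "FAIL: wp-config.php is writable"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $dir passes both checks"
    return "$rc"
}
```

Run it as `harden_wp_root /path/to/wordpress && audit_wp_root /path/to/wordpress`; if a security plugin later complains about .htaccess, restore write access to that file only.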
Change Your WordPress Login URL
Since the default login page for every WordPress site is yourdomain.com/wp-admin, hackers will use this URL to try to hack your site.
They will do this through what are called brute force attacks, where they submit variations of the typical usernames and passwords that many people commonly use. The hackers hope they get lucky and get the right combination.
You can stop these attacks completely by changing your WordPress login URL to something non-standard.
There are many WordPress plugins to help you with this. One of the most common is WPS Hide Login.
This plugin adds a section to the General tab under Settings in WordPress.
There you can enter any login URL and select “Save Changes” to activate it. The next time you want to log into your WordPress site, use this new URL.
If someone tries to access your old wp-admin url, they will be redirected to your site’s 404 page.
Note: if you are using a caching plugin, remember to add the new login URL to its list of pages excluded from caching. Then clear your cache before logging into your WordPress site again.
Install a WordPress Security Plugin
There are many WordPress security plugins to choose from. Of all of these, Wordfence is the most downloaded for a good reason.
The free version of Wordfence includes a powerful scanning engine that looks for backdoors, malicious code in your plugins or your website, SQL injection threats, and more. It also includes a firewall to block active threats such as DDoS attacks.
It will also allow you to stop brute-force attacks by limiting login attempts and blocking users who make too many incorrect login attempts.
There are quite a few settings available in the free version, more than enough to protect small to medium-sized websites from most attacks.
There is also a useful dashboard page that you can view to track down recent threats and attacks that have been blocked.
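Whether you rely on a hidden login URL or on Wordfence’s login limiting, it helps to know what a brute-force attempt looks like in your own access logs. This added example (not from the article or from Wordfence) counts failed POSTs to wp-login.php per client IP over constructed combined-format log lines; the threshold and the sample addresses are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the article or from Wordfence): flag clients
# that hammer the WordPress login form, using combined-format access logs.
# A failed login is a POST to /wp-login.php answered with 200 (the form is
# re-rendered); a successful one is answered with a 302 redirect, so only
# the 200s are counted. Threshold and addresses are my own choices.

# Constructed sample log (documentation addresses): 203.0.113.7 fails six
# times, 192.0.2.9 mistypes once, 198.51.100.4 logs in successfully.
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3451
203.0.113.7 - - [10/Mar/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3451
203.0.113.7 - - [10/Mar/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3451
203.0.113.7 - - [10/Mar/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3451
203.0.113.7 - - [10/Mar/2020:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3451
203.0.113.7 - - [10/Mar/2020:10:00:04 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3451
192.0.2.9 - - [10/Mar/2020:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3451
198.51.100.4 - - [10/Mar/2020:10:02:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3102
198.51.100.4 - - [10/Mar/2020:10:02:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0'

# Read log lines from stdin and print "ip count" for every client whose
# failed login POSTs reach the threshold (default 5), sorted by IP.
flag_login_bruteforce() {
    threshold=${1:-5}
    awk -v t="$threshold" '
        # $6 is the quoted method, $7 the request path, $9 the status.
        $6 == "\"POST" && index($7, "/wp-login.php") == 1 && $9 == 200 {
            fails[$1]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }
    ' | sort

}

# Example run over the constructed sample (prints "203.0.113.7 6"):
printf '%s\n' "$SAMPLE_LOG" | flag_login_bruteforce 5
```

On a live server, feed it the real log instead, e.g. `flag_login_bruteforce 20 < /var/log/apache2/access.log`, and compare the flagged addresses with what Wordfence has already blocked.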
Use the WordPress Password Generator and 2FA
The last thing you want is for hackers to easily guess your password. Unfortunately, too many people use very simple passwords that are easy to guess. Some examples include using the website name or your own username as part of the password, or not using any special characters.
If you’ve upgraded to the latest version of WordPress, you have access to powerful password protection tools to protect your WordPress site.
The first step to making your password more secure is to go to every user on your site, scroll down to the “Account Management” section, and click the “Create Password” button.
This will generate a long and very strong password that includes letters, numbers and special characters. Save this password in a safe place, preferably in a document on an external drive that you can disconnect from your computer while you are online.
Select Log Out Anywhere to close all active sessions.
Finally, if you have installed the Wordfence security plugin, you will see an Activate Two-Factor Authentication button. Select this option to enable two-factor authentication for your user accounts.
If you are not using Wordfence, you will need to install one of these popular 2FA plugins instead.
- Google Authenticator
- Two-Factor Authentication
- Rublon Two-Factor Authentication
- Duo Two-Factor Authentication
Other Important Security Considerations
There are a few other things you can do to fully secure your WordPress site.
Both your WordPress plugins and the WordPress core itself must be kept up to date. Hackers often try to exploit vulnerabilities in older versions of the code on your site. If you don’t update both of these, your site is at risk.
1. Regularly open Plugins > Installed Plugins in your WordPress admin panel and check every plugin for a new-version notice.
When you see one that is out of date, choose Update Now. You may also want to consider enabling automatic updates for your plugins.
However, some people are wary of this, as plugin updates can sometimes break your site or theme. Therefore, it’s always a good idea to test plugin updates on your local WordPress test site before enabling them on your live site.
2. When you enter your WordPress dashboard, you will see a notification that WordPress is out of date if you are using an older version.
Again, back up your site and restore the backup to a local test site on your computer to make sure the WordPress update doesn’t break your site before you apply it on your live site.
3. Take advantage of the free security features of your web host. Most web hosts offer a variety of free security services for the sites you host there. They do this because it not only protects your site, but also keeps the entire server secure. This is especially important if you are using a shared hosting account where other customers have sites on the same server.
These often include free SSL certificate installation for your site, free backups, the ability to block malicious IP addresses, and even a free site scanner that will regularly scan your site for malicious code or vulnerabilities.
Starting a website is never as easy as installing WordPress and just posting content. It’s important to make your WordPress site as secure as possible. All of the tips above will help you do this effortlessly.