As WordPress is a self-hosted CMS, the onus of its security is up to the user or the hosting company. If the user doesn’t take precautions to protect his/her website and if the site is hacked, the user may have to hire a WordPress security expert or a company that fixes hacked sites. The site will also be marked as hacked by Google. To make sure that its user doesn’t visit the hacked site, Google will display the “this site may be hacked” message beside your site’s name in its search result pages.
How to secure WordPress sites? The answer to this question is in the below paragraphs:
WordPress security tips to secure WordPress sites
- Check and block
- Use a security plugin
- Use the latest version of a theme or a plugin
- Don’t use something that you have not paid for
- Disable XML-RPC
- Back up the server files and database regularly
- Use hosting that offers malware scanning and removal service
- Check WordPress site health often
- Use firewall (if possible)
- Use Cloudflare
WordPress security tips to secure WordPress sites
Check and block
Log files make you aware of the users that are trying to get access to your WordPress dashboard. It is easy to identify the failed login attempts. You just have to find out the IP address that has requested the WordPress login/wp-admin page repeatedly. Once you find the IP, you can block it with IP Tables or Firewalld. If you don’t want to check log files often, you can use the Fail2Ban tool. Fail2Ban can monitor the server log files and block IPs that are repeatedly requesting an important page/file of your site such as the login page, XMLRPC PHP file. If you don’t have root access, you can use a WordPress security plugin that will do this job for you. You can also reduce unauthorized login attempts on your WordPress site by using a captcha plugin. The plugin asks you to generate Google ReCaptcha site/security keys and enter them in its settings interface. Once you enter the valid keys and click the submit button, the person who tries to log in to our site will have to solve Google’s sophisticated Captcha challenge to enable the “login” button.
Use a security plugin
WordPress security plugins can identify modified core WordPress files and fix them by replacing the modified file with the original one. They can also scan your site for security issues, block IP addresses, filter malicious requests, add a two-factor authentication system to your site, etc. The WordPress rating system and download statistics help users in identifying the best security plugin among the lot. Go through the plugin’s rating and review and install the plugin of your choice. Installation isn’t enough. You must configure the plugin so that it can protect your site.
Use the latest version of a theme or a plugin
Security experts find loopholes in the WordPress themes and plugins and share their discovery with the developers. The developers fix the issue by introducing a new update. The WordPress CMS allows you to see the changelog of the plugin. Before updating the plugin, you can see the changelog to see if the update was introduced to fix a security issue. If the update has been introduced to address a critical security issue, you must update the plugin/theme.
Don’t use something that you have not paid for
You might come across a site that allows you to download premium WordPress themes and plugins for free. You should never download files from such sites unless the website is running a giveaway campaign or is owned by a trustworthy company or a person. This is because the theme/plugin may have malicious code.
Unless you’re using a plugin that works only when XML RPC is active, you can disable the XML RPC feature of the WordPress CMS. You can do so by configuring the Apache/Nginx server to throw 503/404/403 error when a user/bot tries to access the XML RPC PHP file or install and use a plugin that will disable it.
Back up the server files and database regularly
Although the above tips will keep your site safe, you should always be ready for the worst. If some files on the server have been modified by a plugin or a malicious code of a theme, a backup will be a lifesaver for you. The backup will restore the original file and will fix the issue that has affected your site. If you’re using a shared hosting company, you’ll be able to back up your entire site from the CPanel. Cloud hosting companies allow uses to create snapshots of the entire OS. You can also backup your site/files manually with the Mysqldump command-line utility.
Use hosting that offers malware scanning and removal service
Some hosting companies fix malware issues on their client’s website for free or they offer malware removal service as a paid add-on. When your site is affected by malware, you can ask the company’s staff to remove the malware for you. Siteground and WPX Hosting are two companies that I’m aware of that offer malware removal services to users.
Check WordPress site health often
The WordPress CMS has a section called “Site Health” that makes you aware of useful tips such as removing inactive themes/plugins, updating an outdated version of WordPress, etc. It also displays the reason for the same. If you visit the “Site Health” section often and follow the suggestions displayed there, your site will be secure. To access the “Site Health” interface, log in to the WP dashboard and hover your mouse cursor on the “Tools” menu. Now, click the “Site Health” option.
Use firewall (if possible)
You can configure firewalls to block access to all ports excluding the port 44, 80, and the SSH. The firewall will run in the background and will do its job 24 x 7. To install and use a firewall, you may require root/sudo access to the server. Shared hosting companies won’t allow users to log in as root. Unmanaged/managed hosting companies may allow you to do so.
Cloudflare has a sophisticated and proven anti-DDOS system. It can also prevent malicious IPs from accessing your website pages by making the users solve captcha problems. Cloudflare offers free and premium services. CF’s free services include SSL, CDN, DNS hosting, Analytics, etc. To enjoy advanced security and performance features, you can buy the premium plan of Cloudflare.
Final thoughts: Although WordPress is a great content management system, it doesn’t have a firewall, IP blocker, 2FA enabler, backup tool, etc built-in. This is the reason why you must use some third-party services, tools and install plugins to protect your WordPress site. If you want to secure your site, make sure that you follow the tips I’ve shared above.