1 – Keep your WordPress website up to date.
The easiest way for an attacker to get into your site is through an outdated theme, plugin, or WordPress core itself. Keep WordPress up to date: each release ships security patches and bug fixes, and once a fix is public the flaw it closes is public too, so sites still running the old version become targets.
2 – Keep your Tech Stack up to date.
WordPress is built on PHP, which must be kept current as well. PHP is updated on the server that hosts the site (or by your hosting provider), not from the WordPress dashboard. The minimum PHP version that WordPress supports rises over time because old PHP branches stop receiving security fixes and become less stable. WordPress also needs a database server (MySQL or MariaDB) to store its content; keep that on a supported, patched release too.
3 – Use a Web Application Firewall
A web application firewall (WAF) inspects incoming HTTP requests and blocks those that match a defined set of rules (known exploit payloads, login floods, bad bots) before they reach WordPress. It can run as a plugin, as a web-server module, or at a CDN in front of the site. As cyber crime keeps rising and more businesses depend on their websites, a finely tuned WAF is a must for keeping WordPress security as tight as possible. Treat it as a compensating control, not a substitute for patching: it buys time against known attack patterns but cannot fix a vulnerable plugin.
4 – Use strong passwords and smart usernames
Bots scan a large number of websites every day. They look for WordPress logins and try the most common username and password combinations. They usually start with usernames such as “admin” or the site name (E.G “DEITG”) and then work through password lists until a combination works. Use a WordPress username that cannot be guessed from the site, and a long, unique password that a list attack will never reach (a password manager makes this painless). Bear in mind that WordPress reveals author usernames through the REST API and /?author=1 redirects unless you block them, so the password is the control that really matters.
5 – Automatically lock out failed logins
To blunt this kind of attack, temporarily block a client that enters the wrong password a set number of times. This step is crucial for your WordPress security: a bot that keeps getting locked out will usually move on to its next victim. Count failures per client address and username rather than per account alone, otherwise an attacker can lock your real users out by deliberately failing against their accounts.
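The lockout described above, implemented as a must-use plugin. This is an added example for this page, not code from the page's author; the hooks (authenticate, wp_login_failed, wp_login) and the transient functions are real WordPress APIs, while the thresholds and the example_ names are my own assumptions.

```php
<?php
/**
 * Plugin Name: Example login lockout
 * Description: Temporarily refuses logins from a client that keeps failing.
 * Install: copy to wp-content/mu-plugins/ (must-use plugins need no activation).
 *
 * Added illustration, not the page's own code. Thresholds below are assumptions.
 */

const EXAMPLE_LOCKOUT_MAX_ATTEMPTS = 5;                      // failures before lockout
const EXAMPLE_LOCKOUT_WINDOW       = 15 * MINUTE_IN_SECONDS; // how long failures are remembered
const EXAMPLE_LOCKOUT_DURATION     = 30 * MINUTE_IN_SECONDS; // length of the ban

/** Client address. Behind a reverse proxy, read the header your proxy sets instead. */
function example_lockout_client_ip(): string {
    return isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Counter key scoped to IP + username, so one bot cannot lock real users out of an account. */
function example_lockout_key(string $username): string {
    return 'example_lockout_' . md5(example_lockout_client_ip() . '|' . strtolower($username));
}

/**
 * Priority 30 runs after WordPress's own password check (priority 20), so a banned
 * client is refused even when the password happens to be right.
 */
add_filter('authenticate', function ($user, $username, $password) {
    if ($username === '') {
        return $user;
    }
    $state = get_transient(example_lockout_key($username));
    if (is_array($state) && $state['locked_until'] > time()) {
        $wait = (int) ceil(($state['locked_until'] - time()) / MINUTE_IN_SECONDS);
        return new WP_Error('too_many_attempts',
            sprintf('Too many failed logins. Try again in %d minute(s).', $wait));
    }
    return $user;
}, 30, 3);

/** wp_authenticate() fires this for every failure (login form, XML-RPC, REST); count it. */
add_action('wp_login_failed', function ($username) {
    $key   = example_lockout_key((string) $username);
    $state = get_transient($key);
    if (!is_array($state)) {
        $state = ['count' => 0, 'locked_until' => 0];
    }
    $state['count']++;
    $ttl = EXAMPLE_LOCKOUT_WINDOW;
    if ($state['count'] >= EXAMPLE_LOCKOUT_MAX_ATTEMPTS) {
        $state['locked_until'] = time() + EXAMPLE_LOCKOUT_DURATION;
        $ttl = EXAMPLE_LOCKOUT_DURATION;
        // Worth alerting on: repeated lockouts from one address are a brute-force signature.
        error_log(sprintf('example-lockout: %s locked out for user "%s" after %d failures',
            example_lockout_client_ip(), $username, $state['count']));
    }
    set_transient($key, $state, $ttl);
});

/** A successful login clears the counter for that IP/username pair. */
add_action('wp_login', function ($user_login) {
    delete_transient(example_lockout_key((string) $user_login));
});
```

Because the counter lives in a transient it survives across requests and works with any object cache. A lockout at the PHP layer still costs you a request per guess; for large botnets that rotate addresses, pair it with a WAF or a fail2ban-style rule on the web server that watches for the same log line.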
6 – Hide your WordPress login area
Prevention is better than cure, and moving the login page from the default /wp-login.php to a custom URL removes most of the automated traffic from your login form. Share the new URL only with users who need access to the WordPress admin area. Treat this as noise reduction rather than protection: a hidden URL is obscurity, not authentication, and XML-RPC and the REST API still accept credentials unless you disable them.
7 – Change the Default Database Prefix
When WordPress creates its database it prefixes every table name with “wp_” (wp_users, wp_options and so on), so the table names of a default install are public knowledge. Changing the prefix to something unique (set $table_prefix in wp-config.php before installing) defeats canned exploit scripts that hard-code wp_users to dump the user list. Be clear about what it does not do: SQL injection, a long-running type of exploit, is a flaw in the code that builds queries, and an attacker who finds one can read the real table names from information_schema regardless of the prefix. The prefix change is a speed bump; the real protection is keeping plugins patched and using prepared statements ($wpdb->prepare) in any code you write.
8 – Disable XML-RPC
The file xmlrpc.php is WordPress's remote-publishing API, built so you could post from desktop clients and mobile apps when you were not at your computer. Since WordPress 3.5 (2012) it has been enabled by default and the on/off setting was removed; today it is needed mainly by Jetpack and the WordPress mobile apps. The problem is that it authenticates with the username and password on every call, and its system.multicall method lets an attacker pack hundreds of login guesses into a single HTTP request, sidestepping lockouts that count requests. If you do not use it, disable it; it belongs on every developer's WordPress security checklist.
9 – Disable Trackbacks and Pingbacks
Pingbacks and trackbacks are notifications that one website has linked to another. They are harmless in principle, but they are easily abused: trackbacks are a classic comment-spam channel, and the pingback.ping XML-RPC method makes your server fetch whatever URL the caller names, which has been used both to turn WordPress sites into reflectors for DDoS attacks on third parties and to flood the site itself with requests. Disabling both keeps the site as secure as possible and stops the spam load from slowing it down.
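Items 8 and 9 both hinge on xmlrpc.php, so one must-use plugin serves both. This is an added example for this page, not code from the page's author; the filters (xmlrpc_enabled, xmlrpc_methods, wp_headers, pings_open) and the method names are real WordPress facilities, and EXAMPLE_DISABLE_XMLRPC is my own switch.

```php
<?php
/**
 * Plugin Name: Example XML-RPC and pingback hardening
 * Install: copy to wp-content/mu-plugins/.
 *
 * Added illustration, not the page's own code. Pick one of the two modes below.
 */

// Assumption: true if nothing on the site needs XML-RPC (Jetpack and the mobile apps do);
// false to keep the endpoint but strip the methods attackers care about.
const EXAMPLE_DISABLE_XMLRPC = true;

if (EXAMPLE_DISABLE_XMLRPC) {
    // Mode A: every XML-RPC request gets a fault response before any method runs.
    add_filter('xmlrpc_enabled', '__return_false');
} else {
    // Mode B: keep XML-RPC for the app/Jetpack, remove the dangerous methods.
    add_filter('xmlrpc_methods', function (array $methods): array {
        // system.multicall lets one HTTP request carry hundreds of login guesses.
        unset($methods['system.multicall']);
        // pingback.ping makes this server fetch arbitrary URLs (reflection / DoS).
        unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
        return $methods;
    });
}

// Stop advertising the endpoint: the X-Pingback header on every page and the
// <link rel="EditURI"> discovery tag in the head both point bots at xmlrpc.php.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');

// Item 9: treat every post as closed to pingbacks and trackbacks, whatever the
// stored per-post setting says. Both wp-trackback.php and pingback.ping check this.
add_filter('pings_open', '__return_false', 10, 2);

// ...and do not send pingbacks to sites you link to either.
add_filter('pre_option_default_pingback_flag', '__return_zero');
```

Disabling XML-RPC with the filter still lets the request reach PHP and bootstrap WordPress, so for a site under sustained bombardment add a web-server rule that denies xmlrpc.php outright; the filter is the safety net that keeps the endpoint closed even if that rule is lost during a migration.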
10 – Multifactor authentication
One of the strongest WordPress security controls we can recommend is multi-factor authentication (MFA) for the back-end of your site. After entering the password, the user must also present a second factor: a push approval on a mobile device, a one-time code from an authenticator app, or a hardware security key. It adds a step to every login, but a guessed, phished, or leaked password alone no longer gets anyone in, and the prompt itself tells you in real time when someone is trying.
Disable your file editor – WordPress lets administrators edit theme and plugin PHP from the dashboard. Set DISALLOW_FILE_EDIT to true in wp-config.php: even if an attacker obtains an admin session, they cannot turn the editor into a PHP shell, which limits the damage they can do.
Update Security Keys – Rotate the security keys and salts (AUTH_KEY, SECURE_AUTH_KEY and the rest) in wp-config.php. They sign login cookies, so changing them invalidates every existing session; do it after any suspected compromise, not only on a schedule.
Prevent Information Disclosure – Keep details of your WordPress, server and security set-up private. Never leave a phpinfo() page reachable from the internet, and suppress version banners such as the WordPress generator tag and the PHP X-Powered-By header. If an attacker knows your exact tech stack, they know which exploits to try first.
Prevent PHP Execution – Only the WordPress application directories should be allowed to execute PHP. The uploads directory (wp-content/uploads) is writable by the web server and is where a file-upload flaw lands a web shell, so configure the web server to refuse to run .php files from it.
Manage Login Duration – By default a login cookie lasts 2 days, or 14 days when “Remember Me” is ticked. Shorten both (the auth_cookie_expiration filter controls them) to well under a week, so a stolen cookie or an unattended browser stays useful for less time.
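The configuration side of this list, together with the automatic updates behind items 1 and 2, as one added example for this page rather than the page's own or WordPress's shipped configuration. The constants, filters and the salt-generator URL are real WordPress facilities; the cookie lifetimes and the example_ names are my own assumptions, and the key values are placeholders you must replace.

```php
<?php
// Two files shown together; added illustration, not the page's own configuration.

// ---------- file: wp-config.php ----------

// Items 1 and 2: let core update itself. 'minor' (the default) takes point releases
// only; true also takes major releases. PHP and MySQL/MariaDB are updated on the server.
define('WP_AUTO_UPDATE_CORE', true);

// "Disable your file editor": removes the theme and plugin editors from wp-admin.
define('DISALLOW_FILE_EDIT', true);
// Stricter alternative: block all dashboard installs and updates so a hijacked admin
// session cannot upload a backdoor plugin. It also switches off the automatic
// updates above, so only use it if deploys happen through WP-CLI or your pipeline.
// define('DISALLOW_FILE_MODS', true);

// "Update Security Keys": these sign login cookies and nonces. Replace with fresh values
// from https://api.wordpress.org/secret-key/1.1/salt/ or from example_generate_keys()
// below; changing any of them logs every user out.
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

// Send the admin/auth cookies only over HTTPS (the site must be served over TLS).
define('FORCE_SSL_ADMIN', true);

// ---------- file: wp-content/mu-plugins/example-session-hardening.php ----------
// Filters cannot be registered from wp-config.php, so they live in a must-use plugin.

if (function_exists('add_filter')) {
    // "Manage Login Duration": WordPress passes 2 days, or 14 with "Remember Me".
    // Assumed policy: cap at 12 hours, or 5 days when the user asked to be remembered.
    add_filter('auth_cookie_expiration', function ($seconds, $user_id, $remember) {
        $cap = $remember ? 5 * DAY_IN_SECONDS : 12 * HOUR_IN_SECONDS;
        return min((int) $seconds, $cap);
    }, 10, 3);

    // Item 1 again: plugins and themes update themselves, not just core.
    add_filter('auto_update_plugin', '__return_true');
    add_filter('auto_update_theme', '__return_true');

    // "Prevent Information Disclosure": drop the <meta name="generator"> version tag.
    remove_action('wp_head', 'wp_generator');
}

/**
 * Print a fresh key block to paste into wp-config.php. Run once from the shell:
 *   php -r 'require "example-session-hardening.php"; echo example_generate_keys();'
 * 64 random bytes per key, base64 encoded, so there are no quotes to escape.
 */
function example_generate_keys(): string {
    $names = ['AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
              'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT'];
    $out = '';
    foreach ($names as $name) {
        $out .= sprintf("define('%s', '%s');\n", $name, base64_encode(random_bytes(64)));
    }
    return $out;
}
```

The function_exists() guard lets the same file be loaded by WordPress and by the one-off php -r command; outside WordPress none of the hook functions exist, so only the generator runs. Blocking PHP execution in wp-content/uploads is not something PHP can do for itself and stays a web-server rule.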