Claim 40% Discount Limited time offer – Up to 40% Discount

How to secure your wordpress website

Each WordPress site creator must be concerned about the security of his site, Google blacklist (blacklist) more than 10,000 sites every day, because these sites have been infected with malware.

Unfortunately, it doesn’t just happen to others. The sooner you are aware of it the better it will be for you.

Even if the WordPress kernel is very secure thanks to a hundred developers, the fact remains that it remains vulnerable, as it is very targeted by hackers because about 25% of websites are made with WordPress.

As a webmaster, there are many things you can do to increase the security of your WordPress site.

This is why I decided to write this article in the hope that it would be as simple and as clear as possible.

You’ll see that there are many steps you can take to prevent your site from being infected or destroyed by a hacker.

While these measures will not completely eliminate the risks, they will reduce them considerably.

In case your website is already infected by malwares, then we recommend that you follow these steps, this will guide you on removing malwares from your site.

So let’s get started.

Need help keeping your website 100% secure? Book your call with WP Buffs now and get a 10-20% discount!

1: Update WordPress and its themes and plugins.

WordPress is regularly updated, the themes and quality plugins too. This is crucial for the security and stability of your site.

1: Update WordPress and its themes and plugins.
Designed by Freepik

2: Strengthen your passwords to secure WordPress

The most common attack is password theft due to a relatively weak password.

You can considerably complicate the task for a hacker by strengthening your WordPress password, but also those when connecting to your FTP account, your database, your host, your emails, etc.

Many of you don’t like using too complex a password for fear of forgetting it. In this case, I advise you to use a “password manager”.

A password manager will store all your passwords in a secure cloud and allow you to manage them with a single password.

There are many, but I recommend LastPass, it is easy to use and free.

3: Install a backup plugin

3: Install a backup plugin
Designed by Freepik

Backing up your site is a good way to repair any damage that a hacker could have done to your site.

In the event of an attack, a backup plugin will allow you to restore your site to a state prior to the attack.

There are many backup plugins for WordPress, but not all of them are created equal. It must be easy to use, allow you to backup your entire site, make regular automatic backups and of course be able to save your backups outside of your host’s servers (hard drive, cloud, etc.).

Here are three that meet all of the above criteria. All three have a free and paid version.

4: Install a security plugin

After seeing the backups, the next step is to install a security plugin that constantly monitors your site and tracks any suspicious activity that may be going on there.

  • Anti-malware scan
  • File corruption detection
  • Blocking users
  • Etc

Recommended plugin:

5: Choose a quality theme

A quality WordPress theme is a secure theme that has no known vulnerabilities, which is regularly updated, which meets the appropriate coding standards and which is compatible with your version of WordPress but also with other elements of your site, such as plugins.

Having a theme that meets all of these criteria will not only help you avoid bugs, compatibility errors, and a whole bunch of similar issues, but it will also limit attack possibilities, as your WordPress site will have fewer security vulnerabilities to exploit. So avoid at all costs any nulled themes.

Below are some themes that I often use and recommend with your eyes closed:

  • The theme: Oceanwp (free).
  • The themes: ThemeIsle (free and paid).
  • The theme: Divi (paying).
  • The theme: extra (paying).
  • The theme: Generate press (free and paid).
  • The theme: Astra (free and paid).

6: Change the WordPress username

If during the installation of recent versions of WordPress it is possible to choose a name other than the famous “admin” it was not the case before. However, it is always best for an administrator not to leave a known user name. Of course, in this case, you should not post an article or respond to comments with your administrator’s nickname.

There are different methods to change your username in WordPress:

  • The manual method.
  • Use a plugin

Read this article to see the 2 methods in detail (tutorials).

7: Add two identification factors (Two Factor Authentication)

This option forces a user to identify themselves through two different methods. The classic method with username and password and a second method, which is to receive a code on a device other than the computer you usually use.

If you are using Wordfence, iThemes Security or UpdraftPlus, they all provide this security feature.

8: Automatic logout of inactive users in WordPress?

It is common for a user to get away from their screen for a while staying connected to WordPress, which can pose a security risk. Someone can hijack their session, change their passwords or change their account.

The solution consists of installing a plugin that will take care of disconnecting an inactive user after a determined period of time.

To do this I recommend the plugin “Inactive Logout” it is free, very simple to configure and does its job well.

Once installed, go to “Settings” in the WordPress dashboard and click on “Inactive logout” to configure the plugin

There you just have to stipulate the idle time before the disconnection takes place and a message to display when this happens, click on “save changes” to finish.

9: Add a security question to connect to WordPress

Adding a security question to the WordPress login screen will greatly reduce the likelihood that an unauthorized person will be able to access your account.

You can add one or more security questions by installing the plug-in: WP Security Question

10: Change the connection URL

By default, the URL for connecting to WordPress is always the same: (I put .com but it can be .net or another extension).

To complicate the task of a possible hacker who wants to launch a “Brute Force” attack on your site, you can change the connection URL.

See this plugin: WPS Hide Login.

11: WordPress scanner for viruses or malware and possible security vulnerabilities and other vulnerabilities

If you have not installed a security plugin on your WordPress and you notice a sudden drop in traffic or degradation of your ranking in search engines, it is urgent to make a complete analysis of your site.

In this case two options:

Either you decide to install a security plugin and start a scan immediately or you start an online scan on one of the sites below. They are all free and very easy to use.

Just enter your site address and start the scan.

12: Disinfect your site

If you have installed a security plugin, it is unlikely that you have been infected. But many of you still don’t think about it.

First of all, it should be understood that it is much easier to prevent an infection of your WordPress site than to disinfect it.

Cleaning up a WordPress site can be time consuming and you will often need to hire a professional, especially if you have not made a full backup of your site.

Hackers install backdoors on infected sites and if they are not treated properly, your website will probably be hacked again.

Leave a Reply

Hi there, all comments are reviewed & your email address will not be published. Let's have an awesome conversation.