How to secure your WordPress website

Every day, hackers scan the web looking for easy targets. A WordPress site that has questionable hosting, a weak password, an outdated version of WordPress, or a theme or plugin with security issues is easy for them to hack.

In this article, we’ll look at some ways you can beef up security on your WordPress site.

1. Choose secured hosting. 

A secure website starts with a secured web host. We’ll focus on two popular ways to host WordPress: shared hosting and Managed WordPress Hosting.

If you don’t want to spend a lot and need affordable hosting, you might go for shared hosting.

With shared hosting, you’ll be in charge of site maintenance, and you’ll be sharing your web host with other, potentially less security-conscious users. While hosts provide a reliable shared platform, you can’t control any unexpected security issues on the host’s end. Secured hosts do, however, have the staff and expertise to get things resolved quickly, something that can’t always be said about smaller, cheaper shared hosts.

Managed WordPress Hosting, on the other hand, relieves you from much of the day-to-day site maintenance and upkeep. Servers are protected, backups are scheduled, plugins are pre-screened and security updates are performed automatically. You can sleep well at night knowing your hosting is in the hands of experienced WordPress technicians.

 

2. Use a strong password. 

Older versions of WordPress create a login user named admin by default. People are notorious for choosing weak passwords, such as their pet’s name, or something which is too obvious. Hackers know both of these facts, and they repeatedly try to log into your site by guessing your username and password. 

With the above in mind, here’s how to improve your login security: 

1. Change your password and make it strong. Use a password manager like 1Password or LastPass so you don’t have to remember long, complex passwords.

2. If your username is admin or administrator, it’s time to switch to a new one. It can be practically anything: your name, nickname or just something unique. Make sure you set the Role to Administrator.

3. Log in as the new user, attribute your existing content to that user and finally, delete the admin user. 

3. Block malicious login attempts. 

To secure your site from brute-force attacks, use a plugin that blocks malicious logins. Jetpack Protect, found in the latest Jetpack plugin, records the IP address of login attempts. It uses this data, combined with data gathered from other Jetpack Protect users, to potentially block the login.

If you’re not interested in using Jetpack, the Limit Login Attempts plugin is another popular option. It hasn’t been updated in years and, as a rule, it’s always advisable from a security standpoint to use well-maintained plugins — so it shouldn’t be your first choice. But, with more than one million active installs, it’s still a widely used plugin to stop would-be attackers from launching a brute-force attack on your website. 

4. Keep on top of updates and backups. 

The latest versions of WordPress automatically perform small security updates on their own, but you still need to keep your themes and plugins up to date. 

Remember when you were setting up your blog and you test-drove all those new themes and cool plugins? Even if you aren’t using a plugin or theme, if it shows up in the WordPress update screen, hackers can still take advantage of any security exploits in it, so update everything.

When it comes to security, you can do everything right and bad things can still happen. 

That’s why having a site backup is so important. The UpdraftPlus plugin makes taking backups simple and even enables you to schedule backups and store them with various cloud providers. To get started quickly you can perform a manual backup by clicking the Backup Now button. 

5. Make smart theme and plugin choices. 

Unless you’re experienced, stick to downloading themes and plugins from the WordPress.org Theme and Plugin directories or from a reputable paid premium provider like Gravity Forms, MemberMouse, or Elegant Themes.

Themes and plugins downloaded from unknown websites can be infected with dangerous code. 

To double-check the safety of your currently installed themes, install and run the Theme Authenticity Checker plugin. 

I know it can be tempting to add more and more plugins to your site, but try to restrain yourself. New security exploits are discovered every day and each additional plugin or theme you install increases your exposure to future potential security problems. 

Bonus recommendation: Be proactive 

You might not even know your website has been compromised. Companies like Sucuri and Wordfence offer continuous malware scanning services that can alert you to problems almost immediately. 

This might not be necessary for your average run-of-the-mill blog, but for a valuable web property it’s something to consider.