The growing popularity of WordPress has also drawn the attention of attackers. Surveys circulated at the time put the installed base at roughly 80 million sites and claimed that a large share of them (70% or more) were vulnerable to known attacks.
If you think your site is not part of that 70%, or that nobody cares about a small business website or blog, you are wrong on both counts. Most compromises are not a hacker deciding to 'break into' your business: they are automated scanners that probe every reachable site for known weaknesses and exploit whatever they find, so a site gets hacked because it is vulnerable, not because it was chosen.
When your website is hacked, many bad things happen besides the damage to its reputation: you can lose customers, traffic, money and confidential information, not to mention the time, stress and effort it takes to clean the site and get it back to a normal state.
Those who have experienced this at least once know exactly what I mean. It’s those times when you wish you had taken preventive measures instead of trying later to recover from the damage, especially when your income and business depend on your website.
To tell you the truth, I didn’t bother about security. Like most people, I thought this would never happen to my websites. But it did, and it was a terrible experience.
A few of my clients have faced similar issues and lost money and business, but at least we have all learned our lesson now. When it comes to security, “Prevention is the best cure”.
If you have a WordPress website but have not taken any measures to improve security, now is the time. Don’t delay it any longer; prioritize this above SEO or anything else you might be doing.
It won’t take long, but it can save you time, money, and frustration in the future.
10 Ways to Protect Your WordPress Website
1. Install Sucuri
I know that this may sound overly promotional to some, but those following my articles know that I don’t recommend something (especially if it’s a third-party service) unless it is very important and useful, and Sucuri is one of them.
In a few words, Sucuri is a company that offers security services to websites (not only WordPress). They help you 'clean' and recover your website in case it is affected by malware, and at the same time, they offer several tools for securing and hardening your website so that you don't get into trouble in the first place.
I have used Sucuri many times for both my websites and clients. One of the things I like is that if your website is compromised and affected by malware, you only need to register an account with them and submit a malware request, and they take care of the rest in a reasonable amount of time.
Instead of wondering what happened and searching the Internet for ways to clean your website and recover your business, leave this to Sucuri and follow the prevention measures explained below to avoid dealing with the same situation again.
2. Use strong passwords
One thing you need to check right now is your WordPress passwords, especially the password you use for the administrator.
Don’t use short, letter-only passwords. Length and unpredictability are what matter: a long password made of random letters, numbers and symbols, kept in a password manager, beats any memorable pattern.
Here are a few examples of simple passwords next to stronger variants:

| Simple | Strong |
| --- | --- |
| SimplePassword | $1mpLePas$$w0rd! |
| WordPress123 | W0rD!!Pr3$$123 |
| Janiebrown | JAN1E$Br0wN |

Treat the right-hand column as the bare minimum, not the goal: each entry is still a dictionary word or a name with predictable character substitutions, and password-cracking tools try exactly those substitutions automatically.
You can change the password of any user by selecting USERS / ALL USERS from the left menu. Select EDIT for the user and scroll down to the password field; the Generate Password button there produces a long random password, which is the better choice if you store it in a password manager.
3. Change the default admin user names
Brute-force tools start by guessing the administrator's username, and admin, administrator and host are the first guesses, so change them to something less obvious. WordPress does not let you rename a user: create a new administrator account with a different username, log in as that user, and delete the old account, attributing its posts to the new user when asked. Bear in mind that WordPress reveals usernames anyway through author archive URLs and the REST API users endpoint, so this step buys a little, not a lot; the strong password and the login restrictions in point 4 are what actually stop the guessing.
Also review your user roles and keep the number of administrators to the minimum the site really needs, ideally one. Guest authors and writers can be 'Contributors' (they can draft but not publish). Delete accounts that are no longer valid, or set their role to 'No role for this site'.
4. Protect your wp-login, wp-config, .htaccess and wp-admin folder
This is perhaps the most important step of all measures you can take to secure your WordPress website.
Restricting access to wp-config.php, .htaccess, wp-login.php and the wp-admin folder is a huge step in the right direction.
It does not require much technical knowledge. You only need FTP access (use SFTP or FTPS if your host offers it; plain FTP sends your password across the network in cleartext) and the steps below:
Step 1: Log in to your website with FTP and locate the .htaccess file in the root folder (usually public_html or www). If you have installed WordPress in a directory, you will find the .htaccess file there.
Step 2: Download the file on your computer
Step 3: Use any text editor (notepad, brackets, etc) to open the file
Step 4: Add the following lines at the top of the file:
Important: replace the placeholder IP in the allow line with your own public IP; otherwise you lock yourself out of your own website!
Step 5: Save your changes
Step 6: Upload the file to your server and replace the existing one.
The role of these lines is to deny every IP address access to your .htaccess file, wp-config.php and the login page, except the IPs you list. Two caveats: the syntax depends on your Apache version (Order, Deny from and Allow from are Apache 2.2 directives; Apache 2.4 uses Require all denied and Require ip, and only accepts the old form if mod_access_compat is loaded), and .htaccess files are ignored entirely by nginx, so on an nginx host the same restriction has to go into the server configuration. If your public IP changes frequently, you must edit this file and enter the current IP; you cannot log in to your WordPress dashboard with the wrong one. You can list several IPs, one per allow line. A VPN or office gateway with a fixed address makes this much less painful.
I know this is too much for some, but it is the most efficient way to keep everyone except your allowed IPs away from the login page and the admin area. It does not affect the public site or SEO; only administration is restricted.
The next step is to prevent unauthorized access to your wp-admin folder, following the same procedure. One caveat first: many themes and plugins call wp-admin/admin-ajax.php from the public front end, so an IP restriction on the whole folder needs an exception for that file, or those features break for your visitors.
Step 1: Log in to your website with FTP (or SFTP) and locate the .htaccess file inside the wp-admin folder. If there is no .htaccess file, create one with any text editor, add the lines below, and upload it to the wp-admin folder.
Step 2: Download the file on your computer
Step 3: Use any text editor (notepad, brackets, etc) to open the file
Step 4: Add the following lines at the top of the file:
Important: replace the placeholder IP in the allow line with your own public IP; otherwise you lock yourself out of your own website!
Step 5: Save your changes
Step 6: Upload the file to your server and replace the existing one.
5. Protect xmlrpc.php (optional but recommended)
Besides the files above, a common way into WordPress sites is XML-RPC. xmlrpc.php is the endpoint through which apps and services talk to WordPress remotely.
It has been enabled by default since WordPress 3.5, which also removed the setting to turn it off. Attackers abuse it in two ways: the pingback.ping method can be made to fetch any URL, so thousands of WordPress sites can be turned into reflectors for a DDoS (Distributed Denial of Service) attack against a target, and system.multicall lets a single request try hundreds of username and password combinations, which sidesteps per-request login limits.
You need to keep XML-RPC enabled if you use services like Jetpack, the official WordPress mobile app, pingbacks, and trackbacks.
To make sure that no program can reach the file, add a deny rule for xmlrpc.php to your .htaccess (as in point 4 above). If one of the services above needs it, allow only that service's addresses rather than blocking it outright.
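The rules for step 4 (wp-config.php, .htaccess, wp-login.php and the wp-admin folder) and step 5 (xmlrpc.php), generated from a list of allowed IPs by a shell script so that nothing is hand-typed into the file that could lock you out. This is an added example, not the article's own snippet: it assumes an Apache server (nginx ignores .htaccess), uses the documentation addresses 203.0.113.10 and 198.51.100.0/24 as placeholders for your public IPs, and writes to a placeholder directory (OUT_DIR) rather than your real site root.

```shell
#!/bin/sh
# Added example, not the article's own snippet: generate the .htaccess rules
# for steps 4 and 5 from a list of allowed IPs. Assumes Apache. OUT_DIR,
# 203.0.113.10 and 198.51.100.0/24 are placeholders for your WordPress root
# and your own public address(es).

# Accept a dotted-quad IPv4 address with an optional /prefix, reject anything else.
valid_ip() {
    case "$1" in
        ""|.*|*.|*[!0-9./]*) return 1 ;;
        */*) vi_pfx=${1#*/}
             [ "$vi_pfx" -ge 0 ] 2>/dev/null && [ "$vi_pfx" -le 32 ] || return 1 ;;
    esac
    set -- $(printf '%s' "${1%%/*}" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for vi_oct in "$@"; do
        [ "$vi_oct" -ge 0 ] 2>/dev/null && [ "$vi_oct" -le 255 ] || return 1
    done
}

# Deny everybody. Apache 2.4 (mod_authz_core) and 2.2 syntaxes are both emitted,
# each inside an <IfModule> so only the one matching the server takes effect;
# mixing them in one block is a common way to break the config.
deny_rules() {
    printf '    <IfModule mod_authz_core.c>\n        Require all denied\n    </IfModule>\n'
    printf '    <IfModule !mod_authz_core.c>\n        Order allow,deny\n        Deny from all\n    </IfModule>\n'
}

# Deny everybody except the given IPs, one directive per IP.
allow_rules() {
    [ $# -gt 0 ] || { printf 'no IPs given; refusing to write an open rule\n' >&2; return 1; }
    ar_v24=""; ar_v22=""
    for ar_ip in "$@"; do
        valid_ip "$ar_ip" || { printf 'rejected IP: %s\n' "$ar_ip" >&2; return 1; }
        ar_v24="$ar_v24        Require ip $ar_ip
"
        ar_v22="$ar_v22        Allow from $ar_ip
"
    done
    printf '    <IfModule mod_authz_core.c>\n%s    </IfModule>\n' "$ar_v24"
    printf '    <IfModule !mod_authz_core.c>\n        Order deny,allow\n        Deny from all\n%s    </IfModule>\n' "$ar_v22"
}

# Root .htaccess: block direct requests to the sensitive files (step 4) and to
# xmlrpc.php (step 5), and limit wp-login.php to the allowed IPs.
root_htaccess() {
    for rh_file in wp-config.php .htaccess xmlrpc.php; do
        printf '<Files "%s">\n' "$rh_file"; deny_rules; printf '</Files>\n'
    done
    printf '<Files "wp-login.php">\n'; allow_rules "$@" || return 1; printf '</Files>\n'
}

# wp-admin/.htaccess: the same allowlist for the whole folder, with an exception
# for admin-ajax.php, which themes and plugins call from the public front end.
admin_htaccess() {
    allow_rules "$@" || return 1
    printf '<Files "admin-ajax.php">\n'
    printf '    <IfModule mod_authz_core.c>\n        Require all granted\n    </IfModule>\n'
    printf '    <IfModule !mod_authz_core.c>\n        Order allow,deny\n        Allow from all\n    </IfModule>\n'
    printf '</Files>\n'
}

# Write both files as *.new for review; rename them only after checking them.
write_htaccess() {
    wh_dir=$1; shift
    mkdir -p "$wh_dir/wp-admin"
    root_htaccess "$@" > "$wh_dir/.htaccess.new" || return 1
    admin_htaccess "$@" > "$wh_dir/wp-admin/.htaccess.new" || return 1
    printf 'wrote %s/.htaccess.new and %s/wp-admin/.htaccess.new\n' "$wh_dir" "$wh_dir"
}

OUT_DIR=${OUT_DIR:-$(mktemp -d)}          # placeholder for your WordPress root
write_htaccess "$OUT_DIR" 203.0.113.10 198.51.100.0/24
cat "$OUT_DIR/.htaccess.new"
```

The script writes .htaccess.new files so you can review them first. Prepend the root one to the existing .htaccess (above WordPress's own # BEGIN WordPress block) and move the wp-admin one into place, then confirm from an allowed IP that you can still log in and, from another address (a phone on mobile data works), that wp-login.php and xmlrpc.php return 403 Forbidden.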
6. Update WordPress and Plugins to the latest versions
In practice, most WordPress compromises come through vulnerable plugins and themes rather than through WordPress core. Free and paid plugins alike have had serious vulnerabilities, so keep every one of them on its latest version.
Software vendors (especially those selling paid plugins) have started to take security more seriously, and they try to close any holes to protect their customers and, of course, their own reputation.
Besides updating, review the list of installed plugins. A plugin that has not been updated for many months may be abandoned and will never receive a fix: deactivate it, replace it with one that is actively maintained, or delete it. Deleting is better than deactivating, because a deactivated plugin's files stay on the server and remain reachable by URL.
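A small triage over WP-CLI's plugin listing, as an added example that is not from the article (WP-CLI is a separate command-line tool that your host may or may not provide). The CSV is a constructed sample of the command's output.

```shell
#!/bin/sh
# Added example, not from the article: triage WP-CLI's plugin listing so pending
# updates and dead weight stand out. The CSV below is a constructed sample of
# what the real command prints; on a live site replace it with:
#   wp plugin list --fields=name,status,update,version --format=csv
SAMPLE_PLUGIN_CSV='name,status,update,version
akismet,active,none,5.3
contact-form-7,active,available,5.8.4
hello,inactive,none,1.7.2
old-slider,inactive,available,2.1'

# Names of plugins with an update waiting (the "update" column is "available").
plugins_needing_update() {
    tail -n +2 | awk -F, '$3 == "available" { print $1 }'
}

# Installed but inactive plugins. Deactivation is not removal: their PHP files
# stay on disk and are still reachable by URL, so a vulnerable file can be hit
# directly. Delete what you do not use.
inactive_plugins() {
    tail -n +2 | awk -F, '$2 == "inactive" { print $1 }'
}

printf 'needs update:\n'; printf '%s\n' "$SAMPLE_PLUGIN_CSV" | plugins_needing_update
printf 'inactive (delete?):\n'; printf '%s\n' "$SAMPLE_PLUGIN_CSV" | inactive_plugins
# Follow-up on a live site, after reading the changelogs and taking a backup:
#   wp core check-update && wp core update
#   wp plugin update --all        # or: wp plugin update <name>
#   wp plugin delete <name>       # for anything you no longer use
```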
7. Check your ‘comments’ and forms settings
When you have comments open on your posts, check your ‘Discussion’ settings and require that every comment be manually approved. This means more administrative work, but it is the most reliable way to keep spam comments from being published.
Also, check that you have Akismet activated and that you use a Captcha on all your contact forms.
8. Check your server settings
Besides your WordPress installation itself, attackers can also get in through the server that hosts it: the hosting control panel, FTP or SSH accounts, and outdated server software.
Use a strong, unique password for the hosting control panel and for FTP or SSH (prefer SFTP with key authentication over plain FTP, which sends the password unencrypted), and enable email notifications for every login to the server. How you do this differs by hosting provider and server type, so check with your host.
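What a login notification actually checks, as an added example that is not from the article: two filters over sshd entries from the system auth log. The log lines are constructed; the hostname, timestamps and addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the article: the check behind a "someone logged in to
# the server" notification, run over sshd lines from the system auth log. The
# log lines are a constructed sample; on a live Debian/Ubuntu host feed the
# functions with:  tail -n 1000 /var/log/auth.log | accepted_logins
SAMPLE_AUTH_LOG='Mar  3 08:12:01 web1 sshd[2201]: Accepted publickey for deploy from 203.0.113.10 port 51112 ssh2: ED25519 SHA256:k3yF1ngerpr1nt
Mar  3 08:15:44 web1 sshd[2244]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 08:15:46 web1 sshd[2244]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 08:15:49 web1 sshd[2244]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  3 08:16:02 web1 sshd[2260]: Accepted password for root from 198.51.100.7 port 40100 ssh2'

# One line per successful login: user, source IP, method. The "from" token is
# located by position because "invalid user" lines shift the fields.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted/ {
        for (i = 1; i <= NF; i++) if ($i == "from") { print $(i-1), $(i+1), $7; break }
    }'
}

# Flag a successful login from an IP that failed at least THRESHOLD times first:
# the signature of a password-guessing run that eventually got in. A plain
# "login happened" mail is useful; this one is urgent.
THRESHOLD=3
suspicious_logins() {
    awk -v t="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++ }
        /sshd\[[0-9]+\]: Accepted/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            if (fails[ip] >= t) print "ALERT: login from " ip " after " fails[ip] " failed attempts: " $0
        }'
}

printf '%s\n' "$SAMPLE_AUTH_LOG" | accepted_logins
printf '%s\n' "$SAMPLE_AUTH_LOG" | suspicious_logins
# To turn this into the notification: run it from cron over the last N lines
# and pipe any output to mail(1), or watch the log with a tool such as
# fail2ban, which additionally bans the source after repeated failures.
```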
9. Move to a reliable VPS host
Any serious blogger or business should run their website on a VPS. If you are still on shared hosting, reconsider: on a shared server you have no control over the configuration, and one compromised neighbour can affect every site on it. The cost is modest per month, and the security benefits are worth it. Keep in mind that on an unmanaged VPS, patching the operating system and web server becomes your job, so budget for that or choose a managed plan.
Many hosting companies are offering VPS for WordPress. Take some time to find a reliable VPS host with good and fast support. When you have security troubles, you will need your hosting company's support, and they need to respond to your requests quickly and effectively.
10. Take Full Backups of your Website
Backups are not a preventive measure, but the first thing you will need after an attack is a clean backup to restore the site to its last known-good state.
To avoid unpleasant surprises:
Back up both the WordPress files and the database, at least once per week and before every major change.
Keep the backup files somewhere other than the website's server: an attacker who controls the server controls the backups on it too, and a disk failure takes both. The backup also contains wp-config.php with your database password, so the off-site copy needs protecting as well.
Knowing how to restore from the backup is just as critical. Allocate time to test and document the restore procedure, so you know exactly what to do when you need it and are under stress.
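A backup routine implementing the points above, as an added example that is not the article's procedure: it reads the database credentials from wp-config.php, dumps the database, archives the site files, verifies the archive and writes checksums, ready to be copied off the server. The wp-config.php it creates is a constructed sample; WP_ROOT and BACKUP_DIR are placeholders for your own paths; mysqldump, tar and sha256sum are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the article: a backup routine that reads the database
# credentials from wp-config.php (so there is no second copy to keep in sync),
# dumps the database, archives the site files, verifies the archive and writes
# checksums. The wp-config.php created below is a constructed sample; WP_ROOT
# and BACKUP_DIR are placeholders for your own paths.

# Extract the value of define('NAME', 'value') from a wp-config.php file.
wp_config_get() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\(.*\)['\"][[:space:]]*);.*/\1/p" "$1" | head -n 1
}

# Dump + archive + verify. The DB password is passed through the environment
# (MYSQL_PWD) rather than on the command line, where "ps" would expose it.
backup_site() {
    bs_root=$1; bs_dest=$2; bs_cfg=$bs_root/wp-config.php
    bs_stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$bs_dest"
    MYSQL_PWD=$(wp_config_get "$bs_cfg" DB_PASSWORD) mysqldump --single-transaction \
        -h "$(wp_config_get "$bs_cfg" DB_HOST)" -u "$(wp_config_get "$bs_cfg" DB_USER)" \
        "$(wp_config_get "$bs_cfg" DB_NAME)" > "$bs_dest/db-$bs_stamp.sql" || return 1
    gzip -f "$bs_dest/db-$bs_stamp.sql"
    tar -czf "$bs_dest/files-$bs_stamp.tar.gz" -C "$(dirname "$bs_root")" "$(basename "$bs_root")" || return 1
    tar -tzf "$bs_dest/files-$bs_stamp.tar.gz" > /dev/null || return 1    # archive readable?
    (cd "$bs_dest" && sha256sum "db-$bs_stamp.sql.gz" "files-$bs_stamp.tar.gz" > "backup-$bs_stamp.sha256")
    printf '%s\n' "$bs_stamp"
}

# Constructed sample site with only the wp-config.php lines the script reads.
DEMO_ROOT=$(mktemp -d)/example-site
mkdir -p "$DEMO_ROOT"
cat > "$DEMO_ROOT/wp-config.php" <<'EOF'
<?php
// constructed sample of the relevant wp-config.php lines
define( 'DB_NAME', 'wp_demo' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'correct horse battery' );
define( 'DB_HOST', 'localhost' );
EOF
printf 'database: %s@%s/%s\n' "$(wp_config_get "$DEMO_ROOT/wp-config.php" DB_USER)" \
    "$(wp_config_get "$DEMO_ROOT/wp-config.php" DB_HOST)" "$(wp_config_get "$DEMO_ROOT/wp-config.php" DB_NAME)"

# Real run (needs mysqldump and the site's database):
#   WP_ROOT=/var/www/html BACKUP_DIR=/var/backups/wp sh backup.sh
# then copy BACKUP_DIR off the server, e.g. rsync -a "$BACKUP_DIR"/ user@backuphost:wp-backups/
if [ -n "${WP_ROOT:-}" ]; then
    backup_site "$WP_ROOT" "${BACKUP_DIR:-/var/backups/wp}"
fi
```

Run it from cron weekly, then copy the backup directory off the server (rsync or your host's object storage). To test a restore, extract the archive into a scratch directory and load the dump into a scratch database; if that does not work from your written procedure alone, the backup is not yet usable.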
The bottom line: When it comes to security, prevention is always better than cure
You need to take measures to protect your WordPress website from hackers. You don’t necessarily have to pay for a monthly service if you currently cannot afford it, but you need to review and configure the other settings suggested above correctly.
Don’t underestimate the damage hackers can cause to your website or business. Once you face this situation, you will understand how important it is to take as many measures as you can before it happens.
If you have any questions or if something is unclear, let me know in the comments below.