As with any CMS, the tools that let you create a site without coding, it is essential to secure WordPress to protect your website and its content.
In 2020, the giant proudly announced on its site that “37% of the web uses WordPress”.
It’s colossal and impressive, but it also makes it an even more enticing target for attacks of all kinds. Hackers are well aware of the CMS structure common to these 37% of sites and will exploit each of its flaws.
By taking the right precautions you will secure your WordPress site and easily avoid:
- spam posts in comments
- activity from fake accounts run by bots
- malicious code injections that allow access to your data or even spy on user activities
- attempts to access the back office, behind the scenes of your site, and therefore to its total control
Here are our recommendations in 10 points to strengthen the security of your WordPress site:
- Protect your computer
- Choose the right web host
- Change your WordPress ID
- Use a complex password
- Enable two-factor authentication
- Customize the URL of your login page
- Hide the WordPress version of your site
- Remove unnecessary themes and plugins
- Check regularly for updates
- Make frequent backups
1 Protect your computer
It sounds obvious, but if a hacker infiltrates the computer you use to connect to your site, it will be much easier for them to hack the site. So remember to secure your computer.
Install a good anti-virus, configure your firewall and never connect to a public internet network without using a VPN to encrypt your data.
2 Choose the right web host
The security of your WordPress site also depends on the reliability of your web host. If your web host doesn’t cover your back, all of your efforts will not be enough to secure your site. Over 40% of hacks are the result of overly vulnerable WordPress hosting.
In practice?
Choose your host carefully by checking the essential points: server security software, SSL support, backup and restore, malware analysis, firewall... And consult the opinions of Internet users!
3 Change your WordPress ID
When installing WordPress, your default username is “admin”. If you keep it, it’s a gift you give to all hackers. They will have guessed your username on the first attempt and can devote themselves entirely to finding your password.
You cannot change your account ID. Instead, create a new account in the “Users” section of your dashboard, then log in to this new account and delete the old one.
4 Use a complex password
Obviously, your password must also be complex to secure your WordPress site. During an attack, servers try to access your WordPress account by testing hundreds or even thousands of combinations per minute. If your password is made up of one or more existing words or dates, for example, it will be much faster and easier to guess.
To secure WordPress, your password must be at least 10 characters long. It needs numbers, letters, special characters, upper and lower case letters, and it must not contain any real words.
How to do it?
There are password managers, like Dashlane, to make your job easier. They generate complex passwords for all of your accounts, but you only have to remember one: the manager’s. It then gives you access to all your online accounts using the saved passwords.
5 Enable two-factor authentication
Do as the grown-ups do!
On Apple sites, your bank or even Amazon, we are regularly asked for a second identifying factor. You must enter a code received by SMS or email in addition to your password.
Activate the same option for logging in to your WordPress administrator area! It is very unlikely that someone would crack your password and also have access to your phone.
In other words:
Activate the option directly through your host if they offer it or install a WordPress plugin such as Two-Factor or Google Authenticator.
The Wordfence Security extension also offers this functionality, among many others. You will hear about it in this article. 😉
6 Customize the URL of your login page
Avoid the classic “wp-admin” or “wp-login” configured by default. For the same reason as your username, they are too well known to hackers for you to give them this gift.
Use the iThemes Security extension for example and choose your own login URL.
7 Hide the WordPress version of your site
WordPress flaws are discovered by users and then corrected by WordPress as updates are released. But each version of WordPress has its own flaws.
The version of WordPress you are using is very easy information to find.
With this data, a good hacker will know exactly where your site is weak and where to strike. This is why you should hide it.
Use the Hide My WordPress plugin
In the header.php file, delete the line:
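To confirm that your pages no longer expose the version after applying one of these measures, the following added example (not from the original article) scans a page's HTML for the two usual giveaways: the generator meta tag that WordPress prints in the page head, and `?ver=` suffixes on core assets. The sample HTML is constructed for illustration; save your own site's rendered page source and pass it to `find_version_leaks` instead.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a rendered WordPress page (not taken from a real site).
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 5.6" />
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=5.6" />
<script src="/wp-includes/js/wp-embed.min.js?ver=5.6"></script>
<link rel="stylesheet" href="/wp-content/themes/example/style.css" />
</head><body></body></html>"""

VERSION_RE = re.compile(r"\d+(?:\.\d+)+")
VER_PARAM_RE = re.compile(r"[?&]ver=([\w.\-]+)")


class VersionLeakFinder(HTMLParser):
    """Collects places where the HTML reveals a WordPress version number."""

    def __init__(self):
        super().__init__()
        self.leaks = []  # list of (kind, value) tuples

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # 1. Generator meta tag, e.g. content="WordPress 5.6".
        if tag == "meta" and a.get("name", "").lower() == "generator":
            content = a.get("content", "")
            if "wordpress" in content.lower() and VERSION_RE.search(content):
                self.leaks.append(("generator", content))
        # 2. Core assets under /wp-includes/ may carry the core version as ?ver=.
        url = a.get("href") or a.get("src") or ""
        if "/wp-includes/" in url and VER_PARAM_RE.search(url):
            self.leaks.append(("asset", url))


def find_version_leaks(html):
    """Return every (kind, value) pair that exposes a version in the HTML."""
    finder = VersionLeakFinder()
    finder.feed(html)
    return finder.leaks


def is_version_hidden(html):
    """True when neither the generator tag nor a versioned core asset is found."""
    return not find_version_leaks(html)


if __name__ == "__main__":
    for kind, value in find_version_leaks(SAMPLE_HTML):
        print(f"{kind}: {value}")
```

An empty result means these two markers are gone from that page; it does not mean the version cannot be learned another way, so keeping WordPress up to date remains the real protection.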
8 Remove unnecessary themes and plugins
Each plugin is an opening to your site, even more so if it is forgotten and not updated regularly.
More simply?
If you download a plugin that turns out not to be useful to you, remember to delete it, and sort through your plugins regularly.
9 Check regularly for updates
This is one of the most important precautions and one that we keep telling you about in our WordPress training. Securing your website means performing WordPress updates regularly. As I said a little above, bugs are revealed little by little by users and corrected by updates. Do not wait too long to install updates after they are released, so that you do not remain vulnerable once the latest vulnerabilities have been made public.
Are you worried?
Keep calm and follow our complete guide to WordPress updates.
10 Make frequent backups
Last but not least. To limit the damage in the event of a malicious attack despite all precautions, regularly back up your database. Put reminders in your calendar if you need to, but don’t miss them.
For simplicity:
Because this is also a mandatory precaution there, the full procedure is described in the WordPress update guide.
Our article is coming to an end and you can take a break. After taking all of these precautions, your site is safe. But don’t forget! Several of these steps should be repeated regularly to keep your site healthy!
And you, what precautions had you already taken? How easy is it for you to maintain the security of your WordPress site?