Keeping your WordPress site secure and protected from attackers requires that you have a strategy in place and that you follow specific steps, particularly when it comes to username and password creation and management.
Of course, there’s a whole host of other things that fall under the security and protection heading, so many that some can be missed completely. This time down the rabbit hole, we want to cover some of the lesser-known tips and tricks that can help to give your WordPress site additional layers of protection.
Your Database Username and Password
When installing WordPress, you’ll have documentation to follow that details changes that need to be made to the wp-config.php file. However, it’s easy to overlook how those changes will impact your website’s security until it is too late.
One of those is the database username and password that you choose. Use password creation best practices here – long, mixed alphanumeric characters and special characters, etc. – and then follow those same guidelines for every different username and password that you need to create.
When you open up wp-config.php, you’ll find a set of salt keys. Those are defaults. You need to change them. Even the documentation from WordPress urges you to do so. However, many people fail here.
You’ll need to go to the WordPress Salt Key Generator and get your custom keys, then replace them within the PHP file.
Concealment Is Important
All WordPress sites are built from the same components – themes, core versions, plugins, etc. A savvy attacker can use that fact to their advantage. However, they need to be able to find them to do so. By concealing version numbers, plugins, themes, and even author names, you can thwart their attacks.
Most of this can be accomplished by adding short bits of code into various PHP files. There are also plugins that can achieve some goals, such as hiding your themes and plugins.
Password Protect Your Login Page
While there are hackers who can waggle their fingers and almost magically break into your website, most of the time the portal of entry will be your login screen and weak passwords. Brute force attacks are what we’re talking about.
However, you can make it harder for them to even get to that screen by password protecting access to it. For instance, did you know that you can require a username and password to be provided before the login screen will even display? And then they still need to put in additional credentials to gain access to the website.
Sure, those are extra hoops to jump through for you and anyone else using the site, but it does add another layer of protection.
Limit Access to a Single IP Address
Ok, so this tip is only practical for some website owners, but it bears mentioning. If you have a static IP address and you’re already limiting the number of users on your site, you can further restrict access to users with a specific IP address.
And, you can prevent brute force attacks from occurring by limiting the number of times an IP address is allowed to access the login screen before it is blacklisted.
Enable Two-Factor Authentication
We’ve mentioned two-factor authentication a couple of times in our blog posts, but it bears further discussion because too few people take advantage of this capability. Yes, you’ll need to install at least one (but probably two) plugins to make this feasible, but the layer of protection that it provides is quite significant.
Two-factor authentication means that after you enter your username and password, the server sends a message to your mobile device (usually SMS) containing a passcode. You then enter the code and are allowed entry to the website.
Anyone without the code is locked out of the site. It’s as simple as that.
Scan Your Site Regularly
There is no substitute for being proactive about your website security. One way that you can stay on top of things is to scan your site regularly. You’ll find both core scanners on the market, as well as malware scanners. Both should be used, ideally.
They will go through your web site’s code, including plugins and databases, and weed out any malicious attacks. They also do a number of other important things, including allowing you to restore modified files, fixing broken updates, removing exploits, and more.
Check Your Host’s Security
In many cases, your website will be hacked directly. However, in some instances, the fault actually lies with your web host. In some instances, the issue is actually a vulnerability that has not been addressed by the hosting company.
How do you avoid that? Really, it comes down to choosing the right web host in the first place. Do your due diligence here. Look for reputable hosts with good reputations with their users.
True, no web host will have a 5-star reputation across the board, but you can definitely tell the fly-by-night hosts from those that are worth working with.
Perhaps the biggest issue is not to let low prices sway you toward hosts you’ve never heard of or with less than stellar reputations.
Update, Update, Update
Everyone preaches this one to the point that you would think that it would be second nature for website owners. Sadly, it’s not. Too many sites sit there with multiple pending updates.
Sure, updating can be a pain, but understand those updates contain significant improvements and patches for security vulnerabilities. If you are not handling your updates, make sure you speak with whoever is to ensure that your site is always up to date.
When it’s all said and done, it is not possible to guarantee your site will never be compromised. However, if you follow basic best practices, as well as the tips we’ve included above, you’ll be ahead of the pack.