WordPress (WP) is the most popular blogging platform. The latest updates have made it one of the most used tools for eCommerce shops, news, and business websites.
[bctt tweet=”Being an Open Source project, the #WordPress source code is publicly available and any #user can exploit its weaknesses to cause damages to #WP-powered #sites.”]
This brings about a serious security issue that must be handled at various ends to keep the project alive. One of the things used to close up loopholes and enforce security on the CMS are plugins. Unfortunately, this comes with a plethora of other issues.
I have been very curious about this. I wanted to know how WordPress bloggers handle the protection aspect of their WP site without the use of Plugins.
Table of Contents
WordPress Security Vox pop!
I went about talking with some WordPress experts and users on a couple of issues related to the platform. One of the things I found easy is setting up a WordPress site. If you have issues at this point, you may want to check out this WordPress Installation guide by Freddy Muriuki.
A lot of people find it quite easy to set up and manage WordPress sites. The interface is super user-friendly with absolutely no tech knowledge required to move forward, so you can even start your own dropshipping business, for example.
However, some beginners I spoke with remain puzzled by the simple mentioning of the word. Susan Valez, an avid WordPress user, and blogger wrote this comprehensive guide for WordPress beginners you may want to check out.
Security remains a big problem!
I have my own share of the story. But let’s drop it and read the minds of other WordPress users. I asked them how they protect their blogs without necessarily installing a plugin. Here is the exact question I put to them:
“How do you protect your WordPress blog without the use of a plugin?”
8 of the bloggers I spoke with are fervent WordPress users. They answered the question, sharing just what they do to secure their blogs without using any plugins.
Let’s hear them:
Ben Sibley (Founder of Compete Themes)
There are a few ways that WordPress bloggers can further secure their sites without installing new plugins.
While you may not be installing any new plugins, it’s important to keep your existing plugins up-to-date. It’s not uncommon for security exploits to be found in plugins and when this happens, the developers usually release a patch ASAP. Once the developer patches the plugin, it becomes public, and everyone can see exactly how to hack sites using the previous version. This is why it’s so important to update right away in case one of your plugins releases such an update.
Next, be careful who you allow to login to your site. If you have a membership site or allow visitors to login, review which user role is being used and what capabilities they have on your site. No one besides you should be able to install/activate themes and plugins.
It’s also important to use a secure password on your site and enforce this for everyone who registers. WordPress provides a score of how secure your password is when you create it, and I recommend you only use passwords that qualify as “Strong.”
Besides these tips, you can also use a firewall like Sucuri to prevent malicious attacks on your site. They often find plugin vulnerabilities before anyone else and proactively release a patch via the firewall, so you don’t have to update your site right away to stay protected.
Adam Connell (Founder of Blogging Wizard)
I use Sucuri to protect my WordPress blog. It’s a web application firewall that not only protects my website, but it also has a CDN (content delivery network) component which means that it also makes my website load faster.
One of the security features I like is that Sucuri only allows access to the WordPress login page for whitelisted IP addresses. This completely cuts out the problem of brute force hacks on the login page.
They also offer some other useful features:
- Malware scanning (including server-side scanning)
- Malware removal
- Uptime monitoring
- Blacklist monitoring
One important note if you are considering using them: it’s always worth getting your web host to whitelist Sucuri’s IP addresses.
Justin March (Freelance SEO in Bristol and Chief Buddy at Username Buddy (Generate Usernames for FREE))
Well, the full disclosure here I do use a security plugin. But here’s what I also do to protect my sites:
- Backup WP often and in different locations (that way whatever goes wrong can be put right again).
- Keep your install updated WP, Themes Plugins and delete the plugins you don’t use (You can get a plugin to do this for you).
- Implement 2-factor authentication everywhere, if a service you use doesn’t have it ask (and consider switching).
- Use a CDN like Cloudflare (which is free and offers WAF, DDoS, and SSL).
- Use a strong password; you don’t have to remember it, in fact, make it difficult to type (see tip below).
- Use a password manager like Dashlane.
- Use an unusual username, not your real name, admin or site name. My site Username Buddy can help you generate weird usernames that don’t relate to you.
- Investigate ways to harden WP, including limiting access to wp-admin by IP address, etc.
- Be mindful of your internet connection, ensure its secure, change the password, etc.
Got any questions please let me know?
David James (Digital marketing specialist)
These are the methods that we use to protect our blogs.
Have the website set up with a reliable web host. OVH and Hostgator seem to be ok.
Ensure that we use a secure theme. We usually use themes from StudioPress, as they are regularly updated, and they also offer support in case there are any security breaches.
We are wary of the plugins that we use on the site. And we advise others to be careful as well.
We ensure that everything is always updated to the latest version. E.g., Wordpress CMS, Themes, and Plugins.
If there are any IPs that keep on spamming/attacking the site, we can blacklist the IP.
I hope that this helps.
Donna Duncan (SEO / Content Marketing Consultant)
I host my website in a managed Wordpress hosting environment. It costs more than a run-of-the-mill hosting service provider but is well worth the investment.
A managed Wordpress hosting environment is robust, secure, scalable, and lightning fast. Support staff are available 24/7 and have answers to questions and help resolve problems. You don’t waste time trying to resolve them on your own. If you suspect you might have been hacked or exposed to some other vulnerability, you can get help quickly and easily.
Managed Wordpress hosting environments are fine-tuned to work with Wordpress. You don’t have to install and configure specialized complex and plugins to secure, cache and backup your content and data. That’s done for you as part of your monthly hosting fee.
You have a staging environment, meaning you can deploy and test changes and additions to your site without risk to your live environment.
Lastly, in a shared hosting environment, you can potentially be impacted by the bad behavior of your neighbors. In a Wordpress managed hosting environment, shared or not, you are virtually isolated; you are protected from outside influences that might otherwise put you at risk.
David Razak (How To Drive More Traffic To Your Blog With Pinterest)
Here are some suggestions for protecting your Wordpress blog without using the plugin:
Rename your login URL
By default, WordPress blog/site login page is accessed via wp-login.php or wp-admin added to the site’s main URL.
Most often, when hackers are trying to brute force a WordPress site, they find their way to the login page easy because they know the address. But you can fool them by changing your WordPress site URL. And it’s much easier than you think.
Example, you can simply change wp-login.php to something unique; e.g., new_login
WordPress database table prefix structure
If you are installing Wordpress, by default, the table prefix will be wp-. Anybody who has installed Wordpress before is definitely familiar with this. I recommend you change it to something unique. For example, wpyou-, hellyea-, etc. you can do this without using a plugin. It’s just that you’ll need to touch database once again.
Using the default prefix makes your site database open for SQL injection attacks. Popular attacks like this are changing wp- to something else. You know what an attack like this can cost you right?
Disallow file editing
Anybody who has access to your Wordpress dashboard can edit your files (including your themes and plugins). You can prevent it by adding the following to the end of your wp-config.php file.
The above directive will instruct Wordpress to disallow editing of files.
Change your passwords regularly
Don’t keep one password going forever. You are doing more harm to yourself if you are doing that. Try to set a routine for changing your passwords. (Hint: add special characters and numbers when creating your passwords).
Use a unique login username
Use your email or something else as your login username instead of the well-known Wordpress default username.
As a skilled Wordpress user, I can do a lot on Wordpress without the help of a plugin. However, plugins are still important because they make our work easier and often prevent us from laying hands on codes or directly interacting with our database.
Janice Wald (Janice Wald, Blogger at Mostly Blogging)
Protections I take:
- I have a disclaimer in my sidebar that tells people they can’t plagiarize my content.
- I use passwords and change them as needed. I choose passwords that would be hard to guess. I’ll even use codes that only I would understand if needed.
- Guest authors have asked if they can have access to my dashboard for a price. I refuse.
- I put my blog name on my graphics. I do that on Instagram as well often.
- I use a plagiarism checker to ensure no guest author is trying to publish other people’s content on my blog. I don’t want to get sued.
This article details problems people have had who plagiarized unwittingly and how you can protect yourself against unwitting plagiarism, all without using a plugin.
Those are some of the precautions I take.
David Leonhardt (President, THGM Writers)
The main protection for my blogs, and I mean all of them, is an extra layer of login. Before one even gets to the standard wp-admin page to log in, a pop-up requires a username and password.
I had this installed just two years ago. One of my blogs was under attack. I don’t recall the specifics, but there was a flood of logins that rivaled the great armies that fought in Lord of the Rings. Yes, it was a swarm. And they were spamming me big time. So this locked down the sites and stopped most of the issues.
Now the biggest threat is that I will forget my username and password, and be locked out of my own blog.
That’s it from some WordPress users.
So let’s hear from you as well. Drop a comment and let us know how you protect your blog without using a plugin.