How to improve WordPress security?
We can and do say that WordPress is secure software. However, the fact that it is the most widely used CMS in the world also makes it a very attractive target for hackers who want to take over websites or online stores.
For this reason, WordPress security is something very important for professionals in the web sector.
But we also have to keep in mind that security problems, such as not having an SSL certificate, can harm the SEO positioning of a page.
Applying practices that improve WordPress security is one of the most important parts of good web maintenance once a site has been launched into production.
It is not only about correcting problems, but also about preventing them and reducing the risks as much as possible. We have all heard of some business whose WordPress site was hacked and, in the best case, had to be rebuilt.
What is WordPress security?
As we have mentioned, although WordPress has a very solid security model, it must be taken into account that it is used on 40% of all websites in the world. This makes it a clear target for cybercriminals looking to exploit vulnerabilities.
In addition, the fact that there are many thousands of themes and plugins from different developers makes it impossible for the best security standards to be maintained in all of them.
And you may be wondering what we mean by WordPress security. Well, we refer to all those additional practices to protect our web pages, in order to reduce risks and avoid vulnerabilities that weaken our platform.
What to do to improve security in WordPress?
Maybe you have doubts about what you need to do to improve the security of your website built with WordPress.
But that's what we're here for: to clear up those doubts.
Let's review some of the most important practices that can help us improve it.
#1 Update WordPress, themes and plugins regularly
It must be understood that WordPress, its themes and its plugins are all updated regularly, whether to add new functionality or precisely to fix security flaws.
For this reason, it is essential to keep your website updated.
If you get hacked for not having updated a plugin, the developer will tell you that they had already fixed the bug and that it would not have happened to you if you had updated. We don't want to end up in that situation.
If you are one of those professionals who has many websites in charge and all their updates are a big headache for you, you should know that with Modular you can manage all your WordPress websites from the same site, being able to update all the plugins and themes in a single dashboard.
#2 Use strong and secure passwords
Most hacks occur through stolen or guessed passwords. Therefore, it is essential to use complex passwords that reduce the risk to a minimum.
It is usually advisable to combine numbers, uppercase and lowercase letters and some special characters.
But be careful: this applies not only to your WordPress account, but also to the server hosting the site, your email accounts, etc.
Because passwords like these are hard to remember, this may not seem like the most convenient option for you. But it is paramount. And you can always use a password manager like LastPass, which lets you keep all your passwords in one account and thus avoid forgetting them.
#3 Buy a secure hosting
Hosting is one of the most important elements if you want to have optimal security on your WordPress website (in addition to good performance).
It is important that you analyze what each provider offers when choosing one.
Here are some basic tips to keep in mind:
Shared servers are less secure (though cheaper) than dedicated servers or VPS. We always recommend the latter.
A good technical support service from your hosting company gives you great peace of mind in case of problems.
The hosting company you hire should have security measures implemented at the software and hardware level.
Firewalls and intrusion detection systems on the server are also good security measures.
Always look for providers that offer some kind of backup. There is no such thing as too many backups.
In Spain there are many quality providers that comply with these security measures. If they are also specialized in WordPress or offer WordPress-specific plans, so much the better.
#4 Schedule backups in WordPress
Backups are the main element for keeping your website safe. If your page goes down or is hacked, the backup will be the way to recover its contents.
Bear in mind that backups must be periodic: if you only make one every so often, you will only be able to recover the information as it was the last time you made it. And a WordPress website is constantly changing, both in its contents and through the updates we talked about earlier.
There are multiple plugins that let you make these backups, some free and others paid. However, the most important thing is to know how many backups they let you keep and how often you can make them.
Ideally, you should make one a week. One a day in the case of an ecommerce site. And at least one a month for any type of website.
#5 Limit login attempts
A very common type of attack on WordPress is brute force, which tries to guess login credentials. These are bots that constantly try to log in with different passwords until they find the right one.
Yes, although it seems hard to believe nowadays, "password" and "1234" are still among the most used passwords in the world.
To limit these login attempts you can use one of the following plugins: WP Limit Login Attempts or Limit Login Attempts.
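To make the mechanism behind these plugins concrete, here is an added example (not code from the original post, nor from either plugin named above) of a minimal per-IP login throttle built only on WordPress hooks and transients. The hook names and functions used (`wp_login_failed`, `authenticate`, `wp_login`, `get_transient`/`set_transient`) are real WordPress APIs; the limits (5 failures, 15-minute lockout) and the `example_` function names are illustrative choices. It assumes the site is not behind a reverse proxy, so `REMOTE_ADDR` is the real client address.

```php
<?php
/**
 * Added example: throttle failed logins per client IP using transients.
 * Drop into a small site-specific plugin (or functions.php).
 * Assumption: REMOTE_ADDR is the real client (no reverse proxy in front).
 */

define( 'EXAMPLE_LOGIN_MAX_ATTEMPTS', 5 );                       // illustrative limit
define( 'EXAMPLE_LOGIN_LOCKOUT_SECS', 15 * MINUTE_IN_SECONDS );   // illustrative lockout

function example_login_key() {
    // One counter per client address; hash it so the transient name stays short.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'example_login_fail_' . md5( $ip );
}

// Count every failed attempt. The transient TTL doubles as the lockout window,
// so the counter expires on its own without a cron job.
function example_record_login_failure( $username ) {
    $key      = example_login_key();
    $failures = (int) get_transient( $key );
    set_transient( $key, $failures + 1, EXAMPLE_LOGIN_LOCKOUT_SECS );
}
add_action( 'wp_login_failed', 'example_record_login_failure' );

// Refuse authentication once the limit is reached. Priority 30 runs after the
// core username/password checks (priority 20), so our error replaces their result.
// Because wp_signon() fires wp_login_failed on any WP_Error, attempts made during
// the lockout also refresh the window.
function example_block_when_locked( $user, $username, $password ) {
    $failures = (int) get_transient( example_login_key() );
    if ( $failures >= EXAMPLE_LOGIN_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf(
                'Too many failed logins. Try again in %d minutes.',
                EXAMPLE_LOGIN_LOCKOUT_SECS / MINUTE_IN_SECONDS
            )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_block_when_locked', 30, 3 );

// A successful login clears the counter for that address.
function example_clear_login_failures( $user_login, $user ) {
    delete_transient( example_login_key() );
}
add_action( 'wp_login', 'example_clear_login_failures', 10, 2 );
```

Because the check sits on the `authenticate` filter, it covers logins through `wp-login.php` and through XML-RPC alike, since both go through `wp_authenticate()`. Behind a load balancer or CDN every visitor shares the proxy's `REMOTE_ADDR`, so a throttle keyed on it would lock out everyone at once; in that setup the real client address has to be taken from the header the proxy sets, and only when the request actually came from that proxy.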
#6 Use trusted WordPress themes
In many cases you may come across themes that are cheaper than usual; this may be because they are unauthorized copies. It can be very tempting to find themes for $5-10, but they may involve serious security problems or even incompatibilities with plugins, for example.
Often these themes are themselves the product of a hack, which is why they are sold cheaper, with everything that implies.
To avoid these problems, it is important to choose a theme from the WordPress repository or from well-known companies and professionals: one created by trusted developers that comes with a support service in case any problem arises.
#7 Install an SSL certificate
This is one of the most basic things that every website should have nowadays.
This certificate enables encrypted data transfer between the website and its visitors, which prevents attacks in which exchanged data and sensitive information are intercepted and stolen.
In addition, it is important to know that not having this certificate will cause Google to penalize you in SEO positioning, and browsers will show a warning that your website is not secure (with the consequent loss of trust and credibility on the part of users).
Most hosting companies offer a free SSL certificate from Let's Encrypt that is perfectly valid for the vast majority of websites.
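Installing the certificate is only half the job: the site also has to send visitors to the HTTPS version, otherwise plain-HTTP links keep working and the padlock never appears. Below is an added example (not code from the original post) of doing that from WordPress itself. `FORCE_SSL_ADMIN`, `is_ssl()`, `wp_safe_redirect()`, `set_url_scheme()` and `home_url()` are real WordPress APIs; the `example_force_https` name is an illustrative choice, and the `HTTP_X_FORWARDED_PROTO` block assumes a reverse proxy that sets that header and terminates TLS in front of the site.

```php
<?php
/**
 * Added example: force HTTPS for admin and front end.
 *
 * Part 1 belongs in wp-config.php (before "That's all, stop editing!").
 * Part 2 belongs in a site-specific plugin or functions.php.
 */

// ---- Part 1: wp-config.php ----------------------------------------------

// Behind a TLS-terminating proxy (assumption), PHP sees plain HTTP, so is_ssl()
// returns false and any redirect below would loop forever. Trust the proxy's
// header only if your proxy really sets it and strips it from client requests.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// Login and admin pages are always served over HTTPS.
define( 'FORCE_SSL_ADMIN', true );

// ---- Part 2: plugin / functions.php --------------------------------------

// Redirect any plain-HTTP front-end request to the same path over HTTPS.
function example_force_https() {
    if ( is_ssl() || wp_doing_cron() || PHP_SAPI === 'cli' ) {
        return;
    }
    // Build the target from the site's own home URL rather than from the
    // attacker-influenced Host header, then force the https scheme on it.
    $target = set_url_scheme( home_url( $_SERVER['REQUEST_URI'] ), 'https' );
    wp_safe_redirect( $target, 301 );
    exit;
}
add_action( 'template_redirect', 'example_force_https' );
```

After enabling it, also change the "WordPress Address" and "Site Address" settings to `https://`, so that WordPress generates HTTPS links itself instead of relying on the redirect, and test with a browser's developer tools that no page still loads a script or image over `http://` (mixed content also removes the padlock).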
#8 Remove plugins and themes that you don’t use
Our mothers already told us: if you don't need it, throw it away or give it away.
Keeping plugins or themes that you are not using installed on your WordPress site can be harmful, especially if they are not kept updated.
So, to save yourself trouble, why not listen to your mother and throw them out?
It's as simple as checking whether you use them or not and deleting the ones you don't, both in the Themes and in the Plugins sections.
#9 Change the prefix of the WordPress database table
All the tables in the WordPress database start with "wp_" when you perform a fresh installation of the software.
If you are installing WordPress from scratch, it is recommended that you change it (if you have the right knowledge) to another random combination of letters.
If you don't know how to do it, WordPress security plugins like All In One WP Security offer the functionality of changing the prefix once the website has been created.
#10 Hide the WordPress version in the code
Another slightly technical detail.
Removing the WordPress version number from your website's source code can help prevent attacks, since hackers look for specific versions with known vulnerabilities to exploit.
If your version is not the latest and you also advertise it in the code, you are taking too much risk.
And unfortunately, WordPress shows the version on all websites by default.
You can remove this code snippet by modifying the functions.php file of your theme. Or, if you don't want to get into technical details, by using a security plugin like All In One WP Security or WP Hardening.
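The following is an added example (not code from the original post, nor from either plugin named above) of what that functions.php change looks like. The hooks used (`wp_head`/`wp_generator`, `the_generator`, `style_loader_src`, `script_loader_src`) and the helpers (`__return_empty_string`, `remove_query_arg`, `get_bloginfo`) are real WordPress APIs; the `example_strip_core_version` name is an illustrative choice.

```php
<?php
/**
 * Added example: stop WordPress from advertising its version number.
 * Place in your active theme's functions.php, or better in a small
 * site-specific plugin so it survives theme updates.
 */

// 1. Remove <meta name="generator" content="WordPress x.y.z"> from <head>.
remove_action( 'wp_head', 'wp_generator' );

// 2. Return an empty generator string for feeds (RSS, Atom, RDF, ...),
//    which otherwise embed the version too.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Core scripts and styles get "?ver=x.y.z" appended to their URLs, which
//    leaks the same number. Strip it only when it matches the core version,
//    so third-party assets keep their own cache-busting versions.
function example_strip_core_version( $src ) {
    if ( false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'example_strip_core_version' );
add_filter( 'script_loader_src', 'example_strip_core_version' );
```

To check the result, view the page source of your homepage and of `/feed/` and confirm that no `generator` tag or `ver=` parameter with the WordPress version remains. Note that this only hides the number; files such as `readme.html` in the web root still name the version, and a fingerprinting tool can often infer it from other details, so hiding the version never replaces keeping WordPress updated (tip #1).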
#11 Change the access URL to the WordPress admin
All WordPress installations use the same default URL to access the admin panel:
nombredetuweb.com/wp-admin
Therefore, it is not difficult for bots to find it and carry out brute-force attacks like the ones mentioned above, testing millions of passwords until they find the correct one.
Luckily there are many security plugins (some already mentioned) that let you replace this access URL with a custom one that only you know.
Conclusion
As we have seen, if we want our website to be free of attacks, taking care of WordPress security is essential. And there are many actions we can take to do so.
And be aware that the ones we have covered here are just some of those we consider the most basic and important. If you keep digging into the topic you will find many more.
All this makes WordPress security one of the most tedious tasks, but it is really worth it if your website is one of your main sources of business, or if you offer web design services and the last thing you want is for one of your clients to be hacked (with the loss of reputation that would mean for you and the time it would take to fix it).
At Modular we are aware of this problem and, in our eagerness to automate processes and increase efficiency, very soon it will be possible to back up all your WordPress websites from the same control panel. This is in addition to an automatic security check that will notify you if your site suffers from any of the most frequent problems.
So we encourage you to register and try a new way to manage your websites and your customers.