WordPress is the most famous publishing platform powering over 35% of the whole web. It’s easy to use and fast growing and it’s earned its popularity thanks to ever-growing list of themes and plugins and the top-notch SEO practices.
However, with its popularity comes the less appealing aspect. WordPress is not only popular among blogger, but also among hackers so it’s a favorite target for intruders, malware and cyberattacks. According to a 2017 study on more than 34.000 websites, WordPress accounted for 83% of compromised publishing platforms and in 2019 this number reached over 90%.
That’s why it’s important to take the security of your WordPress website seriously and it doesn’t matter if you’re just starting with a personal blog or if you’re managing a company website. In this article, I will show you 5 ways to secure your WordPress website so you make it harder for potential attacker to steal your credentials or damage your content.
Disclosure: Please note that some of the links in this post are affiliate links for products I use and love. This means if you click on such a link and take action (like subscribe, or make a purchase), I may receive some coffee money at no extra cost to you. This helps me creating more content free of charge to you. And, as an Amazon Associate, I earn from qualifying purchases. Thanks for your support!
1. Reliable web hosting provider
You probably know that you can host your own WordPress installation or that you can just pay for the services available at WordPress.com. Your own installation offers more freedom and options to customize your website, WordPress.com offers a hassle-free experience perfect for writers who don’t want to waste time with configuration of their publishing platform.
If you decide to run your own WordPress installation, it’s important to choose a reliable web hosting provider. You should always focus your attention to security, speed and performance. Your hosting provider should always offer SSL/TLS certificate for your domain name and automatic offsite backups of your whole website.
Depending on your budget, you can opt for a regular shared web hosting plans offered by SiteGround, Bluehost or DreamHost. These providers are endorsed by the WordPress.org as the best shared hosting providers for many consecutive years. If money isn’t issue and you want the best service for your website, you might be interested in managed web hosting plans offered by Kinsta, WP Engine or Flywheel. If you haven’t decided for your web hosting provider yet, make sure to read 10 Best Web Hosting Plans for WordPress in 2020 to learn about the best options currently available.
2. Use security plugins
Sucuri and Wordfence are the best security WordPress plugins currently available. If you’re not hosting your WordPress website with a managed hosting provider, you should definitely check these two plugins as they can detect and block malicious attacks and alter your about issues that require your attention.
Managed hosting usually comes with its own solution, so even though it’s a bit more expensive, you don’t have to care about security as it’s managed for you as a part of your hosting plan.
3. Choose trustworthy theme
One of the most praised features of WordPress is the ability to customize your website with themes. There are literally thousands available all over the Internet, and Themeforest.com is one of the biggest marketplace for everything you might need.
Even though there are also free themes, it serves to be cautious when picking them as some might be poorly designed, or they may even hide some malicious code. That’s why you should always use themes from reputable sources. You should always avoid the so-called nulled or cracked themes. These are premium themes that were compromised by hackers and are illegally available for free with a huge risk of damaging your website with hidden malicious code.
I can personally recommend GeneratePress (here’s a step-by-step installation guide), Elementor (here’s a quick online tutorial), Astra and StudioPress themes. These are professional and regularly updated themes from well-established companies you can trust.
4. Update your WordPress regularly
The fundamental WordPress rule is to always keep your website up to date. Unfortunately, based on WordPress stats available at https://wordpress.org/about/stats/, only 41.7% of WordPress-based websites run the latest version.
When your website becomes outdated and falls behind on security and performance fixes, it’s more susceptible to bugs, crashes and attacks. Managed hosting providers like Kinsta, Flywheel and WP Engine usually take care of regular automatic updates for you, so you can focus on writing quality content instead.
5. Secure your dashboard login
It’s notoriously known fact that almost all WordPress websites have an administration dashboard accessible via /wp-admin address attached to the domain name like www.mydomain.com/wp-admin.
Also, most people use the default admin username, so the last thing the attacker needs to obtain is the password and people are very bad with using strong passwords. According to this article, the most hacked passwords are qwerty, 123456 and password. That’s beyond crazy.
To secure your dashboard login, you should do two things. First, you need to create a new admin user with hard-to-guess username and second, you should enable the Two-Step Authentication with Jetpack. In this article, I’ll walk you through the whole process step by step.