10 Great Free Ways To Secure WordPress Websites

In this article we’ll give you 10 great free ways to secure WordPress websites, keep hackers at bay and stop them in their tracks. Whether you are an ordinary blogger or run a business WordPress website, you should do everything you can to make your website as secure as possible. Although WordPress is a very secure CMS and its developers spend a lot of time on security, hackers never stop trying to attack websites. If your websites are not secure enough and fall into the hands of hackers, your business can seriously suffer. To prevent that from happening, in today’s article we will tell you about 10 great ways to secure your WordPress websites.

1. Hide the fact that you are using a WordPress CMS

This is one of the best and most effective ways to keep your WordPress websites secured. You are probably wondering how to complete this task. The solution is called Hide My WP, which is the best plugin on the market for this purpose. This WordPress security plugin will hide the fact that you are using WordPress. This means that hackers will not be able to detect what theme or plugins you are using. Hiding the fact that your website is powered by WordPress makes it more difficult for any hacker to plan an approach to attack your website.

This plugin works by hiding common WordPress paths like /wp-admin. All WordPress instances are hidden so no one can know you’re using WP.

In addition to hiding the WP installation, this plugin has a smart IDS engine that will automatically block all SQL injection or XSS attacks.

There are many websites that use this plugin, and together they form the Trust Network which helps in proactive protection by detecting threats in the initial stage. If you want to try this plugin, you can get the free version from the WordPress repository. The commercial version is much more powerful and offers comprehensive protection, so you won’t need anything else besides this plugin, and your website will be completely safe.

2. Regularly update WordPress, plugins and themes

This process is very important. Although WordPress is relatively secure, hackers work around the clock to find flaws and use them to compromise your website. That’s why WordPress developers constantly release bug fixes and security patches. If you are running an older version of WordPress and have not installed a security patch that is already known, there is a great chance that your website will suffer serious consequences if it is attacked.

To see what has been fixed in the latest WordPress release, check the changelog on the official page, where everything is explained down to the smallest detail.

Also, be sure to pay attention when buying WordPress themes and plugins. Buy only those that receive regular updates and have excellent user experiences and comments on social networks. Your WP may be secure, but if your theme has bugs, an attack on your website will be 100% successful.

3. Choose your hosting company carefully

One of the most important items when it comes to the security of any website is the quality and reliability of the hosting company that hosts your website. Today there are many companies that offer seemingly excellent hosting plans for a pittance. However, it is only when a problem occurs and your business is disrupted that you realize you did not make the right choice.

Most of these companies have hosting packages that are intended for WordPress websites. Also, with every hosting account you will get free SSL, and their servers are secured against any type of attack. They do a daily backup of your website so you can get it back up and running in case anything goes wrong. There are several excellent hosting companies, and before you choose one of them be sure to look at user experiences and comments.

4. Use a strong username and password

This is also a very important and basic thing to do if you want to keep your website secure. Using a weak username and password that can be easily cracked by brute force methods is a huge security issue. We recommend that you never use “admin” or “administrator” for any username with the “Administrator” role. Choose an admin username that is hard to guess, one that nobody would even imagine being used. Also, use that admin account only to administer your website and users. Do not publish anything under that name, because then the administrator username will be publicly visible.

Never use your name or the names of your relatives, friends or pets as a password. Even if your pet’s name is Wof#Dm47@rkm, this is information that someone other than you knows and can use for an attack. It is best to use a random password that is a combination of letters, numbers and special characters, and then store it safely. There are many websites online for creating strong usernames and passwords if you run out of ideas.

One of the most famous tools for this purpose is the F-Secure strong password generator. There are many more similar tools online, and it’s up to you to decide which one to use.

5. Make regular backups of your website

Backup is one of the best and fastest ways to restore your website to a functional state after an unwanted problem occurs. Within the WordPress repository there are many plugins that will do this job perfectly, and most of them are free.

One of the best plugins for this purpose is UpdraftPlus.

You can make a backup of your website, and the backup files will be stored on your hosting server. If you opt for the commercial version, your backup files will be stored in the cloud without consuming your resources.

We have already mentioned that quality hosting companies make periodic backups of your website, but if you want to increase the level of security we definitely recommend that you make a backup of the complete WordPress installation yourself.

6. Make sure you are using the latest PHP version

Just as you should use the latest WordPress version, the same applies to PHP. Old and outdated versions of PHP have their drawbacks and are certainly no longer safe to use.

Manual upgrade of PHP to a newer version can be a tricky job if you are not an experienced user. However, most quality hosting companies do timely PHP upgrades on their servers and this should not be a problem.

If you have cPanel or similar software on your hosting account, then you can change the PHP version yourself in just a few clicks. Make sure your PHP version, theme and plugins are always up to date.

7. Use Two Factor Authentication (2FA)

This is one of the best ways to keep your website secure. Two factor authentication requires you to enter a one-time password, which you get from an authentication app on your smartphone for example, before allowing you to log in to your WordPress site. It works in such a way that when you enter your password, you also receive a special code on your mobile phone, e-mail or any other device you own. Having 2FA activated on your website means that even if you give your username and password to anyone, they won’t be able to log in unless that one-time password is also entered.

There are many plugins that allow you to implement two factor authentication, and one of the best on the market is ShieldSecurity. In addition to offering two factor authentication, this excellent plugin detects bots, intrusions and hacks, and has excellent options to block bad bots and repair hacks. There is a free version inside the WordPress repository and we advise you to try it out. There is also an option to activate 2FA on the Wordfence security plugin if you already have it installed.

8. Set login attempt limit

If you use a login attempt limit you will prevent brute force attacks on your website. This protection method works by only allowing a user a certain number of attempts to log in to the website in a certain period of time. If someone fails to log in as many times as you set, access to the admin panel will be locked for the period of time that you have set.

One of the best plugins for this purpose is the Wordfence Security plugin. In addition to setting a login attempt limit, you can easily see which IP address is trying to log in to your site, and then you can ban that address with just one click.
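The limit-and-lockout mechanism described in this section, as an added Python example (it is not Wordfence's code or a WordPress API). The class name, the thresholds and the choice to count attempts per client IP address are assumptions made for illustration.

```python
from collections import defaultdict, deque


class LoginLimiter:
    """Allow `max_attempts` failed logins per `window` seconds for each key
    (here the client IP), then lock that key out for `lockout` seconds."""

    def __init__(self, max_attempts=5, window=300, lockout=900):
        self.max_attempts, self.window, self.lockout = max_attempts, window, lockout
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time the lockout ends

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is not None and now >= until:
            del self._locked_until[key]       # lockout has expired
            until = None
        return until is not None

    def attempt(self, key, password_ok, now):
        """Return 'ok', 'failed' or 'locked' for one login attempt."""
        if self.is_locked(key, now):
            return "locked"                   # correct passwords are refused too
        if password_ok:
            self._failures.pop(key, None)     # success clears the failure history
            return "ok"
        recent = self._failures[key]
        recent.append(now)
        while recent[0] <= now - self.window:  # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout
            recent.clear()
            return "locked"
        return "failed"


def replay(limiter, events):
    """Feed (time, ip, password_ok) tuples through the limiter in order."""
    return [limiter.attempt(ip, ok, t) for t, ip, ok in events]


# Constructed events; the addresses are from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    (0, "203.0.113.7", False), (10, "203.0.113.7", False),
    (20, "203.0.113.7", False),   # third failure inside 60 s -> locked
    (30, "203.0.113.7", True),    # right password, still locked out
    (30, "198.51.100.4", True),   # other clients are unaffected
    (620, "203.0.113.7", True),   # lockout (600 s) has expired
]

if __name__ == "__main__":
    print(replay(LoginLimiter(max_attempts=3, window=60, lockout=600), SAMPLE_EVENTS))
```

Refusing even a correct password during the lockout is what defeats brute forcing: a guess made while locked out tells the attacker nothing about whether it was right.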

9. Use WAF (Web Application Firewall)

Using a WAF is a great way to protect your website from threats lurking out there on the Internet. It is usually a cloud service that is positioned between your website and the rest of the internet. It is tasked with blocking malicious traffic such as DDoS attacks, login attempts from unknown and bad IP addresses, bad bots and many others.

One of the most famous and best services on the market is Cloudflare WAF. There is a free version where you can add your website to Cloudflare, and it offers DNS, CDN and DDoS protection. If you want some more advanced options you will have to subscribe to one of the membership packages.

10. Use SSL/TLS certificates

Using an SSL/TLS certificate will encrypt the traffic between your website and the user’s browser. Although once upon a time SSL certificates were used mainly by websites that handle sensitive information (such as credit card numbers), today it is becoming standard for every website to have an SSL certificate integrated.

Most quality hosting companies (like Bluehost) offer a free SSL certificate if you decide to use their services. If you have a WordPress webshop (usually powered by WooCommerce) then you will definitely need to have an SSL certificate, because today absolutely all payment gateways require you to have and use one. If your hosting provider does not offer a free SSL certificate, you can always buy one for a few dollars/year.

Every day tens of thousands of WordPress websites are attacked globally. That is why it is very important to constantly work on improving the security of your website. There are many ways to minimize threats from the Internet, and in this article we have described 10 great ways to secure your WordPress websites. If you use these tips we hope that your website will not be part of the statistics of attacked websites.


Disclosure: This page contains external affiliate links that may result in us receiving a commission if you choose to purchase a mentioned product. The opinions on this page are our own and we don't receive an additional bonus for positive reviews.