11 Ways to Secure WordPress Website in 15 Minutes

May 12, 2017 Jason Daszkewicz Security, Wordpress

“Security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain. What security is though is risk reduction, not risk elimination. It’s about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture reducing the odds of making yourself a target, subsequently getting hacked.” — codex.wordpress.org

I am starting this post with these lines because I think this is the most accurate description of the security of a system. Getting a WordPress website that increases the reach of your business is key. However, the security of that website is always paramount.

Despite that complex description, security has become very easy to implement, and any user can secure a WordPress website. So, let’s reduce the risk by following a checklist that will not take more than 15 minutes.

Let’s get started.

#1: Make Sure of Backing up your WordPress Website

Making a backup is basically a contingency plan for when anything goes wrong. It lets you restore a good version of the website if needed. Backing up the website is crucial because there are cases when a website gets damaged or even compromised. With a backup handy, you can recover from these situations with ease.

Generally, hosting providers offer a backup feature. If yours does not, I recommend UpdraftPlus. However, there are many backup plugins available and you can choose any of them. The main point here is to keep a backup of your website.

#2: Delete the Old WordPress Directories

To check how many directories you have on your WordPress website, log in to your website by FTP or File Manager. If you’re uncertain about the directories, ask your hosting provider.

All the old directories should be deleted. When they are no longer maintained by their developers, hackers look for vulnerabilities in them and use these directories as a way into your website. So, delete all outdated directories and software to remove this risk.

#3: Delete All the Non-Essential Plugin, Theme or Extension

Now, go to the Plugins section and look for plugins that are of no use to you. That is not all: you also have to check for plugins that are no longer maintained by their developers. I strongly recommend not installing any plugin that has gone unmaintained for over 2 years. How would you identify one? Just check it on WordPress.com and look at its updates; if the plugin has not been updated for over 2 years, delete it immediately.

If these plugins, themes or extensions are not maintained by their developers, a hacker can easily find a vulnerability in them and use it to intrude into your website.

#4: Complete Update of your WordPress Website→ Top to Bottom

Now, you have to update everything on your WordPress website. There is no margin for error in this step. To properly update the plugins and themes, follow these simple steps.

  • Update all the plugins.
  • Don’t forget to update your WordPress theme.
  • Update all the core installations.

If you have any other applications, such as Joomla or Drupal, update them as well, including their extensions.

What if you have a custom WordPress Theme?

If the theme you’re using on your website is a custom WordPress theme and you’re not able to update it, you must hire a developer to do that for you. You simply cannot leave it. Some call it an unfortunate reality, some call it a self-created problem, and some call it a necessary step. So, don’t just install and forget.

You can configure automatic updates to ensure regular updates.

→ To auto-update WordPress core files, add this line to the wp-config.php file:

define( 'WP_AUTO_UPDATE_CORE', true );

→ For the plugins, use this filter (filters belong in a plugin or your theme’s functions.php file, not in wp-config.php):

add_filter( 'auto_update_plugin', '__return_true' );

→ For Themes, use:

add_filter( 'auto_update_theme', '__return_true' );

#5: Secure your CPanel and WordPress Admin Accounts

To secure your WordPress admin accounts, sign in to your WordPress website, go to Users > All Users, and select “Administrator” at the top of the user list. Make sure that you know all the accounts. If you find any account which seems foreign to you, this means your website is hacked. In this case, you might want to contact a security expert.

Delete all the unnecessary admin accounts.

Your admin password must be strong and random. Do not use any specifics in your password.

#6: Install a WordPress Security Plugin

Installing a WordPress security plugin takes no special skill. For this step I am going to give you a simple list of three WordPress security plugins. Those three are:

#7: Start Using Two-Factor Authentication (2FA)

By adding two-factor authentication, you add an extra layer of security to your admin credentials. 2FA requires another factor of information that only you can provide, such as a code sent to your phone number or email address.

This method can defeat a hacker’s brute-force attack: even with the login credentials, the hacker cannot access your account, because an OTP is then generated and sent to your mobile phone or email address. So, with 2FA you can secure your WordPress website more effectively.

You can use these WordPress plugins to facilitate this security option.

#8: Change the “Admin” Username

Always remember one thing: everyone knows your username is “Admin”. So, change it. Simply go to the Users section in the WordPress Admin Panel, then rename or delete the “admin” account or username.

There are also plugins available for this; however, to keep the site speedy, I suggest you follow the above step. With this, hackers cannot guess your username.

#9: Always Go for Limited Login Attempts

Disappointingly, WordPress doesn’t have login limits. This means anyone can make unlimited attempts to guess WordPress passwords. It also lets hackers use brute force, which is simply a program that keeps making login attempts with every possible combination of numbers and letters.

Limiting login attempts breaks this kind of operation and keeps your WordPress website secure. This is recommended after changing the username.

For this, you can use any plugin. Some of them are –

#10: Enable SSL for Data Security

The next crucial step for the website security is enabling SSL (Secure Sockets Layer). SSL enables you to encrypt all the information from and to your website. This secures the private data of all your viewers.

Identifying SSL is a piece of cake. Just look at the prefix of the URL: if it starts with HTTPS, it is an SSL-secured web page, and if it starts with HTTP, it is not.

#11: Hide the version of your WordPress

Now, if you delay updating WordPress, I recommend hiding your WordPress version, as it can act as a breadcrumb that gives a hacker useful information.

There are three areas where your WordPress version shows up.

1. The generator meta tag (header)

<meta name="generator" content="WordPress 4.0" />

2. Query strings on scripts (and styles)

subscriptions.css?ver=4.0

3. RSS Feed’s generator tag

http://wordpress.org/?v=4.0

To get rid of the version number in all three areas, add this code to the functions.php file:

/**
 * Hide WP version strings from scripts and styles.
 *
 * @param  string $src Script or style URL.
 * @return string $src
 * @filter script_loader_src
 * @filter style_loader_src
 */
function fjarrett_remove_wp_version_strings( $src ) {
    global $wp_version;
    // parse_url() returns null when the URL has no query string; cast so parse_str() gets a string.
    parse_str( (string) parse_url( $src, PHP_URL_QUERY ), $query );
    // Strip ver= only when it equals the core version; plugin and theme versions stay.
    if ( ! empty( $query['ver'] ) && $query['ver'] === $wp_version ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'fjarrett_remove_wp_version_strings' );
add_filter( 'style_loader_src', 'fjarrett_remove_wp_version_strings' );

/* Hide WP version strings from generator meta tag */
function wpmudev_remove_version() {
    return '';
}
add_filter( 'the_generator', 'wpmudev_remove_version' );

Also, make sure that you remove the readme.html file from the install folder, as this also exposes your version number.
So, these are the 11 ways by which you can secure a WordPress website in just 15 minutes. Let’s have a quick recap to make sure that you understand everything.

Step1 – Make sure of Backing up your WordPress Website.

Step2 – Delete the Old WordPress Directories.

Step3 – Delete all the non-essential plugin, theme or extension.

Step4 – Complete Update of your WordPress website→ Top to Bottom.

Step5 – Secure your CPanel and WordPress admin accounts.

Step6 – Install a WordPress security Plugin.

Step7 – Start Using Two-Factor Authentication (2FA).

Step8 – Change the “Admin” Username.

Step9 – Always go for limited login attempts.

Step10 – Enable SSL for Data Security.

Step11 – Hide the version of your WordPress.

So, these are the steps to secure a WordPress website. If you get stuck somewhere, let me know through the comments and I will help you to the best of my ability. Till then, have a good one.