A detailed guide with actionable tips and steps to add an extra layer of security to your WordPress site in 2022.
It’s high time you started paying attention to the security of your WordPress site; otherwise, your website could suffer a hack.
One of the best ways to secure your website is by making regular backups of your website files. Some hosting companies like Bluehost and HostGator provide this functionality as an extra for subscribers.
But you can’t rely on this alone; you must make your own regular backups to cater for unexpected events.
You can do this weekly, bi-weekly, or even monthly; what matters is that your web data is saved regularly as you grow your website.
In today’s guide, the idea is to share with you some very simple hacks to secure your WordPress website.
I’ll be discussing some of the steps, tools, and tricks to add an extra layer of security to your website.
They’re simple and easy to implement.
So why not take the time to add an extra layer of security to your WordPress website today?
1. Back up your website to the cloud
I recommend you keep a regular backup of your website, but where’s the best place to keep your backup? Not locally on your PC, because anything can go wrong even there.
The place to back up your website is cloud storage such as Google Drive, Dropbox, etc.
There are backup plugins dedicated to doing this; you have BackupBuddy and UpdraftPlus among others. Both plugins serve this function well and you’re good to go with either of them.
This is how they work.
You simply need to install the plugin to your WordPress website from the plugin area.
Visit Plugins and click Add New, then search for ‘backup’ in the WordPress plugin repository; once the plugin comes up, install and activate it and then proceed to back up your website.
You can first take a local backup and then immediately upload it to your cloud storage.
Your backups will be listed under Existing Backups.
The feature that allows you to automatically backup your website to Cloud in most plugins is a paid feature. If you have the extra bucks, you can give them a go.
One interesting thing about this website backup tool is that it allows you to schedule a regular and automatic backup of your WordPress site and have the backup copies saved up automatically to cloud storage such as Google Drive and Dropbox or even to your email.
Other recommended plugins for backup are:
2. Use a secure password
Use very complex password combinations for extra security of your website. Some users go ahead and use simple passwords such as 1234 or something very easy to guess as their website password. That’s not professional and can get your website hacked at any time.
It’s very important that you use very complex passwords that literally have no meaning, at least to anyone other than you.
Basically, it should be hard for any person to guess. Combine uppercase letters, lowercase letters, symbols and other characters to come up with a very secure password.
You need not worry about it being easy to remember, as the next point will show you how never to forget a password again.
3. Use the LastPass password vault
LastPass is an online password manager that you can use to save all of the login details you use from time to time.
To get started you need to sign up on the LastPass website; you can also install the Chrome extension or the Firefox extension in your browser.
There’s also an Android version that you can install on your mobile.
All passwords you use on any website you visit are saved on request, so the next time you need to access those websites, you don’t have to struggle to remember the correct password.
The same goes for your website(s). You can use the LastPass vault to save up your complex website login details.
4. Disable theme and plugin code editing from within WordPress
Inside your WordPress site there is a code editor that allows you to edit and make code changes to your theme and plugins.
I recommend disabling this functionality the moment your website goes live; the reason is to prevent hackers from injecting backdoors into your website even if they manage to gain access to the WordPress dashboard.
These malicious code injections are so subtle that you may not notice anything until your website is completely messed up.
To do this, log in to your cPanel, locate the wp-config.php file, and add the line of code that disables the theme and plugin code editor within the WordPress dashboard.
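As an added example (not code from the article), here is the relevant part of wp-config.php with the weak default shown next to the hardened setting; DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS are WordPress core constants.

```php
<?php
// wp-config.php excerpt (added example, not from the article). Keep the
// database settings and security keys your host generated and put these
// lines above the "That's all, stop editing!" comment.

// Weak default: when the constant is absent or false, every Administrator
// account gets Appearance > Theme File Editor and Plugins > Plugin File
// Editor, i.e. a way to change the site's PHP code from the browser.
// define('DISALLOW_FILE_EDIT', false);

// Hardened: remove both editors from the dashboard entirely. Code changes
// then have to go through the host's file manager, SFTP or your deployment
// process, which someone holding only a stolen WordPress login does not have.
define('DISALLOW_FILE_EDIT', true);

// Stricter, optional: also block plugin, theme and core installs and updates
// from the dashboard (it implies DISALLOW_FILE_EDIT). Only use it if you
// update another way, e.g. with WP-CLI, because it also turns off the
// automatic updates recommended later in this guide.
// define('DISALLOW_FILE_MODS', true);
```

After saving, the Theme File Editor and Plugin File Editor entries disappear from the admin menu; if they are still visible, the constant was placed after the line that loads wp-settings.php.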
5. Install an SSL certificate
SSL is needed to make a site secure, especially a website that deals in monetary transactions and the collection of user data. Google recognized the importance of an SSL certificate on a website and stopped supporting websites without one earlier this year.
SSL is one of around 200 ranking factors used by Google to rank pages. No one feels secure visiting a website only to be warned that the website they are visiting is not secure, hence the need to have all your web pages served over HTTPS.
You need not empty your pocket to get an SSL certificate for your website; almost all hosting companies now offer free SSL to users through Let’s Encrypt, which is 100% free except that you need to renew it every 90 days or so.
For a basic blog or information website, you can use Let’s Encrypt for free; you can activate it in your cPanel before or after installing WordPress, but it is better to install it before installing WordPress.
6. Install Cloudflare
An alternative to using Let’s Encrypt to secure your site is Cloudflare.
A viable alternative, if for any reason you can’t use the free Let’s Encrypt SSL, would be to use the free SSL offered by Cloudflare.
The process of adding Cloudflare to your WordPress site is simple: first, register on the Cloudflare website and add your website, and you will be given new nameserver details to change your domain’s nameservers to.
Here is a detailed guide on how to open a Cloudflare account and set up your website. Cloudflare offers you more than just the green padlock you see in your browser address bar when the domain is served over https://; it also offers your website protection against DDoS, brute-force attacks and spam.
For instance, during the COVID-19 lockdown in Nigeria, it was alleged that government websites were being hacked; the first thing I noticed was that Cloudflare was being installed on almost all of the .gov websites.
That is to tell you that one of the cost-effective ways to ward off intrusion into your website by hackers is to leverage the robust Content Delivery Network (CDN) offered by Cloudflare; it also strengthens the internal security of your website, mitigates DDoS attacks, boosts speed and enhances the overall performance of your WordPress site.
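The wp-config.php side of sections 5 and 6, as an added example that is not from the article: FORCE_SSL_ADMIN is a WordPress core constant, and the X-Forwarded-Proto check is only needed when Cloudflare’s Flexible SSL mode sits in front of an origin that only speaks HTTP.

```php
<?php
// wp-config.php excerpt (added example, not from the article), placed
// above the "That's all, stop editing!" comment.

// Keep wp-login.php and the whole dashboard on HTTPS. WordPress already
// enables this when the Site Address in Settings > General starts with
// https://; setting it explicitly also covers a site whose certificate was
// installed after WordPress and whose stored URLs still begin with http://.
define('FORCE_SSL_ADMIN', true);

// Caveat for Cloudflare's "Flexible" SSL mode: browser-to-Cloudflare is HTTPS
// but Cloudflare-to-origin is plain HTTP, so PHP never sees $_SERVER['HTTPS']
// and FORCE_SSL_ADMIN keeps redirecting to https:// (a redirect loop).
// Cloudflare passes the original scheme in X-Forwarded-Proto. Trust it only
// if all traffic really arrives through the proxy; otherwise anyone can send
// the header themselves and skip the redirect.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// Better: once the origin has its own certificate (the Let's Encrypt one from
// section 5 works), switch Cloudflare to "Full (strict)". The origin leg is
// then encrypted too and the workaround above can be removed.
```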
7. Change the WordPress login URL
The default login URL of WordPress is not secure.
The WordPress login address is your site followed by /wp-admin; by leaving it like this, you can be heavily targeted by brute-force attacks.
You can prevent this problem by simply changing your admin login URL to something more secret and peculiar to you.
The plugin we recommend for this action is the Change WP-Admin Login plugin. To install the plugin, we added a link to the plugin page so you can be sure of what to install.
Once installed, activate it under the Settings area by going to the Permalinks menu, then scroll down; you will see where to change your wp-admin URL to something else.
Henceforth, you should use the new URL to access your WordPress admin area.
8. Limit login attempts
WordPress allows users to try to log in as many times as they want, probably until they manage to guess the password, and this is not good for you when it comes to the security of your site.
People who leave their website this way are making it vulnerable to brute-force attacks. You can cut down on the activities of hackers, or at least frustrate their repeated attempts, by simply limiting the number of login attempts users can make on your login page before they are temporarily blocked.
For example, on one of my clients’ websites, the maximum number of attempts is 2 before you’re served a 72-hour temporary block; this will decrease the chance of brute-force attacks.
There is a plugin to get this set up easily, and that’s Limit Login Attempts Reloaded; simply find it in the WordPress plugin repository and have it installed and activated.
Under the settings menu in the dashboard, you can add a specific IP or username into the blacklist or whitelist.
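The policy described in this section (2 attempts, then a 72-hour block) written as a small must-use plugin; this is an added example for this guide, not the code of the Limit Login Attempts Reloaded plugin, and it assumes the site is reached directly rather than through a proxy (see the comment on REMOTE_ADDR).

```php
<?php
/*
 * Plugin Name: Two-strikes login lockout (added example)
 * Save as wp-content/mu-plugins/login-lockout.php; must-use plugins load
 * automatically and cannot be deactivated from the dashboard.
 * Policy taken from the article: 2 failed attempts, then a 72-hour block.
 */

define('LLO_MAX_ATTEMPTS', 2);
define('LLO_LOCKOUT_SECONDS', 72 * HOUR_IN_SECONDS); // HOUR_IN_SECONDS is a core constant

// The attempt counter and the lockout flag are transients keyed by client IP.
// Caveat: behind Cloudflare or another proxy, REMOTE_ADDR is the proxy's
// address, so a single lockout would hit every visitor. Restore the real
// client IP at the web-server layer first (e.g. Apache mod_remoteip reading
// Cloudflare's CF-Connecting-IP header) before relying on this.
function llo_key(string $suffix): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'llo_' . md5($ip) . '_' . $suffix;
}

// 1. Every failed login increments the counter for that IP. Once the limit is
//    reached the IP is flagged; further attempts during the block restart the clock.
add_action('wp_login_failed', function ($username) {
    $attempts = (int) get_transient(llo_key('count')) + 1;
    set_transient(llo_key('count'), $attempts, LLO_LOCKOUT_SECONDS);
    if ($attempts >= LLO_MAX_ATTEMPTS) {
        set_transient(llo_key('blocked'), time(), LLO_LOCKOUT_SECONDS);
        error_log(sprintf('login lockout: %s blocked after %d failures (username "%s")',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $attempts, $username));
    }
});

// 2. While the flag is set, reject every login from that IP, even with the
//    correct password. Priority 40 runs after core's own authenticate filters
//    (priorities 20 and 30), so core cannot replace this error with a WP_User.
add_filter('authenticate', function ($user, $username, $password) {
    if (get_transient(llo_key('blocked'))) {
        return new WP_Error('llo_locked_out',
            __('Too many failed login attempts. Try again later.'));
    }
    return $user;
}, 40, 3);

// 3. A successful login clears the counter so occasional typos do not accumulate.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(llo_key('count'));
}, 10, 2);
```

The generic error message is deliberate: it does not reveal whether the username exists, and the lockout entries appear in the PHP error log where your monitoring can pick them up.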
9. Protect the wp-config.php file
The next tip we recommend to secure a WP site is to protect the .htaccess and wp-config.php files from being read by visitors. This can help keep hackers out of your site.
Before making any code changes in this regard, I recommend first taking a backup of your site and proceeding with caution; any mistake can break your website or make it inaccessible.
Once you have a backup, you can proceed by adding the code below to your .htaccess file. Open the file with a plain-text editor and add these lines at the end of the .htaccess file, outside the block between # BEGIN WordPress and # END WordPress, since WordPress rewrites that block whenever permalinks are saved. On Apache 2.4 or newer, Require all denied does the same job as the order/deny pair.
# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
10. Delete unused themes and plugins
First, make sure that all plugins and themes on your WordPress site are kept updated; since a recent WordPress core update, you can set your plugins to update automatically, which is a great thing for securing your website.
Remove themes and plugins that you are not using, there’s no point keeping a plugin on your website when it’s not in use.
11. Regularly scan your website for malware
Next, you want to constantly keep an eye on your website by having it checked for any malware.
There are a lot of WordPress security plugins that take care of malware scans and monitor your site 24/7 for what is going on.
First, there is the Wordfence WordPress security plugin, a freemium plugin that over the years has offered several security features such as web auditing, file monitoring, malware scanning, security notifications, and even a website firewall for WordPress users.
The plugin can detect code injections into themes and plugins and lets you have them removed, ignored, or manually edited.
There are many other good security plugins you can make use of; there is the Sucuri Security plugin for hardening, malware scanning and auditing of your website.
Another impressive security plugin is iThemes Security, which prides itself on offering more than 30 ways to secure its users’ websites.
12. Avoid nulled themes and plugins
WordPress premium themes look more professional and have more options than a free theme. They are coded by highly-skilled developers and are tested to work perfectly. You get regular support and updates.
But there are a few sites that provide nulled or cracked themes; they are very dangerous for your site because they usually contain hidden malicious code that could destroy your website and database, or worse, log your admin credentials and increase the chances of losing your WordPress investment.
This is why we recommend that you save up a few bucks and always avoid nulled themes; if you like a theme, buy it and save yourself the stress that comes with suffering a hack as a result of using a manipulated theme with a backdoor.
I recommend ThemeForest because it has a variety of themes suitable for your business; visit the website and check for the one suitable for your website or blog.
13. Keep WordPress core updated
Keeping WordPress updated is very important; with every update, developers make a few changes, oftentimes including updates to security features.
Staying on the latest version is one step toward being secure against hackers. It is also important to update your plugins and themes for the same reasons. By default, WordPress automatically downloads minor updates; for major updates, however, you will need to update directly from your WordPress admin dashboard.
There you have it, 13 actionable tips to keep your WordPress site secure.
We can help you get started the perfect way. Be it Blogging, Youtube, Pinterest, you can share your online business ideas with us today. We will offer you the professional support you need for the perfect onboarding.
Email us at hello@ngsup.com