Step by Step WordPress security guide

A Step by Step Guide to WordPress Site Security 2019: Do you ever wonder how to secure a WordPress site from hackers? Well, this is a question which troubles most webmasters.

We must, however, acknowledge that there’s no site which is 100% secure from online attacks. Attack methods are modified each second with the rates of attacks increasing each day.

A recent study showed that online attacks are launched after every 39 seconds. On a separate report, since 2013, over 3.8 billion records are lost daily due to data breaches.

Shockingly, still, the large-scale Distributed Denial of Service (DDoS) attacks steadily increases by 500 percent. This 2018 report showed that the median distributed DDoS attacks increased to over 26GPs, reflecting a 500 percent increase.

Is WordPress Site Security So Important?

Most small business owners fail to secure their WordPress websites due to the belief that they’re too small to be targeted. Most people also falter here due to lack of awareness on the importance of web security.

Now, your site acts as your ambassador; your brand image. In most cases, your clients will first interact with the site before even contacting you.

Therefore, when your site is not safe, you risk losing critical business deals. Also, note that cyber-attacks come in different forms.

From infecting sites with malware then spreading it to your users or stealing critical visitors’ information like credit card details, emails, and addresses or hijacking and crashing the site, there are a lot of risks that come with poor site security.

Moreover, Google also blacklists insecure sites. It blacklists over 50, 000 websites each week due to phishing threats and over 20, 000 sites due to malware threats.

This means that there’s no shortcut. You must harden your WordPress website security to ensure business continuity and protect your brand.

How Can I Secure My WordPress Site In 2019?

If you’re keen to secure your WordPress website, here is one fact and myth you should know about.

Fact: WordPress is an open-source script. This makes it vulnerable to most online attacks including man in the middle attacks etc.

Myth: WordPress lacks built-in web security. This is not the case as WP is way more secure than most web builders out there.

Nevertheless, you still must make it secure to avoid cyber-attacks like brute force attacks, phishing attacks, man-in-the-middle attacks, and hacking, etc. After reading this piece, you will know;

  1. How to update your WordPress website.
  2. How to modify user permissions and passwords.
  3. How to migrate your site to SSL/HTTPs socket layer.

How Do I Keep My WordPress Site Updated?

It’s essential to keep your WordPress website updated to prevent malware attacks etc. Most WordPress updates come up with new features, which will also help you fix bugs on the site to increase the site’s security.

WordPress releases major updates around three times every year though there are also minor updates which occur by default. You must install the major updates manually. Before updating the site, be sure to back up your database and the website. Here’s how to update the site in two easy steps:

Step 1: Log in to your site’s dashboard.

On top of your admin dashboard, you’ll see a notification of latest update for the site. You will also see your site’s current version.

If you log in via the ‘admin‘ dashboard, you’ll see an ‘updates’ tab. Under this tab, you’ll find a list of all the latest updates required for the site.

Step 2: Click ‘Updates‘.

WordPress updates

When you click here, it’s prudent that you select the option for ‘running single updates at a time and the site’s frontend. This is important because it will be easy for you to diagnose faults in case one of the plugins causes a problem.

WordPress new update

Either way, you can also use a few plug-ins to update your site automatically. Most webmasters prefer it because it offers real-time site updates and backups.

How to Modify WordPress User Permissions, Passwords and Actions

It’s important to note that hackers rely on stolen credentials to hack WordPress websites. Your best bet against hacking attempts is to use strong passwords and usernames which are hard to guess.

You should apply this to your admin area, WordPress hosting accounts, PTP accounts, and databases, etc. If you have lots of contributors and authors, you’ll need to define their roles and capabilities.

Here’s a breakdown of permissions and actions you can manage on the site.

Disabling WordPress File Editing

Perpetrators can maliciously edit the built-in code editor for your plugins, themes, and files. You must turn it off to lock out the perpetrators. Here’s how to do it.

  • Open your .htaccess files then add this line of code wp-config.php. Save the changes.

How to Disable PHP File Execution

You should disable the PHP file executions in areas where it isn’t important. It will help you mitigate attacks due to file injections via programming languages like PHP and JavaScript.

Here’s how to do it:

Step 1: Add four lines of code for disabling PHP file execution to your web server’s .htaccess files. It will look like this;

<Files *.php>

Order allow, deny

Deny from all

</Files>

How to Limit Your Site’s Login Attempts

Limiting the site’s login attempts will help you avoid brute force attacks when hackers attempt to crack passwords to gain unauthorized access to your site. Here’s a quick way to limit the WordPress site’s login attempts.

Step 1: Download and install then activate Login LockDown plugin.

Step 2: Set it up via the ‘Settings’ section.

Turning Off the Site’s Directory Indexing

Disabling your site’s directory indexing will make it difficult for hackers to find vulnerable files on your website. This is how to disable a site’s directory indexing.

Step 1: Connect to your site via the cPanel file manager or FTP.

Step 2: Locate your site’s .htaccess file in its root directory.

Step 3: Add this file; Options -Indexes in your .htaccess file options.

Step 4: Save and upload the .htaccess file to your site.

How to Switch Your Site to HTTPs/SSL Socket Layer

To harden your WordPress website security, it’s recommendable that you switch it to HTTPs instead of the traditional HTTP. The HTTPs protocol works by encrypting communication on the site and securing your primary webserver to the visitors.

The Transport Layer Security (TLS) secures the information shared via the HTTPs protocol to give your site three layers of security, i.e.;

  1. Data encryption. This ensures the data shared on the website are safe from the prying eyes of the hackers.
  2. Data Integrity. Data integrity helps ensure that the data shared on your site cannot be modified without notification.
  3. Authentication. This helps ensure the communication on your website cannot be interrupted to avoid man-in-the-middle attacks, something which is crucial in helping you build reputation and brand dominance.

This is how to switch to https from HTTP:

  1. You should first have to buy SSL certificate. Most hosting companies offer free SSL certificates, but you may need to purchase a dedicated one to up your security game. Once you buy SSL certificate, you need to configure it then you will have certificate in zip file that you should Install it on both your www versions and non-www versions. This will help you maintain your Google rank.
  2. Then update site URL via Settings >> General there you can update site URL address field.
  3. In case if the website is existing then set up SSL by redirecting it to HTTPS from HTTP. You need to add below code in .htaccess file:
    RewriteEngine On
    RewriteCond %{HTTPS} !on
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
  4. You have now set up SSL and HTTPS on your WordPress site.

Bottom Line

Website security isn’t a one-time task. The golden rule is observing the basics, using dedicated, and relevant SSL certificates, and regularly updating the site.