
WordPress Security, 19 Tips to Make Your WordPress Website More Secure


What comes to mind when you hear the words “website security” or “WordPress security”?

Maybe some of you think of hacked websites, malware, or viruses that threaten your site. Yes, all of that is true.

WordPress security is another important aspect of a website, alongside speed and SEO. You are obliged to protect it from various threats, from damage caused by malware and brute force attacks to irresponsible hackers.

WordPress Website Security

According to research by the security company Sucuri (sucuri.net), more than 11,000 infected websites were recorded in Q1 2016, and 75% of them were running WordPress. The more popular WordPress becomes and the more users it has, the more attractive a target it is for criminals. Your WordPress website can be infected through many paths: out-of-date plugins or themes, brute force attacks, the hosting environment, unused files or scripts, and weak passwords.

19 Tips for Securing Your WordPress Website

In this article we provide tips for securing a WordPress website, especially if you are just starting out. You can do it yourself, starting with simple things like updating plugins and themes to close known vulnerabilities, and using random passwords to resist brute force attacks.

Here are 19 easy ways you can secure your WordPress website.

1. Make sure your WordPress version is up to date
2. Update your WordPress plugins (use the latest version)
3. Remove unused plugins
4. Make sure the theme you are using is updated
5. Use themes, plugins, and scripts from the official WordPress website
6. Choose a reliable hosting service provider
7. Create a custom login link
8. Change the default username “admin”
9. Use a more complicated password
10. Enable a login limit
11. Disable PHP execution
12. Change the default table prefix
13. Activate password login for the directory
14. Disable file editing
15. Disable PHP error reporting
16. Enable automatic logout for idle users
17. Enable the firewall
18. Install a security plugin on your WordPress site
19. Install antivirus on your website and devices

1. Make sure your WordPress Version is up-to-date

Updating to the latest WordPress version fixes the bugs found in previous versions. You can do this directly from the WordPress dashboard whenever a new version is available. Always update to reduce known WordPress security risks.

2. Update your WordPress plugin (using the latest version)

Plugin developers are always working to fix bugs, and hackers are always looking for loopholes. Keep your plugins updated to the latest version to avoid attacks that target known flaws.

3. Remove Unused Plugins

Don’t just deactivate plugins you don’t need; remove them to close the loopholes hackers could use to break into your website. Deleting unused plugins also makes your WordPress installation easier to manage.

4. Make sure the theme you are using is updated

Hackers exploit the same kind of loopholes in themes as in plugins. Check for a newer version of your theme via the Appearance > Themes menu in your WordPress dashboard, and don’t forget to delete themes you no longer use.

5. Use Themes, Plugins, and Scripts from the Official Website

Make sure you download themes, scripts and plugins from the official developer’s website. Be wary of sites offering paid products for free, and of course don’t use pirated products. If you want a free theme or plugin, get it from the official WordPress website.

From an unclear source you cannot know what scripts criminals have inserted or what other dangers the package carries. WordPress.org, WordPress.com and ThemeForest are reliable sources for your website tools.

6. Choosing a Reliable Hosting Service Provider

The web hosting provider for WordPress plays an important role in the security of your website. Choose a hosting service that provides additional security services such as free SSL or anti-spam, or the BitNinja security features on Niagahoster servers, which protect your website from botnet attacks, hackers and malware.

7. Creating a Custom Login Link

/wp-login.php is the login URL used automatically after you install and log in to WordPress. Hackers know this, and it makes breaking into your account easier, especially if you use the same password on other services. To prevent this, you can change the WordPress login link with the Custom Login URL plugin, which also lets you change the logout, lost password and other links.

8. Change the Default Username “Admin”

After you install WordPress, the default username you get is admin. This makes brute force attacks easier; brute force is a method hackers use to break into accounts by trying every possible combination. If your username is still “admin”, change it to something else. Here are the methods you can use to change the username “admin”:

Method 1: Create a new user and delete the old one
1. Log in as admin and go to Users > Add New
2. Log out
3. Log in with the new user and delete the old “admin” user from the Users menu

Method 2: Use the Username Changer plugin, which you can get directly from wordpress.org. After installing it, change your username via Users > Username Changer.

Method 3: Via phpMyAdmin. Changing the username directly in the database is the more difficult method. Open cPanel > phpMyAdmin and edit the entry in the wp_users table.

9. Using a more complicated password

To get a complex password, use a combination of letters and numbers. Do not use passwords such as consecutive numbers (1, 2, 3, 4, 5), your date of birth, your name or anything else that is easy to guess. As with usernames, easily guessed passwords make brute force attacks easier.

10. Enabling Login Limit

If you do not activate a login limit, anyone can try to log in repeatedly with different usernames and passwords. This creates risk and gives hackers the opportunity to break into your WordPress website by guessing credentials. You can solve it by activating a login limit on the WordPress admin; one plugin you can use is Login LockDown.

It works by limiting login attempts: when someone fails to log in with the wrong username and password several times, their IP address is blocked, and you can set how long the IP stays blocked.
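As an added example (not code from the article or from the Login LockDown plugin), the following Python script applies the lockout rule just described to a few constructed access-log lines, showing which IP would be blocked and until when; the log format, the failed-login heuristic (a POST to wp-login.php answered with 200 rather than a 302 redirect) and the thresholds are assumptions.

```python
# Added example (not from the original article): simulate the lockout rule a login-limit
# plugin applies, using constructed Apache-style access log lines. Heuristic used here: a
# POST to /wp-login.php answered with HTTP 200 means the form was re-rendered (failed login),
# while a 302 means WordPress redirected a successful login.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: 198.51.100.7 fails six times in under a minute, 203.0.113.5 logs in.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3952
198.51.100.7 - - [10/Mar/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3952
203.0.113.5 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [10/Mar/2024:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3952
198.51.100.7 - - [10/Mar/2024:12:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3952
198.51.100.7 - - [10/Mar/2024:12:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3952
198.51.100.7 - - [10/Mar/2024:12:00:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3952
"""

def parse_failed_logins(log_text):
    """Yield (timestamp, ip) for each request that looks like a failed wp-login.php POST."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].startswith("/wp-login.php") and m["status"] == "200":
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]

def compute_lockouts(log_text, max_failures=5, window_seconds=300, lockout_seconds=3600):
    """Return {ip: blocked_until} for IPs reaching max_failures failures inside a sliding window.
    Attempts made while an IP is already blocked are ignored: the plugin rejects them before
    they reach the login form, so they do not extend the block."""
    recent = defaultdict(list)  # ip -> timestamps of failures still inside the window
    blocked = {}
    for ts, ip in parse_failed_logins(log_text):
        if ip in blocked and ts < blocked[ip]:
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= timedelta(seconds=window_seconds)]
        recent[ip].append(ts)
        if len(recent[ip]) >= max_failures:
            blocked[ip] = ts + timedelta(seconds=lockout_seconds)
            recent[ip].clear()
    return blocked

if __name__ == "__main__":
    for ip, until in compute_lockouts(SAMPLE_LOG).items():
        print(f"block {ip} until {until.isoformat()}")
```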

11. Disable your WordPress PHP Execution

Don’t give hackers a chance to touch your WordPress website. One effective measure is to disable PHP execution in directories that never need to run PHP, such as wp-content/uploads/. The method is as follows:

# Deny direct requests for any .php file in this directory (Apache 2.2 syntax;
# Apache 2.4 still accepts it when mod_access_compat is loaded)
<Files *.php>
deny from all
</Files>

Copy the text above into Notepad, save it as .htaccess and upload the file to the /wp-content/uploads/ folder using FTP. Disabling PHP execution with .htaccess does not guarantee that your website will not be hacked, but it is one more step towards securing your WordPress website.

12. Changing the Default Table Prefix

Databases are an important part of a WordPress website. To make it harder for spammers and hackers to break into WordPress through the database, you can change the table prefix. By default, after you install WordPress the table prefix is wp_; attackers already know this, so if you do not change it their SQL scripts can easily target the default table names.

Here are the steps, which you can do easily:

1. Log in to your cPanel hosting account and open File Manager
2. Find the wp-config.php file and change the wp_ table prefix to, for example, wp_a12345_
3. You can change it by adding numbers or letters and an underscore (_)
4. Rename your WordPress database tables that contain the wp_ element to match
5. Do this via phpMyAdmin, in cPanel > SQL
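Step 4 (renaming the tables) is where this procedure most often goes wrong, so here is an added example, not from the article, that generates the SQL for the whole prefix change in Python; the table list is the default single-site set and the example prefix wp_a12345_ is the one used above.

```python
# Added example (not from the original article): generate the SQL for step 4 of the
# procedure, renaming every WordPress table to a new prefix. Two rows also store the
# prefix as *data* and must be updated, or every user loses their role after the change:
# wp_options.option_name 'wp_user_roles' and the wp_usermeta keys 'wp_capabilities'
# and 'wp_user_level'. Remember to also update $table_prefix in wp-config.php (step 2).
import re

# The twelve tables of a default single-site install (constructed list; add any plugin tables you have).
CORE_TABLES = ["commentmeta", "comments", "links", "options", "postmeta", "posts",
               "term_relationships", "term_taxonomy", "termmeta", "terms", "usermeta", "users"]

def validate_prefix(prefix):
    """WordPress only accepts letters, digits and underscores in $table_prefix; the trailing
    underscore is required here so the table names stay readable."""
    if not re.fullmatch(r"[A-Za-z0-9_]+_", prefix):
        raise ValueError(f"invalid table prefix: {prefix!r}")
    return prefix

def prefix_migration_sql(old_prefix, new_prefix, tables=CORE_TABLES):
    """Return the ordered SQL statements that move all tables from old_prefix to new_prefix."""
    old, new = validate_prefix(old_prefix), validate_prefix(new_prefix)
    if old == new:
        raise ValueError("old and new prefix are identical")
    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]
    # Rows whose *names* embed the prefix; run these after the renames.
    stmts.append(f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
                 f"WHERE option_name = '{old}user_roles';")
    for key in ("capabilities", "user_level"):
        stmts.append(f"UPDATE `{new}usermeta` SET meta_key = '{new}{key}' "
                     f"WHERE meta_key = '{old}{key}';")
    return stmts

if __name__ == "__main__":
    print("\n".join(prefix_migration_sql("wp_", "wp_a12345_")))
```

Paste the generated statements into the SQL tab of phpMyAdmin after taking a database backup.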

13. Activating Password Login Directory

Beware of DDoS attacks; you can minimize this risk by activating password protection on the login directory. Even though you already enter a password when you access cPanel and the wp-admin directory, you can add a layer of security to WordPress by requiring an additional username and password.

Log in to your cPanel > click Password Protect Directories > select the wp-admin directory and grant access by entering a username and password.

14. Disable File Editing

By default WordPress includes a file editor so that users can develop and adapt the site as needed: PHP files can be changed, and theme or plugin files can be edited through the admin editor. The downside is that if hackers or other irresponsible parties get into your admin area, they can do anything with it. To prevent this, disable file editing by adding the following line to the wp-config.php file (for example via cPanel’s File Manager):

define('DISALLOW_FILE_EDIT', true); // removes the theme and plugin file editors from the dashboard

15. Disable PHP Error Reporting

If you run a WordPress website, you have probably seen error messages like the one in the following image, or other errors.

If this happens on a website that is already online and you don’t fix it right away, hackers will see the error messages, which endangers WordPress security: a WordPress syntax error message often displays your username. Error messages reveal the weaknesses of your website, and hackers can take advantage of them. You can turn off error display through the PHP settings in wp-config.php:

ini_set('log_errors', 'On');        // keep writing errors to the PHP error log
ini_set('display_errors', 'Off');   // never show them to visitors
ini_set('error_reporting', E_ALL);  // report every error level to the log
define('WP_DEBUG', false);
define('WP_DEBUG_LOG', true);
define('WP_DEBUG_DISPLAY', false);
// Note: WordPress only reads WP_DEBUG_LOG and WP_DEBUG_DISPLAY when WP_DEBUG is true;
// with WP_DEBUG false, the ini_set() lines above are what keep errors logged but hidden.
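As an added example (not from the article), this Python script checks a wp-config.php for the settings covered in tips 12, 14 and 15 and reports which are still weak; the two sample configurations are constructed, and the parser only understands simple define() and $table_prefix lines.

```python
# Added example (not from the original article): audit a wp-config.php for the settings from
# tips 12, 14 and 15 (table prefix, file editor, error display), run here on two constructed
# sample configurations embedded below.
import re

# Constructed weak configuration: default prefix, file editor still enabled, errors shown on screen.
WEAK_CONFIG = """<?php
$table_prefix = 'wp_';
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_DISPLAY', true );
"""

# Constructed hardened configuration applying the three tips.
HARDENED_CONFIG = """<?php
$table_prefix = 'wp_a12345_';
define('DISALLOW_FILE_EDIT', true);
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
"""

DEFINE_RE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*(true|false|'[^']*'|"[^"]*"|[\w:]+)\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")

def parse_config(text):
    """Return (table_prefix or None, {CONSTANT: value}); true/false become Python booleans."""
    defines = {}
    for name, raw in DEFINE_RE.findall(text):
        defines[name] = {"true": True, "false": False}.get(raw, raw.strip("'\""))
    m = PREFIX_RE.search(text)
    return (m.group(1) if m else None), defines

def audit_config(text):
    """Return a list of findings; an empty list means all three tips are applied."""
    prefix, d = parse_config(text)
    findings = []
    if prefix == "wp_":
        findings.append("tip 12: $table_prefix is still the default 'wp_'")
    if d.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("tip 14: DISALLOW_FILE_EDIT is not true (theme/plugin editor enabled)")
    # WordPress defaults an undefined WP_DEBUG_DISPLAY to true, so with WP_DEBUG on errors reach
    # the browser unless WP_DEBUG_DISPLAY is explicitly false.
    if d.get("WP_DEBUG") is True and d.get("WP_DEBUG_DISPLAY") is not False:
        findings.append("tip 15: WP_DEBUG is on and WP_DEBUG_DISPLAY is not false (errors shown)")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg) or ["ok"])
```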

16. Enabling Automatic Logout for “Idle User”

Anything can happen if you are negligent about WordPress security. When you are logged in to WordPress and there is no activity, for example because you walked away from the screen, the open session is a security risk. The plugin you can use is Idle User Logout, which lets you set when an idle WordPress admin is automatically logged out. It is easy to use: activate the plugin and open the Idle User Logout settings.

17. Enabling the Firewall

Don’t forget your network security. Like a traffic police checkpoint, a firewall filters network traffic and lets only secure, authorized traffic pass. Firewalls help control the flow of traffic so that valuable information is not stolen and malware is kept out of your network; they inspect the IP address, port, protocol and even the headers contained in each packet. So check with your hosting provider’s technical support and make sure the firewall on your server is active.

18. Install a Security Plugin in WordPress

One plugin you can use for WordPress security is Wordfence. You should scan your website for malware and viruses, and Wordfence can also automatically block malicious IP addresses. You can download the plugin directly from wordpress.org. If you don’t know how to install a plugin, follow a plugin installation guide.

19. Install Antivirus on WordPress and Your Device

Besides scanning your WordPress website for viruses and malware, you also need a local antivirus on your own device, such as Smadav, NOD32 or Avira. This helps catch infected files moving from your device to the website, or from the website to your device, when you upload or download data.

The points above are what you need to pay attention to in order to secure your WordPress website. If you didn’t care about WordPress security before, be careful: crime doesn’t only happen in the real world, it also happens in cyberspace. If you have any experience related to WordPress security, please share it in the comments section.
