Because WordPress is open-source, many worry about vulnerabilities and attacks. However, there is a variety of ways and plugins you can download to make sure no one will hack into your account.
So, how you can make your WordPress website more secure?
In this article, I’m going to tell how to secure your WordPress website. For the purpose of this guide, I’ve used the Sucuri Security plugin - because this method is not only reliable, it also doesn't require any coding knowledge whatsoever.
Here’s the securing your WordPress website process:
- Step 1 - Change your username and passwords
- Step 2 - Backup your website
- Step 3 - Upgrade existing plugins
- Step 4 - Install the Sucuri Security plugin
- Step 5 - Generate a free API key
- Step 6 - Edit your hardening settings
- Step 7 - Customize your email alerts
1. Change Your Username and Passwords
WordPress sets the default username for each website as admin.
While WordPress security is tighter and you can now choose your own personal username and password, there are still some one-click installations that continue to use this setting.
The problem is, this makes it much easier for hackers to perform brute force attacks on your website. With this in mind, it’s important that you change it as quickly as possible. There are three ways you can do this, however, I recommend creating a new one and simply deleting the old one.
You can do this by clicking on “Users” on your dashboard followed by “Add New”. On the next page, you’ll have to choose a new username as well as add a new email address. The latter must be different from the one currently in use. Next, assign the new user an administrator role and click on “Add New User”.
Once this step is complete, log out of your WordPress website and then log back in. From there, click on “Users” and click on “Delete” under the old username.
Of course, passwords are very important, too.
When learning how to secure your WordPress site, you need to keep your passwords in mind. Aside from choosing ones that are as secure as possible, you also need to change them on a regular basis. You can do this by clicking on “Users” in your WordPress dashboard followed by “Edit” under the username for whom you would like to change the password.
To change the password, scroll down to the Account Management section. Then, next to New Password click on “Generate Password”. To save your changes, select “Update User”.
2. Backup Your Website
The truth is, today, nothing is 100% secure.
As a result, it’s important you perform regular backups so that you never lose any important data. With a backup, you can restore your website should you experience a security breach.
While you can perform a manual backup, this procedure is more complex than simply using one of WordPress' many plugins. I used the UpdraftPlus plugin to save my website content. With this tool, all you have to do is navigate to your WordPress dashboard and click on “Plugins” followed by “Add New”. Then, search for UpdraftPlus. From there, click on “Install Now”.
Once installed, click on “Activate”. While the plugin does have a premium version, its basic one allows you to backup and restore your site should anything happen.
Next, navigate to the Installed Plugins section of your dashboard and click on “Take Tour”. On the next page, click on “Backup Now”.
In the pop-up tick the options that suit you and click on “Backup Now”.
3. Update Existing Plugins
When you’ve finished backing up your WordPress site, you need to update everything.
This is because running your site on outdated plugins, themes, and software compromises it. You can find out which aspects of your site need backing up by navigating to “Dashboard” followed by “Updates”.
Here, you can check which version of WordPress you’re using. You can also see if your plugins need updating and if you scroll down to the bottom of the page, you’ll find out whether or not your theme and translations are up-to-date too.
If you’re not convinced that these aspects are updated, you can click on “Check Again” at the top of the page.
4. Install the Sucuri Security Plugin
Once you've backed everything up as well as upgraded your software, plugins, and theme, you need to install a plugin that will audit and monitor what happens on your website.
To do this, I used Sucuri Security because it scans for malware, monitors integrity, and tells you about any failed login attempts.
If you’d like to use this tool, click on “Plugins” followed by “Add New”. Search for “Sucuri Security” and click “Install Now”.
Then, click on “Activate”. Upon activation, click on “Sucuri Security” on your dashboard to get to grips with your new security plugin.
5. Generate a Free API Key
Once you’ve landed on the Sucuri Security page, click on the “Generate API Key” to enable integrity checking, email alerts, and various other features.
There is a strong chance that your site already has an assigned API. If this is the case, you’ll receive a notification on your dashboard. You’ll also receive an email from Sucuri Security.
6. Edit Your Hardening Settings
The next step is to lock down the areas of your site that hackers are most likely to attack. To do this, click on the “Hardening” tab in the Sucuri Security dashboard. Once there, click on “Apply Hardening” for each section.
When clicking on some of the sections, you’ll find that a message appears at the top of the page saying that you need to upgrade to a Premium account. If you’d prefer to stick to a free account, click on each hardening tab and leave those that require you to upgrade your plan alone.
7. Customize Your Email Alerts
Once you’ve hardened various security features for your WordPress site, I recommend you change the email alert settings for the plugin. The default alerts settings can clutter your inbox with more than 30 emails a day.
To personalize your alert settings, click on “Alerts” on your Sucuri Security dashboard. Next, choose where you’d like the alerts to be sent to and add any trusted IP addresses to your plugin. There, you can also change the alert subject and decide how many alerts you would like per hour.
I highly recommend you receive alerts for failed logins to avoid brute force attacks from hackers. Make sure to also scroll through the various options so that you receive the notifications that you’re truly interested in.
Additional Steps To Ensure Extra Security
All the steps above should allow you to secure your WordPress website. That said, if you want to take your site’s security to the next level, you can also add questions to your WordPress login screen. To do this, take the following steps:
- Navigate to “Plugins” on your dashboard followed by “Add New”
- Search for the WP Security Questions plugin and hit “Install Now” followed by “Activate”
- Go to “Installed Plugins”
- Click on “Settings” below WP Security Question
- Choose your security questions and answers
- Change any other settings based on your individual preferences
- Click on “Save Settings”
In addition to all the above, I highly recommend you encrypt your data using a Secure Socket Layer (SSL). You can buy a certificate for your WordPress site from a third-party company. Alternatively, some of the most secure WordPress hosting providers offer them for free. Our guide on how to install WordPress SSL might come in handy!
Have you taken additional steps to create a secure WordPress site? If so, share some of your tips below. I’d love to know your thoughts.