Many rely on WordPress to build websites, since, unlike other CMSs, it is very easy to use even without any knowledge of web design. Moreover, unlike in the past, it is now much easier to install on a hosting service: for example, you can do it with a single click, without having to upload files via FTP.
However, WordPress is also one of the CMSs most exposed to threats on the internet, and those who use it often do not know exactly what to do to prevent attacks on their site, which can range from simple comment spam by bots to malicious code injection and worse.
In this guide we will help you understand some of the most vulnerable aspects of WordPress and what you can do to make your site more secure.
Use a unique username and password for your WordPress website
Many newbies still make this mistake: the username “admin” and passwords such as “password”, “1234” or even your date of birth are absolutely to be avoided, as they are a first-rate vulnerability for WordPress sites. Hackers, through so-called bots (i.e. automated scripts), continually scan the web knowing that sooner or later they will be able to sneak into some site through standard credentials.
Change your login address
Defaults are important weaknesses for a CMS like WordPress, precisely because, being defaults, they are known to everyone. Creating a unique username and password is the first essential step to prevent hackers from entering the site, but the second is to hide the front door.
Even if you don’t have a login button on the site, it is well known that by default the page to access the WordPress admin panel is located at /wp-login.php or /wp-admin. These addresses are therefore constantly targeted by bots, which find the page and try to log in by entering numerous combinations of standard credentials, including “admin”, “password”, “1234” or even the name of your site.
To change your WordPress login address you can simply use a plugin. A very lightweight and useful one for this purpose is WP Hide Login: once it is installed and activated, go to Settings, in the General section, and at the bottom of the page replace the login address with one of your choice (make sure you can memorize it or write it down in a safe place). Finally click on Save Changes.
By doing this, you will already be safe from most brute-force attacks. Furthermore, you will also have secured the registration page (if you have it enabled), since it depends directly on the login page: the default one is found at /wp-login.php?action=register.
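Hiding the login page reduces the noise, but it is still worth knowing what the bots described above look like in your web server log. The following script is an added example, not code from the article or from the WP Hide Login plugin: it parses Apache combined-format access log lines, keeps a sliding window of login POSTs per client IP and reports the IPs that exceed a threshold. The log lines are constructed for the example and use documentation IP ranges; the threshold and window values are assumptions you would tune for your site.

```python
"""Flag client IPs that hammer the WordPress login endpoints.

Added example (not from the original article): reads Apache combined-format
access log lines, tracks login POSTs per IP in a sliding time window and
reports IPs that exceed a threshold.  Lines are assumed to be in
chronological order, as a server writes them.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Credential guessing hits wp-login.php directly or goes through XML-RPC.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return a dict with ip, ts, method, path and status, or None if the
    line does not match the combined log format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: peak_count} for IPs that made at least `threshold` failed
    login POSTs inside any window of `window_seconds`.

    wp-login.php answers a failed login with HTTP 200 (the form is
    re-rendered with an error) and a successful login with a 302 redirect,
    so 302 responses are not counted as failures.
    """
    recent = defaultdict(deque)  # ip -> timestamps of recent failed POSTs
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] not in LOGIN_PATHS:
            continue
        if ev["status"] == 302:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        # Evict attempts that fell out of the window (q is never empty here).
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged


# Constructed sample log: one IP guesses credentials, another logs in once.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4521',
    '203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4601',
    '203.0.113.5 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4601',
    '203.0.113.5 - - [10/Mar/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4601',
    '198.51.100.7 - - [10/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Mar/2024:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4601',
    '203.0.113.5 - - [10/Mar/2024:10:00:15 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370',
    '203.0.113.5 - - [10/Mar/2024:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4601',
]

if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed login attempts within 60s")
```

Run it against your real access log by replacing SAMPLE_LOG with the file's lines; the IPs it reports are the candidates for the manual IP blocking or login-attempt limiting that a firewall plugin offers.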
Change the database prefix
If you are looking for the ultimate in security, another WordPress default that should be changed is the database table prefix, which, without customization, is usually “wp_”. This change should be made the first time you install WordPress, but if you want to make a site that is already online more secure, you can change the database prefix in a few clicks using plugins like Brozzme DB PREFIX.
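To see what a prefix change actually involves, here is an added example (not code from the article or from the Brozzme plugin) that builds the SQL statements for the migration. Renaming the tables is only half of the job: WordPress also stores the prefix inside the option name `{prefix}user_roles` and inside user meta keys such as `{prefix}capabilities`, and if those rows are not rewritten every account loses its role. The table names and the new prefix are constructed; the `extra_meta_keys` parameter is an assumption for plugins that store their own prefixed keys. After running the statements, `$table_prefix` in wp-config.php must be updated to match.

```python
"""Generate the SQL for moving a WordPress database to a new table prefix.

Added example, not from the article: besides RENAME TABLE it rewrites the
core option name and usermeta keys that embed the prefix.  Back up the
database before applying the output.
"""
import re

# Core option names and usermeta keys that WordPress stores with the prefix.
PREFIXED_OPTIONS = ("user_roles",)
PREFIXED_META_KEYS = ("capabilities", "user_level", "user-settings", "user-settings-time")

# Prefixes and keys are interpolated into SQL, so they are restricted to a
# strict character set first.
VALID_PREFIX = re.compile(r"^[A-Za-z0-9_]+$")
VALID_KEY = re.compile(r"^[A-Za-z0-9_-]+$")


def rename_plan(tables, old_prefix, new_prefix, extra_meta_keys=()):
    """Return (statements, skipped_tables).

    `tables` is the list of table names currently in the database; tables
    that do not carry old_prefix are reported in skipped_tables so the
    operator can check whether they belong to WordPress at all.
    """
    for p in (old_prefix, new_prefix):
        if not VALID_PREFIX.match(p):
            raise ValueError(f"invalid prefix: {p!r}")
    if old_prefix == new_prefix:
        raise ValueError("new prefix must differ from the old one")
    for k in extra_meta_keys:
        if not VALID_KEY.match(k):
            raise ValueError(f"invalid meta key: {k!r}")

    stmts, skipped = [], []
    for t in tables:
        if t.startswith(old_prefix):
            stmts.append(f"RENAME TABLE `{t}` TO `{new_prefix}{t[len(old_prefix):]}`;")
        else:
            skipped.append(t)

    # The updates run after the rename, so they target the new table names.
    options, usermeta = f"{new_prefix}options", f"{new_prefix}usermeta"
    for opt in PREFIXED_OPTIONS:
        stmts.append(
            f"UPDATE `{options}` SET option_name = '{new_prefix}{opt}' "
            f"WHERE option_name = '{old_prefix}{opt}';"
        )
    for key in (*PREFIXED_META_KEYS, *extra_meta_keys):
        stmts.append(
            f"UPDATE `{usermeta}` SET meta_key = '{new_prefix}{key}' "
            f"WHERE meta_key = '{old_prefix}{key}';"
        )
    return stmts, skipped


# Constructed table list: a default install plus one unrelated table.
TABLES = ["wp_options", "wp_posts", "wp_users", "wp_usermeta", "phpmyadmin_pma"]

if __name__ == "__main__":
    plan, skipped = rename_plan(TABLES, "wp_", "k7q2_")
    print("\n".join(plan))
    print("-- not renamed:", skipped)
```

A prefix made of random characters is fine, but the value only has to be unique, not secret: the real gain is that canned SQL injection payloads written for `wp_` tables fail against your schema.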
Install a web firewall
Even if your hosting already includes security software, it is good to also have a plugin on your WordPress site that acts as a firewall, protecting you from attacks more complex than simple brute force on the login.
The most effective and widely used plugin for this is Wordfence, which carefully monitors the site and keeps you constantly updated, notifying you via email of small and large vulnerabilities (even simply an outdated plugin), and has very useful functions such as malware scanning, manual IP blocking and limiting of login attempts.
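The malware scan mentioned above works, at its core, by comparing the files on disk with a known-good reference. The script below is an added example of that idea, not code from the article or from Wordfence: it hashes every file under a WordPress root into a manifest, and a second run diffs the current tree against the saved manifest to list files that were added, modified or removed. The file tree it builds is constructed in a temporary directory; the `skip_dirs` default (uploads and cache) is an assumption, since those directories change legitimately.

```python
"""File-integrity baseline for a WordPress install.

Added example, not from the article or from any plugin: build a manifest of
SHA-256 hashes, store it away from the web root, and diff a fresh manifest
against it to spot injected or altered PHP files.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, skip_dirs=("uploads", "cache")):
    """Return {relative_path: sha256} for every file under root, skipping
    directories whose contents change legitimately (assumed defaults)."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifest(baseline, current):
    """Compare two manifests and return the paths that differ."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline.keys() & current.keys() if baseline[p] != current[p]
        ),
    }


def _write(root, rel, text):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as f:
        f.write(text)


def demo():
    """Build a constructed mini install, baseline it, simulate a tampered
    theme file and a dropped-in plugin file, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "wp-config.php", "<?php define('DB_NAME', 'example');\n")
        _write(root, "wp-content/themes/demo/functions.php", "<?php // theme code\n")
        _write(root, "wp-content/uploads/photo.jpg", "not really a jpeg\n")
        baseline = build_manifest(root)

        # Constructed changes standing in for what a compromise would leave behind.
        _write(root, "wp-content/themes/demo/functions.php", "<?php // theme code\n// appended line\n")
        _write(root, "wp-content/plugins/demo-plugin/helper.php", "<?php // new file\n")
        _write(root, "wp-content/uploads/other.jpg", "ignored, uploads is skipped\n")

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice you would store the baseline manifest outside the web root right after a clean install or update, regenerate it after every legitimate update, and alert on any entry in `modified` or `added` that ends in `.php`.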
Even more protection with Cloudflare Pro
The free version of Cloudflare, which can be easily activated from your Customer Area, offers you an excellent CDN (Content Delivery Network) service that greatly improves the performance of your site, but in addition to this, with Cloudflare Pro you also gain a strong ally for security.
The Pro version in fact includes protection from DDoS attacks and the Web Application Firewall (WAF), which promptly stops all attacks that aim to exploit vulnerabilities, including SQLi, XSS and the like. If you buy Cloudflare Pro from us you don’t even have to worry about the necessary settings on the service, because our technicians take care of setting everything up to perfection!
You can request Cloudflare Pro by opening a ticket with us or, more simply, by going to the Hosting section of your Customer Area, clicking on the gear icon to the right of the domain name and looking for it under “Buy additional services”.
Find a good anti-spam plugin
If you have a comments section on your WordPress site, rest assured that spambots will try to post links to disreputable sites, and often neither Wordfence nor Google Captcha will stop them.
For this reason, if you encounter frequent cases of spam, you would do well to have a lightweight and effective plugin that prevents attackers from doing as they please in the comments, undermining the safety of your visitors and ruining the reputation of your website. For this purpose we recommend Akismet, the best-known anti-spam plugin for WordPress, or Stop Spammers; both are very easy to use.
Make backups regularly
Regular backups are essential so that you do not lose hours, days or more of valuable online work. You can also use a plugin in this case (but remember that it is always better to install as few plugins as possible!). One of the best is UpdraftPlus, which also lets you save backups to cloud platforms such as Dropbox or Google Drive.
Use only official themes and plugins
The web is full of pirated premium WordPress themes and plugins, and newcomers may often find it tempting to take advantage of them, enjoying all the options available without having to open their wallet. But is it really worth it?
Shortcuts, as always, have more pitfalls than you think. In this case, pirated themes and plugins not only create vulnerabilities because they cannot be updated regularly like legitimate ones, but above all they can contain backdoors that enable data theft, the injection of malicious code into the website and more.
Regularly update WordPress, themes and plugins
Keeping WordPress always updated to the latest version, along with the themes and plugins you have installed, is essential to reduce vulnerabilities as much as possible. The update operations can be performed manually from the admin panel of your site.
Pay attention to the roles you assign to users
If your WordPress site requires other users to register, always pay attention to the roles you assign them:
Subscriber: can only read and comment
Contributor: can edit and delete articles
Author: can create, modify, publish and delete articles
Editor: has full powers over articles and pages
Administrator: has full powers over the entire site
Make sure newly registered users are given the plain Subscriber role by default.
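Checking roles once at registration is not enough; accounts drift upwards over time (a contractor made administrator for a week and never demoted). The following added example, not code from the article, audits a user list against an allow-list of who may hold which role and also checks the site's default role for new registrations. The input format is the JSON that the WP-CLI command `wp user list --fields=ID,user_login,roles --format=json` prints and the value `wp option get default_role` prints; the user records and the allow-list below are constructed.

```python
"""Least-privilege audit of WordPress user roles.

Added example, not from the article: flags the default role for new
registrations if it is not subscriber, and flags every account whose role
is higher than the allow-list permits.  Custom roles the audit does not
know are ranked highest so they are always reported for review.
"""
import json

# WordPress built-in roles, least to most privileged.
ROLE_RANK = {"subscriber": 0, "contributor": 1, "author": 2, "editor": 3, "administrator": 4}
UNKNOWN_RANK = 99


def audit_roles(users_json, default_role, expected=None, max_role="author"):
    """Return a list of human-readable findings.

    users_json: JSON array of {"ID", "user_login", "roles"} records
                (roles as a comma-separated string, as WP-CLI prints it,
                or as a list).
    default_role: value of the default_role option.
    expected: {user_login: highest role allowed}; anyone not listed may
              hold at most `max_role`.
    """
    expected = expected or {}
    findings = []
    if default_role != "subscriber":
        findings.append(
            f"default_role is '{default_role}', new registrations should be 'subscriber'"
        )
    for u in json.loads(users_json):
        roles = u["roles"]
        if isinstance(roles, str):
            roles = [r.strip() for r in roles.split(",") if r.strip()]
        # An account may hold several roles; judge it by the most powerful one.
        top = max(roles, key=lambda r: ROLE_RANK.get(r, UNKNOWN_RANK))
        allowed = expected.get(u["user_login"], max_role)
        if ROLE_RANK.get(top, UNKNOWN_RANK) > ROLE_RANK[allowed]:
            findings.append(f"{u['user_login']} has role '{top}', allowed at most '{allowed}'")
    return findings


# Constructed sample: what the WP-CLI command above might print.
USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "site-owner", "roles": "administrator"},
    {"ID": 2, "user_login": "jane", "roles": "editor"},
    {"ID": 3, "user_login": "guest42", "roles": "subscriber"},
    {"ID": 4, "user_login": "oldcontractor", "roles": "administrator"},
])
# Constructed allow-list: who is supposed to hold an elevated role.
EXPECTED = {"site-owner": "administrator", "jane": "editor"}

if __name__ == "__main__":
    for finding in audit_roles(USERS_JSON, "subscriber", EXPECTED):
        print("FINDING:", finding)
```

Run it on a schedule and treat every finding as a ticket: either the allow-list is out of date, or someone has a role they no longer need.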
Apply an SSL certificate to the site
Nowadays it is practically essential to have an SSL certificate applied to your site and therefore to offer your visitors a connection over the HTTPS protocol. In terms of security, this guarantees users encrypted connections while preserving the privacy of their data, but it also means not being penalized in SEO or in the main browsers such as Chrome, which now tend to flag sites without SSL as not secure.
WordPress security requires regular and active maintenance and monitoring in order to keep it running smoothly. It is advisable to hire a dedicated WordPress website service provider to protect and secure your codebase and keep your business investment safe.
If you are looking for a WordPress web development and other related web development services, please explore our WordPress web development services! We also provide WordPress website maintenance services and WordPress application security audit. For more information, please visit our WordPress maintenance services!