Friday, August 21, 2020

How to Secure WordPress Protect from Hackers and Data Loss!

Last Updated on March 1, 2020

I've had my site hacked twice because I didn't secure WordPress properly. Neither was a particularly fun experience.

In short, getting your site hacked = spending your whole day trying to fix things that you don't entirely understand, and that's provided that the hack wasn't of a deep-cutting variety.

Luckily for me, patching a few things and changing my web host did the trick and fixed everything, but not everyone gets off that easily.

For instance, I have a friend who not only got his site hacked but then also lost his whole domain as a result of it.

I guess the thing I'm trying to say is this: you must secure WordPress because site hacking is much more common than we'd like it to be.

There were over 81,000 reported hacked sites in 2009, then 98k, 144k, and 170k in subsequent years. Then, in 2014 we all lost count with one massive report after another. Literally, hundreds of thousands of WordPress websites are taken advantage of every year, and possibly millions remain vulnerable.

But there's an elephant in the room:

Table of Contents
- Why secure WordPress, who would hack my site?
- How to secure WordPress sites or blogs
- The beginner tier of WordPress security
- 9. Choose the best web host you can afford
- 10. Only download plugins and themes from known sources
- The intermediate tier of WordPress security
- The advanced tier of WordPress security
- How to secure WordPress: my conclusion

Why secure WordPress, who would hack my site?

The fact is that most (the great majority, rather) of attacks are automated. This means that various bots (pieces of software) developed by hackers crawl the web and look for vulnerable sites. Then, if they're successful, the site gets added to the hacker's portfolio, so to speak, and can be used for various purposes.

In other words, your site by itself is nothing special, but 10,000 sites just like yours are pure gold for a hacker. Such a network of hacked sites can be used for things like black hat SEO, mass email sending, database scraping (to get your users' personal info), and so on.

You really shouldn't feel overly safe just because/if you run a relatively small website. Hackers don't discriminate.

Now, WordPress security doesn't happen automatically. Even though WordPress is an awesome platform and a hugely popular one, it does have its problems. More so, its popularity contributes to the problems significantly!

Just think about it: if you're a hacker, you're not going to try breaking some obscure CMS. Instead, you're going after the most popular one out there, just so you can gain access to potentially the biggest number of websites.

All this means that as a WordPress user, you should take care of at least the most basic security measures, just to make sure that you can sleep well and that you won't find your website under a hacker's control in the morning.

Okay, let's get to the good stuff! Here's everything you need to know about securing your WordPress blog:

How to secure WordPress sites or blogs

This guide has been divided into three sections. Each section presents a set of things you can do to make your WordPress site secure. Pick what's best for you:

- The beginner tier: do this to have the basic security taken care of; a must-do for most WordPress blogs and sites.
- The intermediate tier: do this to get additional security; still not particularly technical or hard to do on your own, but it will require slightly more free time.
- The advanced tier: do this to stay on top of things and keep your site secure at all times.

The beginner tier of WordPress security

This is your absolute must-do list:

1. Secure your Administrator account

Whatever you do, please don't use an obvious login/username for your main Administrator account, like "admin" for example. This is waaaaay too easy to guess. Instead, go with something fun, like master-commander-45.

The usernames in WordPress can't be changed once set during install. So here's what you do: create a new user account in Users > Add New. Assign it to the Administrator role:

Instead, create an Editor account for all content work you do. Again, make the login non-obvious. Do this in Users > Add New.

most commonly used passwords, or anything that's a combination of common words (e.g. JohnSmith1).

Instead, follow this path:

- Craft one, just one, ultra-secure password for yourself. Follow this guide.
- Sign up to LastPass (it's free) and set that ultra-secure password as your main vault password.
- Then, use LastPass to generate safe passwords for everything going on with your site.

Solution? Limit the possible login attempts with this plugin.

There are all kinds of viruses out there, starting from simple key loggers that will pay close attention to your keystrokes and then try recreating your login and password, to direct FTP-based bots that look for open FTP connections and then upload a hacked file straight to your server.

The solution is simple. Take care of your computer. Use good anti-virus software.

6. Update WordPress regularly

Updating WordPress is one of those things that everyone knows they need to be doing, but we still somehow end up forgetting about it. So let me tell you why it is, indeed, crucial.

A detailed changelog goes alongside every new release of WordPress. In that changelog, every bug that's been fixed is listed. In other words, it is a manual for hackers who want to target older versions of WordPress.

How serious can this be? Well, last year, the WordPress guys announced that all versions prior to 3.9.2 were vulnerable to cross-site scripting hacks. Around 86% of all WordPress sites were vulnerable at the time. And a bit more recently, the Sucuri guys detected a malware campaign already in progress.

Luckily for us, the solution is very simple most of the time: just enable auto-updates for your WordPress site, or always perform an update manually as soon as you see a notification like this:

And the consequences can be quite serious if you neglect this. For example, a while ago, there was the big MailPoet issue. (MailPoet is a popular email marketing plugin; you can use it to send email newsletters to your list of contacts directly through your WordPress blog.)

The problem was that a bug in MailPoet enabled hackers to upload PHP executable files to your web server and take control of the site entirely. Even PCWorld wrote about this! 50,000 sites got hacked.

Lesson? Always update your plugins as soon as a notification pops up. You just don't know when a new vulnerability gets discovered and then fixed by a subsequent update.

Backups are invaluable. If you have a recent backup of your site, then you will be able to restore it back to normal no matter what bad thing might happen.

Two of the best methods to have this taken care of:

- through a free plugin, WordPress Backup to Dropbox: it takes your files and database contents and stores them in your Dropbox account. Everything is done on autopilot once a day; or:

9. Choose the best web host you can afford

I, for instance, once had my server infected by malicious code while running on a cheap $5 / month hosting plan. My site, my domain, and my WordPress were not even involved in the breach. It's the server itself that got hacked.

Lesson? Don't save money on your service plan. Always go for the best web hosting service that you can afford. Some quality recommendations: Hostgator, HostPapa, SiteGround, Flywheel.

10. Only download plugins and themes from known sources

Accidental vulnerabilities, let's name them that way, aren't the only thing that can bite you. There are also intentional vulnerabilities.

For instance, if you get a plugin from a shady source, it might feature source code designed specifically to hack your site. In that case, by getting the plugin, it's you who's effectively hacking your own site. The same thing goes for themes.

How to find quality plugins and themes? The first places to go are the official theme and plugin directories at WordPress.org. The downloads there don't feature deliberately dangerous code.

When it comes to premium themes and plugins, you need to go by the seller's reputation. ThemeForest is an example of a site that mass-sells themes. This kind of site is generally safe due to the lengthy and thorough review process for each new theme and plugin submitted there, but there are also smaller companies that create amazing themes, like Astra. These companies are even safer: their entire business relies on their product, and there are no outside vendors adding their themes, just the company.

The intermediate tier of WordPress security

Do the following for extra security; still not particularly technical tasks:

11. Delete plugins you don't use

As the MailPoet example teaches us (described above), you never know what surprises await inside your plugins. Sometimes you'll come across basic security vulnerabilities, other times something more serious.

Either way, to save yourself from more trouble, simply remove all those plugins that you don't use. Keeping them inactive won't cut it. Remember that the source files of those plugins are still on your server. So create a new habit: instead of just deactivating the plugin you're not using at the moment, delete it completely.

And I'm not talking about just deleting stuff at random and losing good functionality. Instead, try using plugins that replace other plugins with their functionality.

Here's an example. Jetpack, a well-known plugin from team Automattic, can successfully replace a handful of other plugins that you might be using right now. For instance, some of the things Jetpack can give you:

- contact forms,
- image galleries and carousels,
- social media buttons,
- mobile theme,
- links to related posts,
- site stats, and more.

13. Use a security plugin

This is often done through database scans, firewall protection, file permission control, and a range of other things (let's not get into the technical details).

Here are the most popular security plugins:

- Sucuri Security
- BulletProof Security
- AntiVirus
- Acunetix WP Security
- Wordfence Security

The great thing about them is that, very often, they work on autopilot, so you don't necessarily need to understand what's going on under the hood. (Note: it's best to use just one such plugin, to avoid any software conflicts.)

14. Protect your site against brute force attacks

Brute force attacks are a different kind of animal. Basically, if someone wants to mess things up on your site, they have two possible paths:

- the surgical attack, where they meticulously look for a vulnerability and then exploit it with laser precision,
- the brute force attack, where they simply attempt to guess your password multiple times until successful, which often means millions of tries in a row.

The best way to protect yourself from the latter used to be a plugin called BruteProtect. But as of August 2014, BruteProtect has been integrated into Jetpack (mentioned above).

15. Use CloudFlare

CloudFlare is a really mysterious solution for me. And what's mysterious about it isn't the fact that it's very effective at what it does, but that most of the goodies are available for free.

16. Monitor for malware

Malware is an umbrella term (Wikipedia says) that refers to various forms of intrusive software, including malicious web scripts, the stuff that can attack your WordPress blog.

I hate malware. I've had malware one time on my site and it wasn't fun. And the sad thing is that you don't find out that you have malware until it's basically too late and the damage has been done. Oh, and Google had already dropped my site from the rankings at that point.

The best way to save yourself from similar trouble is to use a solution that scans your WordPress site constantly and lets you know whenever anything shady is going on. Two possibilities:

- Sucuri (from $16.66 / month).
- CodeGuard (from $5 / month).

17. Perform a theme check

When you're thinking about changing your theme, or getting a theme for a new site, start by performing a theme check with this plugin.

Just deselect this box:

19. Generate new WordPress security keys

WordPress Security Keys handle the encryption of information stored in the user's cookies. To make things secure, the keys need to be generated randomly for each WordPress install. Find them in the wp-config.php file.

wp-config.php file.

xmlrpc.php file.

23. Disable PHP error reporting

In itself, PHP error reporting is a good debug tool when building a new PHP app/website. But if enabled on a live site, in case of an error occurring, your whole server path gets displayed on the screen. This is a piece of info that's rather valuable to hackers. Consider disabling error reporting.

24. Track what's going on in your dashboard

This is really useful if you have a number of users working in your dashboard (multi-author blogs). Basically, having a handy log that records everything that's going on in the dashboard can never hurt you. You can use the WP Security Audit Log plugin for this.

GSC (Google Search Console) is very useful when it comes to letting you know about malicious things going on with your site. When my site got hacked for the first time, it's GSC that notified me what was going on.

The lesson is simple: whatever site you have/manage, hook it up to GSC. It costs nothing and can bring huge benefits.

26. Read Sucuri

You may have noticed that I mentioned Sucuri and the Sucuri blog a handful of times in this post. It's no accident. The Sucuri guys are always on the lookout for new vulnerabilities, and very often it's they who report on new problems before anyone else notices them. Want to stay safe? Simply subscribe to their blog and read their reports.

Of course, checking the security level of every plugin manually prior to installing it is beyond what any sane person is willing to do, but there are shortcuts. For instance, some websites publish regular reports covering the latest WordPress vulnerabilities, including issues found in popular plugins. One of those websites is the aforementioned Sucuri, the other is this one.

(Just to motivate you some more to take this step: did you know that plugin issues account for 54% of all vulnerabilities found on WordPress blogs and sites?)

28. Use SSL

SSL is a technology allowing you to encrypt the connection between your web server and your visitors' browsers. This increases the security of the whole experience, purely because all data being transferred can't be easily read by third parties.

Enabling SSL for your site isn't a five-minute deed, though. First, you need the right web host. Then, you need to get the SSL certificate itself. And finally, you need to integrate it with your WordPress site (there are plugins for that; e.g. Verve SSL or WP Force SSL).

How to secure WordPress: my conclusion

Whew! We've covered a lot of ground here. I hope you'll use these tips to make your WordPress blog more secure, effectively shutting the door on hackers and shady malware scripts.

But maybe there's something I've missed here? Do you know of any other ways to secure WordPress sites and blogs?
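The "limit the possible login attempts" advice in the beginner tier and tip 14 (brute force) both rely on a login limiter without showing what one does. The following is an added example written for this page, not the BruteProtect/Jetpack code or the plugin the post links to: a minimal must-use plugin that counts failed logins per source IP in a WordPress transient and refuses further attempts once a threshold is reached. The file name, the sll_ prefix and the limits (5 attempts, 15-minute window) are assumptions; the hooks (wp_login_failed, wp_authenticate_user, wp_login) and the transient functions are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 * Description: Counts failed logins per source IP and temporarily refuses further
 * attempts. Hypothetical file wp-content/mu-plugins/login-attempt-limiter.php;
 * must-use plugins load automatically without activation.
 */

// Assumed limits: after 5 failures within 15 minutes an IP is refused until the window expires.
define('SLL_MAX_ATTEMPTS', 5);
define('SLL_WINDOW_SECONDS', 15 * 60);

// REMOTE_ADDR is the address the web server itself saw. Behind a reverse proxy such as
// CloudFlare (tip 15) it is the proxy's address, and the real client IP arrives in a
// header that should only be trusted when the request really came from that proxy.
function sll_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// One transient per IP; the transient's expiry doubles as the counting window.
function sll_transient_key($ip) {
    return 'sll_fail_' . md5($ip);
}

// Every failed login (wrong password or unknown username) bumps the counter.
add_action('wp_login_failed', function ($username) {
    $ip  = sll_client_ip();
    $key = sll_transient_key($ip);
    $attempts = (int) get_transient($key) + 1;
    set_transient($key, $attempts, SLL_WINDOW_SECONDS);
    // Leave a line in the PHP error log so host-side monitoring sees the pattern.
    error_log(sprintf('login-limiter: failed login for "%s" from %s (attempt %d)', $username, $ip, $attempts));
});

// wp_authenticate_user runs after the username is resolved but before the password is
// checked, so a locked-out IP never gets a password comparison at all. A blocked attempt
// also fires wp_login_failed, which keeps extending the lock while attempts continue.
add_filter('wp_authenticate_user', function ($user, $password) {
    if ((int) get_transient(sll_transient_key(sll_client_ip())) >= SLL_MAX_ATTEMPTS) {
        return new WP_Error('sll_locked_out', __('Too many failed login attempts. Please try again later.'));
    }
    return $user;
}, 10, 2);

// A successful login clears the counter for that IP.
add_action('wp_login', function () {
    delete_transient(sll_transient_key(sll_client_ip()));
});
```

The lock is keyed on the source address, so it slows down a single bot hammering one site without affecting other visitors; a distributed attack from many addresses still needs the kind of network-level filtering that CloudFlare or a full security plugin (tip 13) provides, which is why the post treats them as complementary steps rather than alternatives.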
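Tips 19, 23 and 28 all end up as edits to wp-config.php. The fragment below is an added illustration written for this page, not the article's own file or a WordPress sample config, showing the three changes side by side. The key values are placeholders that must be replaced with genuinely random ones, and the SSL line assumes the host has already installed the certificate.

```php
<?php
// Excerpt of a hardened wp-config.php (added illustration for tips 19, 23 and 28).
// The database settings above these lines and the closing
// require_once ABSPATH . 'wp-settings.php'; are unchanged and omitted here; every
// define() below must sit before that require.

// Tip 19: security keys and salts. WordPress signs login cookies and nonces with these,
// so every install needs its own random values. The placeholders must be replaced, for
// example with the output of https://api.wordpress.org/secret-key/1.1/salt/ .
define('AUTH_KEY',         'REPLACE-WITH-A-UNIQUE-RANDOM-PHRASE');
define('SECURE_AUTH_KEY',  'REPLACE-WITH-A-UNIQUE-RANDOM-PHRASE');
define('LOGGED_IN_KEY',    'REPLACE-WITH-A-UNIQUE-RANDOM-PHRASE');
define('NONCE_KEY',        'REPLACE-WITH-A-UNIQUE-RANDOM-PHRASE');
define('AUTH_SALT',        'REPLACE-WITH-A-UNIQUE-RANDOM-PHRASE');
define('SECURE_AUTH_SALT', 'REPLACE-WITH-A-UNIQUE-RANDOM-PHRASE');
define('LOGGED_IN_SALT',   'REPLACE-WITH-A-UNIQUE-RANDOM-PHRASE');
define('NONCE_SALT',       'REPLACE-WITH-A-UNIQUE-RANDOM-PHRASE');

// Tip 23: never show PHP errors (and the server paths inside them) to visitors on a
// live site. WP_DEBUG false keeps WordPress quiet, and display_errors is switched off
// explicitly because WordPress leaves it at the php.ini value when WP_DEBUG is off.
// Errors still reach the server's error log for your own debugging.
define('WP_DEBUG', false);
@ini_set('display_errors', '0');
@ini_set('log_errors', '1');

// Tip 28: once the certificate is in place, make every login and dashboard request
// use https. FORCE_SSL_ADMIN is the WordPress constant for this.
define('FORCE_SSL_ADMIN', true);
```

Two caveats worth knowing before applying this: regenerating the keys invalidates every existing login cookie, so all users (including you) are signed out once, and FORCE_SSL_ADMIN only covers the login and admin pages; serving the public site over https as well means updating the site address (Settings > General, or the plugins the post names under tip 28). If WP-CLI is available on the host, wp config shuffle-salts rewrites the eight key lines with fresh random values in place.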
