WordPress Security: How to secure a website - wpDataTables

WordPress security is on the minds of many site owners. WordPress has an open source script, so naturally, everyone is worried that it’s vulnerable to attacks of all kinds. However, WordPress is not inherently vulnerable, however, and there are many steps you can take to secure WordPress.

At the end of the day, the site owner is often more responsible for hacks than the platform. It turns out that you have a lot of say in how to make your WordPress site secure. Here are some tips and tricks to help you figure out how to secure your website on WordPress.

Create a Site Lockdown and Ban Users

Creating a lockdown feature for repeated failed login attempts will help prevent would-be hackers from making continuous brute force attempts that eventually succeed. Any hacking attempt that repeatedly uses repetitive long passwords locks the site and you will be notified of unauthorized activity. This will block out a lot of hackers right away.

One of the ways to increase WordPress security against this kind of hacking attempt is the iThemes Security plugin. It has been great for a long time with no sign of slowing down. It offers you the option to specify how many failed login attempts a user has before the plugin bans their IP address and alerts you.

Use 2-Factor Authentication Methods

2-factor authentication (SFA) is one of many WordPress security best practices. It asks the user to provide login details for two spate components. As the site owner, you can decide what these two components are. This can be a regular password followed by a secret code, a secret question, a set of characters, a CAPTCHA, and so forth.

A lot of site owners prefer the 2FA method of securing their site. The Google Authenticator is a good plugin for including 2FA on your site. It is, as with many plugins from Google, reliable and often updated.

Use Email as the Login Username

The default for most sites asks for a username to log in. In order to increase WordPress security, use an email ID instead of a username. It’s more secure approach. Usernames are easy for hackers to predict. Emails are not so easy to predict. Also, WordPress user accounts have to be created using a unique email address, which makes them a more valid identifier.

A good plugin for increasing WordPress security this way is the WP Email Login. It works right after install. Simply activate it and go. No configuration necessary. If you’d like to test it out, just log out of your site and then log back in using the email address that you created the account with.

Rename Your Login URL

It’s very easy to change your login URL. The default WordPress login is easy to access via wp-login.php or wp-admin added to your site’s main URL. When hackers know the direct URL of the login page, they will often try to brute force a way into your site. They’ll then try to log in with their Guess Work Database (GWDb), a database of guessed usernames and passwords that contains millions of character combinations. Hackers find it easy to do this. It’s crude, it’s simple, but it is all too often effective.

If you’ve followed all the steps detailed above, then you’ve already restricted the number of user login attempts and swapped out usernames for email identification. By changing the URL in addition to those two WordPress security measures, you’ll get rid of 99% of direct brute force attacks. This will do a lot keep away the most common kind of WordPress hacker.

All you have you to do in order to restrict unauthorized entity from accessing the login page is use the iThemes Security plugin to do this:

Change wp-login.php to something unique; e.g. my_new_login
Change /wp-admin/ to something unique; e.g. my_new_admin
Change /wp-login.php?action=register to something unique

Use a Good Quality Host

Your host is much like your site’s street on the internet. Like street addresses in real life, the quality of the street can affect what kind of traffic it sees.

A good host will affect how reliable your site is, how it performs, how big it can get, and even how high it ranks on search engines. Really great hosts offer site owners a lot of useful features, including good support and services tailored to the owner’s chosen platform.

Look for hosts that frequently update their service, software, and tools on a regular, almost constant basis. It should also respond to the latest threats and quickly eliminate possible security breaches. A web host should offer targeted security features like SSL/TLS certificates and DDoS protection. You should get access to a Web Application Firewall (WAF) to help monitor and block serious threats to the WordPress site.

A good web host will also likely provide you with a way to backup your site. In some cases, they’ll even do the backup for you. This will allow you to revert to previous stable version if your site ever gets hacked. They should offer reliable 24/7 support so you will always be able to contact an expert to help with website security issues.

Switch Your Site to HTTPS

With an SSL/TLS certificate, you can switch your WordPress site to HyperText Transfer Protocol Secure (HTTPS), which a more secure version of HTTP. This is a great way to increase WordPress security.

HTTP is the protocol that transfers data between a website and a browser attempting to access it. Whenever a visitor clock on your page, all the constant, media, and code are sent through this protocol to the visitor location. This is necessary but it also creates security problems.

With HTTPS, this problem is solved. It does the same thing as HTTP, but it also encrypts the site’s data as it travels from one place to another. It started out as something that was used to protect sensitive customer info, like credit card details, but it’s become more and more common for all kinds of sites.

When you switch to HTTPS, customers will get high confidence to deal with your site. It is recommended to have an SSL from authenticated brands like Comodo, Thawte, GlobalSign, etc. If you are having a single domain site then, we recommend having a Comodo PositiveSSL certificate from Comodo or any other single-domain SSL from discussed brands. It will secure online transactions between the server and the browser.

Ending thoughts on WordPress security

These WordPress security tips will help you make sure that all the work you’ve put into your site won’t get lost in a hack. It will encourage people to visits and see what you have to offer.

If you enjoyed reading this article on WordPress security, you should check out this one about WordPress SSL plugin.

We also wrote about a few related subjects like malware scanner plugins and WordPress salts.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.

Cookie	Duration	Description
CONSENT	16 years 2 months 19 days 14 hours	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_UA-47773209-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.

Cookie	Duration	Description
paddle_session	2 hours	No description available.
prism_610072376	1 month	No description available.