When you’re in charge of WordPress websites for several clients, it’s hard to ever relax. Problems seem to come out of nowhere, and clients will email, text, and call in a panic because their site has slowed down or crashed. Plus, if one client’s site goes down, you know that there could be trouble with all the other ones as well. Being dedicated to your job and having clients spread across different time zones means you never get a break from the worry.
There’s no surefire way to ensure a website never, ever has a problem. However, relying on dependable WordPress-focused services, like your host and theme provider, can solve and prevent many common issues, including hacks.
If your WordPress site has ever been hacked – or even if you’ve just imagined it when going over all the possible outcomes – you know the panic that’s bound to set in. Simply knowing a security breach is possible is enough to get you on track to creating a safer website that’s monitored by a reliable host. In this article, we’ll go over how to harden your WordPress website and arm it with the best security possible.
There are a number of reasons why your WordPress site may get hacked – and there are several ways to strengthen your site, too. Let’s go over the main security vulnerabilities that every agency, developer, and freelancer should know about, plus, how to protect your site from falling prey to them.
Always Use the Latest Version of WordPress
Every time WordPress releases a new version, update your website as soon as possible. New WordPress versions often include security patches for problems found in the previous version, so if you don’t update, you leave your site vulnerable.
By always having the latest version of WordPress, you close security gaps that hackers can potentially get through. Your best option is to set up automatic updates so they run without you having to do it manually. And remember that every time you update your site, you should have a backup of your site saved. Any quality host will automatically update your site to the latest version of WordPress so that you don’t have to stay on top of it.
Use the Strongest Passwords Possible
If you don’t create a secure enough website, it’s easy for hackers to access your WordPress admin panel – and once they do that, they can do pretty much anything they want. Hackers use automated tools to run through numerous potential passwords until they hit on the right one. They can then log in to your WordPress admin account and have full control.
Having a weak password is one of the biggest website vulnerabilities, but it’s also the one that’s easiest for you to remedy. In addition to setting a secure password for your WordPress admin account – and changing it regularly – make sure that every website-related service is protected by a strong and unique password, like your FTP and host logins.
Here are a few tips for setting strong passwords:
- Don’t use a version of your name, username, brand name, or website name.
- Don’t use a dictionary word, whether it’s in English or another language.
- Never create a short password – it should be around eight characters, minimum.
- Don’t use just letters or just numbers – your password should combine letters, numbers, and symbols.
There are security plugins such as Wordfence (also available as a standalone Login Security plugin) you can use that will force all users to create strong passwords, and sometimes this service comes standard with hosting plans. Also, if you add two-factor authentication to your website, it’ll be even harder for hackers to get in and create their own account. Furthermore, if you haven’t already, set a schedule for regular password updating, like once every 30, 60, or 90 days.
Set a Limit on Login Attempts
By default, WordPress lets users attempt to log in an unlimited number of times. This leaves your site vulnerable to hackers who try to find your password by running through numerous combinations. You can use a dedicated plugin such as Wordfence, mentioned above, to set a limit on login attempts, but your web application firewall (more on that in a bit) may come standard with this feature.
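As an added illustration (not code from this article, from Wordfence, or from any other plugin it names), the must-use plugin below shows the logic a login-attempt limit implements in WordPress: failed logins are counted per client address in a transient, and further attempts are refused once a threshold is reached. The file location, the five-attempt threshold and the fifteen-minute window are assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limit
 * Assumption (example only): saved as wp-content/mu-plugins/login-limit.php.
 */

// Constructed thresholds for the example: five failures from one client address
// within fifteen minutes block further attempts until the window expires.
const EXAMPLE_LOGIN_MAX_FAILURES   = 5;
const EXAMPLE_LOGIN_WINDOW_SECONDS = 15 * MINUTE_IN_SECONDS;

/**
 * Counter key for the connecting address. REMOTE_ADDR is set by the web server,
 * not by the client. Behind a reverse proxy or DNS-level WAF every request
 * carries the proxy's address, so restore the real client address at the server
 * level first, or one attacker's failures would lock out every legitimate user.
 */
function example_login_client_key() {
    $addr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $addr );
}

// Count each failed login; the transient expires by itself after the window.
// Blocked attempts count too, so the lockout extends while attempts continue.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = example_login_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EXAMPLE_LOGIN_WINDOW_SECONDS );
} );

// Refuse further attempts once the limit is reached. Priority 30 runs after the
// core username/password and e-mail checks at priority 20, so even a correct
// password from a blocked address is rejected until the window expires.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( example_login_client_key() ) >= EXAMPLE_LOGIN_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter so the user is not locked out later.
add_action( 'wp_login', function () {
    delete_transient( example_login_client_key() );
} );
```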
Limit Access to Your Site
The larger your team, the harder it is to limit who has access to your site. However, the fewer people, the better, because you lower the risk of accidental or deliberate security breaches. Look through your list of admin accounts (go to Users in the Dashboard sidebar) to see if there are any that are no longer part of the team, don’t need access to WordPress, or should have less access to your site. Also, note any users that you don’t recognize.
Before removing a user you don’t recognize, check with your account holders to see if they updated their account details – it’s possible a user is an actual admin, but they’ve made a change you don’t recognize. At this point, also clean up your user list to remove anyone who is no longer part of your website and/or shouldn’t have access. Click the checkbox next to any user you want to remove, then change the Bulk Actions dropdown to Delete. Or, to remove a single user, click the Delete link under their username.
Set a Logout Timer for Idle Users
If you have a lot of people who have access to your site, consider using a dedicated plugin that will automatically log them out when they’re idle. If the user walks away from their computer while they’re still logged in to your site, anyone can make changes to your WordPress account. A plugin, such as the free Inactive Logout, will let you set the duration to decide how long a user can be idle before they’re auto-logged out. You can also write a message that will pop up on the screen right before the user is logged out – that way, if they’re still in front of their computer, they can opt to stay logged in.
Reinforce Your Site With Server-Side Protection
Protection on the server side of your site makes it even tougher for hackers to break in. By adding an extra layer of protection to wp-admin, you protect your login screen, the WordPress admin area, and your files. The best way to do this is to protect wp-admin with HTTPS (SSL/TLS), an encrypted connection. Check with your host to see if they offer this level of security.
Use a Web Application Firewall
One of the best ways to keep your site secure is by using a web application firewall (WAF). Essentially, a WAF will keep malicious traffic away from your site. There are two options:
- DNS-level firewall: This type of firewall will send traffic through its own cloud proxy servers. The only traffic that will make its way all the way to your site will be quality, non-malicious traffic.
- Application-level firewall: When you use a plugin as a WAF, the traffic reaches your server, but the plugin inspects it before WordPress loads its scripts.
While an application-level firewall is better than nothing, a DNS-level firewall is the safer option of the two. Popular plugins like Wordfence, services like Cloudflare, and secure hosts like ASPHostPortal offer this.
Only Install Up-To-Date, Reliable Plugins and Themes
If you have out-of-date or nulled plugins or themes, your WordPress website is vulnerable to a hack. “Nulled” refers to premium plugins and themes that should be paid for (when purchased from the right source) but are instead offered for free on another site. Nulled copies are meant to collect information or, worse, harm your site.
Never use a plugin or theme from a source you don’t trust. Select yours from the official WordPress directory, or make sure to read plenty of reviews if you go with an outside source. Furthermore, any plugins you choose should be tested against, and compatible with, your WordPress version.
The reason why plugins and themes have to be updated is that those updates include security features and patches. If you don’t have the latest version, you don’t have the latest security measures. Stay updated by always using the latest versions of reputable plugins and themes. If you choose the right hosting provider, they’ll run these updates for you.
Get Rid of Unused Installations
If you have deactivated plugins and themes that you won’t be needing, delete them. The same goes for unnecessary files, WordPress installations, and databases – get rid of them. The more data that’s sitting in WordPress, the more vulnerable your site is, especially when it comes to old WordPress installations that won’t be up to date.
Delete Unwanted Files
You need to find any files that don’t belong on your site and remove them. To do this, you may need to install a security plugin. Popular options are Wordfence (again!), Defender, and MalCare. These plugins can scan your site and alert you to anything that doesn’t belong.
However, note that a quality web host will do this for you automatically, which means you won’t have to worry about installing a plugin, scanning regularly, or removing problematic files. And if you feel that your site needs a manual scan right now, you can contact your host to handle that for you, too.
Run Regular Backups and Scans
Back up your WordPress site regularly (once a day or more), and make sure each backup includes the database, media files, and plugin and theme files. Also, run malware and file integrity scans regularly to locate any malicious files that may be on your server. There are several WordPress security plugins you can use to automate this process. However, note that scans don’t actually remove malware – they just let you know it’s present. You’ll still need to get rid of the malware yourself (or have your host handle it).
You should regularly scan for malware, spyware and viruses on your computer, too. No matter how secure your website is, if your computer is unsafe – for example, if there’s a keylogger on it – your website is at risk.
Monitor Changes to Your Files
Any time an attack occurs, there’s some trace that it leaves behind – there may be evidence of the attack in the logs or in files, for example. You should be monitoring your files all the time, and there should be alerts set up so that you know whenever a change is made. That way, if a change occurs that you didn’t know about in advance, you can quickly assess if it’s due to a security breach or not. Some of the plugins mentioned above, such as Defender, can take care of this for you.
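To show what file-change monitoring looks like in WordPress terms, here is an added example (not code from this article or from Defender): a must-use plugin that compares every core file against the MD5 checksums WordPress.org publishes for the installed version and e-mails the site admin about modified or missing files. The file location and the daily schedule are assumptions; core checksums cover only WordPress itself, not wp-config.php, themes, plugins or uploads.

```php
<?php
/**
 * Plugin Name: Example Core Integrity Check
 * Assumption (example only): saved as wp-content/mu-plugins/core-integrity.php.
 */

/**
 * Compare each core file with the checksum published for the installed version
 * and locale. Returns a list of "modified: ..." / "missing: ..." strings, or a
 * WP_Error when the checksum list could not be fetched from WordPress.org.
 */
function example_core_integrity_report() {
    require_once ABSPATH . 'wp-admin/includes/update.php';
    global $wp_version, $wp_local_package;

    $locale    = isset( $wp_local_package ) ? $wp_local_package : 'en_US';
    $checksums = get_core_checksums( $wp_version, $locale );
    if ( ! is_array( $checksums ) ) {
        return new WP_Error( 'no_checksums', 'Could not fetch core checksums.' );
    }

    $problems = array();
    foreach ( $checksums as $file => $expected_md5 ) {
        // Bundled default themes/plugins live in wp-content and are often removed on purpose.
        if ( 0 === strpos( $file, 'wp-content/' ) ) {
            continue;
        }
        $path = ABSPATH . $file;
        if ( ! file_exists( $path ) ) {
            $problems[] = 'missing: ' . $file;
        } elseif ( md5_file( $path ) !== $expected_md5 ) {
            $problems[] = 'modified: ' . $file;
        }
    }
    return $problems;
}

// Daily WP-Cron job: alert only when something differs or the check itself failed.
add_action( 'example_core_integrity_event', function () {
    $report = example_core_integrity_report();
    if ( is_wp_error( $report ) ) {
        $body = 'Checksum fetch failed: ' . $report->get_error_message();
    } elseif ( empty( $report ) ) {
        return; // every core file matches its published checksum
    } else {
        $body = implode( "\n", $report );
    }
    wp_mail( get_option( 'admin_email' ), '[' . get_bloginfo( 'name' ) . '] Core file integrity alert', $body );
} );

add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'example_core_integrity_event' ) ) {
        wp_schedule_event( time(), 'daily', 'example_core_integrity_event' );
    }
} );
```

A file reported as modified after a legitimate manual edit is expected; anything else warrants the breach assessment described above.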
Regularly Clean Your Database
When you clean out your database, you get rid of extra, unnecessary data that your site has accumulated over time, like spam and trashed comments, settings for themes you no longer use, etc. The less useless data there is in your database, the faster your site will run. Plus, if you received an alert from your security plugin or provider that your database has been hacked, this step is a necessary one. There are several plugins to choose from in the WordPress directory: WP-Optimize is the most popular dedicated option, and WP-Sweep and Advanced Database Cleaner are alternatives. Alternatively, you can work with a host who handles regular database cleanups for you.
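As an added example (not code from this article or from any of the cleanup plugins it names), this must-use plugin removes exactly the leftovers described above: spam and trashed comments, the comment meta they leave behind, and theme settings for themes that are no longer installed. The file location and the daily schedule are assumptions; take a database backup before the first run, since the deletions are not reversible.

```php
<?php
/**
 * Plugin Name: Example Database Cleanup
 * Assumption (example only): saved as wp-content/mu-plugins/db-cleanup.php.
 */

/**
 * Delete spam/trashed comments, orphaned comment meta and theme_mods options
 * for uninstalled themes. Returns a summary of what was removed.
 */
function example_cleanup_database() {
    global $wpdb;
    $removed = array();

    // Comments WordPress has already marked as spam or moved to the trash.
    $removed['comments'] = (int) $wpdb->query(
        "DELETE FROM {$wpdb->comments} WHERE comment_approved IN ('spam', 'trash')"
    );

    // Comment meta rows whose parent comment no longer exists.
    $removed['commentmeta'] = (int) $wpdb->query(
        "DELETE m FROM {$wpdb->commentmeta} m
         LEFT JOIN {$wpdb->comments} c ON c.comment_ID = m.comment_id
         WHERE c.comment_ID IS NULL"
    );

    // theme_mods_<stylesheet> options for themes that are not installed any more.
    $installed = array_keys( wp_get_themes() );
    $names     = $wpdb->get_col( $wpdb->prepare(
        "SELECT option_name FROM {$wpdb->options} WHERE option_name LIKE %s",
        $wpdb->esc_like( 'theme_mods_' ) . '%'
    ) );
    $removed['theme_mods'] = array();
    foreach ( $names as $name ) {
        $stylesheet = substr( $name, strlen( 'theme_mods_' ) );
        if ( ! in_array( $stylesheet, $installed, true ) ) {
            delete_option( $name );
            $removed['theme_mods'][] = $stylesheet;
        }
    }
    return $removed;
}

// Run the cleanup once a day through WP-Cron.
add_action( 'example_db_cleanup_event', 'example_cleanup_database' );
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'example_db_cleanup_event' ) ) {
        wp_schedule_event( time(), 'daily', 'example_db_cleanup_event' );
    }
} );
```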
Choose a Secure Web Host
When you’re partnered with an unreliable and insecure hosting company, you face a number of problems, including the inability to scale, too much server downtime, and single points of failure. You should be able to scale your site up when traffic surges without worrying that it’s going to crash, go down, or become more vulnerable to security breaches. Here’s another consideration: the best hosting isolates each website so that one compromised site doesn’t affect any others.
If you settle for an inexpensive and low-quality hosting package, you’ll be sharing a server with hundreds of other customers. As a result, your site will slow down. Also, all of those other sites pose security risks to your site – the more sites that are crammed onto a server, the more weak points there are. Furthermore, a “budget” host probably won’t monitor your site closely or know if there’s been an attack.
Most hosting companies offer some sort of security service, but wherever their role stops, yours begins – and if you have no clue how to manage or secure a website, yours could be left highly vulnerable. Work with a host that will offer an array of security features and around-the-clock monitoring and management. Your host should also:
- Be open to answering any of your questions about security, including explanations of the features they offer and their processes.
- Offer the most recent stable version of software.
- Regularly back up your website, while also offering reliable processes for recovery should something go wrong.
Two standard security measures that every site should have are configuring a firewall and adding SSL for extra security. You can use plugins for both of these must-haves, but to keep your site lean, it’s best if you find a host that includes these features in their standard plan.
Here are two more important considerations when choosing a web host:
- Don’t use a shared server. You should never choose a host that will put your site on a shared server. When you’re on a shared server, that server is hosting your site along with many others. If one site is compromised, yours is at risk, too.
- Use SFTP (encrypted file transfer). Your web host should offer SFTP, which encrypts your data and password when you connect to your server. Even if a hacker is present on the network, they won’t be able to read your password, because it stays concealed while traveling between your computer and your website.
Set up Recurring Security Measures
By adding a security plugin to your WordPress site, you’ll be notified of suspicious activity as soon as it occurs. For example, if someone attempts an unauthorized login or adds a file, you can get a notification. The plugin should provide a warning that clearly communicates what the issue is so that you know the next steps to take.
Alternatively, you can work with a security service provider that will monitor your site and fix problems as they occur. This is a costly option, but security shouldn’t be treated as optional – you need your WordPress site to be safe. Quality WordPress hosting should have 24/7 security monitoring built in so that you don’t have to hire yet another service provider just to keep your site functioning.
How to Prioritize WordPress Security With Your Web Host
It’s best to always partner with providers that use top-notch security services. For example, Patchman is a server-level solution that detects and fixes vulnerabilities and malware. It does it all while running behind the scenes – customers don’t have to install or configure it, or even keep an eye on it for maintenance. When Patchman catches a security fix in a new release, it backports the fix to apply it to all earlier versions.
Here’s another example: Human Presence’s behavior analysis engine detects and eliminates 99% of malicious bot spam. Website visitors can’t see that it’s working, but it continues to protect analytics, comments, forms and reviews, and it also stops content and data from being scraped from your site.
When you choose web hosting from ASPHostPortal, security services come standard. For example, Cloudflare’s enterprise security functionality is a good way of securing your WordPress site, but it usually costs upwards of $200 per month. With next-generation hosting, you get this out-of-the-box.
These other security features are highly important, too. With many hosting packages, you’d have to purchase these security benefits separately – now, you can have them included in your standard package:
- Advanced firewall rules.
- Advanced managed rule set.
- Automated malware patching.
- Automated vulnerability patching.
- Comment and form spam protection.
- Enterprise DDoS mitigation.
- Human presence bot detection.
- Intelligent threat detection.
- OWASP core rule sets.
- Rate limiting.
- Reputation-based threat protection.
Find a Web Host You Trust
Relying on secure WordPress hosting is a must for agencies, developers, freelancers, and any website owner who needs their site up and running without hiccups. Full-service hosting means you can rely on your provider to watch your website closely, know as soon as there’s an issue, and fix it, all without your involvement. Here are just a few of the features to look for in a secure web host:
- Latest PHP
- Disabled directory browsing
- Hardened database security
- Scales to demand (which also avoids unnecessary costs)
- Site isolation and container security
A secure website isn’t one that will never have any security-related issues – it would be impossible to promise that. Instead, a secure website is one where there are as many security risk reductions made as possible. The stronger and more secure your website, the less vulnerable it is to hacks.
Some security measures to keep your site from getting WordPress hacked are obvious and easy to handle on your own, like creating strong passwords and only opting for reputable plugins and themes. Others are more difficult to manage, though, especially if you’re in charge of numerous websites for clients.
Nobody wants to deal with the trouble of a WordPress hack. Your site will become unavailable to visitors, and your business can be impacted – and the longer your site is inaccessible, the greater the overall impact. Taking action fast is necessary.
So much of this can be automated and handled for you with the right host – they can take over regular backups, malware scans, security updates, encryption, and firewalls. Whether you’ve had a hacked site and never want to go through it again or you’d love to boast that your sites have never been hacked, quality security is key. Keeping your WordPress website up-to-date and partnering with a quality hosting partner like ASPHostPortal can prevent hacks from happening in the future.