Every day thousands of websites get hacked and blacklisted by Google. A compromised website can seriously damage your personal or business reputation, cause downtime and inconveniences for your visitors, and ultimately affect your revenue.
If you’re serious about your website or blog, you have to take extra precautions to make attackers’ lives difficult. You’re probably nodding your head at this point, but you aren’t sure how to tackle this. Well, I’ve got good news for you. It’s not that complicated. These seven simple steps will improve your website security significantly and help you sleep better at night 🙂
1. Keep your software up-to-date
This is by far the most important security tip anyone can give you. Outdated themes, plugins, and WordPress core are the easiest targets: most WordPress break-ins exploit a publicly disclosed vulnerability in a component for which a fix was already available. Applying updates promptly therefore removes the attack path the bad guys are most likely to try. Since WordPress 5.5 you can turn on automatic updates per plugin and theme from the Plugins and Themes screens, and minor core releases already update themselves by default; do that for anything you would not otherwise update within a day or two of a release. Delete themes and plugins you are not using rather than leaving them installed but inactive, because their files are still reachable on the server.
2. Improve your password strength
Weak passwords and predictable usernames (such as admin) are what brute-force and credential-stuffing attacks count on: the attacker points a tool at your login form and tries thousands of common or previously leaked passwords. To defend against that, a password should be long (treat 10 characters as the floor and prefer 14 or more), unique to this site, and not a dictionary word or a leaked password with a few substitutions. Mixing uppercase and lowercase letters, numbers, and special characters helps, but length adds far more strength than composition rules do. Use a password manager to generate and store it, and change it when you have reason to think it was exposed rather than on a fixed schedule, since forced rotation tends to produce weaker, pattern-based passwords. If your hosting or a plugin offers two-factor authentication for the admin account, enable it, so that a guessed password is not enough on its own.
How to change your WordPress admin password?
In the admin area, go to Users and select the user you’d like to edit. Scroll down to the New Password section and click Generate Password. WordPress generates a strong random password, which you can replace with one of your own; the strength meter will tell you whether it is strong enough. Click the Update User button at the bottom of the page to save it.
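As an added example (this is not code from the post or from WordPress), the Python below generates a password with the standard library’s CSPRNG, checks it against the length-and-character-class rule above, and computes the entropy of two candidate policies. The entropy comparison goes beyond the text to show why length counts for more than composition rules; the 10-character minimum and the four character classes are taken from the step above.

```python
import math
import secrets
import string

# The four character classes the policy above asks for (added example, not plugin code).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
POOL = "".join(CLASSES.values())   # 94 printable ASCII characters


def entropy_bits(length, alphabet_size):
    """Bits of entropy of a password of `length` symbols drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def generate_password(length=16):
    """Generate a password with `secrets` (CSPRNG), guaranteeing one character of each class."""
    if length < 10:
        raise ValueError("policy minimum is 10 characters")
    chars = [secrets.choice(cls) for cls in CLASSES.values()]
    chars += [secrets.choice(POOL) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)   # so the guaranteed characters are not always first
    return "".join(chars)


def meets_policy(password, min_length=10):
    """True if the password satisfies the length and mixed-character rules of step 2."""
    long_enough = len(password) >= min_length
    has_each_class = all(any(ch in cls for ch in password) for cls in CLASSES.values())
    return long_enough and has_each_class


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, meets_policy(pw))
    # Length beats composition rules: 16 lowercase letters carry more entropy
    # than 10 characters drawn from all four classes.
    print(f"10 chars, 94-symbol alphabet: {entropy_bits(10, 94):.1f} bits")
    print(f"16 chars, lowercase only:     {entropy_bits(16, 26):.1f} bits")
```

The entropy figures assume the password is chosen uniformly at random; a human-chosen password that happens to contain all four classes is usually far weaker than the formula suggests, which is why the generator is the part worth copying.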
3. Change the admin login page URL
Most of the time, attackers try to get into a WordPress site through the default login page (www.yoursite.com/wp-login.php, which is where www.yoursite.com/wp-admin/ redirects you). Moving it to a custom URL takes your site off the lists that automated scanners work through, and that alone cuts the noise dramatically. It is obscurity rather than a lock, though: anyone who targets you specifically can still find the new page, and the XML-RPC endpoint (www.yoursite.com/xmlrpc.php) still accepts a username and password for its methods unless you disable it, which the same plugin lets you do from its firewall settings. Treat this step as a complement to the captcha and lockout steps below, not a replacement for them.
This can be a very technical task, but luckily there are many plugins that help us achieve it without any programming knowledge. We have been using All In One WP Security & Firewall, a free, comprehensive security plugin that is easy to use.
Install and activate the plugin, go to WP Security > Brute Force and change the login page URL to anything you like. Now your default login URL won’t work anymore, so next time you log in you will have to use your new URL instead.
4. Add a security question to the admin login page
Adding a challenge that a human must answer to the login page makes life much harder for automated scripts that simply post username/password pairs. The built-in option in All In One WP Security is a simple arithmetic question (the plugin calls it a captcha); it is enough to defeat bulk scanners, but a script written against your site specifically can solve it, so treat it as friction rather than a lock and keep the lockout feature from the next step enabled alongside it.
Go to WP Security > Brute Force and select the Login Captcha tab. Enable it by checking Enable Captcha On Login Page, or use Google reCAPTCHA instead if you prefer a stronger challenge. The plugin also offers the same captcha for the lost-password and registration forms; enable it there too if your site exposes them, since a captcha on the login form alone leaves those entry points open to the same scripts.
5. Limit login attempts
By default, WordPress allows users to try to
Go to WP Security > User Login and select the Login Lockdown tab. Activate the feature by checking Enable Login Lockdown Feature. You can then set the maximum number of failed attempts (we recommend between 3 and 10), the time window in which they are counted, the length of the lockout (we recommend 30 to 60 minutes) and a few related options. Check Notify By Email and enter the address you want the alerts sent to: you will then receive an e-mail whenever an IP address is locked out, which is your early warning that someone is working on your login form. Two caveats: the lockout is keyed on the visitor’s IP address, so if your site sits behind a CDN or reverse proxy make sure WordPress sees the real client address rather than the proxy’s (otherwise one attacker can lock out everyone), and a botnet spreading its guesses across many addresses stays under the per-IP limit, which is why a long, unique password still matters.
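To make the lockout logic concrete, here is an added Python example, not code from the plugin or the post, that replays a handful of constructed Apache-style access-log lines through a per-IP lockout policy with the settings recommended above (5 attempts, 30-minute lockout). It assumes the usual WordPress behaviour that a failed POST to wp-login.php answers 200 (the form is re-rendered) while a successful one answers with a 302 redirect; the IP addresses and timestamps in the sample are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of Apache combined-log lines (not real traffic). A POST to
# wp-login.php answered with 200 re-renders the form, i.e. the login failed;
# a 302 redirect is what a successful login returns.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "python-requests/2.31"
198.51.100.2 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "python-requests/2.31"
198.51.100.2 - - [10/Oct/2023:13:55:12 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


class LoginLockdown:
    """Per-IP lockout: after max_attempts failures within window_seconds, block for lockout_seconds."""

    def __init__(self, max_attempts=5, window_seconds=300, lockout_seconds=1800):
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._locked_until = {}               # ip -> epoch second at which the lockout ends
        self.lockouts = []                    # (ip, epoch) events; the hook for the e-mail notice

    def check(self, ip, success, now):
        """Return 'locked' (rejected, IP is in lockout), 'lockout' (this failure triggered one) or 'allowed'."""
        if self._locked_until.get(ip, 0) > now:
            return "locked"                   # refuse before credentials are even evaluated
        if success:
            self._failures.pop(ip, None)      # a good login resets the counter
            return "allowed"
        recent = self._failures[ip]
        recent.append(now)
        while now - recent[0] > self.window_seconds:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self._locked_until[ip] = now + self.lockout_seconds
            recent.clear()
            self.lockouts.append((ip, now))
            return "lockout"
        return "allowed"


def replay(log_text, policy):
    """Run every wp-login.php POST in the log through the policy; returns ip -> list of verdicts."""
    verdicts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        verdicts[m["ip"]].append(policy.check(m["ip"], m["status"] == "302", when))
    return dict(verdicts)


if __name__ == "__main__":
    policy = LoginLockdown(max_attempts=5, lockout_seconds=30 * 60)
    for ip, results in replay(SAMPLE_LOG, policy).items():
        print(ip, results)
    for ip, at in policy.lockouts:
        print(f"notify: {ip} locked out at {datetime.fromtimestamp(at)}")
```

In the sample, 203.0.113.7 is locked out on its fifth failure and its sixth request is refused without the password ever being checked, while the one legitimate login from 198.51.100.2 is unaffected. The same replay over your real access log is a cheap way to confirm that your lockout settings would actually have fired during an attack you already saw.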
6. Enable firewall
A web application firewall inspects incoming HTTP requests and drops the obviously malicious ones (known exploit patterns, requests for files that should never be served, oversized uploads) before they reach WordPress and its PHP code. All In One WP Security comes with a basic firewall, implemented largely as rules it writes to your .htaccess file, that is very easy to enable and is enough for most small sites. If your site holds sensitive data, look at a dedicated firewall that sits in front of your server and is kept updated against new attack patterns, such as Cloudflare WAF, Jetpack or others.
Go to WP Security > Firewall and select the Basic Firewall Rules tab. To activate the firewall, check Enable Basic Firewall Protection and save. Load your site afterwards to confirm it still works; if it does not, the rules the plugin wrote to .htaccess are the first thing to remove.
7. Change WordPress Database Prefix
The database is the most valuable part of your website because every piece of information is stored
The database prefix is a string of characters in front of every table name. The default prefix in WordPress is wp_, and every attacker worth their salt knows this: automated SQL injection payloads are often written against table names such as wp_users. Changing the prefix makes those canned payloads miss, which is a worthwhile defence-in-depth measure, but it is not a fix. An attacker with a working injection can read the real table names from information_schema, so the prefix buys you little against a targeted attack; the real protection is keeping the software that talks to the database patched (step 1).
How to change the database prefix?
The default database prefix can be easily changed during installation, on the page where you configure your username, password,
Go to WP Security > Database Security and select the DB Prefix tab. Under Generate New DB Table Prefix, either enter a prefix of your own (we recommend 3 to 6 characters followed by an underscore) or let the plugin generate a random 6-character string for you. Hit the Change DB Prefix button and the plugin renames the tables and updates the prefix in wp-config.php.
Important note: changing the database prefix can break your website, so take a full backup (database and files) first. The most common failure is that the tables are renamed but the rows whose values embed the prefix are not: the role definitions live under the option name wp_user_roles and each user’s capabilities under the user-meta keys wp_capabilities and wp_user_level, and if those are left at the old prefix every account loses its role and you are locked out of the admin area with a permissions error. The plugin also needs wp-config.php to be writable to update $table_prefix, and plugins that hardcode wp_ in their own queries will stop working until they are fixed or replaced.
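The following added Python example (not the plugin’s code) shows what a prefix change has to touch. It generates a random prefix in the format WordPress accepts, emits the MySQL statements to rename the core tables and fix the wp_user_roles option and the per-user capability meta keys, and rewrites the $table_prefix line of wp-config.php. The core table list is the single-site default; tables added by plugins are an assumption you would fill in from SHOW TABLES before running anything.

```python
import re
import secrets
import string

# Core WordPress tables of a single-site install. Plugins may add their own, so in
# practice you would enumerate them with SHOW TABLES LIKE 'wp\_%' first.
WP_CORE_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "term_relationships", "term_taxonomy", "termmeta", "terms", "usermeta", "users",
]
PREFIX_RE = re.compile(r"[a-z][a-z0-9_]*_")   # WordPress accepts only letters, digits and underscores


def random_prefix(length=6):
    """Random prefix such as 'k7m2qx_': a letter, then letters/digits, then the trailing underscore."""
    body = "".join(secrets.choice(string.ascii_lowercase + string.digits) for _ in range(length - 1))
    return secrets.choice(string.ascii_lowercase) + body + "_"


def prefix_change_sql(old, new, tables):
    """MySQL statements moving `tables` from prefix `old` to `new`, including rows that embed the prefix."""
    if not (PREFIX_RE.fullmatch(old) and PREFIX_RE.fullmatch(new)):
        raise ValueError("prefixes must match [a-z][a-z0-9_]*_")
    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]
    # Role definitions are stored under option_name '<prefix>user_roles' ...
    stmts.append(
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' WHERE option_name = '{old}user_roles';"
    )
    # ... and each user's capabilities/level under meta keys '<prefix>capabilities', '<prefix>user_level'.
    # '_' is a single-character wildcard in LIKE, so it is escaped: 'wp_%' alone would also match 'wpXfoo'.
    like = old.replace("_", "\\_")
    stmts.append(
        f"UPDATE `{new}usermeta` SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {len(old) + 1})) "
        f"WHERE meta_key LIKE '{like}%';"
    )
    return stmts


def rewrite_wp_config(config_text, new):
    """Point $table_prefix in wp-config.php at the new prefix; WordPress reads it on every request."""
    return re.sub(
        r"^(\$table_prefix\s*=\s*)'[^']*';",
        lambda m: m.group(1) + f"'{new}';",
        config_text,
        flags=re.MULTILINE,
    )


if __name__ == "__main__":
    new = random_prefix()
    for stmt in prefix_change_sql("wp_", new, WP_CORE_TABLES):
        print(stmt)
    print(rewrite_wp_config("$table_prefix = 'wp_';\n", new), end="")
```

Run the generated statements inside a transaction on a copy of the database first, then swap wp-config.php; if you forget the two UPDATE statements you will see exactly the "not allowed to access this page" lockout described in the note above.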
How do you keep your website secure? Share your tips and experiences with all of us in the comments below.